From a2d0de7e495b81e8317f85130618bf8227798e5d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 20 Dec 2022 12:15:33 -0500
Subject: [PATCH] kratos config jinja
---
 salt/kratos/defaults.yaml | 57 ++++++++++++++++++++++++
 salt/kratos/files/kratos.yaml | 68 ----------------------------
 salt/kratos/files/kratos.yaml.jinja | 14 ++++++
 setup/so-functions | 8 ++--
 4 files changed, 75 insertions(+), 72 deletions(-)
 create mode 100644 salt/kratos/defaults.yaml
 delete mode 100644 salt/kratos/files/kratos.yaml
 create mode 100644 salt/kratos/files/kratos.yaml.jinja
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
new file mode 100644
index 000000000..2e5fa1f7d
--- /dev/null
+++ b/salt/kratos/defaults.yaml
@@ -0,0 +1,57 @@
+kratos:
+ config:
+ session:
+ lifespan: 24h
+ whoami:
+ required_aal: highest_available
+ selfservice:
+ methods:
+ password:
+ enabled: true
+ config:
+ haveibeenpwned_enabled: false
+ totp:
+ enabled: true
+ config:
+ issuer: Security Onion
+ flows:
+ settings:
+ ui_url: https://URL_BASE/?r=/settings
+ required_aal: highest_available
+
+ verification:
+ ui_url: https://URL_BASE/
+
+ login:
+ ui_url: https://URL_BASE/login/
+
+ error:
+ ui_url: https://URL_BASE/login/
+
+ registration:
+ ui_url: https://URL_BASE/login/
+
+ default_browser_return_url: https://URL_BASE/
+ allowed_return_urls:
+ - http://127.0.0.1
+ log:
+ level: debug
+ format: json
+ secrets:
+ default: []
+ serve:
+ public:
+ base_url: https://URL_BASE/auth/
+ admin:
+ base_url: https://URL_BASE/kratos/
+ hashers:
+ bcrypt:
+ cost: 12
+ identity:
+ default_schema_id: default
+ schemas:
+ - id: default
+ url: file:///kratos-conf/schema.json
+ courier:
+ smtp:
+ connection_uri: smtps://URL_BASE:25
diff --git a/salt/kratos/files/kratos.yaml b/salt/kratos/files/kratos.yaml
deleted file mode 100644
index 650c8c752..000000000
--- a/salt/kratos/files/kratos.yaml
+++ /dev/null
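Review bot: `secrets: default: []` is only a placeholder that depends on the `kratos:config` pillar merge in kratos.yaml.jinja to supply the real cookie/session secret, but nothing in the file says so, and someone editing these defaults could take the empty list for a working value. I would put a comment directly above it: `# Intentionally empty: the per-install secret is injected from the kratos:config pillar (setup/so-functions kratos_pillar); never commit a value here.` `log: level: debug` also becomes the shipped default for the identity service here; Kratos at debug level logs a lot of request and flow detail, so `info` is the safer default, and if debug is wanted a comment stating that `log.leak_sensitive_values` is deliberately left at its default (false) would make the intent explicit. The carried-over `smtps://URL_BASE:25` pairs implicit-TLS `smtps` with port 25, which is normally plaintext/STARTTLS SMTP; that predates this commit, but a one-line comment on why that combination works in this deployment would help.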
@@ -1,68 +0,0 @@ -{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} -{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%} -{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%} - -session: - lifespan: {{ SESSIONTIMEOUT }} - whoami: - required_aal: highest_available - -selfservice: - methods: - password: - enabled: true - config: - haveibeenpwned_enabled: false - totp: - enabled: true - config: - issuer: {{ MFA_ISSUER }} - - flows: - settings: - ui_url: https://{{ GLOBALS.url_base }}/?r=/settings - required_aal: highest_available - - verification: - ui_url: https://{{ GLOBALS.url_base }}/ - - login: - ui_url: https://{{ GLOBALS.url_base }}/login/ - - error: - ui_url: https://{{ GLOBALS.url_base }}/login/ - - registration: - ui_url: https://{{ GLOBALS.url_base }}/login/ - - default_browser_return_url: https://{{ GLOBALS.url_base }}/ - allowed_return_urls: - - http://127.0.0.1 - -log: - level: debug - format: json - -secrets: - default: - - {{ KRATOSKEY }} - -serve: - public: - base_url: https://{{ GLOBALS.url_base }}/auth/ - admin: - base_url: https://{{ GLOBALS.url_base }}/kratos/ - -hashers: - bcrypt: - cost: 12 - -identity: - default_schema_id: default - schemas: - - id: default - url: file:///kratos-conf/schema.json - -courier: - smtp: - connection_uri: smtps://{{ GLOBALS.url_base }}:25 diff --git a/salt/kratos/files/kratos.yaml.jinja b/salt/kratos/files/kratos.yaml.jinja new file mode 100644 index 000000000..fc67a1db8 --- /dev/null +++ b/salt/kratos/files/kratos.yaml.jinja 
@@ -0,0 +1,14 @@
+{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
+
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
+
+{{- KRATOSMERGED | yaml(false) }}
diff --git a/setup/so-functions b/setup/so-functions
index db7c21997..adbb17d5d 100755
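Review bot: The template now reads only `kratos:config`, so a pillar written by the previous `kratos_pillar()` (`kratos:kratoskey`, `kratos:sessiontimeout`, `kratos:mfa_issuer`) is silently ignored and the rendered config carries `secrets: default: []` from defaults.yaml; unless an upgrade step outside this diff rewrites that pillar, upgraded nodes lose their cookie/session secret (Kratos should reject the empty list, but even a regenerated secret would invalidate every existing session and any other value signed with the old one). A loud failure at render time is cheap: after the `set KRATOSMERGED` line add `{%- if not KRATOSMERGED.secrets.default %}{{ raise('kratos:config:secrets:default is not set in pillar') }}{%- endif %}` (Salt's Jinja `raise` global). Separately, the `URL_BASE` substitution runs on the defaults before the pillar merge, so anything set under `kratos:config` in pillar is emitted verbatim; a header comment such as `{# URL_BASE placeholders are expanded only in defaults.yaml; pillar overrides under kratos:config are written out as-is and must be full URLs #}` would prevent a surprise there.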
--- a/setup/so-functions +++ b/setup/so-functions @@ -1383,11 +1383,11 @@ kratos_pillar() { touch $adv_kratos_pillar_file printf '%s\n'\ "kratos:"\ - " kratoskey: '$KRATOSKEY'"\ - " sessiontimeout: '24h'"\ - " mfa_issuer: 'Security Onion'"\ + " config:"\ + " secrets:"\ + " default:"\ + " - '$KRATOSKEY'"\ "" > "$kratos_pillar_file" -} create_global() { title "Creating the global.sls"
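Review bot: The hunk appears to drop the closing `}` of `kratos_pillar()` (the `-}` line right after the `printf` redirect) without re-adding one, and the hunk header (old 11 / new 11 lines with 3 removed and 4 added) is consistent with that reading; if so, `create_global()` becomes a nested definition inside `kratos_pillar()` and the script will fail to parse with an unterminated `{` at end of file. If that removal was accidental, re-add `}` on its own line after `"" > "$kratos_pillar_file"`. Separately, `$KRATOSKEY` is still interpolated into YAML inside single quotes, which is fine only while the generator (outside this hunk) never emits a `'`; worth confirming that its alphabet is hex or base64. `kratos_pillar()` starts before the hunk.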