kratos config jinja

salt/kratos/defaults.yaml

@@ -0,0 +1,57 @@
+kratos:
+  config:
+    session:
+      lifespan: 24h
+      whoami:
+        required_aal: highest_available
+    selfservice:
+      methods:
+        password:
+          enabled: true
+          config:
+            haveibeenpwned_enabled: false
+        totp:
+          enabled: true
+          config:
+            issuer: Security Onion
+      flows:
+        settings:
+          ui_url: https://URL_BASE/?r=/settings
+          required_aal: highest_available
+
+        verification:
+          ui_url: https://URL_BASE/
+
+        login:
+          ui_url: https://URL_BASE/login/
+
+        error:
+          ui_url: https://URL_BASE/login/
+
+        registration:
+          ui_url: https://URL_BASE/login/
+
+      default_browser_return_url: https://URL_BASE/
+      allowed_return_urls:
+        - http://127.0.0.1
+    log:
+      level: debug
+      format: json
+    secrets:
+      default: []
+    serve:
+      public:
+        base_url: https://URL_BASE/auth/
+      admin:
+        base_url: https://URL_BASE/kratos/
+    hashers:
+      bcrypt:
+        cost: 12
+    identity:
+      default_schema_id: default
+      schemas:
+        - id: default
+          url: file:///kratos-conf/schema.json
+    courier:
+      smtp:
+        connection_uri: smtps://URL_BASE:25

salt/kratos/files/kratos.yaml

@@ -1,68 +0,0 @@
-{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
-{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%}
-{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%}
-
-session:
-  lifespan: {{ SESSIONTIMEOUT }}
-  whoami:
-    required_aal: highest_available
-
-selfservice:
-  methods:
-    password:
-      enabled: true
-      config:
-        haveibeenpwned_enabled: false
-    totp:
-      enabled: true
-      config:
-        issuer: {{ MFA_ISSUER }}
-
-  flows:
-    settings:
-      ui_url: https://{{ GLOBALS.url_base }}/?r=/settings
-      required_aal: highest_available
-
-    verification:
-      ui_url: https://{{ GLOBALS.url_base }}/
-
-    login:
-      ui_url: https://{{ GLOBALS.url_base }}/login/
-
-    error:
-      ui_url: https://{{ GLOBALS.url_base }}/login/
-
-    registration:
-      ui_url: https://{{ GLOBALS.url_base }}/login/
-    
-  default_browser_return_url: https://{{ GLOBALS.url_base }}/
-  allowed_return_urls:
-    - http://127.0.0.1
-
-log:
-  level: debug
-  format: json
-
-secrets:
-  default:
-    - {{ KRATOSKEY }}
-
-serve:
-  public: 
-    base_url: https://{{ GLOBALS.url_base }}/auth/
-  admin: 
-    base_url: https://{{ GLOBALS.url_base }}/kratos/
-
-hashers:
-  bcrypt:
-    cost: 12
-
-identity:
-  default_schema_id: default
-  schemas:
-    - id: default
-      url: file:///kratos-conf/schema.json
-
-courier:
-  smtp:
-    connection_uri: smtps://{{ GLOBALS.url_base }}:25

salt/kratos/files/kratos.yaml.jinja

@@ -0,0 +1,14 @@
+{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
+
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
+{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
+
+{{- KRATOSMERGED | yaml(false) }}

setup/so-functions

@@ -1383,11 +1383,11 @@ kratos_pillar() {
 	touch $adv_kratos_pillar_file
 	printf '%s\n'\
 		"kratos:"\
-		"  kratoskey: '$KRATOSKEY'"\
+		"  config:"\
-		"  sessiontimeout: '24h'"\
+		"    secrets:"\
-		"  mfa_issuer: 'Security Onion'"\
+		"      default:"\
+		"        - '$KRATOSKEY'"\
 		"" > "$kratos_pillar_file"
-}
 
 create_global() {
 	title "Creating the global.sls"