{%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%}
{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}
{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%}

session:
  lifespan: {{ SESSIONTIMEOUT }}
  whoami:
    required_aal: highest_available

selfservice:
  methods:
    password:
      enabled: true
      config:
        haveibeenpwned_enabled: false
    totp:
      enabled: true
      config:
        issuer: {{ MFA_ISSUER }}

  flows:
    settings:
      ui_url: https://{{ WEBACCESS }}/?r=/settings
      required_aal: highest_available

    verification:
      ui_url: https://{{ WEBACCESS }}/

    login:
      ui_url: https://{{ WEBACCESS }}/login/

    error:
      ui_url: https://{{ WEBACCESS }}/login/

    registration:
      ui_url: https://{{ WEBACCESS }}/login/
    
  default_browser_return_url: https://{{ WEBACCESS }}/
  allowed_return_urls:
    - http://127.0.0.1

log:
  level: debug
  format: json

secrets:
  default:
    - {{ KRATOSKEY }}

serve:
  public: 
    base_url: https://{{ WEBACCESS }}/auth/
  admin: 
    base_url: https://{{ WEBACCESS }}/kratos/

hashers:
  bcrypt:
    cost: 12

identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///kratos-conf/schema.json

courier:
  smtp:
    connection_uri: smtps://{{ WEBACCESS }}:25