services: postgres_ory: image: postgres:${ORY_POSTGRES_TAG:-17-alpine} container_name: ory_postgres environment: - POSTGRES_USER=${ORY_POSTGRES_USER:-ory} - POSTGRES_PASSWORD=${ORY_POSTGRES_PASSWORD:-secret} - POSTGRES_DB=${ORY_POSTGRES_DB:-ory} volumes: - ./docker/ory/init-db:/docker-entrypoint-initdb.d - ory_postgres_data:/var/lib/postgresql/data networks: - ory-net healthcheck: test: [ "CMD-SHELL", "pg_isready -U ${ORY_POSTGRES_USER:-ory} -d ${KRATOS_DB:-ory_kratos}", ] interval: 5s timeout: 5s retries: 5 # --- Kratos --- kratos-migrate: image: oryd/kratos:${KRATOS_VERSION:-v26.2.0} environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20 - KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL} - KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL} - KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL} - KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["${KRATOS_UI_URL}","${KRATOS_UI_URL}/","${USERFRONT_URL}","${USERFRONT_URL}/","${USERFRONT_URL}/ko","${USERFRONT_URL}/ko/","${USERFRONT_URL}/en","${USERFRONT_URL}/en/","${USERFRONT_URL}/auth/callback","${USERFRONT_URL}/ko/auth/callback","${USERFRONT_URL}/en/auth/callback","${ADMINFRONT_URL}/auth/callback","${DEVFRONT_URL}/auth/callback","${ORGFRONT_URL}/auth/callback"]} - KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL}/error - KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL}/error?error=settings_disabled - KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL}/recovery - KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL}/verification - KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL}/login - KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL}/registration - KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}/login volumes: - ./config/.generated/ory/kratos:/etc/config/kratos command: migrate sql up -e -c /etc/config/kratos/kratos.yml --yes depends_on: postgres_ory: condition: service_healthy networks: - ory-net kratos: image: oryd/kratos:${KRATOS_VERSION:-v26.2.0} container_name: ory_kratos environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20 - COOKIE_SECRET=${COOKIE_SECRET:-localcookie123} - KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL} - KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL} - KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL} - KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["${KRATOS_UI_URL}","${KRATOS_UI_URL}/","${USERFRONT_URL}","${USERFRONT_URL}/","${USERFRONT_URL}/ko","${USERFRONT_URL}/ko/","${USERFRONT_URL}/en","${USERFRONT_URL}/en/","${USERFRONT_URL}/auth/callback","${USERFRONT_URL}/ko/auth/callback","${USERFRONT_URL}/en/auth/callback","${ADMINFRONT_URL}/auth/callback","${DEVFRONT_URL}/auth/callback","${ORGFRONT_URL}/auth/callback"]} - KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL}/error - KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL}/error?error=settings_disabled - KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL}/recovery - KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL}/verification - KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL}/login - KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL}/registration - KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL}/login volumes: - ./config/.generated/ory/kratos:/etc/config/kratos command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier depends_on: kratos-migrate: condition: service_completed_successfully networks: - ory-net - kratosnet # --- Hydra --- hydra-migrate: image: oryd/hydra:${HYDRA_VERSION:-v26.2.0} environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20 command: migrate sql up -e --yes depends_on: postgres_ory: condition: service_healthy networks: - ory-net hydra: image: oryd/hydra:${HYDRA_VERSION:-v26.2.0} container_name: ory_hydra environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20 - URLS_SELF_ISSUER=${HYDRA_PUBLIC_URL} - URLS_LOGIN=${HYDRA_LOGIN_URL:-${USERFRONT_URL}/login} - URLS_CONSENT=${HYDRA_CONSENT_URL:-${USERFRONT_URL}/consent} - URLS_ERROR=${HYDRA_ERROR_URL:-${USERFRONT_URL}/error} - SECRETS_SYSTEM=${HYDRA_SYSTEM_SECRET:-${ORY_POSTGRES_PASSWORD}} volumes: - ./config/.generated/ory/hydra:/etc/config/hydra command: serve -c /etc/config/hydra/hydra.yml all --dev depends_on: hydra-migrate: condition: service_completed_successfully networks: - ory-net - hydranet # --- Keto --- keto-migrate: image: oryd/keto:${KETO_VERSION:-v26.2.0} environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20 volumes: - ./config/.generated/ory/keto:/etc/config/keto command: ["migrate", "up", "-c", "/etc/config/keto/keto.yml", "--yes"] depends_on: postgres_ory: condition: service_healthy networks: - ory-net keto: image: oryd/keto:${KETO_VERSION:-v26.2.0} container_name: ory_keto environment: - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20 volumes: - ./config/.generated/ory/keto:/etc/config/keto command: serve -c /etc/config/keto/keto.yml depends_on: keto-migrate: condition: service_completed_successfully networks: - ory-net # --- Oathkeeper --- oathkeeper_logs_init: image: debian:trixie-slim command: [ "sh", "-c", "mkdir -p /var/log/oathkeeper && chown -R ${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001} /var/log/oathkeeper", ] volumes: - oathkeeper_logs:/var/log/oathkeeper networks: - ory-net oathkeeper: image: oryd/oathkeeper:${OATHKEEPER_VERSION:-v26.2.0} container_name: ory_oathkeeper user: "${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001}" ports: - "4457:4455" # Proxy environment: - APP_ENV=${APP_ENV:-development} - LOG_LEVEL=debug - OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect} - OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret} volumes: - ./config/.generated/ory/oathkeeper:/etc/config/oathkeeper - oathkeeper_logs:/var/log/oathkeeper entrypoint: ["/etc/config/oathkeeper/entrypoint.sh"] depends_on: oathkeeper_logs_init: condition: service_completed_successfully networks: - ory-net - public_net ory_clickhouse: image: clickhouse/clickhouse-server:${CLICKHOUSE_TAG:-24.6} container_name: ory_clickhouse environment: - CLICKHOUSE_USER=${ORY_CLICKHOUSE_USER:-ory} - CLICKHOUSE_PASSWORD=${ORY_CLICKHOUSE_PASSWORD:-orypass} volumes: - ory_clickhouse_data:/var/lib/clickhouse - ./docker/ory/clickhouse:/docker-entrypoint-initdb.d networks: - ory-net ory_vector: image: timberio/vector:0.36.0-alpine container_name: ory_vector environment: - ORY_CLICKHOUSE_USER=${ORY_CLICKHOUSE_USER:-ory} - ORY_CLICKHOUSE_PASSWORD=${ORY_CLICKHOUSE_PASSWORD:-orypass} volumes: - ./docker/ory/vector:/etc/vector - oathkeeper_logs:/var/log/oathkeeper command: ["-c", "/etc/vector/vector.toml"] depends_on: - oathkeeper - ory_clickhouse networks: - ory-net # --- 초기화 & 헬스체크 --- ory_stack_check: image: debian:trixie-slim container_name: ory_stack_check command: > /bin/sh -c " apt-get update >/dev/null && apt-get install -y --no-install-recommends curl >/dev/null; echo 'Wait for services...'; check_ready() { name=\"$$1\"; url=\"$$2\"; max=\"$${ORY_STACK_CHECK_MAX_ATTEMPTS:-60}\"; i=1; while [ \"$$i\" -le \"$$max\" ]; do if curl --connect-timeout 2 --max-time 3 -fsS \"$$url\" >/dev/null; then echo \"Ory service ready: $$name\"; return 0; fi; echo \"Waiting for Ory service: $$name ($$i/$$max)\"; i=$$((i + 1)); sleep 1; done; echo \"ERROR: Ory service not ready: $$name after $$max attempts ($$url)\" >&2; echo \"ERROR: Check service logs: docker logs ory_$$name\" >&2; return 1; }; check_ready kratos http://kratos:4433/health/ready || exit 1; check_ready hydra http://hydra:4444/health/ready || exit 1; check_ready keto http://keto:4466/health/ready || exit 1; echo 'Ory Stack is fully operational!';" depends_on: - kratos - hydra - keto networks: - ory-net # 기본 RP (Admin Front 등) 자동 등록 컨테이너 init-rp: image: oryd/hydra:${HYDRA_CLI_VERSION:-v26.2.0} env_file: - .env entrypoint: ["/bin/sh", "-ec"] command: - | hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" adminfront >/dev/null 2>&1 || true hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" devfront >/dev/null 2>&1 || true hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" orgfront >/dev/null 2>&1 || true hydra delete oauth2-client --endpoint "$${HYDRA_ADMIN_URL}" "$${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}" >/dev/null 2>&1 || true hydra create oauth2-client \ --endpoint "$${HYDRA_ADMIN_URL}" \ --id adminfront \ --name "AdminFront" \ --grant-type authorization_code,refresh_token \ --response-type code \ --scope openid,offline_access,profile,email \ --token-endpoint-auth-method none \ --redirect-uri ${ADMINFRONT_CALLBACK_URLS} hydra create oauth2-client \ --endpoint "$${HYDRA_ADMIN_URL}" \ --id devfront \ --name "DevFront" \ --grant-type authorization_code,refresh_token \ --response-type code \ --scope openid,offline_access,profile,email \ --token-endpoint-auth-method none \ --redirect-uri ${DEVFRONT_CALLBACK_URLS} hydra create oauth2-client \ --endpoint "$${HYDRA_ADMIN_URL}" \ --id orgfront \ --name "OrgFront" \ --grant-type authorization_code,refresh_token \ --response-type code \ --scope openid,offline_access,profile,email \ --token-endpoint-auth-method none \ --redirect-uri ${ORGFRONT_CALLBACK_URLS} hydra create oauth2-client \ --endpoint "$${HYDRA_ADMIN_URL}" \ --id "$${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}" \ --secret "$${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}" \ --grant-type client_credentials \ --response-type token \ --scope openid,offline_access,profile,email depends_on: ory_stack_check: condition: service_completed_successfully networks: - hydranet volumes: ory_postgres_data: ory_clickhouse_data: oathkeeper_logs: networks: ory-net: external: true name: ory-net hydranet: external: true name: hydranet kratosnet: external: true name: kratosnet public_net: external: true name: public_net