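---
# Compose stack for the "test2" Ory environment: Postgres, Kratos (identity),
# Hydra (OAuth2/OIDC), Keto (authorization), Oathkeeper (access proxy), a
# ClickHouse + Vector pair that ingests Oathkeeper's log volume, and two
# one-shot jobs (readiness gate, OAuth2 client registration).
#
# Review notes:
# - Every `${VAR:-default}` secret below (Postgres password, Kratos cookie
#   secret, Oathkeeper introspection client secret) is a development default
#   committed to the repo; override all of them in `.env.test2` before this
#   stack is reachable by anyone but its owner.
# - Kratos and Hydra are started with `--dev`, which relaxes the HTTPS /
#   secure-cookie checks meant for production, and Oathkeeper logs at debug
#   level. None of that belongs outside a local test environment.
# - All DSNs use `sslmode=disable`. Traffic stays on the private `test2_net`
#   bridge network and no database port is published to the host; the only
#   host-published port is the Oathkeeper proxy.

services:
  postgres_ory:
    image: postgres:${ORY_POSTGRES_TAG:-17-alpine}
    environment:
      - POSTGRES_USER=${ORY_POSTGRES_USER:-ory}
      - POSTGRES_PASSWORD=${ORY_POSTGRES_PASSWORD:-secret}
      - POSTGRES_DB=${ORY_POSTGRES_DB:-ory}
    volumes:
      # init-db presumably creates the per-product databases (KRATOS_DB,
      # HYDRA_DB, KETO_DB) that the migrate jobs connect to — confirm.
      - ./docker/ory/init-db:/docker-entrypoint-initdb.d
      - ory_postgres_data_test2:/var/lib/postgresql/data
    networks:
      - test2_net
    healthcheck:
      # Probes KRATOS_DB rather than POSTGRES_DB, which looks intended to keep
      # dependents waiting until the init scripts have run — confirm.
      test:
        - CMD-SHELL
        - pg_isready -U ${ORY_POSTGRES_USER:-ory} -d ${KRATOS_DB:-ory_kratos}
      interval: 5s
      timeout: 5s
      retries: 5

  # --- Kratos ---
  # Runs the schema migration once; `kratos` waits for it to complete.
  kratos-migrate:
    image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
      # NOTE(review): the default cookie domain `hmac.kr` does not match the
      # default `localhost` UI URLs; browsers drop cookies whose Domain does
      # not cover the request host, so local runs presumably set this in
      # .env.test2 — confirm.
      - KRATOS_SESSION_COOKIE_DOMAIN=${KRATOS_SESSION_COOKIE_DOMAIN:-hmac.kr}
      - KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:15000/auth}
      - KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
      - KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:15000}
      - 'KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["http://localhost:15000","http://localhost:15000/"]}'
      - KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/error
      # The settings flow is deliberately routed to the error page.
      - KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/error?error=settings_disabled
      - KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/recovery
      - KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/verification
      - KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/login
      - KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/registration
      - KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:15000}/login
    volumes:
      - ./docker/ory/kratos:/etc/config/kratos
    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
    depends_on:
      postgres_ory:
        condition: service_healthy
    networks:
      - test2_net

  kratos:
    image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
      # Development default; must be overridden in .env.test2.
      - COOKIE_SECRET=${COOKIE_SECRET:-localcookie123}
      - KRATOS_SESSION_COOKIE_DOMAIN=${KRATOS_SESSION_COOKIE_DOMAIN:-hmac.kr}
      - KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:15000/auth}
      - KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
      - KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:15000}
      - 'KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=${KRATOS_ALLOWED_RETURN_URLS_JSON:-["http://localhost:15000","http://localhost:15000/"]}'
      - KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/error
      - KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/error?error=settings_disabled
      - KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/recovery
      - KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/verification
      - KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/login
      - KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:15000}/registration
      - KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:15000}/login
    volumes:
      - ./docker/ory/kratos:/etc/config/kratos
    # `--dev` relaxes production security checks; local test use only.
    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
    depends_on:
      kratos-migrate:
        condition: service_completed_successfully
    networks:
      - test2_net

  # --- Hydra ---
  hydra-migrate:
    image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
    command: migrate sql up -e --yes
    depends_on:
      postgres_ory:
        condition: service_healthy
    networks:
      - test2_net

  hydra:
    image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
      # Login/consent/error pages are served by the user-front application.
      - URLS_SELF_ISSUER=${USERFRONT_URL:-http://localhost:5000}/oidc
      - URLS_LOGIN=${USERFRONT_URL:-http://localhost:5000}/login
      - URLS_CONSENT=${USERFRONT_URL:-http://localhost:5000}/consent
      - URLS_ERROR=${USERFRONT_URL:-http://localhost:5000}/error
      # NOTE(review): Hydra's system secret (protects its persisted state) is
      # the Postgres password here, and unlike the DSNs it has no default: with
      # ORY_POSTGRES_PASSWORD unset the DSN falls back to "secret" while this
      # value is empty. Prefer a dedicated, long, random secret from .env.test2
      # over sharing the database credential.
      - SECRETS_SYSTEM=${ORY_POSTGRES_PASSWORD}
    volumes:
      - ./docker/ory/hydra:/etc/config/hydra
    # `--dev` relaxes HTTPS enforcement; local test use only.
    command: serve -c /etc/config/hydra/hydra.yml all --dev
    depends_on:
      hydra-migrate:
        condition: service_completed_successfully
    networks:
      - test2_net

  # --- Keto ---
  keto-migrate:
    image: oryd/keto:${KETO_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
    volumes:
      - ./docker/ory/keto:/etc/config/keto
    command: ["migrate", "up", "-c", "/etc/config/keto/keto.yml", "--yes"]
    depends_on:
      postgres_ory:
        condition: service_healthy
    networks:
      - test2_net

  keto:
    image: oryd/keto:${KETO_VERSION:-v25.4.0}
    env_file:
      - .env.test2
    environment:
      - DSN=postgres://${ORY_POSTGRES_USER:-ory}:${ORY_POSTGRES_PASSWORD:-secret}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
    volumes:
      - ./docker/ory/keto:/etc/config/keto
    command: serve -c /etc/config/keto/keto.yml
    depends_on:
      keto-migrate:
        condition: service_completed_successfully
    networks:
      - test2_net

  # --- Oathkeeper ---
  oathkeeper:
    image: oryd/oathkeeper:${OATHKEEPER_VERSION:-v25.4.0}
    # Runs as an unprivileged UID/GID; it presumably needs write access to the
    # oathkeeper_logs_test2 volume — confirm against entrypoint.sh.
    user: "${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001}"
    env_file:
      - .env.test2
    ports:
      - "${OATHKEEPER_PROXY_PORT:-14467}:4455"  # Proxy (the only host-published port)
    environment:
      - APP_ENV=${APP_ENV:-development}
      # Debug logging may include request details; keep to local test use.
      - LOG_LEVEL=debug
      # Must match the client registered by init-rp below (same defaults).
      - OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
      - OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
    volumes:
      - ./docker/ory/oathkeeper:/etc/config/oathkeeper
      - oathkeeper_logs_test2:/var/log/oathkeeper
    entrypoint: ["/etc/config/oathkeeper/entrypoint.sh"]
    networks:
      - test2_net

  ory_clickhouse:
    # NOTE(review): `latest` is unpinned and changes under you; every other
    # image here is pinned or parameterised — pin this one the same way.
    image: clickhouse/clickhouse-server:latest
    environment:
      - CLICKHOUSE_USER=${ORY_CLICKHOUSE_USER:-ory}
      - CLICKHOUSE_PASSWORD=${ORY_CLICKHOUSE_PASSWORD:-orypass}
    volumes:
      - ory_clickhouse_data_test2:/var/lib/clickhouse
      - ./docker/ory/clickhouse:/docker-entrypoint-initdb.d
    networks:
      - test2_net

  # Ships the Oathkeeper log volume to ClickHouse.
  ory_vector:
    image: timberio/vector:0.36.0-alpine
    volumes:
      - ./docker/ory/vector:/etc/vector
      - oathkeeper_logs_test2:/var/log/oathkeeper
    command: ["-c", "/etc/vector/vector.toml"]
    # Start-order only; ClickHouse has no healthcheck, so Vector must cope
    # with the sink not being up yet.
    depends_on:
      - oathkeeper
      - ory_clickhouse
    networks:
      - test2_net

  # --- Init & health check ---
  # Readiness gate: exits 0 once Kratos, Hydra and Keto all report ready.
  ory_stack_check:
    image: alpine:latest
    # `curl -f` is required: the readiness endpoints answer with a non-2xx
    # status while a service is still starting, and without `-f` any HTTP
    # response at all would satisfy `until` and end the wait too early.
    command: >
      /bin/sh -c "
      apk add --no-cache curl;
      echo 'Wait for services...';
      until curl -sf http://kratos:4433/health/ready; do sleep 1; done;
      until curl -sf http://hydra:4444/health/ready; do sleep 1; done;
      until curl -sf http://keto:4466/health/ready; do sleep 1; done;
      echo 'Ory Stack is fully operational!';"
    depends_on:
      - kratos
      - hydra
      - keto
    networks:
      - test2_net

  # Registers the default relying parties (AdminFront, DevFront) and the
  # Oathkeeper introspection client in Hydra once the stack is ready.
  init-rp:
    # Same version variable as the hydra services so the CLI matches the server.
    image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
    entrypoint: ["/bin/sh"]
    command:
      - -ec
      - |
        # Each client is deleted once, right before it is (re)created, so the
        # job is re-runnable; "not found" is swallowed by `|| true`, while
        # `sh -e` aborts the job if a create fails.
        # --- AdminFront (public client: no client secret) ---
        hydra delete oauth2-client --endpoint http://hydra:4445 adminfront >/dev/null 2>&1 || true
        hydra create oauth2-client \
          --endpoint http://hydra:4445 \
          --id adminfront \
          --name "AdminFront" \
          --grant-type authorization_code,refresh_token \
          --response-type code \
          --scope openid,offline_access,profile,email \
          --token-endpoint-auth-method none \
          --redirect-uri https://ssob.hmac.kr/auth/callback \
          --redirect-uri https://adminb.hmac.kr/auth/callback \
          --redirect-uri http://localhost:25173/auth/callback \
          --redirect-uri http://adminb.hmac.kr:25173/auth/callback
        # --- DevFront (public client: no client secret) ---
        hydra delete oauth2-client --endpoint http://hydra:4445 devfront >/dev/null 2>&1 || true
        hydra create oauth2-client \
          --endpoint http://hydra:4445 \
          --id devfront \
          --name "DevFront" \
          --grant-type authorization_code,refresh_token \
          --response-type code \
          --scope openid,offline_access,profile,email \
          --token-endpoint-auth-method none \
          --redirect-uri https://ssob.hmac.kr/auth/callback \
          --redirect-uri https://devb.hmac.kr/auth/callback \
          --redirect-uri http://localhost:25174/auth/callback \
          --redirect-uri http://devb.hmac.kr:25174/auth/callback
        # --- Oathkeeper introspection client (confidential, client_credentials) ---
        # The secret is passed as a command-line argument and is therefore
        # visible in this container's command line; acceptable for the local
        # test stack only.
        hydra delete oauth2-client --endpoint http://hydra:4445 ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect} >/dev/null 2>&1 || true
        hydra create oauth2-client \
          --endpoint http://hydra:4445 \
          --id ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect} \
          --secret ${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret} \
          --grant-type client_credentials \
          --response-type token \
          --scope openid,offline_access,profile,email
    depends_on:
      ory_stack_check:
        condition: service_completed_successfully
    networks:
      - test2_net

volumes:
  ory_postgres_data_test2:
  ory_clickhouse_data_test2:
  oathkeeper_logs_test2:

networks:
  test2_net:
    name: test2_net
    driver: bridge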