diff --git a/base/devtools/gitea-theme-cm.yaml b/base/devtools/gitea-theme-cm.yaml
index 17ede88..d0ee75c 100644
--- a/base/devtools/gitea-theme-cm.yaml
+++ b/base/devtools/gitea-theme-cm.yaml
@@ -21,7 +21,7 @@ data:
/* Monaspace Neon Variable (code font) — from jsDelivr */
@font-face {
font-family: 'Monaspace Neon';
- src: url('https://cdn.jsdelivr.net/npm/@github/monaspace@1.101/dist/fonts/variable/MonaspaceNeonVarVF[wght,slnt].woff2') format('woff2');
+ src: url('https://cdn.jsdelivr.net/gh/githubnext/monaspace@v1.101/fonts/webfonts/MonaspaceNeonVarVF%5Bwght%2Cwdth%2Cslnt%5D.woff2') format('woff2');
font-weight: 200 800;
font-style: oblique 0deg 10deg;
font-display: swap;
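Review bot: The new `src` on the `+` line references the jsDelivr `gh/` endpoint keyed on git tag `v1.101`, whereas the npm `@1.101` reference it replaces named an immutable published version; a git tag can be re-pointed upstream, so the pin now rests on jsDelivr's caching rather than on the reference itself. The `gh/` endpoint also accepts a commit hash in place of the tag, so `…/githubnext/monaspace@<COMMIT_SHA>/fonts/webfonts/…` (placeholder: resolve the commit the tag currently points to) keeps the same path and restores a content-stable pin. Since `@font-face` carries no integrity attribute, the other control worth confirming on the Gitea side is a `font-src` CSP entry limited to `cdn.jsdelivr.net`. The `@font-face` rule is complete within the hunk, but the enclosing ConfigMap `data:` block scalar begins before it.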
diff --git a/base/lasuite/people-frontend-nginx-configmap.yaml b/base/lasuite/people-frontend-nginx-configmap.yaml
index 575f292..ef684e2 100644
--- a/base/lasuite/people-frontend-nginx-configmap.yaml
+++ b/base/lasuite/people-frontend-nginx-configmap.yaml
@@ -21,7 +21,7 @@ data:
gzip off;
sub_filter 'integration.lasuite.numerique.gouv.fr' 'integration.DOMAIN_SUFFIX';
- sub_filter '' '';
+ sub_filter '' '';
sub_filter_once off;
sub_filter_types text/html application/javascript;
diff --git a/base/ory/kratos-values.yaml b/base/ory/kratos-values.yaml
index bebeb5d..7305859 100644
--- a/base/ory/kratos-values.yaml
+++ b/base/ory/kratos-values.yaml
@@ -21,6 +21,24 @@ kratos:
- https://src.DOMAIN_SUFFIX/
- https://find.DOMAIN_SUFFIX/
- https://admin.DOMAIN_SUFFIX/
+ methods:
+ password:
+ enabled: true
+ totp:
+ enabled: true
+ config:
+ issuer: Sunbeam Studios
+ webauthn:
+ enabled: true
+ config:
+ passwordless: false
+ rp:
+ display_name: Sunbeam Studios
+ id: DOMAIN_SUFFIX
+ origins:
+ - https://auth.DOMAIN_SUFFIX
+ lookup_secret:
+ enabled: true
flows:
error:
ui_url: https://auth.DOMAIN_SUFFIX/error
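Review bot: `webauthn.config.rp.id: DOMAIN_SUFFIX` is only valid if the substituted value is a registrable domain of which the listed origin `https://auth.DOMAIN_SUFFIX` is a subdomain; browsers reject registration when the RP ID is not the origin's host or a registrable suffix of it, and this is only checked at deploy time once `DOMAIN_SUFFIX` is replaced. Changing `rp.id` afterwards invalidates every authenticator already enrolled, so it deserves a comment above the key such as `# rp.id must be the registrable parent of every entry in origins; changing it orphans enrolled authenticators`. With `passwordless: false`, WebAuthn here acts as a second factor alongside `totp` and `lookup_secret`, and enforcement depends on the `required_aal` settings added in later hunks of this file. The enclosing `kratos:` block starts and ends outside the hunk.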
@@ -36,13 +54,17 @@ kratos:
enabled: true
ui_url: https://auth.DOMAIN_SUFFIX/verification
settings:
- ui_url: https://auth.DOMAIN_SUFFIX/settings
+ ui_url: https://auth.DOMAIN_SUFFIX/security
+ privileged_session_max_age: 5m
+ required_aal: highest_available
identity:
default_schema_id: employee
schemas:
- id: employee
url: base64: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
+ - id: default
+ url: base64: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
- id: external
url: base64: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
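Review bot: The new schema entry is named `default` while `default_schema_id` remains `employee`, so a reader will reasonably assume the wrong schema applies to new identities; consider a name that describes the identity class it serves (as `employee` and `external` do), or a comment above `- id: default` stating `# not the default schema — see default_schema_id`. Because the `url` values in this view are redacted, whether the added schema differs in content from `employee` cannot be verified here. The `settings` change to `/security` with `privileged_session_max_age: 5m` and `required_aal: highest_available` is consistent with the second-factor methods enabled earlier in the file; any remaining references to the old `/settings` path elsewhere in the deployment would now point at the wrong page, which I could not check from this hunk.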
@@ -50,7 +72,7 @@ kratos:
smtp:
connection_uri: "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
from_address: no-reply@DOMAIN_SUFFIX
- from_name: Sunbeam
+ from_name: Sunbeam Studios
oauth2_provider:
url: http://hydra-admin.ory.svc.cluster.local:4445
@@ -63,6 +85,8 @@ kratos:
domain: DOMAIN_SUFFIX
persistent: true
lifespan: 720h
+ whoami:
+ required_aal: highest_available
serve:
public:
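Review bot: With `session.whoami.required_aal: highest_available`, a user who has enrolled TOTP or WebAuthn but only completed password login receives a 403 from the whoami endpoint (Kratos reports this with error id `session_aal2_required`, if I recall correctly) rather than a session, so every relying application and the replacement login UI must redirect such users into a login flow requesting `aal2`. That matters because this same commit deletes `login-ui-deployment.yaml`, and whichever UI replaces it is not visible in this diff. A comment above `whoami:` such as `# forces step-up to AAL2 for any identity with a second factor enrolled; clients must handle session_aal2_required` would make the dependency explicit. The `session` block this hunk sits in starts before the hunk, and the `serve:` block continues after it.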
diff --git a/base/ory/login-ui-deployment.yaml b/base/ory/login-ui-deployment.yaml
deleted file mode 100644
index edaac6c..0000000
--- a/base/ory/login-ui-deployment.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: login-ui
- namespace: ory
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: login-ui
- template:
- metadata:
- labels:
- app: login-ui
- spec:
- containers:
- - name: login-ui
- image: oryd/kratos-selfservice-ui-node:v1.3.0
- ports:
- - name: http
- containerPort: 3000
- protocol: TCP
- env:
- - name: KRATOS_PUBLIC_URL
- value: "http://kratos-public.ory.svc.cluster.local:80"
- - name: KRATOS_BROWSER_URL
- value: "https://auth.DOMAIN_SUFFIX/kratos"
- - name: HYDRA_ADMIN_URL
- value: "http://hydra-admin.ory.svc.cluster.local:4445"
- - name: PORT
- value: "3000"
- - name: COOKIE_SECRET
- valueFrom:
- secretKeyRef:
- name: login-ui-secrets
- key: cookie-secret
- - name: CSRF_COOKIE_NAME
- value: "csrf"
- - name: CSRF_COOKIE_SECRET
- valueFrom:
- secretKeyRef:
- name: login-ui-secrets
- key: csrf-cookie-secret
- resources:
- limits:
- memory: 256Mi
- requests:
- memory: 128Mi
- cpu: 25m
----
-apiVersion: v1
-kind: Service
-metadata:
- name: login-ui
- namespace: ory
-spec:
- selector:
- app: login-ui
- ports:
- - name: http
- port: 3000
- targetPort: 3000
- protocol: TCP