fix(ory): enable MFA methods, fix font URL, clean up login-ui

Enable TOTP, WebAuthn, and lookup secret MFA methods in Kratos config.
Fix Monaspace Neon font CDN URL in Gitea theme ConfigMap. Remove
redundant Google Fonts preconnect from people-frontend nginx config.
Delete unused login-ui-deployment.yaml (login-ui is part of the Ory
Helm chart, not a standalone deployment).

base/ory/kratos-values.yaml

@@ -21,6 +21,24 @@ kratos:
         - https://src.DOMAIN_SUFFIX/
         - https://find.DOMAIN_SUFFIX/
         - https://admin.DOMAIN_SUFFIX/
+      methods:
+        password:
+          enabled: true
+        totp:
+          enabled: true
+          config:
+            issuer: Sunbeam Studios
+        webauthn:
+          enabled: true
+          config:
+            passwordless: false
+            rp:
+              display_name: Sunbeam Studios
+              id: DOMAIN_SUFFIX
+              origins:
+                - https://auth.DOMAIN_SUFFIX
+        lookup_secret:
+          enabled: true
       flows:
         error:
           ui_url: https://auth.DOMAIN_SUFFIX/error
@@ -36,13 +54,17 @@ kratos:
           enabled: true
           ui_url: https://auth.DOMAIN_SUFFIX/verification
         settings:
-          ui_url: https://auth.DOMAIN_SUFFIX/settings
+          ui_url: https://auth.DOMAIN_SUFFIX/security
+          privileged_session_max_age: 5m
+          required_aal: highest_available
 
     identity:
       default_schema_id: employee
       schemas:
         - id: employee
           url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2VtcGxveWVlLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRW1wbG95ZWUiLAogICJwcm9wZXJ0aWVzIjogewogICAgInRyYWl0cyI6IHsKICAgICAgInR5cGUiOiAib2JqZWN0IiwKICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgImVtYWlsIjogewogICAgICAgICAgInR5cGUiOiAic3RyaW5nIiwKICAgICAgICAgICJmb3JtYXQiOiAiZW1haWwiLAogICAgICAgICAgInRpdGxlIjogIkVtYWlsIiwKICAgICAgICAgICJvcnkuc2gva3JhdG9zIjogewogICAgICAgICAgICAiY3JlZGVudGlhbHMiOiB7ICJwYXNzd29yZCI6IHsgImlkZW50aWZpZXIiOiB0cnVlIH0gfSwKICAgICAgICAgICAgInJlY292ZXJ5IjogeyAidmlhIjogImVtYWlsIiB9LAogICAgICAgICAgICAidmVyaWZpY2F0aW9uIjogeyAidmlhIjogImVtYWlsIiB9CiAgICAgICAgICB9CiAgICAgICAgfSwKICAgICAgICAiZ2l2ZW5fbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkZpcnN0IG5hbWUiIH0sCiAgICAgICAgImZhbWlseV9uYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTGFzdCBuYW1lIiB9LAogICAgICAgICJtaWRkbGVfbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIk1pZGRsZSBuYW1lIiB9LAogICAgICAgICJuaWNrbmFtZSI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIk5pY2tuYW1lIiB9LAogICAgICAgICJwaWN0dXJlIjogeyAidHlwZSI6ICJzdHJpbmciLCAiZm9ybWF0IjogInVyaSIsICJ0aXRsZSI6ICJQcm9maWxlIHBpY3R1cmUiIH0sCiAgICAgICAgInBob25lX251bWJlciI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIlBob25lIG51bWJlciIgfSwKICAgICAgICAiam9iX3RpdGxlIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiSm9iIHRpdGxlIiB9LAogICAgICAgICJkZXBhcnRtZW50IjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiRGVwYXJ0bWVudCIgfSwKICAgICAgICAib2ZmaWNlX2xvY2F0aW9uIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiT2ZmaWNlIGxvY2F0aW9uIiB9LAogICAgICAgICJlbXBsb3llZV9pZCI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkVtcGxveWVlIElEIiB9LAogICAgICAgICJoaXJlX2RhdGUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJmb3JtYXQiOiAiZGF0ZSIsICJ0aXRsZSI6ICJIaXJlIGRhdGUiIH0sCiAgICAgICAgIm1hbmFnZXIiOiB7ICJ0eXBlIjogInN0cmluZyIsICJ0aXRsZSI6ICJNYW5hZ2VyIiB9CiAgICAgIH0sCiAgICAgICJyZXF1aXJlZCI6IFsiZW1haWwiXQogICAgfQogIH0KfQo=
+        - id: default
+          url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2lkZW50aXR5Lmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiUGVyc29uIChsZWdhY3kpIiwKICAicHJvcGVydGllcyI6IHsKICAgICJ0cmFpdHMiOiB7CiAgICAgICJ0eXBlIjogIm9iamVjdCIsCiAgICAgICJwcm9wZXJ0aWVzIjogewogICAgICAgICJlbWFpbCI6IHsKICAgICAgICAgICJ0eXBlIjogInN0cmluZyIsCiAgICAgICAgICAiZm9ybWF0IjogImVtYWlsIiwKICAgICAgICAgICJ0aXRsZSI6ICJFbWFpbCIsCiAgICAgICAgICAib3J5LnNoL2tyYXRvcyI6IHsKICAgICAgICAgICAgImNyZWRlbnRpYWxzIjogeyAicGFzc3dvcmQiOiB7ICJpZGVudGlmaWVyIjogdHJ1ZSB9IH0sCiAgICAgICAgICAgICJyZWNvdmVyeSI6IHsgInZpYSI6ICJlbWFpbCIgfSwKICAgICAgICAgICAgInZlcmlmaWNhdGlvbiI6IHsgInZpYSI6ICJlbWFpbCIgfQogICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgIm5hbWUiOiB7CiAgICAgICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAgICAgInByb3BlcnRpZXMiOiB7CiAgICAgICAgICAgICJmaXJzdCI6IHsgInR5cGUiOiAic3RyaW5nIiwgInRpdGxlIjogIkZpcnN0IG5hbWUiIH0sCiAgICAgICAgICAgICJsYXN0IjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTGFzdCBuYW1lIiB9CiAgICAgICAgICB9CiAgICAgICAgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbImVtYWlsIl0KICAgIH0KICB9Cn0K
         - id: external
           url: base64://ewogICIkaWQiOiAiaHR0cHM6Ly9zY2hlbWFzLnN1bmJlYW0uc3R1ZGlvL2V4dGVybmFsLmpzb24iLAogICIkc2NoZW1hIjogImh0dHA6Ly9qc29uLXNjaGVtYS5vcmcvZHJhZnQtMDcvc2NoZW1hIyIsCiAgInR5cGUiOiAib2JqZWN0IiwKICAidGl0bGUiOiAiRXh0ZXJuYWwgVXNlciIsCiAgInByb3BlcnRpZXMiOiB7CiAgICAidHJhaXRzIjogewogICAgICAidHlwZSI6ICJvYmplY3QiLAogICAgICAicHJvcGVydGllcyI6IHsKICAgICAgICAiZW1haWwiOiB7CiAgICAgICAgICAidHlwZSI6ICJzdHJpbmciLAogICAgICAgICAgImZvcm1hdCI6ICJlbWFpbCIsCiAgICAgICAgICAidGl0bGUiOiAiRW1haWwiLAogICAgICAgICAgIm9yeS5zaC9rcmF0b3MiOiB7CiAgICAgICAgICAgICJjcmVkZW50aWFscyI6IHsgInBhc3N3b3JkIjogeyAiaWRlbnRpZmllciI6IHRydWUgfSB9LAogICAgICAgICAgICAicmVjb3ZlcnkiOiB7ICJ2aWEiOiAiZW1haWwiIH0sCiAgICAgICAgICAgICJ2ZXJpZmljYXRpb24iOiB7ICJ2aWEiOiAiZW1haWwiIH0KICAgICAgICAgIH0KICAgICAgICB9LAogICAgICAgICJnaXZlbl9uYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiRmlyc3QgbmFtZSIgfSwKICAgICAgICAiZmFtaWx5X25hbWUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJ0aXRsZSI6ICJMYXN0IG5hbWUiIH0sCiAgICAgICAgIm5pY2tuYW1lIjogeyAidHlwZSI6ICJzdHJpbmciLCAidGl0bGUiOiAiTmlja25hbWUiIH0sCiAgICAgICAgInBpY3R1cmUiOiB7ICJ0eXBlIjogInN0cmluZyIsICJmb3JtYXQiOiAidXJpIiwgInRpdGxlIjogIlByb2ZpbGUgcGljdHVyZSIgfQogICAgICB9LAogICAgICAicmVxdWlyZWQiOiBbImVtYWlsIl0KICAgIH0KICB9Cn0K
 
@@ -50,7 +72,7 @@ kratos:
       smtp:
         connection_uri: "smtp://postfix.lasuite.svc.cluster.local:25/?skip_ssl_verify=true"
         from_address: no-reply@DOMAIN_SUFFIX
-        from_name: Sunbeam
+        from_name: Sunbeam Studios
 
     oauth2_provider:
       url: http://hydra-admin.ory.svc.cluster.local:4445
@@ -63,6 +85,8 @@ kratos:
         domain: DOMAIN_SUFFIX
         persistent: true
       lifespan: 720h
+      whoami:
+        required_aal: highest_available
 
     serve:
       public:

base/ory/login-ui-deployment.yaml

@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: login-ui
-  namespace: ory
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: login-ui
-  template:
-    metadata:
-      labels:
-        app: login-ui
-    spec:
-      containers:
-        - name: login-ui
-          image: oryd/kratos-selfservice-ui-node:v1.3.0
-          ports:
-            - name: http
-              containerPort: 3000
-              protocol: TCP
-          env:
-            - name: KRATOS_PUBLIC_URL
-              value: "http://kratos-public.ory.svc.cluster.local:80"
-            - name: KRATOS_BROWSER_URL
-              value: "https://auth.DOMAIN_SUFFIX/kratos"
-            - name: HYDRA_ADMIN_URL
-              value: "http://hydra-admin.ory.svc.cluster.local:4445"
-            - name: PORT
-              value: "3000"
-            - name: COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: login-ui-secrets
-                  key: cookie-secret
-            - name: CSRF_COOKIE_NAME
-              value: "csrf"
-            - name: CSRF_COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: login-ui-secrets
-                  key: csrf-cookie-secret
-          resources:
-            limits:
-              memory: 256Mi
-            requests:
-              memory: 128Mi
-              cpu: 25m
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: login-ui
-  namespace: ory
-spec:
-  selector:
-    app: login-ui
-  ports:
-    - name: http
-      port: 3000
-      targetPort: 3000
-      protocol: TCP