ouranos/ansible/pplg/config_local.py.j2

# PgAdmin4 Local Configuration - Managed by Ansible
# Gunicorn-based deployment (no Apache) with Casdoor OAuth SSO
# Red Panda Approved

import os

# Server settings
DEFAULT_SERVER = '0.0.0.0'
DEFAULT_SERVER_PORT = {{pgadmin_port}}

# Data directory
DATA_DIR = '{{pgadmin_data_dir}}'
SESSION_DB_PATH = os.path.join(DATA_DIR, 'sessions')
STORAGE_DIR = os.path.join(DATA_DIR, 'storage')
SQLITE_PATH = os.path.join(DATA_DIR, 'pgadmin4.db')

# Log settings
LOG_FILE = '{{pgadmin_log_dir}}/pgadmin4.log'

# Default admin credentials (for initial setup)
SETUP_EMAIL = '{{pgadmin_email}}'
SETUP_PASSWORD = '{{pgadmin_password}}'

# Authentication - OAuth2 (Casdoor) + internal fallback
AUTHENTICATION_SOURCES = ['oauth2', 'internal']

# Master password disabled (use OAuth)
MASTER_PASSWORD_REQUIRED = False

# Reverse proxy settings (Titania HAProxy -> Prospero HAProxy -> Gunicorn)
ENHANCED_COOKIE_PROTECTION = False
PROXY_X_FOR_COUNT = 2
PROXY_X_PROTO_COUNT = 2
PROXY_X_HOST_COUNT = 2
X_FRAME_OPTIONS = 'SAMEORIGIN'
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'Lax'
WTF_CSRF_SSL_STRICT = False

# OAuth2 Configuration (Casdoor OIDC)
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'Casdoor',
    'OAUTH2_DISPLAY_NAME': 'Casdoor SSO',
    'OAUTH2_CLIENT_ID': '{{pgadmin_oauth_client_id}}',
    'OAUTH2_CLIENT_SECRET': '{{pgadmin_oauth_client_secret}}',
    'OAUTH2_TOKEN_URL': 'https://id.ouranos.helu.ca/api/login/oauth/access_token',
    'OAUTH2_AUTHORIZATION_URL': 'https://id.ouranos.helu.ca/login/oauth/authorize',
    'OAUTH2_API_BASE_URL': 'https://id.ouranos.helu.ca/',
    'OAUTH2_USERINFO_ENDPOINT': 'api/userinfo',
    'OAUTH2_SERVER_METADATA_URL': 'https://id.ouranos.helu.ca/.well-known/openid-configuration',
    'OAUTH2_SCOPE': 'openid profile email',
    'OAUTH2_ICON': 'fa-openid',
    'OAUTH2_BUTTON_COLOR': '#2db7f5',
}]