Configuration

LogIt configuration is managed through secrets/secrets.json.

Core Configuration

Basic Settings

{
  "MONGO_URI": "mongodb://localhost:27017/logit_db",
  "SECRET_KEY": "your-secret-key-here",
  "OIDC_ENABLED": false
}

Configuration Keys

MONGO_URI

MongoDB connection string. Format:

  • Without auth: mongodb://localhost:27017/logit_db

  • With auth: mongodb://user:pass@localhost:27017/logit_db?authSource=logit_db

SECRET_KEY

Secret key for session encryption. Generate with:

import secrets
print(secrets.token_hex(32))

OIDC_ENABLED

Enable/disable OpenID Connect SSO (true or false)

SSO Configuration (Optional)

To enable institutional SSO with OpenID Connect:

Full SSO Configuration

{
  "MONGO_URI": "mongodb://localhost:27017/logit_db",
  "SECRET_KEY": "your-secret-key",

  "OIDC_ENABLED": true,
  "OIDC_CLIENT_ID": "your-client-id",
  "OIDC_CLIENT_SECRET": "your-client-secret",
  "OIDC_DISCOVERY_URL": "https://sso.nikhef.nl/.well-known/openid-configuration",
  "OIDC_REDIRECT_URI": "https://your-domain.nl/auth/callback",
  "OIDC_SCOPES": "openid profile email",
  "OIDC_ALLOWED_GROUPS": ["xenon"],
  "OIDC_GROUP_CLAIM": "groups",

  "DEFAULT_LOGBOOKS": ["xams"]
}

SSO Configuration Keys

OIDC_CLIENT_ID

Client ID provided by your SSO provider

OIDC_CLIENT_SECRET

Client secret provided by your SSO provider

OIDC_DISCOVERY_URL

OpenID Connect discovery endpoint URL

OIDC_REDIRECT_URI

Callback URL for SSO (must match provider configuration)

  • Development: http://localhost:5000/auth/callback

  • Production: https://your-domain.nl/auth/callback

OIDC_SCOPES

Space-separated list of OAuth scopes (usually "openid profile email")

OIDC_ALLOWED_GROUPS

Array of group names that are allowed to log in via SSO

  • Leave empty [] to allow all authenticated users

  • Example: ["xenon", "researchers"]

OIDC_GROUP_CLAIM

Name of the claim containing group memberships in the ID token

  • Common values: "groups", "eduperson_entitlement"

DEFAULT_LOGBOOKS

Array of logbook names new SSO users can access by default

  • Example: ["xams", "common"]

For detailed SSO setup instructions, see docs/SSO_SETUP.md.
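
How OIDC_ALLOWED_GROUPS, OIDC_GROUP_CLAIM and DEFAULT_LOGBOOKS interact at login, as an added sketch that is not LogIt's own code. The function names and the sample claims are assumptions, group matching is assumed to be exact string comparison, and the claims are assumed to come from an ID token that has already been verified.

```python
def claim_groups(claims, group_claim):
    """Normalise the group claim: providers send a list or a single string."""
    value = claims.get(group_claim)
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, tuple)):
        return {g for g in value if isinstance(g, str)}
    return set()  # claim absent or of an unexpected type


def evaluate_sso_login(claims, cfg):
    """Return (allowed, logbooks) for already-verified ID token claims."""
    allowed_groups = set(cfg.get("OIDC_ALLOWED_GROUPS") or [])
    groups = claim_groups(claims, cfg.get("OIDC_GROUP_CLAIM", "groups"))
    # Documented behaviour: an empty allow-list admits every authenticated user.
    allowed = not allowed_groups or bool(groups & allowed_groups)
    logbooks = list(cfg.get("DEFAULT_LOGBOOKS", [])) if allowed else []
    return allowed, logbooks


# Constructed sample configuration and claims (hypothetical users).
CFG = {"OIDC_ALLOWED_GROUPS": ["xenon"], "OIDC_GROUP_CLAIM": "groups",
       "DEFAULT_LOGBOOKS": ["xams"]}
MEMBER = {"sub": "u1", "groups": ["xenon", "staff"]}
OUTSIDER = {"sub": "u2", "groups": ["visitors"]}
NO_CLAIM = {"sub": "u3"}

if __name__ == "__main__":
    for claims in (MEMBER, OUTSIDER, NO_CLAIM):
        print(claims["sub"], evaluate_sso_login(claims, CFG))
    # Same users with the allow-list emptied: everyone is admitted.
    open_cfg = dict(CFG, OIDC_ALLOWED_GROUPS=[])
    for claims in (OUTSIDER, NO_CLAIM):
        print(claims["sub"], evaluate_sso_login(claims, open_cfg))
```

In this sketch, pointing OIDC_GROUP_CLAIM at a claim the provider does not emit makes a non-empty allow-list reject everyone, so confirm the claim name against a real ID token before restricting groups.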

MongoDB Configuration

Without Authentication (Development)

{
  "MONGO_URI": "mongodb://localhost:27017/logit_db"
}

With Authentication (Production)

{
  "MONGO_URI": "mongodb://logit_user:password@localhost:27017/logit_db?authSource=logit_db"
}

See MONGODB_AUTH_SETUP.md for setting up MongoDB authentication.

Remote MongoDB

To connect to a remote MongoDB instance:

{
  "MONGO_URI": "mongodb://user:pass@remote-host:27017/logit_db?authSource=logit_db"
}

Ensure MongoDB is configured to accept remote connections and firewall rules allow access.

Environment Variables

Application Timezone

Set the timezone for slow control data timestamps:

export APP_TZ="Europe/Amsterdam"

Add to systemd service file:

[Service]
Environment="APP_TZ=Europe/Amsterdam"

Or add to .bashrc / .profile for development.

Flask Environment

export FLASK_ENV=development  # or production
export FLASK_APP=run.py

Slow Control Configuration

Slow control data should be written to the MongoDB collection slow_control_data with documents in this format:

{
  "timestamp": ISODate("2024-01-01T12:00:00Z"),
  "TT201": 25.3,
  "TT202": 24.8,
  "PT101": 1.013,
  // ... other sensor readings
}

Customize sensor groups in app/routes/slow_control.py:

temperature_sensors = ["TT201", "TT202", "TT203"]
pressure_sensors = ["PT101", "PT102"]

Logbook Configuration

Logbooks are created via the admin panel, but you can also create them directly in MongoDB:

db.logbooks.insertOne({
  "name": "xams",
  "users": []  // ObjectIds of users with access
})

Security Best Practices

  1. Strong SECRET_KEY: Use a long random string (64+ characters)

  2. HTTPS in production: Use nginx/apache with SSL certificates

  3. MongoDB authentication: Always enable in production

  4. Restrict MongoDB bind IP: Only allow localhost or specific IPs

  5. File permissions: Ensure secrets/secrets.json is not world-readable

     chmod 600 secrets/secrets.json

  6. Firewall: Block MongoDB port (27017) from public access

  7. Regular updates: Keep dependencies up to date
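
A pre-deployment check for the items above that can be read from secrets/secrets.json itself, as an added example that is not part of LogIt. The names `audit_config` and `audit_file` are assumptions, and the 64-character threshold is taken from item 1.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Placeholder values that appear in this page's sample configurations.
PLACEHOLDERS = {"your-secret-key-here", "your-secret-key",
                "dev-key-change-in-production"}


def audit_config(cfg, production=True):
    """Return findings for a parsed secrets.json dict (empty list = clean)."""
    findings = []
    key = cfg.get("SECRET_KEY", "")
    if key in PLACEHOLDERS or len(key) < 64:
        findings.append("SECRET_KEY: placeholder or shorter than 64 characters")
    # urlsplit exposes the user part of mongodb://user:pass@host/db
    if production and not urlsplit(cfg.get("MONGO_URI", "")).username:
        findings.append("MONGO_URI: no credentials, MongoDB auth not in use")
    if cfg.get("OIDC_ENABLED"):
        for name in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET", "OIDC_DISCOVERY_URL"):
            if not cfg.get(name):
                findings.append(f"{name}: missing while OIDC_ENABLED is true")
        redirect = urlsplit(cfg.get("OIDC_REDIRECT_URI", ""))
        if production and redirect.scheme != "https":
            findings.append("OIDC_REDIRECT_URI: callback is not https")
        if not cfg.get("OIDC_ALLOWED_GROUPS"):
            findings.append("OIDC_ALLOWED_GROUPS: empty, any authenticated "
                            "SSO user can log in")
    return findings


def audit_file(path, production=True):
    """Check file permissions, then audit the JSON content."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"permissions: mode {mode:o}, expected 600")
    with open(path, encoding="utf-8") as fh:
        return findings + audit_config(json.load(fh), production)


if __name__ == "__main__":
    # Constructed sample: the page's development config checked as production.
    sample = {"MONGO_URI": "mongodb://localhost:27017/logit_db",
              "SECRET_KEY": "dev-key-change-in-production",
              "OIDC_ENABLED": False}
    for finding in audit_config(sample):
        print("WARN", finding)
```

The bind IP and firewall items (4 and 6) live in the MongoDB and host configuration, so they are outside what this file check can see.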

Configuration Examples

Development Setup

{
  "MONGO_URI": "mongodb://localhost:27017/logit_db",
  "SECRET_KEY": "dev-key-change-in-production",
  "OIDC_ENABLED": false
}

Production with Local Auth

{
  "MONGO_URI": "mongodb://logit_user:SecurePass123@localhost:27017/logit_db?authSource=logit_db",
  "SECRET_KEY": "long-random-secret-key-generated-with-secrets-module",
  "OIDC_ENABLED": false
}

Production with SSO

{
  "MONGO_URI": "mongodb://logit_user:SecurePass123@localhost:27017/logit_db?authSource=logit_db",
  "SECRET_KEY": "long-random-secret-key-generated-with-secrets-module",
  "OIDC_ENABLED": true,
  "OIDC_CLIENT_ID": "logit-production",
  "OIDC_CLIENT_SECRET": "client-secret-from-sso-provider",
  "OIDC_DISCOVERY_URL": "https://sso.institution.org/.well-known/openid-configuration",
  "OIDC_REDIRECT_URI": "https://logit.institution.org/auth/callback",
  "OIDC_SCOPES": "openid profile email",
  "OIDC_ALLOWED_GROUPS": ["researchers", "admin"],
  "OIDC_GROUP_CLAIM": "groups",
  "DEFAULT_LOGBOOKS": ["main", "equipment"]
}