computer-playbook/roles/web-app-drupal/templates/settings.local.php.j2

<?php
/**
 * Local settings overrides generated by Ansible.
 * - Reads DB + OIDC endpoints from environment variables.
 * - Sets $databases and selected $config overrides.
 */

$env = getenv();

/** Database **/
$host = getenv('DRUPAL_DB_HOST') ?: '{{ database_host }}:{{ database_port }}';
$db   = getenv('DRUPAL_DB_NAME') ?: '{{ database_name }}';
$user = getenv('DRUPAL_DB_USER') ?: '{{ database_username }}';
$pass = getenv('DRUPAL_DB_PASSWORD') ?: '{{ database_password }}';

$parts = explode(':', $host, 2);
$hostname = $parts[0];
$port = isset($parts[1]) ? (int)$parts[1] : 3306;

$databases['default']['default'] = [
  'database' => $db,
  'username' => $user,
  'password' => $pass,
  'prefix'   => '',
  'host'     => $hostname,
  'port'     => $port,
  'namespace'=> 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver'   => 'mysql',
];

/** OIDC endpoint hints (optional) — the real config is applied via Drush. */
$config['openid_connect.settings']['automatic_account_creation'] = true;
$config['openid_connect.settings']['always_save_userinfo'] = true;
$config['openid_connect.settings']['link_existing_users'] = true;

/** Trusted host patterns can be extended by Ansible task 04_trusted_hosts.yml */

/** Enable local services YML if present */
$settings['container_yamls'][] = $app_root . '/' . $site_path . '/services.local.yml';

// Reverse proxy optional über ENV setzen (z.B. "10.0.0.0/8, 172.16.0.0/12")
$proxy = getenv('REVERSE_PROXY_ADDRESSES');
if ($proxy) {
  $settings['reverse_proxy'] = TRUE;
  $settings['reverse_proxy_addresses'] = array_map('trim', explode(',', $proxy));
}

/** Hash salt (from schema/credentials, hashed with SHA-256) */
$settings['hash_salt'] = '{{ applications | get_app_conf(application_id, "credentials.hash_salt", True) }}';