From 33ffecb3a2e2d9f205a6d1ffb5c0161b20e51f0e Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Mon, 5 Sep 2022 16:01:56 +0200
Subject: [PATCH 01/92] feat: WIP! Added Samply Beam and Spot to CCP

---
 ccp/docker-compose.yml | 71 +++++++++++++++++++++++++-----------------
 start-bridgehead.sh    |  2 +-
 2 files changed, 44 insertions(+), 29 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index e3ef2e4..75a06c3 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -7,8 +7,7 @@ services:
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --api.dashboard=true
+      - --providers.docker=true - --api.dashboard=true
       - --accesslog=true # print access-logs
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
@@ -67,36 +66,52 @@ services:
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
   
-  ccp-search-share:
-    image: "samply/dktk-fed-search-share:main"
-    container_name: bridgehead-ccp-share
+  task-store:
+    image: "samply/blaze:develop"
     environment:
-      APP_BASE_URL: "http://dktk-fed-search-share:8080"
-      APP_BROKER_BASEURL: "https://dktk-fed-search.verbis.dkfz.de/broker/rest/searchbroker"
-      APP_BROKER_MAIL: ${CCP_SEARCHBROKER_USERNAME}
-      APP_BROKER_AUTHTOKEN: ${CCP_SEARCHBROKER_PASSWORD}
-      APP_STORE_BASEURL: "http://bridgehead-ccp-blaze:8080/fhir"
-      SPRING_DATASOURCE_URL: "jdbc:postgresql://bridgehead-ccp-share-db:5432/postgres"
-      JAVA_TOOL_OPTIONS: -Xmx1g -Dhttp.proxyHost=bridgehead-forward-proxy -Dhttp.proxyPort=3128 -Dhttps.proxyHost=bridgehead-forward-proxy -Dhttps.proxyPort=3128 -Dhttp.nonProxyHosts="bridgehead-*"
-    depends_on:
-    - ccp-search-share-db
-    - blaze
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dktk-fed-search.rule=PathPrefix(`/ccp-connector`)"
-      - "traefik.http.services.dktk-fed-search.loadbalancer.server.port=8080"
-
-  ccp-search-share-db:
-    image: "postgres:14"
-    container_name: bridgehead-ccp-share-db
-    environment:
-      POSTGRES_USER: "postgres"
-      POSTGRES_PASSWORD: "postgres"
-      POSTGRES_DB: "dktk-fed-search-share"
+      BASE_URL: "http://localhost:8083"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+    ports:
+    - "8083:8080"
     volumes:
-    - "ccp-search-share-db-data:/var/lib/postgresql/data"
+    - "task-store-data:/app/data"
+
+  data-store:
+    image: "samply/blaze:develop"
+    environment:
+      BASE_URL: "http://localhost:8084"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+    ports:
+    - "8084:8080"
+    volumes:
+    - "data-store-data:/app/data"
+
+  # spot:
+  #   image: "samply/spot"
+
+  beam-proxy:
+    image: "samply/beam-proxy:develop"
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_0_ID: ${APP_0_ID_SHORT}
+      APP_0_KEY: ${APP_0_KEY}
+      APP_1_ID: ${APP_1_ID_SHORT}
+      APP_1_KEY: ${APP_1_KEY}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+    secrets:
+      - proxy.pem
+
 
 volumes:
   blaze-data:
   bridgehead-proxy:
   ccp-search-share-db-data:
+  task-store-data:
+  data-store-data:
+
+secrets:
+  proxy.pem:
+    file: ./pki/${PROXY_ID_SHORT}.priv.pem
diff --git a/start-bridgehead.sh b/start-bridgehead.sh
index bf1478d..b658c93 100755
--- a/start-bridgehead.sh
+++ b/start-bridgehead.sh
@@ -13,6 +13,6 @@ source site.conf
 
 log "Starting bridgehead"
 
-docker-compose -f ${project}/docker-compose.yml --env-file site-config/${project}.env up -d
+docker-compose -f <(docker run --rm --volume ${pwd}/${project}/:/tmp/workdir/ samply/templer /tmp/workdir/docker-compose.yml TEST="TEST_0 TEST_1") config
 
 log "The bridgehead should be in online in a few seconds"

From 5c2c76e75979d4b94840bd2cdf673226c0473e62 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 7 Sep 2022 11:09:53 +0200
Subject: [PATCH 02/92] Added WIP spot and beam proxy

---
 ccp/docker-compose.yml | 52 +++++++++++++++++++-----------------------
 lib/prerequisites.sh   |  5 ++++
 2 files changed, 28 insertions(+), 29 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 75a06c3..860b689 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -7,7 +7,8 @@ services:
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
-      - --providers.docker=true - --api.dashboard=true
+      - --providers.docker=true 
+      - --api.dashboard=true
       - --accesslog=true # print access-logs
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
@@ -51,7 +52,7 @@ services:
     image: "samply/blaze:0.17"
     container_name: bridgehead-ccp-blaze
     environment:
-      BASE_URL: "http://blaze:8080"
+      BASE_URL: "http://bridgehead-ccp-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx4g"
       LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
@@ -65,34 +66,24 @@ services:
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
-  
-  task-store:
-    image: "samply/blaze:develop"
-    environment:
-      BASE_URL: "http://localhost:8083"
-      JAVA_TOOL_OPTIONS: "-Xmx1g"
-      LOG_LEVEL: "debug"
-    ports:
-    - "8083:8080"
-    volumes:
-    - "task-store-data:/app/data"
 
-  data-store:
-    image: "samply/blaze:develop"
+  spot:
+    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:9a80eeef29f08ecec947fc2df55a65424255e6d60105fee8ee0ef77db27af01c"
     environment:
-      BASE_URL: "http://localhost:8084"
-      JAVA_TOOL_OPTIONS: "-Xmx1g"
-      LOG_LEVEL: "debug"
-    ports:
-    - "8084:8080"
-    volumes:
-    - "data-store-data:/app/data"
-
-  # spot:
-  #   image: "samply/spot"
+      SECRET: ${SECRET}
+      APPID: ${APP_0_ID_SHORT}
+      PROXY_ID: ${PROXY_ID}
+      LDM_URL: ${LDM_URL}
+      BEAM_PROXY: http://beam-proxy:8081
+    depends_on:
+      - "beam-proxy"
+      - "blaze"
+    labels:
+      - "traefik.enable=false"
 
   beam-proxy:
     image: "samply/beam-proxy:develop"
+    container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
@@ -101,17 +92,20 @@ services:
       APP_1_ID: ${APP_1_ID_SHORT}
       APP_1_KEY: ${APP_1_KEY}
       PRIVKEY_FILE: /run/secrets/proxy.pem
+      http_proxy: http://bridgehead-forward-proxy:3128
+      https_proxy: http://bridgehead-forward-proxy:3128
     secrets:
       - proxy.pem
+    labels:
+      - "traefik.enable=false"
+    depends_on:
+      - "forward_proxy"
 
 
 volumes:
   blaze-data:
   bridgehead-proxy:
-  ccp-search-share-db-data:
-  task-store-data:
-  data-store-data:
 
 secrets:
   proxy.pem:
-    file: ./pki/${PROXY_ID_SHORT}.priv.pem
+    file: /etc/bridgehead/pki/${PROXY_ID_SHORT}.priv.pem
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index e04161b..0000406 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -52,6 +52,11 @@ if [ ! -e "certs/traefik.crt" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
+if [ ! -e "etc/bridgehead/pki/*.priv.pem" ]; then
+    log ERROR "Privaste certificsate for beam is missing"
+    exit 1
+fi
+
 if [ -e /etc/bridgehead/vault.conf ]; then
 	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
 		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."

From 4ef896c3f26604b536ca09bfe6f9bef01cbf1748 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 7 Sep 2022 15:26:01 +0200
Subject: [PATCH 03/92] Replaced forward proxy with site proxy

---
 ccp/docker-compose.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 860b689..bf4ba2c 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -92,8 +92,9 @@ services:
       APP_1_ID: ${APP_1_ID_SHORT}
       APP_1_KEY: ${APP_1_KEY}
       PRIVKEY_FILE: /run/secrets/proxy.pem
-      http_proxy: http://bridgehead-forward-proxy:3128
-      https_proxy: http://bridgehead-forward-proxy:3128
+      RUST_LOG: info
+      http_proxy: ${http_proxy}
+      https_proxy: ${https_proxy}
     secrets:
       - proxy.pem
     labels:

From 1050d413cd5aa4a189c9b3dfd20b143388496ce1 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 8 Sep 2022 09:33:03 +0200
Subject: [PATCH 04/92] Added more Debug loging

---
 ccp/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index bf4ba2c..6a8c26f 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -68,7 +68,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:9a80eeef29f08ecec947fc2df55a65424255e6d60105fee8ee0ef77db27af01c"
+    image: "samply/spot"
     environment:
       SECRET: ${SECRET}
       APPID: ${APP_0_ID_SHORT}
@@ -92,7 +92,7 @@ services:
       APP_1_ID: ${APP_1_ID_SHORT}
       APP_1_KEY: ${APP_1_KEY}
       PRIVKEY_FILE: /run/secrets/proxy.pem
-      RUST_LOG: info
+      RUST_LOG: debug
       http_proxy: ${http_proxy}
       https_proxy: ${https_proxy}
     secrets:

From 066ab45e9c41a2bfce5ea04757dfb8da8c889bdf Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 8 Sep 2022 10:21:14 +0200
Subject: [PATCH 05/92] WIP: Beam Pem Check

---
 lib/prerequisites.sh | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 0000406..e04161b 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -52,11 +52,6 @@ if [ ! -e "certs/traefik.crt" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
-if [ ! -e "etc/bridgehead/pki/*.priv.pem" ]; then
-    log ERROR "Privaste certificsate for beam is missing"
-    exit 1
-fi
-
 if [ -e /etc/bridgehead/vault.conf ]; then
 	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
 		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."

From cd7257b2958acf90565c595e7ebc07561a2a95e4 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 8 Sep 2022 10:23:07 +0200
Subject: [PATCH 06/92] Added real image

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 6a8c26f..365c1f4 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -82,7 +82,7 @@ services:
       - "traefik.enable=false"
 
   beam-proxy:
-    image: "samply/beam-proxy:develop"
+    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

From c8fc96132164180cb5cd47a8bcd5b49f1e31f8c0 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 8 Sep 2022 10:24:25 +0200
Subject: [PATCH 07/92] At the right point now

---
 ccp/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 365c1f4..ab0a830 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -68,7 +68,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: "samply/spot"
+    image: "docker pull docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
     environment:
       SECRET: ${SECRET}
       APPID: ${APP_0_ID_SHORT}
@@ -82,7 +82,7 @@ services:
       - "traefik.enable=false"
 
   beam-proxy:
-    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
+    image: "samply/beam-proxy:develop"
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

From 93f0551ac6e2ea3a8bb468da5bc0798dbaddf5b6 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 8 Sep 2022 10:25:18 +0200
Subject: [PATCH 08/92] Fix ref

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index ab0a830..48bb616 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -68,7 +68,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: "docker pull docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
+    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
     environment:
       SECRET: ${SECRET}
       APPID: ${APP_0_ID_SHORT}

From f4f33b95fccd2f94a95e8189476c1ac91c0221df Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Mon, 26 Sep 2022 10:51:35 +0200
Subject: [PATCH 09/92] fix: Added Traefik Certificate Specification

---
 ccp/docker-compose.yml                      | 5 ++++-
 lib/traefik-configuration/certificates.yaml | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 lib/traefik-configuration/certificates.yaml

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 48bb616..8ac42c8 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -7,7 +7,9 @@ services:
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
-      - --providers.docker=true 
+      - --providers.docker=true
+      - --providers.file.watch=true
+      - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true # print access-logs
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
@@ -24,6 +26,7 @@ services:
       - 443:443
     volumes:
       - ../certs:/tools/certs
+      - ../lib/traefik-configuration/:/configuration
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
new file mode 100644
index 0000000..7a78ce3
--- /dev/null
+++ b/lib/traefik-configuration/certificates.yaml
@@ -0,0 +1,4 @@
+tls:
+  certificates:
+    - certFile: /certs/certificate.pem
+      keyFile: /certs/private-key.pem

From 996e8dbd1bb7e6b5c5497916e259592c66bb121b Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Mon, 26 Sep 2022 10:54:46 +0200
Subject: [PATCH 10/92] refactor: Remove unused Bridgehead Scripts

---
 install-bridgehead.sh   | 32 --------------------------------
 start-bridgehead.sh     | 18 ------------------
 stop-bridgehead.sh      |  8 --------
 uninstall-bridgehead.sh | 10 ----------
 update-bridgehead.sh    | 38 --------------------------------------
 5 files changed, 106 deletions(-)
 delete mode 100755 install-bridgehead.sh
 delete mode 100755 start-bridgehead.sh
 delete mode 100755 stop-bridgehead.sh
 delete mode 100755 uninstall-bridgehead.sh
 delete mode 100755 update-bridgehead.sh

diff --git a/install-bridgehead.sh b/install-bridgehead.sh
deleted file mode 100755
index 389354a..0000000
--- a/install-bridgehead.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-### Note: Currently not complete, needs some features before useable for production
-
-source lib/functions.sh
-
-exitIfNotRoot
-
-if ! ./lib/prerequisites.sh; then
-    log "Prerequisites failed, exiting"
-    exit 1
-fi
-source site.conf
-
-./lib/generate.sh
-
-echo -e "\nInstalling systemd units ..."
-cp -v \
-    lib/systemd/bridgehead\@.service \
-    lib/systemd/bridgehead-update\@.service \
-    lib/systemd/bridgehead-update\@.timer \
-    /etc/systemd/system/
-
-systemctl daemon-reload
-
-if ! systemctl is-active --quiet bridgehead@"${project}"; then
-    echo "Enabling autostart of bridgehead@${project}.service"
-    systemctl enable bridgehead@"${project}"
-    echo "Enabling nightly updates for bridgehead@${project}.service ..."
-    systemctl enable --now bridgehead-update@"${project}".timer
-fi
-
-echo -e "\nDone - now start your bridgehead by running\n\tsystemctl start bridgehead@${project}.service\nor by rebooting your machine."
\ No newline at end of file
diff --git a/start-bridgehead.sh b/start-bridgehead.sh
deleted file mode 100755
index b658c93..0000000
--- a/start-bridgehead.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-### Note: Currently not complete, needs some features before useable for production
-
-source lib/functions.sh
-
-if ! lib/prerequisites.sh; then
-    log "Prerequisites failed, exiting"
-    exit
-fi
-source site.conf
-
-./lib/generate.sh
-
-log "Starting bridgehead"
-
-docker-compose -f <(docker run --rm --volume ${pwd}/${project}/:/tmp/workdir/ samply/templer /tmp/workdir/docker-compose.yml TEST="TEST_0 TEST_1") config
-
-log "The bridgehead should be in online in a few seconds"
diff --git a/stop-bridgehead.sh b/stop-bridgehead.sh
deleted file mode 100755
index 6da0228..0000000
--- a/stop-bridgehead.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash -e
-
-source lib/functions.sh
-source site.conf
-
-log "Stopping bridgehead"
-
-docker-compose -f ${project}/docker-compose.yml --env-file site-config/${project}.env down
diff --git a/uninstall-bridgehead.sh b/uninstall-bridgehead.sh
deleted file mode 100755
index 877ca01..0000000
--- a/uninstall-bridgehead.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -e
-
-source site.conf
-source lib/functions.sh
-
-echo "Stopping systemd services and removing bridgehead ..."
-
-systemctl disable --now bridgehead@${project}.service bridgehead-update@${project}.timer bridgehead-update@${project}.service
-
-rm -v /etc/systemd/system/{bridgehead\@.service,bridgehead-update\@.timer,bridgehead-update\@.service}
diff --git a/update-bridgehead.sh b/update-bridgehead.sh
deleted file mode 100755
index 330d303..0000000
--- a/update-bridgehead.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-service="bridgehead"
-
-source lib/functions.sh
-
-if ! lib/prerequisites.sh; then
-    log "Prerequisites failed, exiting"
-    exit
-fi
-
-log "INFO" "Checking for updates of $service"
-# check prerequisites
-
-# check if updates are available
-old_git_hash="$(git rev-parse --verify HEAD)"
-git fetch 2>&1
-git pull 2>&1
-new_git_hash="$(git rev-parse --verify HEAD)"
-git_updated="false"
-if [ "$old_git_hash" != "$new_git_hash" ]; then
-  log "INFO" "Pulled new changes from origin"
-  git_updated="true"
-fi
-docker_updated="false"
-for image in $(docker ps --filter "name=$service" --format {{.Image}}); do
-  log "INFO" "Checking for Updates of Image: $image"
-  if docker pull $image | grep "Downloaded newer image"; then
-    log "INFO" "$image updated."
-    docker_updated="true"
-  fi
-done
-if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  log "INFO" "Due to previous updates now restarting $service@$1"
-  systemctl restart "$service@$1.service"
-  ./lib/generate.sh
-fi
-log "INFO" "checking updates finished"
-exit 0

From b95357570c3679818010b2e72cd1761f356bf752 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 29 Sep 2022 16:31:35 +0200
Subject: [PATCH 11/92] fix: Added All Proxy in Beam

---
 ccp/docker-compose.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 8ac42c8..5bc9e61 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -96,8 +96,7 @@ services:
       APP_1_KEY: ${APP_1_KEY}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       RUST_LOG: debug
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
+      ALL_PROXY: http://forward_proxy:3128
     secrets:
       - proxy.pem
     labels:

From ab7565b1502643a65163abf3de8c6bfd8b38e811 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 29 Sep 2022 16:33:50 +0200
Subject: [PATCH 12/92] fix: Switched Spot to Docker Hub Image

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 5bc9e61..a2a6cc7 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -71,7 +71,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: "docker.verbis.dkfz.de/ccp-private/local-spot@sha256:dd57474f9dd0a37ddc45d29fda160eac0070446da974a76cedc78c184b47adda"
+    image: samply/spot:latest
     environment:
       SECRET: ${SECRET}
       APPID: ${APP_0_ID_SHORT}

From caef43ec59f9d1ab9e4496402a4be9b6e0b79280 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 11:49:18 +0200
Subject: [PATCH 13/92] fix: Ensured use of HTTP_PROXY_URL in update job

---
 lib/update-bridgehead.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index b6cd317..6b4e0fe 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -26,9 +26,15 @@ for DIR in /etc/bridgehead $(pwd); do
     git -C $DIR config credential.helper "$CREDHELPER"
   fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
-  git -C $DIR fetch 2>&1
-  git -C $DIR pull 2>&1
-  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
+  if [ -z "$HTTP_PROXY_URL" ]; then
+    log "INFO" "Git is using no proxy!"
+    git -C $DIR fetch 2>&1
+    git -C $DIR pull 2>&1
+  else
+    log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
+    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR fetch 2>&1
+    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR pull 2>&1
+  fi  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"

From da6cf146003d4b8e8dc26c86aff00c9cef9363b1 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 30 Sep 2022 13:42:41 +0200
Subject: [PATCH 14/92] Add missing newline in update-bridgehead.sh

---
 lib/update-bridgehead.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 6b4e0fe..9788ff1 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -34,7 +34,8 @@ for DIR in /etc/bridgehead $(pwd); do
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
     git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR fetch 2>&1
     git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR pull 2>&1
-  fi  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
+  fi
+  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"

From 55f4f66328948f73f7210855d4f49f5559fd4f1e Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 13:54:43 +0200
Subject: [PATCH 15/92] fix: Now using correct Certificates for Traefik

---
 lib/traefik-configuration/certificates.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index 7a78ce3..eb9809a 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,4 @@
 tls:
   certificates:
-    - certFile: /certs/certificate.pem
-      keyFile: /certs/private-key.pem
+    - certFile: /certs/traefik.crt
+      keyFile: /certs/traefik.key

From 4c84d65548bd2d31202afd133e06e3c2845169d3 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 14:20:37 +0200
Subject: [PATCH 16/92] refactor: Use Proxy from Site Config

---
 ccp/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index a2a6cc7..2b05083 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -33,8 +33,8 @@ services:
     container_name: bridgehead-forward-proxy
     image: samply/bridgehead-forward-proxy:develop
     environment:
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
+      http_proxy: ${HTTP_PROXY_URL}
+      https_proxy: ${HTTPS_PROXY_URL}
     volumes:
       - "bridgehead-proxy:/var/log/squid"
     

From 7692c4e889434b366def22cddb2b61c8e488acbd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 15:25:09 +0200
Subject: [PATCH 17/92] Update install scripts and prereqs (sudo)

---
 lib/prerequisites.sh                 |  6 ++++++
 lib/remove-bridgehead-units.sh       |  4 ++++
 lib/setup-bridgehead-units.sh        | 31 +++++++++++++++++++++-------
 lib/systemd/bridgehead-update@.timer |  4 ++--
 lib/systemd/bridgehead@.service      |  3 ++-
 5 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index e04161b..4e03530 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -23,6 +23,12 @@ for prerequisite in $prerequisites; do
   # TODO: Check for specific version
 done
 
+log INFO "Checking if sudo is installed ..."
+if [ ! -d /etc/sudoers.d ]; then
+  log ERROR "/etc/sudoers.d does not exist. Please install sudo package."
+  exit 1
+fi
+
 log INFO "Checking configuration ..."
 
 ## Download submodule
diff --git a/lib/remove-bridgehead-units.sh b/lib/remove-bridgehead-units.sh
index b81b042..36d1dad 100755
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/remove-bridgehead-units.sh
@@ -16,6 +16,10 @@ export PROJECT=$1
 
 #checkRequirements // not needed when uninstalling
 
+log INFO "Removing bridgehead sudoers permissions."
+
+rm -vf /etc/sudoers.d/bridgehead-${PROJECT}
+
 log "INFO" "Stopping system units and removing bridgehead for ${PROJECT} ..."
 
 systemctl disable --now bridgehead@${PROJECT}.service bridgehead-update@${PROJECT}.timer bridgehead-update@${PROJECT}.service
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index dc3f9fb..f2c213c 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 
 source lib/functions.sh
 
@@ -18,6 +18,18 @@ export PROJECT=$1
 
 checkRequirements
 
+log "INFO" "Allowing the bridgehead user to start/stop the bridgehead."
+
+cat <<EOF > /etc/sudoers.d/bridgehead-"${PROJECT}"
+# This has been added by the Bridgehead installer. Remove with bridgehead uninstall.
+Cmnd_Alias BRIDGEHEAD${PROJECT} = \\
+    /bin/systemctl start   bridgehead@${PROJECT}.service, \\
+    /bin/systemctl stop    bridgehead@${PROJECT}.service, \\
+    /bin/systemctl restart bridgehead@${PROJECT}.service
+
+bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT}
+EOF
+
 log "INFO" "Register system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
@@ -27,11 +39,14 @@ cp -v \
 
 systemctl daemon-reload
 
-if ! systemctl is-active --quiet bridgehead@"${PROJECT}"; then
-    log "INFO" "Enabling autostart of bridgehead@${PROJECT}.service"
-    systemctl enable bridgehead@"${PROJECT}"
-    log "INFO" "Enabling nightly updates for bridgehead@${PROJECT}.service ..."
-    systemctl enable --now bridgehead-update@"${PROJECT}".timer
-fi
+log INFO "Trying to update your bridgehead ..."
 
-log "INFO" "\nDone - now start your bridgehead by running\n\tsystemctl start bridgehead@${PROJECT}.service\nor by rebooting your machine."
+systemctl start bridgehead-update@"${PROJECT}".service
+
+log "INFO" "Enabling autostart of bridgehead@${PROJECT}.service"
+systemctl enable bridgehead@"${PROJECT}".service
+
+log "INFO" "Enabling auto-updates for bridgehead@${PROJECT}.service ..."
+systemctl enable --now bridgehead-update@"${PROJECT}".timer
+
+log "INFO" "\nSuccess - now start your bridgehead by running\n            systemctl start bridgehead@${PROJECT}.service\n          or by rebooting your machine."
diff --git a/lib/systemd/bridgehead-update@.timer b/lib/systemd/bridgehead-update@.timer
index ce44814..4c8fada 100644
--- a/lib/systemd/bridgehead-update@.timer
+++ b/lib/systemd/bridgehead-update@.timer
@@ -1,8 +1,8 @@
 [Unit]
-Description=Nightly Updates of Bridgehead (%i)
+Description=Hourly Updates of Bridgehead (%i)
 
 [Timer]
-OnCalendar=*-*-* 03:00:00
+OnCalendar=*-*-* *:00:00
 
 [Install]
 WantedBy=basic.target
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 4458d9a..c387c71 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -1,5 +1,6 @@
 [Unit]
-Description=Bridgehead (%i) Service
+Description=Bridgehead (%i)
+Requires=docker.service
 
 [Service]
 User=bridgehead

From d89c08702ce6e26c743c69842c5f9341a7fdf3f5 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 15:35:37 +0200
Subject: [PATCH 18/92] Update deployment

---
 lib/setup-bridgehead-units.sh | 11 ++++++-----
 lib/update-bridgehead.sh      |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index f2c213c..a1393c2 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -22,12 +22,13 @@ log "INFO" "Allowing the bridgehead user to start/stop the bridgehead."
 
 cat <<EOF > /etc/sudoers.d/bridgehead-"${PROJECT}"
 # This has been added by the Bridgehead installer. Remove with bridgehead uninstall.
-Cmnd_Alias BRIDGEHEAD${PROJECT} = \\
-    /bin/systemctl start   bridgehead@${PROJECT}.service, \\
-    /bin/systemctl stop    bridgehead@${PROJECT}.service, \\
-    /bin/systemctl restart bridgehead@${PROJECT}.service
+Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
+    /bin/systemctl start bridgehead@${PROJECT}.service, \\
+    /bin/systemctl stop bridgehead@${PROJECT}.service, \\
+    /bin/systemctl restart bridgehead@${PROJECT}.service, \\
+    /bin/systemctl restart bridgehead@*.service
 
-bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT}
+bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 9788ff1..9bb73bd 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -70,7 +70,7 @@ done
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
   log "INFO" "Update detected, now restarting bridgehead"
-  systemctl restart 'bridgehead@*'
+  sudo /bin/systemctl restart bridgehead@*.service
 else
   log "INFO" "Nothing updated, nothing to restart."
 fi

From 69b33941c4db72217407508be484e12396d2e373 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 30 Sep 2022 16:05:36 +0200
Subject: [PATCH 19/92] Derive spot variables

---
 bridgehead             | 12 +++++++++---
 ccp/docker-compose.yml | 16 ++++++++--------
 ccp/vars               |  7 +++++++
 3 files changed, 24 insertions(+), 11 deletions(-)
 create mode 100644 ccp/vars

diff --git a/bridgehead b/bridgehead
index 20616e6..35442c9 100755
--- a/bridgehead
+++ b/bridgehead
@@ -41,14 +41,20 @@ case "$PROJECT" in
 		;;
 esac
 
+# Load variables from /etc/bridgehead and /srv/docker/bridgehead
+set -a
+source /etc/bridgehead/$PROJECT.conf
+fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
+[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
+set +a
+
 case "$ACTION" in
 	start)
 		checkRequirements
-		fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
-		exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up
+		exec docker-compose -f ./$PROJECT/docker-compose.yml up
 		;;
 	stop)
-		exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf down
+		exec docker-compose -f ./$PROJECT/docker-compose.yml down
 		;;
 	update)
 		exec ./lib/update-bridgehead.sh $PROJECT
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2b05083..161e495 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -73,10 +73,10 @@ services:
   spot:
     image: samply/spot:latest
     environment:
-      SECRET: ${SECRET}
-      APPID: ${APP_0_ID_SHORT}
+      SECRET: ${SPOT_BEAM_SECRET_LONG}
+      APPID: spot
       PROXY_ID: ${PROXY_ID}
-      LDM_URL: ${LDM_URL}
+      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
       BEAM_PROXY: http://beam-proxy:8081
     depends_on:
       - "beam-proxy"
@@ -90,10 +90,10 @@ services:
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
-      APP_0_ID: ${APP_0_ID_SHORT}
-      APP_0_KEY: ${APP_0_KEY}
-      APP_1_ID: ${APP_1_ID_SHORT}
-      APP_1_KEY: ${APP_1_KEY}
+      APP_0_ID: spot
+      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      APP_1_ID: report-hub
+      APP_1_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
@@ -111,4 +111,4 @@ volumes:
 
 secrets:
   proxy.pem:
-    file: /etc/bridgehead/pki/${PROXY_ID_SHORT}.priv.pem
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/ccp/vars b/ccp/vars
new file mode 100644
index 0000000..4152fa4
--- /dev/null
+++ b/ccp/vars
@@ -0,0 +1,7 @@
+BROKER_ID=broker.dev.ccp-it.dktk.dkfz.de
+BROKER_URL=https://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"

From 99126a89598961401469dae5b9b177bb8b47cf48 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 4 Oct 2022 10:04:32 +0200
Subject: [PATCH 20/92] Shutdown all docker containers if one fails

... will then be restarted by systemd
---
 bridgehead | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 35442c9..85d9348 100755
--- a/bridgehead
+++ b/bridgehead
@@ -51,7 +51,7 @@ set +a
 case "$ACTION" in
 	start)
 		checkRequirements
-		exec docker-compose -f ./$PROJECT/docker-compose.yml up
+		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
 		;;
 	stop)
 		exec docker-compose -f ./$PROJECT/docker-compose.yml down

From bba1041bed0dcda5ea021630bdb193ff811a9c20 Mon Sep 17 00:00:00 2001
From: Torben Brenner <76154651+torbrenner@users.noreply.github.com>
Date: Wed, 5 Oct 2022 12:52:39 +0200
Subject: [PATCH 21/92] Updated Blaze from v0.17 -> v0.18

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 161e495..65343d6 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -52,7 +52,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.17"
+    image: "samply/blaze:0.18"
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"

From b41e5b23158d0a8e05b1620d3599b19a56a716cd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 5 Oct 2022 19:58:07 +0200
Subject: [PATCH 22/92] Fix permissions on startup. Requires re-install of
 systemd units.

---
 bridgehead                             | 3 +++
 lib/systemd/bridgehead-update@.service | 1 +
 lib/systemd/bridgehead@.service        | 1 +
 3 files changed, 5 insertions(+)

diff --git a/bridgehead b/bridgehead
index 85d9348..eba542d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,6 +65,9 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
+	fixPermissions)
+		chown -R bridgehead /etc/bridgehead .
+		;;
 	*)
 		printUsage
 		exit 1
diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service
index c1d8b4c..e8b42ea 100644
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@@ -4,6 +4,7 @@ Description=Bridgehead (%i) Update Service
 [Service]
 Type=oneshot
 User=bridgehead
+ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
 ExecStart=/srv/docker/bridgehead/bridgehead update %i
 
 [Install]
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index c387c71..f109e5a 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -6,6 +6,7 @@ Requires=docker.service
 User=bridgehead
 Restart=always
 RestartSec=30
+ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
 ExecStart=/srv/docker/bridgehead/bridgehead start %i
 ExecStop=/srv/docker/bridgehead/bridgehead stop %i
 

From 8a6274389459c0c15a8dfcac852c2238c1081b07 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Thu, 6 Oct 2022 10:45:50 +0200
Subject: [PATCH 23/92] Monitoring for bridgehead startup and update (#22)

---
 bridgehead                             | 12 +++++---
 lib/functions.sh                       | 23 +++++++++++----
 lib/gitpassword.sh                     |  5 ++--
 lib/log.sh                             |  5 ++++
 lib/monitoring.sh                      | 41 ++++++++++++++++++++++++++
 lib/prerequisites.sh                   | 16 ++++------
 lib/setup-bridgehead-units.sh          |  4 ++-
 lib/systemd/bridgehead-update@.service |  3 +-
 lib/systemd/bridgehead@.service        |  3 +-
 lib/update-bridgehead.sh               | 19 +++++++-----
 10 files changed, 98 insertions(+), 33 deletions(-)
 create mode 100644 lib/log.sh
 create mode 100755 lib/monitoring.sh

diff --git a/bridgehead b/bridgehead
index eba542d..87d6a1f 100755
--- a/bridgehead
+++ b/bridgehead
@@ -43,14 +43,16 @@ esac
 
 # Load variables from /etc/bridgehead and /srv/docker/bridgehead
 set -a
-source /etc/bridgehead/$PROJECT.conf
-fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
+source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
 case "$ACTION" in
 	start)
+		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
+		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
 		;;
 	stop)
@@ -65,8 +67,10 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
-	fixPermissions)
-		chown -R bridgehead /etc/bridgehead .
+	preRun | preUpdate)
+		fixPermissions
+		;;
+	postRun | postUpdate)
 		;;
 	*)
 		printUsage
diff --git a/lib/functions.sh b/lib/functions.sh
index 3d5a88f..ded0cd9 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1,9 +1,11 @@
 #!/bin/bash -e
 
+source lib/log.sh
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
-    exit 1
+    fail_and_report 1 "Please run as root"
   fi
 }
 
@@ -16,10 +18,6 @@ checkOwner(){
   return 0
 }
 
-log() {
-  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
-}
-
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|nngm|gbn"
@@ -28,7 +26,7 @@ printUsage() {
 checkRequirements() {
 	if ! lib/prerequisites.sh; then
 		log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line."
-		exit 1
+		fail_and_report 1 "Validating prerequisites failed."
 	else
 		return 0
 	fi
@@ -97,6 +95,19 @@ assertVarsNotEmpty() {
 	return 0
 }
 
+fixPermissions() {
+	CHOWN=$(which chown)
+	sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+}
+
+source lib/monitoring.sh
+
+fail_and_report() {
+	log ERROR "$2"
+	hc_send $1 "$2"
+	exit $1
+}
+
 ##Setting Network properties
 export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 export HOST=$(hostname)
diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 25eb9ce..17756d6 100755
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@@ -22,7 +22,7 @@ cd $BASE
 
 source lib/functions.sh
 
-assertVarsNotEmpty SITE_ID || exit 1
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
@@ -30,8 +30,7 @@ GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 
 if [ -z "${GIT_PASSWORD}" ]; then
-	log ERROR "Git password not found."
-	exit 1
+	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 
 cat <<EOF
diff --git a/lib/log.sh b/lib/log.sh
new file mode 100644
index 0000000..e05eee7
--- /dev/null
+++ b/lib/log.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+log() {
+  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
+}
diff --git a/lib/monitoring.sh b/lib/monitoring.sh
new file mode 100755
index 0000000..d9bbf60
--- /dev/null
+++ b/lib/monitoring.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+source lib/log.sh
+
+function hc_set_uuid(){
+    HCUUID="$1"
+}
+
+function hc_set_service(){
+    HCSERVICE="$1"
+}
+
+UPTIME=
+
+function hc_send(){
+    if [ -n "$MONITOR_APIKEY" ]; then
+        hc_set_uuid $MONITOR_APIKEY
+    fi
+
+    if [ -n "$HCSERVICE" ]; then
+        HCURL="https://hc-ping.com/$PING_KEY/$HCSERVICE"
+    fi
+    if [ -n "$HCUUID" ]; then
+        HCURL="https://hc-ping.com/$HCUUID"
+    fi
+    if [ ! -n "$HCURL" ]; then
+        log WARN "Healthcheck reporting failed: Neither Healthcheck UUID nor service set - please check config in /etc/bridgehead"
+        return 1
+    fi
+
+    if [ -z "$UPTIME" ]; then
+        UPTIME=$(docker ps --format '{{.Names}} {{.RunningFor}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+    fi
+
+    if [ -n "$2" ]; then
+        MSG="$2\n\nDocker stats:\n$UPTIME"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+    else
+        https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+    fi
+}
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 4e03530..f4fd3be 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -17,32 +17,28 @@ for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?
   if [ $is_available -gt 0 ]; then
-    log "ERROR" "Prerequisite not fulfilled - $prerequisite is not available!"
-    exit 79
+    fail_and_report 79 "Prerequisite not fulfilled - $prerequisite is not available!"
   fi
   # TODO: Check for specific version
 done
 
 log INFO "Checking if sudo is installed ..."
 if [ ! -d /etc/sudoers.d ]; then
-  log ERROR "/etc/sudoers.d does not exist. Please install sudo package."
-  exit 1
+  fail_and_report 1 "/etc/sudoers.d does not exist. Please install sudo package."
 fi
 
 log INFO "Checking configuration ..."
 
 ## Download submodule
 if [ ! -d "/etc/bridgehead/" ]; then
-  log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
-  exit 1
+  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
 fi
 
 # TODO: Check all required variables here in a generic loop
 
 #check if project env is present
 if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
-   log ERROR "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
-   exit 1
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
 fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
@@ -60,11 +56,11 @@ fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
 	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
-		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
-		exit 1
+    fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
 	fi
 fi
 
 log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
 
 exit 0
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index a1393c2..a96e583 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -26,7 +26,9 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl start bridgehead@${PROJECT}.service, \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
-    /bin/systemctl restart bridgehead@*.service
+    /bin/systemctl restart bridgehead@*.service, \\
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service
index e8b42ea..3a7f347 100644
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@@ -4,8 +4,9 @@ Description=Bridgehead (%i) Update Service
 [Service]
 Type=oneshot
 User=bridgehead
-ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
+ExecStartPre=-/srv/docker/bridgehead/bridgehead preUpdate %i
 ExecStart=/srv/docker/bridgehead/bridgehead update %i
+ExecStopPost=-/srv/docker/bridgehead/bridgehead postUpdate %i
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index f109e5a..7645793 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -6,9 +6,10 @@ Requires=docker.service
 User=bridgehead
 Restart=always
 RestartSec=30
-ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
+ExecStartPre=-/srv/docker/bridgehead/bridgehead preRun %i
 ExecStart=/srv/docker/bridgehead/bridgehead start %i
 ExecStop=/srv/docker/bridgehead/bridgehead stop %i
+ExecStopPost=-/srv/docker/bridgehead/bridgehead postRun %i
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 9bb73bd..162d592 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,20 +1,21 @@
 #!/bin/bash
 source lib/functions.sh
 
+hc_send log "Updating bridgehead ..."
+
 CONFFILE=/etc/bridgehead/$1.conf
 
 if [ ! -e $CONFFILE ]; then
-  log ERROR "Configuration file $CONFFILE not found."
-  exit 1
+  fail_and_report 1 "Configuration file $CONFFILE not found."
 fi
 
 source $CONFFILE
 
-assertVarsNotEmpty SITE_ID || exit 1
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "Update failed: SITE_ID empty"
 export SITE_ID
 
-checkOwner . bridgehead || exit 1
-checkOwner /etc/bridgehead bridgehead || exit 1
+checkOwner . bridgehead || fail_and_report 1 "Update failed: Wrong permissions in $(pwd)"
+checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
 CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
@@ -69,10 +70,14 @@ done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  log "INFO" "Update detected, now restarting bridgehead"
+  RES="Update detected, now restarting bridgehead"
+  log "INFO" "$RES"
+  hc_send log "$RES"
   sudo /bin/systemctl restart bridgehead@*.service
 else
-  log "INFO" "Nothing updated, nothing to restart."
+  RES="Nothing updated, nothing to restart."
+  log "INFO" "$RES"
+  hc_send log "$RES"
 fi
 
 exit 0

From 2fb57980eef3a4f51fbe90025d508396045ff25a Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:04:24 +0200
Subject: [PATCH 24/92] Format docker status table

---
 lib/monitoring.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index d9bbf60..b6384b0 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -29,7 +29,7 @@ function hc_send(){
     fi
 
     if [ -z "$UPTIME" ]; then
-        UPTIME=$(docker ps --format '{{.Names}} {{.RunningFor}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+        UPTIME=$(docker ps --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
     if [ -n "$2" ]; then

From 0f449344195b8724a8905981d6c0afcd2288977d Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:05:36 +0200
Subject: [PATCH 25/92] Clarified log message

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 162d592..a79fece 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 source lib/functions.sh
 
-hc_send log "Updating bridgehead ..."
+hc_send log "Checking for bridgehead updates ..."
 
 CONFFILE=/etc/bridgehead/$1.conf
 

From f7c4bf6ac5cb0def425904b6d9dc9a5a872ca479 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:49:31 +0200
Subject: [PATCH 26/92] Consider stopped docker containers for reports, updates

---
 lib/monitoring.sh        | 2 +-
 lib/update-bridgehead.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index b6384b0..bdd9a35 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -29,7 +29,7 @@ function hc_send(){
     fi
 
     if [ -z "$UPTIME" ]; then
-        UPTIME=$(docker ps --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+        UPTIME=$(docker ps -a --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
     if [ -n "$2" ]; then
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index a79fece..19dd8e7 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -60,7 +60,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     log "INFO" "$IMAGE updated."

From 7b15e02becda271641ebc002955c30dab025d708 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:49:48 +0200
Subject: [PATCH 27/92] Use HTTPS proxy (not http proxy) for git pull

---
 lib/update-bridgehead.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 19dd8e7..ef07590 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -33,8 +33,8 @@ for DIR in /etc/bridgehead $(pwd); do
     git -C $DIR pull 2>&1
   else
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
-    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR fetch 2>&1
-    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR pull 2>&1
+    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1
+    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"

From 67ec348f747b8419f3ab454d9884d50c2bd13179 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 16:27:52 +0200
Subject: [PATCH 28/92] Support docker-compose.override.yml

---
 bridgehead | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 87d6a1f..6ea59e4 100755
--- a/bridgehead
+++ b/bridgehead
@@ -48,15 +48,21 @@ fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Una
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
+OVERRIDE=""
+if [ -f "$PROJECT/docker-compose.override.yml" ]; then
+	log INFO "Apply docker-compose.override.yml"
+	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
+fi
+
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
+		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
-		exec docker-compose -f ./$PROJECT/docker-compose.yml down
+		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
 		exec ./lib/update-bridgehead.sh $PROJECT

From ca45a3dbe9a408e618e33adbff65b6b06c226d21 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 11:06:52 +0200
Subject: [PATCH 29/92] Support /etc/bridgehead/PROJECT.local.conf

---
 bridgehead | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 6ea59e4..5c7d121 100755
--- a/bridgehead
+++ b/bridgehead
@@ -44,13 +44,17 @@ esac
 # Load variables from /etc/bridgehead and /srv/docker/bridgehead
 set -a
 source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
+	log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
+	source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
+fi
 fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
 OVERRIDE=""
 if [ -f "$PROJECT/docker-compose.override.yml" ]; then
-	log INFO "Apply docker-compose.override.yml"
+	log INFO "Applying $PROJECT/docker-compose.override.yml"
 	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
 fi
 

From f7742f2a2bfb0e2d9292ff75c96d7a5dbaa095f7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 13:28:51 +0200
Subject: [PATCH 30/92] Make traefik volumes read-only

---
 ccp/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65343d6..d78a842 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,8 +25,8 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ../certs:/tools/certs
-      - ../lib/traefik-configuration/:/configuration
+      - ../certs:/tools/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:

From e439510920f36c272fe8ce99efc630849ce0ac9b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 13:29:09 +0200
Subject: [PATCH 31/92] Rename spot container so it shows up in monitoring

---
 ccp/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index d78a842..3ef7f24 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -72,6 +72,7 @@ services:
 
   spot:
     image: samply/spot:latest
+    container_name: bridgehead-spot
     environment:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
       APPID: spot

From 7ecb39d6cede55a820e36900ccca92554782b1f7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 18:29:08 +0200
Subject: [PATCH 32/92] Use new forward proxy

---
 ccp/docker-compose.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 3ef7f24..c446f64 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -31,13 +31,14 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:develop
+    image: samply/bridgehead-forward-proxy:main
     environment:
-      http_proxy: ${HTTP_PROXY_URL}
-      https_proxy: ${HTTPS_PROXY_URL}
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
     volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
   landing:
     container_name: bridgehead-landingpage
     image: samply/bridgehead-landingpage:master
@@ -60,7 +61,7 @@ services:
       LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
-    - "blaze-data:/app/data"
+      - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
@@ -98,17 +99,19 @@ services:
       PRIVKEY_FILE: /run/secrets/proxy.pem
       RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
     labels:
       - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 
 
 volumes:
   blaze-data:
-  bridgehead-proxy:
 
 secrets:
   proxy.pem:

From 0f1cb966badaa95997b4636840ff1197d8b755c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 11 Oct 2022 18:36:42 +0200
Subject: [PATCH 33/92] Use tag latest for forward proxy

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index c446f64..bc8fdf2 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:main
+    image: samply/bridgehead-forward-proxy:latest
     environment:
       HTTPS_PROXY: ${HTTPS_PROXY_URL}
       USERNAME: ${HTTPS_PROXY_USERNAME}

From e273e97d9cfa1fb351743ae4db4227e2ee6a368d Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Mon, 17 Oct 2022 14:38:34 +0200
Subject: [PATCH 34/92] Certificate enrollment (#24)

---
 bridgehead           |  8 ++++++++
 ccp/vars             |  2 ++
 lib/functions.sh     |  2 +-
 lib/prerequisites.sh | 11 ++++++++++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 5c7d121..5548a7d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -77,6 +77,14 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
+	enroll)
+		if [ -e $PRIVATEKEYFILENAME ]; then
+			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
+			exit 1
+		fi
+		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+		chmod 600 $PRIVATEKEYFILENAME
+		;;
 	preRun | preUpdate)
 		fixPermissions
 		;;
diff --git a/ccp/vars b/ccp/vars
index 4152fa4..ce12d1a 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/lib/functions.sh b/lib/functions.sh
index ded0cd9..5059829 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -19,7 +19,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
+	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|nngm|gbn"
 }
 
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index f4fd3be..2709a6f 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -43,7 +43,7 @@ fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
-log INFO "Checking ssl cert"
+log INFO "Checking ssl cert for accessing bridgehead via https"
 
 if [ ! -d "certs" ]; then
   log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
@@ -60,6 +60,15 @@ if [ -e /etc/bridgehead/vault.conf ]; then
 	fi
 fi
 
+log INFO "Checking your beam proxy private key"
+
+if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+	log INFO "Success - private key found."
+else
+	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+	exit 1
+fi
+
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

From f8b9aed7f52b1c0774b94afbbac20d23aad612eb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:09:18 +0200
Subject: [PATCH 35/92] Cleaning

---
 .gitignore             |   8 +--
 ccp/docker-compose.yml |   4 +-
 lib/generate.sh        | 116 -----------------------------------------
 lib/log.sh             |   0
 lib/prerequisites.sh   |  20 +++----
 site.dev.conf          |  11 ----
 6 files changed, 13 insertions(+), 146 deletions(-)
 delete mode 100755 lib/generate.sh
 mode change 100644 => 100755 lib/log.sh
 delete mode 100644 site.dev.conf

diff --git a/.gitignore b/.gitignore
index d6c86b5..2c4c7ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,10 +3,4 @@
 site-config/*
 
 ## Ignore site configuration
-config/**/*
-!config/**/*.default
-landing/*
-docker-compose.override.yml
-site.conf
-auth/*
-certs/*
+*/docker-compose.override.yml
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65343d6..2539d8e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,8 +25,8 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ../certs:/tools/certs
-      - ../lib/traefik-configuration/:/configuration
+      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:
diff --git a/lib/generate.sh b/lib/generate.sh
deleted file mode 100755
index 9673055..0000000
--- a/lib/generate.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-
-if [ ! -d ./landing ]
-then 
-  mkdir landing
-fi
-
-if [ ! -f ./landing/index.html ]
-then
-  touch index.html
-fi
-
-CENTRAL_SERVICES="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
-          </tr>"
-
-LOCAL_SERVICES="          <tr>
-            <td>Bridgehead</td>
-            <td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
-          </tr>"
-
-if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
-then
-    CENTRAL_SERVICES+="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
-          </tr>
-          "
-fi
-
-if [ "$project" = "dktk-fed" ]
-then 
-    LOCAL_SERVICES+="         <tr>
-            <td>DKTK</td>
-            <td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
-          </tr>
-          "
-fi
-
-cat > ./landing/index.html <<EOL
-<html lang="en">
-
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <meta name="description" content="">
-  <title>Bridgehead Overview</title>
-  <!-- Bootstrap core CSS -->
-  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
-    integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
-  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
-    integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
-    crossorigin="anonymous"></script>
-
-</head>
-
-<body class="d-flex flex-column min-vh-100">
-
-  <nav class="navbar navbar-light" style="background-color: #aad7f6;">
-    <h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
-  </nav>
-  <div class="container px-4 py-5" id="featured-3">
-    <div>
-      <h2>Components</h2>
-      <h3>Central</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Group</th>
-            <th style="width: 50%">Service</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${CENTRAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-
-    <div>
-      <h3>Local</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Project</th>
-            <th style="width: 50%">Services</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${LOCAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-    <footer class="footer mt-auto py-3">
-     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
-    </footer>
-</body>
-
-</html>
-EOL
\ No newline at end of file
diff --git a/lib/log.sh b/lib/log.sh
old mode 100644
new mode 100755
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 2709a6f..689f383 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -45,28 +45,28 @@ fi
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "certs" ]; then
-  log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
-  mkdir -p certs
+if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
+  log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
+  mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "certs/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
-	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
-	fi
+  fi
 fi
 
 log INFO "Checking your beam proxy private key"
 
 if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-	log INFO "Success - private key found."
+  log INFO "Success - private key found."
 else
-	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
-	exit 1
+  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+  exit 1
 fi
 
 log INFO "Success - all prerequisites are met!"
diff --git a/site.dev.conf b/site.dev.conf
deleted file mode 100644
index 94e315d..0000000
--- a/site.dev.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-### This is the configuration file for secrets, only your site should know
-
-##Setting Network properties
-export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-export HOST=
-
-export site_name=
-### Write the Project you want to start with the brigdehead
-##Exmaple project=dktk-fed
-export project=

From 9658f6ed2e36a6c5aa0abcda95adfbec637bc702 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:21:12 +0200
Subject: [PATCH 36/92] Fix traefik cert

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2539d8e..3116eac 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,7 +25,7 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - /etc/bridgehead/traefik-tls:/certs:ro
       - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 

From a8a33291a75527f8f6ecef0a47eacada2d7a75f4 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:30:43 +0200
Subject: [PATCH 37/92] Rename traefik certificate/key

---
 lib/prerequisites.sh                        | 4 ++--
 lib/traefik-configuration/certificates.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 689f383..2738620 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -50,8 +50,8 @@ if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index eb9809a..2644333 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,4 @@
 tls:
   certificates:
-    - certFile: /certs/traefik.crt
-      keyFile: /certs/traefik.key
+    - certFile: /certs/fullchain.pem
+      keyFile: /certs/privkey.pem

From f72a185dbba6cdd618f3e3e065b805d32e1b5555 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:07:25 +0200
Subject: [PATCH 38/92] Be more specific about what changed on an update

---
 lib/update-bridgehead.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index ef07590..eefa38a 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -19,6 +19,8 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
 
 CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
+CHANGES=""
+
 # Check git updates
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
@@ -39,7 +41,9 @@ for DIR in /etc/bridgehead $(pwd); do
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
-    log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
     git_repository_url="$(git -C $DIR remote get-url origin)"
@@ -63,14 +67,16 @@ docker_updated="false"
 for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
-    log "INFO" "$IMAGE updated."
+    CHANGE="Image $IMAGE updated."
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     docker_updated="true"
   fi
 done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  RES="Update detected, now restarting bridgehead"
+  RES="Updates detected, now restarting bridgehead:\n$CHANGES"
   log "INFO" "$RES"
   hc_send log "$RES"
   sudo /bin/systemctl restart bridgehead@*.service

From 17c6a2b0e0d2225393836dee2f666650cc887624 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:11:34 +0200
Subject: [PATCH 39/92] Fix git update detection

---
 lib/update-bridgehead.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index eefa38a..dc108f5 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -22,6 +22,7 @@ CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 CHANGES=""
 
 # Check git updates
+git_updated="false"
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
@@ -39,10 +40,9 @@ for DIR in /etc/bridgehead $(pwd); do
     git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
-  git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
@@ -68,7 +68,7 @@ for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*im
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     docker_updated="true"
   fi

From 2b788358728a786a0739f412e51dfc15b4b8bad7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 20 Oct 2022 16:55:05 +0200
Subject: [PATCH 40/92] Add housekeeping task (docker image cleanup)

---
 lib/update-bridgehead.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index dc108f5..e64abd6 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,6 +1,17 @@
 #!/bin/bash
 source lib/functions.sh
 
+AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
+
+if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
+	A="Performing automatic maintenance: Cleaning docker images."
+	hc_send log "$A"
+	log INFO "$A"
+	docker system prune -a -f
+else
+	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
+fi
+
 hc_send log "Checking for bridgehead updates ..."
 
 CONFFILE=/etc/bridgehead/$1.conf

From 07c0c4534e4067eec5cedd10d561dd8b584f4c35 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 11:45:01 +0200
Subject: [PATCH 41/92] Make this work for BBMRI-ERIC

---
 bbmri/docker-compose.yml       | 116 +++++++++++++++++++++++++++++++++
 bbmri/vars                     |   7 ++
 bridgehead                     |   2 +-
 gbn/docker-compose.yml         | 100 ----------------------------
 lib/functions.sh               |   2 +-
 lib/remove-bridgehead-units.sh |   4 +-
 lib/setup-bridgehead-units.sh  |   4 +-
 7 files changed, 129 insertions(+), 106 deletions(-)
 create mode 100644 bbmri/docker-compose.yml
 create mode 100644 bbmri/vars
 delete mode 100644 gbn/docker-compose.yml

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
new file mode 100644
index 0000000..825ec6a
--- /dev/null
+++ b/bbmri/docker-compose.yml
@@ -0,0 +1,116 @@
+version: "3.7"
+
+services:
+  traefik:
+    container_name: bridgehead-traefik
+    image: traefik:latest
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker=true
+      - --providers.file.watch=true
+      - --providers.file.directory=/configuration/
+      - --api.dashboard=true
+      - --accesslog=true # print access-logs
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+    labels:
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.middlewares=auth"
+      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /etc/bridgehead/traefik-tls:/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  forward_proxy:
+    container_name: bridgehead-forward-proxy
+    image: samply/bridgehead-forward-proxy:latest
+    environment:
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
+  landing:
+    container_name: bridgehead-landingpage
+    image: samply/bridgehead-landingpage:master
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
+    environment:
+      HOST: ${HOST}
+      PROJECT: ${PROJECT}
+      SITE_NAME: ${SITE_NAME}
+
+  blaze:
+    image: "samply/blaze:0.18"
+    container_name: bridgehead-ccp-blaze
+    environment:
+      BASE_URL: "http://bridgehead-ccp-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      LOG_LEVEL: "debug"
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
+      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
+      - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.tls=true"
+
+  spot:
+    image: samply/spot:latest
+    container_name: bridgehead-spot
+    environment:
+      SECRET: ${SPOT_BEAM_SECRET_LONG}
+      APPID: spot
+      PROXY_ID: ${PROXY_ID}
+      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
+      BEAM_PROXY: http://beam-proxy:8081
+    depends_on:
+      - "beam-proxy"
+      - "blaze"
+    labels:
+      - "traefik.enable=false"
+
+  beam-proxy:
+    image: "samply/beam-proxy:develop"
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_0_ID: spot
+      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      RUST_LOG: debug
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+    secrets:
+      - proxy.pem
+    labels:
+      - "traefik.enable=false"
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+
+
+volumes:
+  blaze-data:
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bbmri/vars b/bbmri/vars
new file mode 100644
index 0000000..8faa106
--- /dev/null
+++ b/bbmri/vars
@@ -0,0 +1,7 @@
+BROKER_ID=broker.bbmri.samply.de
+BROKER_URL=https://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=tomasik@mail.muni.cz
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bridgehead b/bridgehead
index 5548a7d..fe4bb19 100755
--- a/bridgehead
+++ b/bridgehead
@@ -32,7 +32,7 @@ case "$PROJECT" in
 	nngm)
 		#nothing extra to do
 		;;
-	gbn)
+	bbmri)
 		#nothing extra to do
 		;;
 	*)
diff --git a/gbn/docker-compose.yml b/gbn/docker-compose.yml
deleted file mode 100644
index 476d355..0000000
--- a/gbn/docker-compose.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-version: '3.7'
-
-volumes:
-  gbn-connector-logs:
-  gbn-connector-db-data:
-  gbn-store-db-data:
-
-services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: traefik:2
-    command:
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --api.dashboard=true
-      - --accesslog=true # print access-logs
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    labels:
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - ../certs:/tools/certs
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
-
-  forward_proxy:
-    container_name: bridgehead-forward-proxy
-    image: ubuntu/squid
-    environment:
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
-    volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
-  blaze:
-    image: "samply/blaze:0.17"
-    container_name: bridgehead-gbn-blaze
-    environment:
-      BASE_URL: "http://blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
-      LOG_LEVEL: "debug"
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-    - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.gbn-auth.basicauth.users=${bc_auth_users}"
-      - "traefik.http.routers.blaze_gbn.rule=PathPrefix(`/gbn-localdatamanagement`)"
-      - "traefik.http.middlewares.gbn_b_strip.stripprefix.prefixes=/gbn-localdatamanagement"
-      - "traefik.http.services.blaze_gbn.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_gbn.middlewares=gbn_b_strip,gbn-auth"
-      - "traefik.http.routers.blaze_gbn.tls=true"
-
-  gbn-connector:
-    container_name: bridgehead-gbn-connector
-    image: "samply/share-client:gbn-feature-environmentPreconfiguration"
-    environment:
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASS}
-    volumes:
-      - "gbn-connector-logs:/usr/local/tomcat/logs"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.gbn_connector.rule=PathPrefix(`/gbn-connector`)"
-      - "traefik.http.services.gbn_connector.loadbalancer.server.port=8080"
-    depends_on:
-      - "gbn-connector-db"
-    restart: "always"
-
-  gbn-connector-db:
-    image: "postgres:10.17"
-    environment:
-      POSTGRES_DB: "samply.connector"
-      POSTGRES_USER: "samply"
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASS}
-    volumes:
-      - "gbn-connector-db-data:/var/lib/postgresql/data"
-    restart: "always"
diff --git a/lib/functions.sh b/lib/functions.sh
index 5059829..e26d452 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -20,7 +20,7 @@ checkOwner(){
 
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|nngm|gbn"
+	echo "PROJECTNAME should be one of ccp|nngm|bbmri"
 }
 
 checkRequirements() {
diff --git a/lib/remove-bridgehead-units.sh b/lib/remove-bridgehead-units.sh
index 36d1dad..fa63ef4 100755
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/remove-bridgehead-units.sh
@@ -7,8 +7,8 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
-    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
+    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
     exit 1
 fi
 
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index a96e583..57f7df5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -9,8 +9,8 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
-    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
+    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
     exit 1
 fi
 

From aa595d2ea250afc49d8bb9e30faa325bbbd86887 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 12:07:07 +0200
Subject: [PATCH 42/92] Remove landing page for BBMRI

---
 bbmri/docker-compose.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 825ec6a..4b22589 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,18 +39,18 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage:master
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
+#  landing:
+#    container_name: bridgehead-landingpage
+#    image: samply/bridgehead-landingpage:master
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+#      - "traefik.http.services.landing.loadbalancer.server.port=80"
+#      - "traefik.http.routers.landing.tls=true"
+#    environment:
+#      HOST: ${HOST}
+#      PROJECT: ${PROJECT}
+#      SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"

From b18b98e7929557b4a190cfc504a03a1abb60a9b0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Wed, 26 Oct 2022 10:10:31 +0200
Subject: [PATCH 43/92] Make bridgehead-update ignore commented out docker
 images

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index e64abd6..7212d13 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -75,7 +75,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

From d2848342893fcce331852f0cd81a10f325b4422e Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Wed, 26 Oct 2022 10:13:38 +0200
Subject: [PATCH 44/92] Use official BBMRI-ERIC support e-mail

---
 bbmri/vars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/vars b/bbmri/vars
index 8faa106..6fb693d 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -3,5 +3,5 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
-SUPPORT_EMAIL=tomasik@mail.muni.cz
+SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

From 3351e696af7416226fa52e391c7a3e6eee945198 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:44:32 +0200
Subject: [PATCH 45/92] Don't pull ubuntu image on every startup. Use server's
 full hostname.

---
 lib/functions.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index e26d452..e3df4ad 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -109,8 +109,11 @@ fail_and_report() {
 }
 
 ##Setting Network properties
-export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-export HOST=$(hostname)
+# currently not needed
+#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+
+export HOST=$(hostname -f)
+
 export PRODUCTION="false";
 if [ "$(git branch --show-current)" == "main" ]; then
 	export PRODUCTION="true";

From 404e5440b8aa136b65fa7aa5f23a62e66e8dda6d Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 11:50:21 +0200
Subject: [PATCH 46/92] Support nngm within CCP bridgehead

---
 bridgehead              |  4 +-
 ccp/nngm-compose.yml    | 32 +++++++++++++++
 ccp/nngm-setup.sh       | 10 +++++
 ccp/vars                |  4 ++
 nngm/docker-compose.yml | 86 -----------------------------------------
 5 files changed, 48 insertions(+), 88 deletions(-)
 create mode 100644 ccp/nngm-compose.yml
 create mode 100644 ccp/nngm-setup.sh
 delete mode 100644 nngm/docker-compose.yml

diff --git a/bridgehead b/bridgehead
index fe4bb19..e1e1d0b 100755
--- a/bridgehead
+++ b/bridgehead
@@ -52,10 +52,10 @@ fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Una
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
-OVERRIDE=""
+OVERRIDE=${OVERRIDE:=""}
 if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 	log INFO "Applying $PROJECT/docker-compose.override.yml"
-	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
+	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
 fi
 
 case "$ACTION" in
diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
new file mode 100644
index 0000000..c212fed
--- /dev/null
+++ b/ccp/nngm-compose.yml
@@ -0,0 +1,32 @@
+version: "3.7"
+
+services:
+  connector:
+    container_name: bridgehead-connector
+    image: docker.verbis.dkfz.de/ccp/connector:bk2
+    environment:
+      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
+      NNGM_MAGICPL_APIKEY: ${NNGM_MAGICPL_APIKEY}
+      NNGM_MAINZELLISTE_APIKEY: ${NNGM_MAINZELLISTE_APIKEY}
+      NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
+      NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"
+      - "traefik.http.services.connector.loadbalancer.server.port=8080"
+      - "traefik.http.routers.connector.tls=true"
+
+  connector_db:
+    image: postgres:9.5-alpine
+    container_name: bridgehead-ccp-connector-db
+    volumes:
+      - "connector_db_data:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: "samplyconnector"
+      POSTGRES_USER: "samplyconnector"
+      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
+    restart: always
+
+volumes:
+  connector_db_data:
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
new file mode 100644
index 0000000..08a6d43
--- /dev/null
+++ b/ccp/nngm-setup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+function nngmSetup() {
+	if [ -n "$NNGM_CTS_APIKEY" ]; then
+		log INFO "nNGM setup detected -- will start nNGM Connector."
+		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
+	fi
+}
+
+CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
diff --git a/ccp/vars b/ccp/vars
index ce12d1a..f5f734e 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -7,3 +7,7 @@ REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g'
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+# This will load nngm setup. Effective only if nngm configuration is defined.
+source $PROJECT/nngm-setup.sh
+nngmSetup
diff --git a/nngm/docker-compose.yml b/nngm/docker-compose.yml
deleted file mode 100644
index 3b28580..0000000
--- a/nngm/docker-compose.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-version: "3.7"
-
-services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: traefik:2.4
-    command:
-      - --api.insecure=true
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    ports:
-      - 80:80
-      - 443:443
-      - 8080:8080
-    volumes:
-      - ../certs:/tools/certs
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
-
-  ### Does need to know the outside proxy to connect central components
-  forward_proxy:
-    container_name: bridgehead-squid
-    image: ubuntu/squid
-    environment:
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
-    volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
-## Needs internal proxy config
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
-  nngm-connector:
-      container_name: bridgehead-nngm-connector
-      image: "samply/share-client:nngm-feature-environmentPreconfiguration"
-      environment:
-        POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-        NNGM_MAGICPL_APIKEY: ${NNGM_MAGICPL_APIKEY}
-        NNGM_MAINZELLISTE_APIKEY: ${NNGM_MAINZELLISTE_APIKEY}
-        NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
-        NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
-      volumes:
-        - "nngm-connector-logs:/usr/local/tomcat/logs"
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.nngm_connector.rule=PathPrefix(`/nngm-connector`)"
-        - "traefik.http.services.nngm_connector.loadbalancer.server.port=8080"
-        - "traefik.http.routers.nngm_connector.tls=true"
-
-      depends_on:
-        - "nngm-connector-db"
-        - "forward_proxy"
-      ports:
-      - 5005:5005
-      restart: "always"
-
-  nngm-connector-db:
-      container_name: bridgehead-nngm-connector-db
-      image: "postgres:10.17"
-      environment:
-        POSTGRES_DB: "share_v2"
-        POSTGRES_USER: "samplyweb"
-        POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-      volumes:
-        - "nngm-connector-db-data:/var/lib/postgresql/data"
-      restart: "always"
-
-volumes:
-  nngm-connector-db-data:
-  nngm-connector-logs:
-  bridgehead-proxy:

From c70be3d5c94dcbaf5919de5d7a58c180510380ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Wed, 26 Oct 2022 16:18:10 +0200
Subject: [PATCH 47/92] Update README.md

---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 0bb72e1..ef0118d 100644
--- a/README.md
+++ b/README.md
@@ -132,6 +132,16 @@ If systemd is not installed, you can start the bridgehead. However, for producti
 
 ## Getting Started
 
+### Quick Start
+
+```mkdir /etc/bridgehead/ && chown -R bridgehead . /etc/bridgehead/```
+```git clone https://github.com/samply/bridgehead.git -b feature/samplyBeam```
+### Migration
+Run:
+```docker-compose down```
+For the old installation of the BH. Then replace the docker volume name for the blaze store in the BH 2.0 docker-compose.yml with the docker volume of the old Blaze store. 
+
+
 ### Installation 
 
 If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.

From 5c65ae96383e358a141be986c35c403cca719604 Mon Sep 17 00:00:00 2001
From: PierreDelpy <p.delpy@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 14:33:38 +0000
Subject: [PATCH 48/92] add port quick solution for ssl cert verification with
 portnumber; genereate persistent connector password

---
 ccp/nngm-compose.yml | 2 ++
 ccp/nngm-setup.sh    | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index c212fed..478af29 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -11,6 +11,8 @@ services:
       NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
       NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
     restart: always
+    ports:
+      - "8080:8080"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 08a6d43..bd1b6aa 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -7,4 +7,5 @@ function nngmSetup() {
 	fi
 }
 
-CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+#CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+CONNECTOR_POSTGRES_PASSWORD="$(echo -n /etc/bridgehead/pki/mannheim.priv.pem | sha256sum | head -c 20)"

From 5e5ed73c919621013e72492810995ac13543d038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Wed, 26 Oct 2022 16:34:47 +0200
Subject: [PATCH 49/92] Update README.md

---
 README.md | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index ef0118d..055a008 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ TOC
       - [docker](#dockerhttpsdocsdockercomget-docker)
       - [systemd](#systemd)
 2. [Getting Started](#getting-started)
+    - [Quick Start](#quick-start)
     - [DKTK](#dktkc4)
     - [C4](#c4)
     - [GBA/BBMRI-ERIC](#gbabbmri-eric)
@@ -134,15 +135,6 @@ If systemd is not installed, you can start the bridgehead. However, for producti
 
 ### Quick Start
 
-```mkdir /etc/bridgehead/ && chown -R bridgehead . /etc/bridgehead/```
-```git clone https://github.com/samply/bridgehead.git -b feature/samplyBeam```
-### Migration
-Run:
-```docker-compose down```
-For the old installation of the BH. Then replace the docker volume name for the blaze store in the BH 2.0 docker-compose.yml with the docker volume of the old Blaze store. 
-
-
-### Installation 
 
 If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.
 
@@ -155,10 +147,6 @@ sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
 
 It is recomended to create a user for the bridgehead service.  This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one.
 
-``` shell
-adduser --no-create-home --disabled-login --ingroup docker --gecos "" bridgehead
-```
-
 ``` shell
 useradd -M -g docker -N -s /sbin/nologin bridgehead
 ```
@@ -168,6 +156,25 @@ After adding the User you need to change the ownership of the directory to the b
 ``` shell
 chown bridgehead /srv/docker/bridgehead/ -R
 ```
+Download the configuration repository:
+
+``` shell
+sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-config /etc/bridgehead;
+```
+Change ownership:
+``` shell
+chown bridgehead /etc/bridgehead/ -R
+```
+Modify SITE_ID and SITE_NAME in bbmri.conf
+RUN:
+
+
+```shell
+sudo /etc/bridgehead/bridgehead enroll bbmri
+```
+```shell
+sudo /srv/docker/bridgehead/bridgehead start bbmri
+```
 
 ### Configuration
 

From 6a27b9a5ad90feb972ebacfb59e5cbe3215986dc Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Thu, 27 Oct 2022 11:58:24 +0200
Subject: [PATCH 50/92] Issue a warning (but don't crash) on missing
 MONITOR_APIKEY

---
 lib/monitoring.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index bdd9a35..8744d7f 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -24,8 +24,8 @@ function hc_send(){
         HCURL="https://hc-ping.com/$HCUUID"
     fi
     if [ ! -n "$HCURL" ]; then
-        log WARN "Healthcheck reporting failed: Neither Healthcheck UUID nor service set - please check config in /etc/bridgehead"
-        return 1
+        log WARN "Did not report Healthcheck: Neither Healthcheck UUID nor service set. Please define MONITOR_APIKEY in /etc/bridgehead."
+        return 0
     fi
 
     if [ -z "$UPTIME" ]; then

From c7f727afff1e69421020d1b6e400e3cf26e662e8 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 08:23:55 +0200
Subject: [PATCH 51/92] Fixed links to bbmri, instead of ccp

---
 bbmri/docker-compose.yml | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 4b22589..b891af7 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,24 +39,24 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
-#  landing:
-#    container_name: bridgehead-landingpage
-#    image: samply/bridgehead-landingpage:master
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-#      - "traefik.http.services.landing.loadbalancer.server.port=80"
-#      - "traefik.http.routers.landing.tls=true"
-#    environment:
-#      HOST: ${HOST}
-#      PROJECT: ${PROJECT}
-#      SITE_NAME: ${SITE_NAME}
+ landing:
+   container_name: bridgehead-landingpage
+   image: samply/bridgehead-landingpage:master
+   labels:
+     - "traefik.enable=true"
+     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+     - "traefik.http.services.landing.loadbalancer.server.port=80"
+     - "traefik.http.routers.landing.tls=true"
+   environment:
+     HOST: ${HOST}
+     PROJECT: ${PROJECT}
+     SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"
-    container_name: bridgehead-ccp-blaze
+    container_name: bridgehead-bbmri-blaze
     environment:
-      BASE_URL: "http://bridgehead-ccp-blaze:8080"
+      BASE_URL: "http://bridgehead-bbmri-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx4g"
       LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
@@ -65,8 +65,8 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
-      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
-      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
+      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
+      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
@@ -78,7 +78,7 @@ services:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
       APPID: spot
       PROXY_ID: ${PROXY_ID}
-      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
+      LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY: http://beam-proxy:8081
     depends_on:
       - "beam-proxy"

From 5755baaf009e8c332750baf44048285ae93d74c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:06:43 +0200
Subject: [PATCH 52/92] Support docker compose as well as docker-compose

---
 bridgehead           | 4 ++--
 lib/prerequisites.sh | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/bridgehead b/bridgehead
index e1e1d0b..b204383 100755
--- a/bridgehead
+++ b/bridgehead
@@ -63,10 +63,10 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
-		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
 		exec ./lib/update-bridgehead.sh $PROJECT
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 2738620..dfd3cdd 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -10,9 +10,15 @@ fi
 checkOwner . bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
+if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
+	COMPOSE="docker compose"
+else
+	COMPOSE="docker-compose"
+fi
+
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
-prerequisites="git docker docker-compose"
+prerequisites="git docker $COMPOSE"
 for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?

From 2aef5f29c304d157967f21eaefe78301692009c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:12:21 +0200
Subject: [PATCH 53/92] Move to functions.sh

---
 bridgehead           | 2 ++
 lib/functions.sh     | 9 +++++++++
 lib/prerequisites.sh | 6 ------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/bridgehead b/bridgehead
index b204383..f18311a 100755
--- a/bridgehead
+++ b/bridgehead
@@ -58,6 +58,8 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
 fi
 
+detectCompose
+
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
diff --git a/lib/functions.sh b/lib/functions.sh
index e3df4ad..b5a03a0 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -2,6 +2,15 @@
 
 source lib/log.sh
 
+detectCompose() {
+	if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
+		COMPOSE="docker compose"
+	else
+		COMPOSE="docker-compose"
+		# This is intended to fail on startup in the next prereq check.
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index dfd3cdd..d90d50e 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -10,12 +10,6 @@ fi
 checkOwner . bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
-if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
-	COMPOSE="docker compose"
-else
-	COMPOSE="docker-compose"
-fi
-
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
 prerequisites="git docker $COMPOSE"

From 6293dc65f03c7cedd8b6649013afba9dd9d2ed15 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:17:14 +0200
Subject: [PATCH 54/92] Fail in prereqs if compose does not exist

---
 lib/prerequisites.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index d90d50e..962c123 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -2,6 +2,8 @@
 
 source lib/functions.sh
 
+detectCompose
+
 if ! id "bridgehead" &>/dev/null; then
   log ERROR "User bridgehead does not exist. Please consult readme for installation."
   exit 1

From 3a668a1ccef395e8fada932bef6693edc23d8bf6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:26:17 +0200
Subject: [PATCH 55/92] Generate consistent nNGM Connector password

---
 ccp/nngm-setup.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index bd1b6aa..0a90813 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -5,7 +5,5 @@ function nngmSetup() {
 		log INFO "nNGM setup detected -- will start nNGM Connector."
 		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
 	fi
+	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -encrypt -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
-
-#CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-CONNECTOR_POSTGRES_PASSWORD="$(echo -n /etc/bridgehead/pki/mannheim.priv.pem | sha256sum | head -c 20)"

From 0cba5d315ad4303df8f8393551d4c9afaa026c13 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:37:51 +0200
Subject: [PATCH 56/92] Sign, not encrypt, to avoid openssl salt

---
 ccp/nngm-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 0a90813..501d8ce 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -5,5 +5,5 @@ function nngmSetup() {
 		log INFO "nNGM setup detected -- will start nNGM Connector."
 		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
 	fi
-	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -encrypt -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }

From e2f92017c22e665e9ebf9d67f7dd28ccb58433b5 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:04:20 +0200
Subject: [PATCH 57/92] Correcting landing page indent

Original indent was one space, should have been 2 spaces, otherwise
you get parse errors.
---
 bbmri/docker-compose.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index b891af7..42c6d20 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,18 +39,18 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
- landing:
-   container_name: bridgehead-landingpage
-   image: samply/bridgehead-landingpage:master
-   labels:
-     - "traefik.enable=true"
-     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-     - "traefik.http.services.landing.loadbalancer.server.port=80"
-     - "traefik.http.routers.landing.tls=true"
-   environment:
-     HOST: ${HOST}
-     PROJECT: ${PROJECT}
-     SITE_NAME: ${SITE_NAME}
+  landing:
+    container_name: bridgehead-landingpage
+    image: samply/bridgehead-landingpage:master
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
+    environment:
+      HOST: ${HOST}
+      PROJECT: ${PROJECT}
+      SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"

From ef2965f72fa00cb9f75cb267441a0df61175b385 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:37:49 +0200
Subject: [PATCH 58/92] Make traefik use certificates at
 /etc/bridgehead/traefik-tls

---
 ccp/docker-compose.yml                      | 1 -
 lib/traefik-configuration/certificates.yaml | 8 +++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index cd6baf0..edb35c5 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -8,7 +8,6 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
-      - --providers.file.watch=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true # print access-logs
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index 2644333..af392c9 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,6 @@
 tls:
-  certificates:
-    - certFile: /certs/fullchain.pem
-      keyFile: /certs/privkey.pem
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certs/fullchain.pem
+        keyFile: /certs/privkey.pem

From 0dae36c9d9e21b1122621ebaf150469a058ef423 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:41:15 +0200
Subject: [PATCH 59/92] Reconcile BBMRI/CCP traefik configs.

---
 bbmri/docker-compose.yml | 3 +--
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 42c6d20..c49fb6f 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -8,10 +8,9 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
-      - --providers.file.watch=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
-      - --accesslog=true # print access-logs
+      - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index edb35c5..2fb494c 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       - --providers.docker=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
-      - --accesslog=true # print access-logs
+      - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:

From cfdcb8af86e26b1cacfe608d59c0f3f824635f54 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:53:50 +0200
Subject: [PATCH 60/92] Don't expose bridgehead http(s) services by default.

---
 bbmri/docker-compose.yml | 6 ++----
 ccp/docker-compose.yml   | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index c49fb6f..ee35119 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -8,12 +8,14 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
+      - "traefik.enable=true"
       - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
@@ -82,8 +84,6 @@ services:
     depends_on:
       - "beam-proxy"
       - "blaze"
-    labels:
-      - "traefik.enable=false"
 
   beam-proxy:
     image: "samply/beam-proxy:develop"
@@ -99,8 +99,6 @@ services:
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
-    labels:
-      - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
     volumes:
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2fb494c..3074f31 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -8,12 +8,14 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
+      - "traefik.enable=true"
       - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
@@ -82,8 +84,6 @@ services:
     depends_on:
       - "beam-proxy"
       - "blaze"
-    labels:
-      - "traefik.enable=false"
 
   beam-proxy:
     image: "samply/beam-proxy:develop"
@@ -101,8 +101,6 @@ services:
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
-    labels:
-      - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
     volumes:

From 853e1d9283451911a2e5f228c0abb1b492d2f389 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 28 Oct 2022 14:26:57 +0200
Subject: [PATCH 61/92] Make compose check not fail

---
 lib/prerequisites.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 962c123..859b690 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -14,7 +14,7 @@ checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
-prerequisites="git docker $COMPOSE"
+prerequisites="git docker"
 for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?

From 292d71b6c267a1ac631c9d173acc00adbd618034 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 15:14:34 +0200
Subject: [PATCH 62/92] Support docker installation via snap, e.g. Ubuntu 22.04

---
 lib/functions.sh                | 16 ++++++++++++++++
 lib/setup-bridgehead-units.sh   |  6 ++++++
 lib/systemd/bridgehead@.service |  2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index b5a03a0..7367c66 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,6 +11,22 @@ detectCompose() {
 	fi
 }
 
+# https://unix.stackexchange.com/questions/539147
+systemctl-exists() {
+	[ $(systemctl list-unit-files "${1}*" | wc -l) -gt 3 ]
+}
+
+dockerUnitName() {
+	if systemctl-exists docker.service; then
+		echo "docker.service"
+	elif systemctl-exists snap.docker.dockerd.service; then
+		echo "snap.docker.dockerd.service"
+	else
+		log ERROR "Unable to detect docker systemd unit."
+		fail_and_report 1 "Unable to detect docker systemd unit."
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 57f7df5..fa50fd5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -40,6 +40,12 @@ cp -v \
     lib/systemd/bridgehead-update\@.timer \
     /etc/systemd/system/
 
+log INFO "Setting Docker unit ..."
+
+for file in $(find /etc/systemd/system -mindepth 1 -maxdepth 1 -type f -name "bridgehead*"); do
+	sed -i "s/DOCKER_UNIT_NAME/$(dockerUnitName)/g" $file
+done
+
 systemctl daemon-reload
 
 log INFO "Trying to update your bridgehead ..."
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 7645793..253eb8a 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bridgehead (%i)
-Requires=docker.service
+Requires=DOCKER_UNIT_NAME
 
 [Service]
 User=bridgehead

From 5e31da513925d5161aaac8633d7af3596ae50408 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 15:25:06 +0200
Subject: [PATCH 63/92] Unfortunately, we cannot support docker snap
 installations, cf.
 https://askubuntu.com/questions/1374480/docker-compose-installed-with-snap-gives-error-on-yml-file

This reverts commit 292d71b6c267a1ac631c9d173acc00adbd618034.
---
 lib/functions.sh                | 16 ----------------
 lib/setup-bridgehead-units.sh   |  6 ------
 lib/systemd/bridgehead@.service |  2 +-
 3 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 7367c66..b5a03a0 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,22 +11,6 @@ detectCompose() {
 	fi
 }
 
-# https://unix.stackexchange.com/questions/539147
-systemctl-exists() {
-	[ $(systemctl list-unit-files "${1}*" | wc -l) -gt 3 ]
-}
-
-dockerUnitName() {
-	if systemctl-exists docker.service; then
-		echo "docker.service"
-	elif systemctl-exists snap.docker.dockerd.service; then
-		echo "snap.docker.dockerd.service"
-	else
-		log ERROR "Unable to detect docker systemd unit."
-		fail_and_report 1 "Unable to detect docker systemd unit."
-	fi
-}
-
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index fa50fd5..57f7df5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -40,12 +40,6 @@ cp -v \
     lib/systemd/bridgehead-update\@.timer \
     /etc/systemd/system/
 
-log INFO "Setting Docker unit ..."
-
-for file in $(find /etc/systemd/system -mindepth 1 -maxdepth 1 -type f -name "bridgehead*"); do
-	sed -i "s/DOCKER_UNIT_NAME/$(dockerUnitName)/g" $file
-done
-
 systemctl daemon-reload
 
 log INFO "Trying to update your bridgehead ..."
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 253eb8a..7645793 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bridgehead (%i)
-Requires=DOCKER_UNIT_NAME
+Requires=docker.service
 
 [Service]
 User=bridgehead

From b232fdb926236ba0e8ca817ea6e2ebca59a66f1e Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Wed, 2 Nov 2022 09:30:57 +0100
Subject: [PATCH 64/92] remove http ports

---
 ccp/nngm-compose.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index 478af29..c212fed 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -11,8 +11,6 @@ services:
       NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
       NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
     restart: always
-    ports:
-      - "8080:8080"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"

From 0e10205f1a97179a002b650f4eb31604860ccd5b Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 15:30:14 +0200
Subject: [PATCH 65/92] fix: LDM Password is now generated at Installation

---
 lib/setup-bridgehead-units.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 57f7df5..f99bab0 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -33,6 +33,19 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
+log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+
+log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
+parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd)
+
+mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d
+cat <<EOF > /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf
+[Service]
+Environment=bc_auth_users=${parsed_passwd}
+EOF
+
+
 log "INFO" "Register system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \

From ee3ea2b51416cbd2bf3c58dc333cea977cfb3e3e Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:42:07 +0200
Subject: [PATCH 66/92] Updated README

---
 README.md | 129 +++++-------------------------------------------------
 1 file changed, 12 insertions(+), 117 deletions(-)

diff --git a/README.md b/README.md
index 055a008..06ffcea 100644
--- a/README.md
+++ b/README.md
@@ -204,141 +204,36 @@ To shutdown the bridgehead just run.
 /srv/docker/bridgehead/bridgehead stop <Project>
 ```
 
-### Systemd service configuration
+### Local Datamanagement Security
 
 For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script:
 ``` shell
 sudo /srv/docker/bridgehead/bridgehead install <Project>
 ```
 
-This will install the systemd units to run and update the bridghead.
-
-Finally, you need to configure your sites secrets. These are places as configuration for each bridgehead system unit. Refer to the section for your specific project:
-
-For Every project you need to set the proxy this way, if you have one. This is done with the ```systemctl edit``` comand.
-
-``` shell
-sudo systemctl edit bridgehead@<project>.service;
-sudo systemctl edit bridgehead-update@<project>.service;
-```
-
-``` conf
-[Service]
-Environment=http_proxy=<proxy-url>
-Environment=https_proxy=<proxy-url>
-```
-
-There a further configurations for each project.
-
-#### CCP(DKTK/C4)
-
-For the federate search please follow the basic auth configuration step.
-
-### DKTK/C4
-
-You can create the site specific configuration with: 
-
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
-
-``` conf
-[Service]
-Environment=http_proxy=
-Environment=https_proxy=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@ccp.service;
-```
-
-You can create the site specific configuration with: 
-
-``` shell
-sudo systemctl edit bridgehead@c4.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
-
-``` conf
-[Service]
-Environment=http_proxy=
-Environment=https_proxy=
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-Environment=ML_DB_PASS=
-Environment=MAGICPL_API_KEY=
-Environment=MAGICPL_MAINZELLISTE_API_KEY=
-Environment=MAGICPL_API_KEY_CONNECTOR=
-Environment=MAGICPL_MAINZELLISTE_CENTRAL_API_KEY=
-Environment=MAGICPL_CENTRAL_API_KEY=
-Environment=MAGICPL_OIDC_CLIENT_ID=
-Environment=MAGICPL_OIDC_CLIENT_SECRET=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@c4.service;
-```
-### GBA/BBMRI-ERIC
-
-You can create the site specific configuration with: 
-
-``` shell
-sudo systemctl edit bridgehead@gbn.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
-
-``` conf
-[Service]
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@gbn.service;
-```
-
-## Configuration
+This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead.
 
 ### Basic Auth
 
-For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. If you start the bridgehead without basic auth, then those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions.
+For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. 
+Cation: If you start the bridgehead without the authenfication, then those services are not accesbile.
+We generate such a combination at the first install. Also, we provide a script which generates such a combination for you.
 
 ``` shell
 add_user.sh
 ```
 
-The result needs to be set in either in the systemd service or in your console.
+The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/<project>.local.conf</project>```
 
+It should look like this
 
-#### Console
-
-When just running the bridgehead you need to export the auth variable. Be aware that this export is only for the current session in the environment and after exit it will not be accessible anymore.
-
-``` shell
-export bc_auth_user=<output>
+```conf
+LDM_Password='<project>:$...$.....$...............'
 ```
 
-Cation: you need to escape occrring dollar signs.
+You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```<project>.local.conf``` wiht comma seperation.
+
+## Configuration
 
 #### systemd
 

From ce386f5a2a156f41ea371d3e5262ea601c717b15 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:48:55 +0200
Subject: [PATCH 67/92] fix: Moved LDM Password to /etc/bridgehead

---
 ccp/docker-compose.yml        |  4 ++--
 lib/setup-bridgehead-units.sh | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 3074f31..dfc7d34 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
       - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
     ports:
       - 80:80
       - 443:443
@@ -65,7 +65,7 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index f99bab0..7518f3a 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -33,18 +33,17 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
-log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
-generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
+if [ -z "$LDM_LOGIN" ]; then
+  log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
-log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd)
-
-mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d
-cat <<EOF > /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf
-[Service]
-Environment=bc_auth_users=${parsed_passwd}
-EOF
+  log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
+  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n')
 
+  log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
+  echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"
 cp -v \

From 7ea5e928fcf81f693b7e1e7bcd95b4b4bdcf8233 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 09:26:01 +0100
Subject: [PATCH 68/92] Removed add_bc_user.sh

---
 README.md                     | 20 +++-----------------
 bbmri/docker-compose.yml      |  4 ++--
 lib/add_bc_user.sh            | 10 ----------
 lib/setup-bridgehead-units.sh |  5 +++--
 4 files changed, 8 insertions(+), 31 deletions(-)
 delete mode 100755 lib/add_bc_user.sh

diff --git a/README.md b/README.md
index 06ffcea..0e4c762 100644
--- a/README.md
+++ b/README.md
@@ -215,23 +215,9 @@ This will install the systemd units to run and update the bridghead. Also, this
 
 ### Basic Auth
 
-For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. 
-Cation: If you start the bridgehead without the authenfication, then those services are not accesbile.
-We generate such a combination at the first install. Also, we provide a script which generates such a combination for you.
-
-``` shell
-add_user.sh
-```
-
-The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/<project>.local.conf</project>```
-
-It should look like this
-
-```conf
-LDM_Password='<project>:$...$.....$...............'
-```
-
-You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```<project>.local.conf``` wiht comma seperation.
+For Data protection we use basic authentification for some services. To access those services you need an username and password combination. 
+Caution: If you start the bridgehead without the authentification, then those services are not accessible.
+We generate such a combination at the first install (`/etc/bridgehead/<Project>.local.conf`). 
 
 ## Configuration
 
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index ee35119..4188714 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
       - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
     ports:
       - 80:80
       - 443:443
@@ -65,7 +65,7 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
diff --git a/lib/add_bc_user.sh b/lib/add_bc_user.sh
deleted file mode 100755
index 8185658..0000000
--- a/lib/add_bc_user.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -e
-source lib/functions.sh
-
-log "INFO" "This script add's a user with password to the bridghead"
-
-read -p 'Username: ' bc_user
-read -sp 'Password: ' bc_password
-
-log "INFO" "\nPlease export the line in the your environment. Please replace the dollar signs with with \\\$"
-docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 7518f3a..820d6f6 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -39,10 +39,11 @@ if [ -z "$LDM_LOGIN" ]; then
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n')
+  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
+  printf  "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf;
 
   log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
-  echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+  echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"

From 038d8d69f69be0576516eb78a2ceb23835de06e3 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:19:15 +0100
Subject: [PATCH 69/92] Make LDM password nicer

---
 bbmri/docker-compose.yml      | 3 +--
 bridgehead                    | 1 +
 ccp/docker-compose.yml        | 3 +--
 lib/functions.sh              | 7 +++++++
 lib/setup-bridgehead-units.sh | 7 ++-----
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 4188714..b1a47b5 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -65,11 +65,10 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
diff --git a/bridgehead b/bridgehead
index f18311a..3297c65 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,6 +59,7 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
+setLdmPassword
 
 case "$ACTION" in
 	start)
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index dfc7d34..989cc84 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -65,11 +65,10 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
diff --git a/lib/functions.sh b/lib/functions.sh
index b5a03a0..3dd47cb 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,6 +11,13 @@ detectCompose() {
 	fi
 }
 
+setLdmPassword() {
+	if [ -z "$LDM_PASSWORD" ]; then
+		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
+		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 820d6f6..519f224 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -35,15 +35,12 @@ EOF
 
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_LOGIN" ]; then
-  log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+  log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
   parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
-  printf  "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf;
-
-  log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
-  echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+  echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"

From 6394e1fa822a6b295740866458a246542d64bcc1 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:23:25 +0100
Subject: [PATCH 70/92] Check for LDM_PASSWORD

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 3dd47cb..e55d31a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -12,7 +12,7 @@ detectCompose() {
 }
 
 setLdmPassword() {
-	if [ -z "$LDM_PASSWORD" ]; then
+	if [ -n "$LDM_PASSWORD" ]; then
 		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
 		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
 	fi

From a9864a928c70c1ae42ac8c6b5eb297b3aafb8c91 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:26:29 +0100
Subject: [PATCH 71/92] Remove unnecessary docker run

---
 lib/setup-bridgehead-units.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 519f224..34ab6dc 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -39,7 +39,6 @@ if [ -z "$LDM_LOGIN" ]; then
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 

From 729d4e2c1e242798c80d57ef360f169fb435644c Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:29:52 +0100
Subject: [PATCH 72/92] Check against LDM_PASSWORD

---
 bridgehead                    | 2 +-
 lib/setup-bridgehead-units.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 3297c65..babfaab 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,13 +59,13 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
-setLdmPassword
 
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
+		setLdmPassword
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 34ab6dc..c5bb421 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -34,7 +34,7 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
-if [ -z "$LDM_LOGIN" ]; then
+if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 

From 3ead08fae146b78edd50097f13ef00dec9b78c19 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:38:46 +0100
Subject: [PATCH 73/92] Add export

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index e55d31a..0a0ab0a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -14,7 +14,7 @@ detectCompose() {
 setLdmPassword() {
 	if [ -n "$LDM_PASSWORD" ]; then
 		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
-		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+		export LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
 	fi
 }
 

From 6cd682e42c4b1d2c6fd4e55d2cd789a4a7855416 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:41:05 +0100
Subject: [PATCH 74/92] Add export

---
 bridgehead | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bridgehead b/bridgehead
index babfaab..fc454fd 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,7 +65,9 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
+		set -a
 		setLdmPassword
+		set +a
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)

From 62b8cabb31bb6019f0a74a04b24538201b374ebb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 18:14:11 +0100
Subject: [PATCH 75/92] Fix getting LDM_LOGIN

---
 bridgehead       | 4 +---
 lib/functions.sh | 7 ++++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/bridgehead b/bridgehead
index fc454fd..68e8933 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,9 +65,7 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		set -a
-		setLdmPassword
-		set +a
+		export LDM_LOGIN=$(getLdmPassword)
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
diff --git a/lib/functions.sh b/lib/functions.sh
index 0a0ab0a..6c81d7b 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,10 +11,11 @@ detectCompose() {
 	fi
 }
 
-setLdmPassword() {
+getLdmPassword() {
 	if [ -n "$LDM_PASSWORD" ]; then
-		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
-		export LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+		docker run --rm httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
+	else
+		echo -n ""
 	fi
 }
 

From 1b0fd61863a81626fae76bf18699c7b88043169b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 18:15:45 +0100
Subject: [PATCH 76/92] Make local passwords longer

---
 lib/setup-bridgehead-units.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index c5bb421..d258c0b 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -36,7 +36,7 @@ EOF
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
-  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;

From 6b2168ff1111d5e9dd679c623b633ba2664ba268 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 13:09:11 +0100
Subject: [PATCH 77/92] Allow to read hostname from config file

---
 bridgehead       | 1 +
 lib/functions.sh | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 68e8933..3054ebd 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,6 +59,7 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
+setHostname
 
 case "$ACTION" in
 	start)
diff --git a/lib/functions.sh b/lib/functions.sh
index 6c81d7b..1ac7d60 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -125,12 +125,17 @@ fail_and_report() {
 	exit $1
 }
 
+setHostname() {
+	if [ -z "$HOST" ]; then
+		export HOST=$(hostname -f)
+		log DEBUG "Using auto-detected hostname $HOST."
+	fi
+}
+
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 
-export HOST=$(hostname -f)
-
 export PRODUCTION="false";
 if [ "$(git branch --show-current)" == "main" ]; then
 	export PRODUCTION="true";

From 9b3acb48995dee6334929537a3d4e999d9d5a0f3 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 15:26:27 +0100
Subject: [PATCH 78/92] Report git errors

---
 lib/functions.sh         | 6 +++++-
 lib/update-bridgehead.sh | 9 +++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 6c81d7b..bceb34a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -119,9 +119,13 @@ fixPermissions() {
 
 source lib/monitoring.sh
 
-fail_and_report() {
+report_error() {
 	log ERROR "$2"
 	hc_send $1 "$2"
+}
+
+fail_and_report() {
+	report_error $@
 	exit $1
 }
 
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 7212d13..636c585 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -43,12 +43,13 @@ for DIR in /etc/bridgehead $(pwd); do
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTP_PROXY_URL" ]; then
     log "INFO" "Git is using no proxy!"
-    git -C $DIR fetch 2>&1
-    git -C $DIR pull 2>&1
+    OUT=$(git -C $DIR fetch 2>&1 && git -C $DIR pull 2>&1)
   else
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
-    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1
-    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
+    OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
+  fi
+  if [ $? -ne 0 ]; then
+    report_error 1 "Unable to update git $DIR: $OUT"
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then

From ebc1b87dc2b24e01dfac6c0e28ff2c996da82923 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 15:54:08 +0100
Subject: [PATCH 79/92] feature: Added warning for modified working directories

---
 lib/update-bridgehead.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 636c585..a62f7fa 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -51,6 +51,11 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ $? -ne 0 ]; then
     report_error 1 "Unable to update git $DIR: $OUT"
   fi
+  OUT="$(git -C $DIR status --porcelain)"
+  if [ -n "$OUT" ]; then
+    report_error 1 "The workingdirectory in $DIR is modified. Following files are changed: $OUT"
+  fi
+
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"

From 8c18426d283545323d73d96145f18ec3255695d8 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:12:08 +0100
Subject: [PATCH 80/92] Move warning up

---
 lib/update-bridgehead.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index a62f7fa..69b3887 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -36,6 +36,11 @@ CHANGES=""
 git_updated="false"
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
+  OUT="$(git -C $DIR status --porcelain)"
+  if [ -n "$OUT" ]; then
+    log WARN "The working directory $DIR is modified. Changed files: $OUT"
+    report_error 1 "The working directory $DIR is modified. Changed files: $OUT"
+  fi
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
     log "INFO" "Configuring repo to use bridgehead git credential helper."
     git -C $DIR config credential.helper "$CREDHELPER"
@@ -51,10 +56,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ $? -ne 0 ]; then
     report_error 1 "Unable to update git $DIR: $OUT"
   fi
-  OUT="$(git -C $DIR status --porcelain)"
-  if [ -n "$OUT" ]; then
-    report_error 1 "The workingdirectory in $DIR is modified. Following files are changed: $OUT"
-  fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then

From ceda942731361772f88eb4d890cd01a6e32a317e Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:12:24 +0100
Subject: [PATCH 81/92] Remove errors in old git versions

---
 lib/functions.sh | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index bceb34a..b308abb 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -134,8 +134,3 @@ fail_and_report() {
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 
 export HOST=$(hostname -f)
-
-export PRODUCTION="false";
-if [ "$(git branch --show-current)" == "main" ]; then
-	export PRODUCTION="true";
-fi

From 3234a81aa216b400d7db0beb7885148e5489ee8b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:18:30 +0100
Subject: [PATCH 82/92] Report current git commits

---
 lib/prerequisites.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 859b690..c2a4e34 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,7 +71,10 @@ else
   exit 1
 fi
 
-log INFO "Success - all prerequisites are met!"
-hc_send log "Success - all prerequisites are met!"
+COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+
+log INFO "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
+hc_send log "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
 
 exit 0

From 895ee372964fb208ad96dff352991ee4507e957c Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:18:09 +0100
Subject: [PATCH 83/92] Report git commits in user agent to monitoring

---
 lib/monitoring.sh    | 11 +++++++++--
 lib/prerequisites.sh |  7 ++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index 8744d7f..07509fd 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -11,6 +11,7 @@ function hc_set_service(){
 }
 
 UPTIME=
+USER_AGENT="git-unknown"
 
 function hc_send(){
     if [ -n "$MONITOR_APIKEY" ]; then
@@ -32,10 +33,16 @@ function hc_send(){
         UPTIME=$(docker ps -a --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
+    if [ -z "$USER_AGENT" ]; then
+        COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+        COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        USER_AGENT="srv:$COMMIT_SRV etc:$COMMIT_ETC"
+    fi
+
     if [ -n "$2" ]; then
         MSG="$2\n\nDocker stats:\n$UPTIME"
-        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     else
-        https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     fi
 }
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index c2a4e34..859b690 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,10 +71,7 @@ else
   exit 1
 fi
 
-COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
-COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
-
-log INFO "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
-hc_send log "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
+log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
 
 exit 0

From b28fb2881cea5782b80c9e8d4367592fd400eccd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:20:17 +0100
Subject: [PATCH 84/92] Bugfix

---
 lib/monitoring.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index 07509fd..daa388f 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -11,7 +11,7 @@ function hc_set_service(){
 }
 
 UPTIME=
-USER_AGENT="git-unknown"
+USER_AGENT=
 
 function hc_send(){
     if [ -n "$MONITOR_APIKEY" ]; then

From 865870ea9118af2d8a0886e4ce5dfb0cce09bf65 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:24:23 +0100
Subject: [PATCH 85/92] Until all BBMRI-ERIC bridgeheads are onboarded with
 git, don't consider missing git info an error

---
 lib/update-bridgehead.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 69b3887..3201fc5 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -39,7 +39,7 @@ for DIR in /etc/bridgehead $(pwd); do
   OUT="$(git -C $DIR status --porcelain)"
   if [ -n "$OUT" ]; then
     log WARN "The working directory $DIR is modified. Changed files: $OUT"
-    report_error 1 "The working directory $DIR is modified. Changed files: $OUT"
+    report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
     log "INFO" "Configuring repo to use bridgehead git credential helper."
@@ -54,7 +54,7 @@ for DIR in /etc/bridgehead $(pwd); do
     OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
   fi
   if [ $? -ne 0 ]; then
-    report_error 1 "Unable to update git $DIR: $OUT"
+    report_error log "Unable to update git $DIR: $OUT"
   fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"

From 23aa8f8274704220ac729574ef843ccdfeaa3bf0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 8 Nov 2022 10:54:51 +0100
Subject: [PATCH 86/92] Extra space for nngm compose

---
 ccp/nngm-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 501d8ce..d5b80eb 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -3,7 +3,7 @@
 function nngmSetup() {
 	if [ -n "$NNGM_CTS_APIKEY" ]; then
 		log INFO "nNGM setup detected -- will start nNGM Connector."
-		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
+		OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
 	fi
 	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }

From cb57aad9494f86d796f787870b18dad3209d6c3c Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Mon, 14 Nov 2022 11:51:29 +0100
Subject: [PATCH 87/92]  Updated Documentation

* Removed sections that are no longer relevant
* Added some additional information, particularly regarding registration with Beam and monitoring
* Moved some sections around to get a better structure
---
 README.md | 383 ++++++++++++++++++------------------------------------
 1 file changed, 124 insertions(+), 259 deletions(-)

diff --git a/README.md b/README.md
index 0e4c762..d93cd0e 100644
--- a/README.md
+++ b/README.md
@@ -1,142 +1,74 @@
 # Bridgehead
 
-This repository contains all information and tools to deploy a bridgehead. If you have any questions about deploying a bridgehead, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
+A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
 
 
 TOC
 
-1. [About](#about)
-    - [Projects](#projects)
-        - [GBA/BBMRI-ERIC](#gbabbmri-eric)
-        - [CCP(DKTK/C4)](#ccpdktkc4)
-        - [NNGM](#nngm)
-    - [Bridgehead Components](#bridgehead-components)
-        - [Blaze Server](#blaze-serverhttpsgithubcomsamplyblaze)  
-        - [Connector](#connector) 
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
-    - [System](#system-requirements)
-      - [git](#git)
-      - [docker](#dockerhttpsdocsdockercomget-docker)
-      - [systemd](#systemd)
-2. [Getting Started](#getting-started)
-    - [Quick Start](#quick-start)
-    - [DKTK](#dktkc4)
-    - [C4](#c4)
-    - [GBA/BBMRI-ERIC](#gbabbmri-eric)
-3. [Configuration](#configuration)
-4. [Managing your Bridgehead](#managing-your-bridgehead)
-    - [Systemd](#on-a-server)
-    - [Without Systemd](#on-developers-machine)
-4. [Pitfalls](#pitfalls)
-5. [Migration-guide](#migration-guide)
-7. [License](#license)
-
-
-## About
-
-TODO: Insert comprehensive feature list of the bridgehead? Why would anyone install it?
-
-## Projects
-
-### GBA/BBMRI-ERIC
-
-The **Sample Locator** is a tool that allows researchers to make searches for samples over a large number of geographically distributed biobanks. Each biobank runs a so-called **Bridgehead** at its site, which makes it visible to the Sample Locator.  The Bridgehead is designed to give a high degree of protection to patient data. Additionally, a tool called the [Negotiator][negotiator] puts you in complete control over which samples and which data are delivered to which researcher.
-
-You will most likely want to make your biobanks visible via the [publicly accessible Sample Locator][sl], but the possibility also exists to install your own Sample Locator for your site or organization, see the GitHub pages for [the server][sl-server-src] and [the GUI][sl-ui-src].
-
-The Bridgehead has two primary components:
-* The **Blaze Store**. This is a highly responsive FHIR data store, which you will need to fill with your data via an ETL chain.
-* The **Connector**. This is the communication portal to the Sample Locator, with specially designed features that make it possible to run it behind a corporate firewall without making any compromises on security.
-
-### CCP(DKTK/C4)
-
-TODO:
-
-### nNGM
-
-TODO:
-
-### Bridgehead Components
-
-#### [Blaze Server](https://github.com/samply/blaze)
-
-This holds the actual data being searched. This store must be filled by you, generally by running an ETL on your locally stored data to turn it into the standardized FHIR format that we require.
-
-#### [Connector]
-
-TODO:
+    - [System](#system)
+      - [Git](#git)
+      - [Docker](#docker)
+2. [Deployment](#deployment)
+    - [Installation](#installation)
+    - [Register with Beam](#register-with-beam)
+    - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead)
+    - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts)
+3. [Additional Services](#additional-Services)
+    - [Monitoring](#monitoring)
+    - [Register with a Directory](#register-with-a-Directory)
+4. [Site-specific configuration](#site-specific-configuration)
+    - [HTTPS Access](#https-access)
+    - [Locally Managed Secrets](#locally-managed-secrets)
+    - [Git Proxy Configuration](#git-proxy-configuration)
+    - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
+    - [Non-Linux OS](#non-linux-os)
+5. [License](#license)
 
 ## Requirements
 
 ### Hardware
 
-For running your bridgehead we recommend the follwing Hardware:
+To get the most out of your Bridgehead, we recommend the follwing Hardware:
 
 - 4 CPU cores
 - At least 8 GB Ram
 - 100GB Hard Drive, SSD recommended
 
+### System
 
-### System Requirements
+You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment.
 
-Before starting the installation process, please ensure that following software is available on your system:
+The following software should be installed:
 
 #### Git
 
-Check if you have at leat git 2.0 installed on the system with:
+Check if you have at least git 2.0 installed on the system with:
 
 ``` shell
 git --version
 ```
 
-#### [Docker](https://docs.docker.com/get-docker/)
+#### Docker
 
-To check your docker installation, you should execute the docker with --version:
+Check the installed Docker version:
 
 ``` shell
 docker --version
 ```
-
-The Version should be higher than "20.10.1". Otherwise you will have problems starting the bridgehead. The next step is to check ``` docker-compose```  with:
+The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose```  with:
 
 ``` shell
 docker-compose --version
 ```
+The recomended version is "2.XX" and higher.
 
-The recomended version is "2.XX" and higher. If docker-compose was not installed with docker follow these [instructions](https://docs.docker.com/compose/install/#install-compose-as-standalone-binary-on-linux-systems). To futher check your docker and docker-compose installation, please run the following command. 
+If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com).
 
-``` shell
-docker-compose -f - up <<EOF
-version: "3.7"
-services:
-  hello-world:
-    image: hello-world
-EOF
-```
-Docker will now download the "hello-world" docker image and try to execute it. After the download you should see a message starting with "Hello from Docker!".
+## Deployment
 
-> NOTE: If the download of the image fails (e.g with "connection timed out" message), ensure that you have correctly set the proxy for the docker daemon. Refer to ["Docker Daemon Proxy Configuration" in the "Pitfalls" section](#docker-daemon-proxy-configuration)
-
-#### [systemd](https://systemd.io/)
-
-You shouldn't need to install it yourself, If systemd is not available on your system you should get another system.
-To check if systemd is available on your system, please execute
-
-``` shell
-systemctl --version
-```
-
-If systemd is not installed, you can start the bridgehead. However, for productive use we recomend using systemd.
-
----
-
-## Getting Started
-
-### Quick Start
-
-
-If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.
+### Installation
 
 First, clone the repository to the directory "/srv/docker/bridgehead":
 
@@ -144,17 +76,15 @@ First, clone the repository to the directory "/srv/docker/bridgehead":
 sudo mkdir -p /srv/docker/;
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
 ```
-
-It is recomended to create a user for the bridgehead service.  This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one.
+Now create a user for the Bridgehead service:
 
 ``` shell
-useradd -M -g docker -N -s /sbin/nologin bridgehead
+sudo useradd -M -g docker -N -s /sbin/nologin bridgehead
 ```
-
-After adding the User you need to change the ownership of the directory to the bridgehead user.
+After adding the user you will need to change the ownership of the directory to the Bridgehead user.
 
 ``` shell
-chown bridgehead /srv/docker/bridgehead/ -R
+sudo chown bridgehead /srv/docker/bridgehead/ -R
 ```
 Download the configuration repository:
 
@@ -163,78 +93,120 @@ sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-conf
 ```
 Change ownership:
 ``` shell
-chown bridgehead /etc/bridgehead/ -R
+sudo chown bridgehead /etc/bridgehead/ -R
 ```
-Modify SITE_ID and SITE_NAME in bbmri.conf
-RUN:
-
-
-```shell
-sudo /etc/bridgehead/bridgehead enroll bbmri
+Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.:
 ```
+SITE_ID="toulouse-prod"
+SITE_NAME="Toulouse"
+```
+
+### Register with Beam
+
+You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above.
+
+The response will contain your private key for Beam.
+
+Create a file for this private key:
+
+``` shell
+/etc/bridgehead/pki/$SITE_ID.priv.pem
+```
+
+### Starting and stopping your Bridgehead
+
+To start your new Bridgehead, type:
 ```shell
 sudo /srv/docker/bridgehead/bridgehead start bbmri
 ```
+The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times.
 
-### Configuration
-
-> NOTE: If you are part of the CCP-IT we will provide you another link for the configuration.
-
-Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can clone the configuration template at [GitHub](https://github.com/samply/bridgehead-config). The confiugration of the bridgehead should be located in /etc/bridghead.
-
-``` shell
-sudo git clone https://github.com/samply/bridgehead-config.git /etc/bridgehead;
+To shut down the Bridgehead, type:
+```shell
+sudo /srv/docker/bridgehead/bridgehead stop bbmri
 ```
 
-After cloning or forking the repository you need to add value to the template. If you are a part of the CCP-IT you will get an already filled out config repo.
+### Auto-starting your Bridgehead when the server starts
 
-### Testing your bridgehead
+Using this feature is optional.
 
-We recomend to run first with the start and stop script. If you have trouble starting the bridghead have a look at the troubleshooting section.
+Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted.
 
-Now you ready to run a bridgehead instance. The bridgehead scripts checks if your configuration is correct. To check if everything works, execute the following:
+In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script:
 ``` shell
-/srv/docker/bridgehead/bridgehead start <Project>
+sudo /srv/docker/bridgehead/bridgehead install bbmri
 ```
 
-You should now be able to access the landing page on your system, e.g "https://<your-host>/". 
+This will install the systemd units to run and update the Bridgehead.
+
+If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows:
 
-To shutdown the bridgehead just run.
 ``` shell
-/srv/docker/bridgehead/bridgehead stop <Project>
+sudo systemctl edit bridgehead@bbmri.service;
 ```
 
-### Local Datamanagement Security
+This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
 
-For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script:
-``` shell
-sudo /srv/docker/bridgehead/bridgehead install <Project>
+``` conf
+[Service]
+Environment=HOSTIP=
+Environment=HOST=
+Environment=HTTP_PROXY_USER=
+Environment=HTTP_PROXY_PASSWORD=
+Environment=HTTPS_PROXY_USER=
+Environment=HTTPS_PROXY_PASSWORD=
+Environment=CONNECTOR_POSTGRES_PASS=
 ```
 
-This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead.
+To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service:
 
-### Basic Auth
+``` shell
+sudo systemctl daemon-reload;
+sudo systemctl bridgehead@bbmri.service;
+```
 
-For Data protection we use basic authentification for some services. To access those services you need an username and password combination. 
-Caution: If you start the bridgehead without the authentification, then those services are not accessible.
-We generate such a combination at the first install (`/etc/bridgehead/<Project>.local.conf`). 
+## Additional Services
 
-## Configuration
+### Monitoring
 
-#### systemd
+We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended.
 
+You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu.
 
+The confirmation of your registration will contain a monitoring API key.
+
+You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.:
+``` conf
+MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3
+```
+(your key will be different to the one shown above, obviously).
+
+Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour.
+
+### Register with a Directory
+
+The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml).
+
+Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
+
+Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
+
+* Log in to the Directory for your country.
+* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
+* You will need to create at least one collection.
+
+## Site-specific configuration
 
 ### HTTPS Access
 
-We advise to use https for all service of your bridgehead. HTTPS is enabled on default. For starting the bridghead you need a ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
+We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
 
-The bridgehead create one autotmatic on the first start. However, it will be unsigned and we recomend to get a signed one.
+The Bridgehead creates one autotmatically on the first start. However, it will be unsigned and we recomend getting a signed one.
 
 
 ### Locally Managed Secrets
 
-This section describes the secrets you need to configure locally through the configuration
+This section describes the secrets you may need to configure locally through the configuration
 
 | Name                                 | Recommended Value                                                                                 | Description |  
 |--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- |  
@@ -255,77 +227,7 @@ This section describes the secrets you need to configure locally through the con
 | MAGICPL_OIDC_CLIENT_ID               || The client id used for your machine, to connect with the central authentication service           |
 | MAGICPL_OIDC_CLIENT_SECRET           || The client secret used for your machine, to connect with the central authentication service       |
 
-### Cooperatively Managed Secrets
-
-> TODO: Describe secrets from site-config 
-
-## Managing your Bridgehead
-
-> TODO: Rewrite this section (restart, stop, uninstall, manual updates)
-
-### On a Server
-
-#### Start
-
-This will start a not running bridgehead system unit:
-``` shell
-sudo systemctl start bridgehead@<dktk/c4/gbn>
-```
-
-#### Stop
-
-This will stop a running bridgehead system unit:
-``` shell
-sudo systemctl stop bridgehead@<dktk/c4/gbn>
-```
-
-#### Update
-
-This will update bridgehead system unit:
-``` shell
-sudo systemctl start bridgehead-update@<dktk/c4/gbn>
-```
-
-#### Remove the Bridgehead System Units
-
-If, for some reason you want to remove the installed bridgehead units, we added a command to [bridgehead](./bridgehead):
-``` shell
-sudo /srv/docker/bridgehead/bridgehead uninstall <project>
-```
-
-### On Developers Machine
-
-For developers, we provide additional scripts for starting and stopping the specif bridgehead:
-
-#### Start or stop
-
-This command starts a specified bridgehead. Choose between "dktk", "c4" and "gbn".
-``` shell
-/srv/docker/bridgehead/bridgehead start <dktk/c4/gbn>
-```
-
-#### Stop
-
-This command stops a specified bridgehead. Choose between "dktk", "c4" and "gbn".
-``` shell
-/srv/docker/bridgehead/bridgehead stop <dktk/c4/gbn>
-```
-
-#### Update
-
-This shell script updates the configuration for all bridgeheads installed on your system.
-``` shell
-/srv/docker/bridgehead/bridgehead update
-```
-> NOTE: If you want to regularly update your developing instance, you can create a CRON job that executes this script.
-
-## Migration Guide
-
-> TODO: How to transfer from windows/gbn
-
-## Pitfalls
-
-### [Git Proxy Configuration](https://gist.github.com/evantoli/f8c23a37eb3558ab8765)
+### Git Proxy Configuration
 
 Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration:
 
@@ -372,59 +274,22 @@ sudo systemctl daemon-reload;
 sudo systemctl restart docker;
 ```
 
-## After the Installtion
+### Non-Linux OS
 
-After starting your bridgehead, visit the landing page under the hostname. If you singed your own ssl certificate, there is probable an error message. However, you can accept it as exception. 
+The installation procedures described above have only been tested under Linux.
 
-On this page, there are all important links to each component, central and local. 
+Below are some suggestions for getting the installation to work on other operating systems. Note that we are not able to provide support for these routes!
 
-### Connector Administration
+We believe that it is likely that installation would also work with FreeBSD and MacOS.
 
-The Connector administration panel allows you to set many of the parameters regulating your Bridgehead. Most especially, it is the place where you can register your site with the Sample Locator. To access this page, proceed as follows:
+Under Windows, you have 2 options:
 
-* Open the Connector page: https://<hostname>/<project>-connector/
-* In the "Local components" box, click the "Samply Share" button.
-* A new page will be opened, where you will need to log in using the administrator credentials (admin/adminpass by default).
-* After log in, you will be taken to the administration dashboard, allowing you to configure the Connector.
-* If this is the first time you have logged in as an administrator, you are strongly recommended to set a more secure password! You can use the "Users" button on the dashboard to do this.
+- Virtual machine
+- WSL
 
-### GBA/BBMRI-ERIC
-
-#### Register with a Directory
-
-The [Directory][directory] is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator][negotiator].
-
-Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
-
-Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
-
-* Log in to the Directory for your country.
-* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
-* You will need to create at least one collection.
-* Note the biobank ID and the collection ID that you have created - these will be needed when you register with the Locator (see below).
-
-#### Register with a Locator
-
-* Go to the registration page http://localhost:8082/admin/broker_list.xhtml.
-* To register with a Locator, enter the following values in the three fields under "Join new Searchbroker":
-  * "Address": Depends on which Locator you want to register with:
-    * `https://locator.bbmri-eric.eu/broker/`: BBMRI Locator production service (European).
-    * `http://147.251.124.125:8088/broker/`: BBMRI Locator test service (European).
-    * `https://samplelocator.bbmri.de/broker/`: GBA Sample Locator production service (German).
-    * `https://samplelocator.test.bbmri.de/broker/`: GBA Sample Locator test service (German).
-  * "Your email address": this is the email to which the registration token will be returned.
-  * "Automatic reply": Set this to be `Total Size`
-* Click "Join" to start the registration process.
-* You should now have a list containing exactly one broker. You will notice that the "Status" box is empty.
-* Send an email to `feedback@germanbiobanknode.de` and let us know which of our Sample Locators you would like to register to. Please include the biobank ID and the collection ID from your Directory registration, if you have these available.
-* We will send you a registration token per email.
-* You will then re-open the Connector and enter the token into the "Status" box.
-* You should send us an email to let us know that you have done this.
-* We will then complete the registration process
-* We will email you to let you know that your biobank is now visible in the Sample Locator.
-
-If you are a Sample Locator administrator, you will need to understand the [registration process](./SampleLocatorRegistration.md). Normal bridgehead admins do not need to worry about this.
+We have tested the installation procedure with an Ubuntu 22.04 guest system running on a VMware virtual machine. That worked flawlessly.
 
+Installation under WSL ought to work, but we have not tested this.
 
 ## License
 

From b175c55f5ce9970308e8a25b7293153a9f57325b Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 17 May 2022 18:04:15 +0200
Subject: [PATCH 88/92] Shorten installation by including some installation
 steps into a shell script

---
 bridgehead                                    | 52 +++++++-------
 lib/functions.sh                              | 12 ++--
 ...dgehead-units.sh => install-bridgehead.sh} | 20 +++---
 lib/log.sh                                    |  4 +-
 lib/monitoring.sh                             |  9 ++-
 lib/prepare-system.sh                         | 67 +++++++++++++++++++
 lib/prerequisites.sh                          | 26 ++++---
 ...ehead-units.sh => uninstall-bridgehead.sh} |  5 --
 8 files changed, 138 insertions(+), 57 deletions(-)
 rename lib/{setup-bridgehead-units.sh => install-bridgehead.sh} (72%)
 mode change 100755 => 100644 lib/log.sh
 create mode 100755 lib/prepare-system.sh
 rename lib/{remove-bridgehead-units.sh => uninstall-bridgehead.sh} (81%)

diff --git a/bridgehead b/bridgehead
index 3054ebd..ecf4ec0 100755
--- a/bridgehead
+++ b/bridgehead
@@ -29,9 +29,6 @@ case "$PROJECT" in
 	ccp)
 		#nothing extra to do
 		;;
-	nngm)
-		#nothing extra to do
-		;;
 	bbmri)
 		#nothing extra to do
 		;;
@@ -41,28 +38,30 @@ case "$PROJECT" in
 		;;
 esac
 
-# Load variables from /etc/bridgehead and /srv/docker/bridgehead
-set -a
-source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
-if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
-	log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
-	source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
-fi
-fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
-[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
-set +a
+loadVars() {
+	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
+	set -a
+	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
+		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
+		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
+	fi
+	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
+	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
+	set +a
 
-OVERRIDE=${OVERRIDE:=""}
-if [ -f "$PROJECT/docker-compose.override.yml" ]; then
-	log INFO "Applying $PROJECT/docker-compose.override.yml"
-	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
-fi
-
-detectCompose
-setHostname
+	OVERRIDE=${OVERRIDE:=""}
+	if [ -f "$PROJECT/docker-compose.override.yml" ]; then
+		log INFO "Applying $PROJECT/docker-compose.override.yml"
+		OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
+	fi
+	detectCompose
+	setHostname
+}
 
 case "$ACTION" in
 	start)
+		loadVars
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
@@ -70,20 +69,25 @@ case "$ACTION" in
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
+		loadVars
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
+		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT
 		;;
 	install)
-		exec ./lib/setup-bridgehead-units.sh $PROJECT
+		source ./lib/prepare-system.sh
+		loadVars
+		exec ./lib/install-bridgehead.sh $PROJECT
 		;;
 	uninstall)
-		exec ./lib/remove-bridgehead-units.sh $PROJECT
+		exec ./lib/uninstall-bridgehead.sh $PROJECT
 		;;
 	enroll)
+		loadVars
 		if [ -e $PRIVATEKEYFILENAME ]; then
-			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
+			log ERROR "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
 			exit 1
 		fi
 		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
diff --git a/lib/functions.sh b/lib/functions.sh
index 9296414..a539e0d 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1,7 +1,5 @@
 #!/bin/bash -e
 
-source lib/log.sh
-
 detectCompose() {
 	if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
 		COMPOSE="docker compose"
@@ -37,11 +35,11 @@ checkOwner(){
 
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|nngm|bbmri"
+	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
 checkRequirements() {
-	if ! lib/prerequisites.sh; then
+	if ! lib/prerequisites.sh $@; then
 		log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line."
 		fail_and_report 1 "Validating prerequisites failed."
 	else
@@ -120,8 +118,10 @@ fixPermissions() {
 source lib/monitoring.sh
 
 report_error() {
-	log ERROR "$2"
-	hc_send $1 "$2"
+	CODE=$1
+	shift
+	log ERROR "$@"
+	hc_send $CODE "$@"
 }
 
 fail_and_report() {
diff --git a/lib/setup-bridgehead-units.sh b/lib/install-bridgehead.sh
similarity index 72%
rename from lib/setup-bridgehead-units.sh
rename to lib/install-bridgehead.sh
index d258c0b..5e3add3 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/install-bridgehead.sh
@@ -9,14 +9,9 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
-    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
-    exit 1
-fi
-
 export PROJECT=$1
 
-checkRequirements
+checkRequirements noprivkey
 
 log "INFO" "Allowing the bridgehead user to start/stop the bridgehead."
 
@@ -33,7 +28,7 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
-# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
+# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
@@ -42,7 +37,7 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
-log "INFO" "Register system units for bridgehead and bridgehead-update"
+log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
     lib/systemd/bridgehead-update\@.service \
@@ -61,4 +56,11 @@ systemctl enable bridgehead@"${PROJECT}".service
 log "INFO" "Enabling auto-updates for bridgehead@${PROJECT}.service ..."
 systemctl enable --now bridgehead-update@"${PROJECT}".timer
 
-log "INFO" "\nSuccess - now start your bridgehead by running\n            systemctl start bridgehead@${PROJECT}.service\n          or by rebooting your machine."
+STR="\n\n            systemctl start bridgehead@${PROJECT}.service\n\nor by rebooting your machine."
+if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+  STR="Success. Next, start your bridgehead by running$STR"
+else
+  STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n            /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR"
+fi
+
+log "INFO" "$STR"
\ No newline at end of file
diff --git a/lib/log.sh b/lib/log.sh
old mode 100755
new mode 100644
index e05eee7..c00333d
--- a/lib/log.sh
+++ b/lib/log.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
 log() {
-  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
+  SEVERITY="$1"
+  shift
+  echo -e "$(date +'%Y-%m-%d %T')" "$SEVERITY:" "$@"
 }
diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index daa388f..0f609f6 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -34,8 +34,13 @@ function hc_send(){
     fi
 
     if [ -z "$USER_AGENT" ]; then
-        COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
-        COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        if [ "$USER" != "root" ]; then
+            COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+            COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        else
+            COMMIT_ETC=$(su -c 'git -C /etc/bridgehead rev-parse HEAD' bridgehead | cut -c -8)
+            COMMIT_SRV=$(su -c 'git -C /srv/docker/bridgehead rev-parse HEAD' bridgehead | cut -c -8)
+        fi
         USER_AGENT="srv:$COMMIT_SRV etc:$COMMIT_ETC"
     fi
 
diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
new file mode 100755
index 0000000..20285f1
--- /dev/null
+++ b/lib/prepare-system.sh
@@ -0,0 +1,67 @@
+#!/bin/bash -e
+
+source lib/log.sh
+source lib/functions.sh
+
+log "INFO" "Preparing your system for bridgehead installation ..."
+
+# Create the bridgehead user
+if id bridgehead &>/dev/null; then
+    log "INFO" "Existing user with id $(id -u bridgehead) will be used by the bridgehead system units."
+else
+    log "INFO" "Now creating a system user to own the bridgehead's files."
+    useradd -M -g docker -N bridgehead || fail_and_report ""
+fi
+
+# Clone the OpenSource repository of bridgehead
+bridgehead_repository_url="https://github.com/samply/bridgehead.git"
+if [ -d "/srv/docker/bridgehead" ]; then
+    current_owner=$(stat -c '%U' /srv/docker/bridgehead)
+    if [ "$(su -c 'git -C /srv/docker/bridgehead remote get-url origin' $current_owner)" == "$bridgehead_repository_url" ]; then
+        log "INFO" "Bridgehead's open-source repository has been found at /srv/docker/bridgehead"
+    else
+        log "ERROR" "The directory /srv/docker/bridgehead seems to exist, but doesn't contain a clone of $bridgehead_repository_url\nPlease delete the directory and try again."
+        exit 1
+    fi
+else
+    log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead"
+    mkdir -p /srv/docker/
+    git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam
+fi
+
+case "$PROJECT" in
+	ccp)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
+		;;
+	bbmri)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
+		;;
+	*)
+		log ERROR "Internal error, this should not happen."
+        exit 1
+		;;
+esac
+
+# Clone the site-configuration
+if [ -d /etc/bridgehead ]; then
+    current_owner=$(stat -c '%U' /etc/bridgehead)
+    if [ "$(su -c 'git -C /etc/bridgehead remote get-url origin' $current_owner | grep $site_configuration_repository_middle)" ]; then
+        log "INFO" "Your site config repository in /etc/bridgehead seems to be installed correctly."
+    else
+        log "WARN" "Your site configuration repository in /etc/bridgehead seems to have another origin than git.verbis.dkfz.de. Please check if the repository is correctly cloned!"
+    fi
+else
+    log "INFO" "Now cloning your site configuration repository for you."
+    read -p "Please enter your site: " site
+    read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
+    site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git"
+    git clone $site_configuration_repository_url /etc/bridgehead
+    if [ $? -gt 0 ]; then
+        log "ERROR" "Unable to clone your configuration repository. Please obtain correct access data and try again."
+    fi
+fi
+
+chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+
+log INFO "System preparation is completed and private key is present."
+
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 859b690..8ce7051 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -5,11 +5,11 @@ source lib/functions.sh
 detectCompose
 
 if ! id "bridgehead" &>/dev/null; then
-  log ERROR "User bridgehead does not exist. Please consult readme for installation."
+  log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
   exit 1
 fi
 
-checkOwner . bridgehead || exit 1
+checkOwner /srv/docker/bridgehead bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
@@ -62,16 +62,22 @@ if [ -e /etc/bridgehead/vault.conf ]; then
   fi
 fi
 
-log INFO "Checking your beam proxy private key"
+checkPrivKey() {
+  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+    log INFO "Success - private key found."
+  else
+    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    return 1
+  fi
+  log INFO "Success - all prerequisites are met!"
+  hc_send log "Success - all prerequisites are met!"
+  return 0
+}
 
-if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-  log INFO "Success - private key found."
+if [[ "$@" =~ "noprivkey" ]]; then
+  log INFO "Skipping check for private key for now."
 else
-  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
-  exit 1
+  checkPrivKey || exit 1
 fi
 
-log INFO "Success - all prerequisites are met!"
-hc_send log "Success - all prerequisites are met!"
-
 exit 0
diff --git a/lib/remove-bridgehead-units.sh b/lib/uninstall-bridgehead.sh
similarity index 81%
rename from lib/remove-bridgehead-units.sh
rename to lib/uninstall-bridgehead.sh
index fa63ef4..ab1108e 100755
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/uninstall-bridgehead.sh
@@ -7,11 +7,6 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
-    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
-    exit 1
-fi
-
 export PROJECT=$1
 
 #checkRequirements // not needed when uninstalling

From a6b7afce40b93994c7efabcaea3f5f2cddb9c0ab Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 18 Nov 2022 19:02:13 +0100
Subject: [PATCH 89/92] Documentation

---
 README.md | 263 +++++++++++-------------------------------------------
 1 file changed, 51 insertions(+), 212 deletions(-)

diff --git a/README.md b/README.md
index d93cd0e..715c124 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,8 @@
 # Bridgehead
 
-A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
+The Bridgehead is a secure, low-effort solution to connect your research institution to a federated research network. It bundles interoperable, open-source software components into a turnkey package for installation on one of your secure servers. The Bridgehead is pre-configured with sane defaults, centrally monitored and with an absolute minimum of "moving parts" on your side, making it an extremely low-maintenance gateway to data sharing.
 
-
-TOC
+This repository is the starting point for any information and tools you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
 
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
@@ -12,7 +11,7 @@ TOC
       - [Docker](#docker)
 2. [Deployment](#deployment)
     - [Installation](#installation)
-    - [Register with Beam](#register-with-beam)
+    - [Register with Samply.Beam](#register-with-samplybeam)
     - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead)
     - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts)
 3. [Additional Services](#additional-Services)
@@ -30,249 +29,89 @@ TOC
 
 ### Hardware
 
-To get the most out of your Bridgehead, we recommend the follwing Hardware:
+Hardware requirements strongly depend on the specific use-cases of your network as well as on the data it is going to serve. Most use-cases are well-served with the following configuration:
 
 - 4 CPU cores
-- At least 8 GB Ram
-- 100GB Hard Drive, SSD recommended
+- 32 GB RAM
+- 160GB Hard Drive, SSD recommended
 
-### System
+### Software
 
-You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment.
+You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release.
 
-The following software should be installed:
+Ensure the following software (or newer) is installed:
 
-#### Git
+- git >= 2.0
+- docker >= 20.10.1
+- docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported).
+- systemd
 
-Check if you have at least git 2.0 installed on the system with:
-
-``` shell
-git --version
-```
-
-#### Docker
-
-Check the installed Docker version:
-
-``` shell
-docker --version
-```
-The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose```  with:
-
-``` shell
-docker-compose --version
-```
-The recomended version is "2.XX" and higher.
-
-If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com).
+We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
 ## Deployment
 
-### Installation
+### Base Installation
 
-First, clone the repository to the directory "/srv/docker/bridgehead":
+First, clone the repository to the directory `/srv/docker/bridgehead`:
+
+```shell
+sudo mkdir -p /srv/docker/
+sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+```
+
+Then, run the installation script:
+
+```shell
+cd /srv/docker/bridgehead
+sudo ./bridgehead install <PROJECT>
+```
+
+... and follow the instructions on the screen. You should then be prompted to do the next step:
+
+### Register with Samply.Beam
+
+Many Bridgehead services rely on the secure, performant and flexible messaging middleware called [Samply.Beam](https://github.com/samply/beam). You will need to register ("enroll") with Samply.Beam by creating a cryptographic key pair for your bridgehead:
 
 ``` shell
-sudo mkdir -p /srv/docker/;
-sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
-```
-Now create a user for the Bridgehead service:
-
-``` shell
-sudo useradd -M -g docker -N -s /sbin/nologin bridgehead
-```
-After adding the user you will need to change the ownership of the directory to the Bridgehead user.
-
-``` shell
-sudo chown bridgehead /srv/docker/bridgehead/ -R
-```
-Download the configuration repository:
-
-``` shell
-sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-config /etc/bridgehead;
-```
-Change ownership:
-``` shell
-sudo chown bridgehead /etc/bridgehead/ -R
-```
-Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.:
-```
-SITE_ID="toulouse-prod"
-SITE_NAME="Toulouse"
+cd /srv/docker/bridgehead
+sudo ./bridgehead enroll <PROJECT>
 ```
 
-### Register with Beam
-
-You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above.
-
-The response will contain your private key for Beam.
-
-Create a file for this private key:
-
-``` shell
-/etc/bridgehead/pki/$SITE_ID.priv.pem
-```
+... and follow the instructions on the screen. You should then be prompted to do the next step:
 
 ### Starting and stopping your Bridgehead
 
-To start your new Bridgehead, type:
+If you followed the above steps, your Bridgehead should already be configured to autostart (via systemd). If you would like to start/stop manually:
+
+To start, run
+
 ```shell
-sudo /srv/docker/bridgehead/bridgehead start bbmri
+sudo systemctl start bridgehead@<PROJECT>.service
 ```
-The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times.
 
-To shut down the Bridgehead, type:
+To stop, run
+
 ```shell
-sudo /srv/docker/bridgehead/bridgehead stop bbmri
+sudo systemctl stop bridgehead@<PROJECT>.service
 ```
 
-### Auto-starting your Bridgehead when the server starts
+To enable/disable autostart, run
 
-Using this feature is optional.
-
-Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted.
-
-In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script:
-``` shell
-sudo /srv/docker/bridgehead/bridgehead install bbmri
+```shell
+sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 ```
 
-This will install the systemd units to run and update the Bridgehead.
-
-If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows:
-
-``` shell
-sudo systemctl edit bridgehead@bbmri.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
-
-``` conf
-[Service]
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-```
-
-To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@bbmri.service;
-```
-
-## Additional Services
-
-### Monitoring
-
-We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended.
-
-You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu.
-
-The confirmation of your registration will contain a monitoring API key.
-
-You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.:
-``` conf
-MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3
-```
-(your key will be different to the one shown above, obviously).
-
-Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour.
-
-### Register with a Directory
-
-The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml).
-
-Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
-
-Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
-
-* Log in to the Directory for your country.
-* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
-* You will need to create at least one collection.
-
 ## Site-specific configuration
 
 ### HTTPS Access
 
-We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
+Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
 
-The Bridgehead creates one autotmatically on the first start. However, it will be unsigned and we recomend getting a signed one.
-
-
-### Locally Managed Secrets
-
-This section describes the secrets you may need to configure locally through the configuration
-
-| Name                                 | Recommended Value                                                                                 | Description |  
-|--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- |  
-| HTTP_PROXY_USER                      |                                                                                                   | Your local http proxy user |
-| HOSTIP                               | Compute with: `docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'` | The ip from which docker containers can reach your host system. |
-| HOST                                 | Compute with: `hostname`                                                                          |The hostname from which all components will eventually be available|
-| HTTP_PROXY_PASSWORD                  |                                                                                                   |Your local http proxy user's password|
-| HTTPS_PROXY_USER                     |                                                                                                   |Your local https proxy user|
-| HTTPS_PROXY_PASSWORD                 || Your local https proxy user's password                                                            |
-| CONNECTOR_POSTGRES_PASS              | Random String                                                                                     |The password for your project specific connector.|
-| STORE_POSTGRES_PASS                  | Random String                                                                                     |The password for your local datamanagements database (only relevant in c4)|
-| ML_DB_PASS                           | Random String                                                                                     |The password for your local patientlist database|
-| MAGICPL_API_KEY                      | Random String                                                                                     |The apiKey used by the local datamanagement to create pseudonymes.|
-| MAGICPL_MAINZELLISTE_API_KEY         | Random String                                                                                     |The apiKey used by the local id-manager to communicate with the local patientlist|
-| MAGICPL_API_KEY_CONNECTOR            | Random String                                                                                     |The apiKey used by the connector to communicate with the local patientlist|
-| MAGICPL_MAINZELLISTE_CENTRAL_API_KEY | You need to ask the central patientlists admin for this.                                          |The apiKey for your machine to communicate with the central patientlist|
-| MAGICPL_CENTRAL_API_KEY              | You need to ask the central controlnumbergenerator admin for this.                                |The apiKey for your machine to communicate with the central controlnumbergenerator|
-| MAGICPL_OIDC_CLIENT_ID               || The client id used for your machine, to connect with the central authentication service           |
-| MAGICPL_OIDC_CLIENT_SECRET           || The client secret used for your machine, to connect with the central authentication service       |
-
-### Git Proxy Configuration
-
-Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration:
-
-``` shell
-sudo git config --global http.proxy http://<your-proxy-host>:<your-proxy-port>;
-sudo git config --global https.proxy http://<your-proxy-host>:<your-proxy-port>;
-```
-> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://<your-proxy-user>:<your-proxy-user-password>@<your-proxy-host>:<your-proxy-port>".
-> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to.
-
-You can check that the updated configuration with
-
-``` shell
-sudo git config --global --list;
-```
+## Troubleshooting
 
 ### Docker Daemon Proxy Configuration
 
-Docker has a background daemon, responsible for downloading images and starting them. To configure the proxy for this daemon, use the systemctl command:
-
-``` shell
-sudo systemctl edit docker
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor, replace <your-proxy-host> and <your-proxy-port> with the corresponding values for your machine and save the file:
-``` conf
-[Service]
-Environment=HTTP_PROXY=http://<your-proxy-host>:<your-proxy-port>
-Environment=HTTPS_PROXY=http://<your-proxy-host>:<your-proxy-port>
-Environment=FTP_PROXY=http://<your-proxy-host>:<your-proxy-port>
-```
-> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://<your-proxy-user>:<your-proxy-user-password>@<your-proxy-host>:<your-proxy-port>".
-> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to.
-
-The file should now be at the location "/etc/systemd/system/docker.service.d/override.conf". You can proof check with
-``` shell
-cat /etc/systemd/system/docker.service.d/override.conf;
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl restart docker;
-```
+Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com).
 
 ### Non-Linux OS
 

From 21f90efe968c2bde9575a5542c56932a66db2341 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 21 Nov 2022 09:27:14 +0100
Subject: [PATCH 90/92] Document network, file structure, monitoring,
 auto-updates

---
 README.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/README.md b/README.md
index 715c124..82010d6 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,10 @@ Ensure the following software (or newer) is installed:
 
 We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
+### Network
+
+Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies))
+
 ## Deployment
 
 ### Base Installation
@@ -107,6 +111,39 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
 
+### TLS terminating proxies
+
+All of the Bridgehead's outgoing connections are secured by transport encryption (TLS) and a Bridgehead will refuse to connect if certificate verification fails. If your local forward proxy server performs TLS termination, please place its CA certificate in `/etc/bridgehead/trusted-ca-certs` as a `.pem` file, e.g. `/etc/bridgehead/trusted-ca-certs/mylocalca.pem`. Then, all Bridgehead components will pick up this certificate and trust it for outgoing connections.
+
+### File structure
+
+- `/srv/docker/bridgehead` contains this git repository with the shell scripts and *project-specific configuration*. In here, all files are identical for all sites. You should not make any changes here.
+- `/etc/bridgehead` contains your *site-specific configuration* synchronized from your site-specific git repository as part of the [base installation](#base-installation). To change anything here, please consult your git repository (find out its URL via `git -C /etc/bridgehead remote -v`).
+  - `/etc/bridgehead/<PROJECT>.conf` is your main site-specific configuration, all bundled into one concise config file. Do not change it here but via the central git repository.
+  - `/etc/bridgehead/<PROJECT>.local.conf` contains site-specific parameters to be known to your Bridgehead only, e.g. local access credentials. The file is ignored via git, and you may edit it here via a text editor.
+  - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
+  - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
+  - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
+
+Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
+
+## Things you should know
+
+### Auto-Updates
+
+Your Bridgehead will automatically and regularly check for updates. Whenever something has been updates (e.g., one of the git repositories or one of the docker images), your Bridgehead is automatically restarted. This should happen automatically and does not need any configuration.
+
+If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
+
+### Monitoring
+
+To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
+
+- Your Bridgehead itself will report relevant system events, such as successful/failed updates, restarts, performance metrics or version numbers.
+- Your Bridgehead is also monitored from the outside by your network's central components. For example, the federated search will regularly perform a black-box test by sending an empty query to your Bridgehead and checking if the results make sense.
+
+In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes.
+
 ## Troubleshooting
 
 ### Docker Daemon Proxy Configuration

From d12f9c44dcde8eba156dbed01e5f8a0a65b9a4ce Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Mon, 21 Nov 2022 18:06:30 +0100
Subject: [PATCH 91/92] Migrate monitoring to self-hosted instance

---
 lib/monitoring.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index daa388f..4d28371 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -14,15 +14,16 @@ UPTIME=
 USER_AGENT=
 
 function hc_send(){
+    BASEURL="https://healthchecks.verbis.dkfz.de/ping"
     if [ -n "$MONITOR_APIKEY" ]; then
         hc_set_uuid $MONITOR_APIKEY
     fi
 
     if [ -n "$HCSERVICE" ]; then
-        HCURL="https://hc-ping.com/$PING_KEY/$HCSERVICE"
+        HCURL="$BASEURL/$PING_KEY/$HCSERVICE"
     fi
     if [ -n "$HCUUID" ]; then
-        HCURL="https://hc-ping.com/$HCUUID"
+        HCURL="$BASEURL/$HCUUID"
     fi
     if [ ! -n "$HCURL" ]; then
         log WARN "Did not report Healthcheck: Neither Healthcheck UUID nor service set. Please define MONITOR_APIKEY in /etc/bridgehead."

From bfb84666af02fff50531ce0bf4ea06578fee7f0b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 21 Nov 2022 18:13:40 +0100
Subject: [PATCH 92/92] Warn about ufw

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 82010d6..b57c10e 100644
--- a/README.md
+++ b/README.md
@@ -46,12 +46,16 @@ Ensure the following software (or newer) is installed:
 - docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported).
 - systemd
 
-We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
+We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com).
+
+Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
 ### Network
 
 Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies))
 
+Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
+
 ## Deployment
 
 ### Base Installation