From 8a35785a24545a995d02b605b3e0cdd057b715bc Mon Sep 17 00:00:00 2001
From: Tim Schumacher <tim@tschumacher.net>
Date: Tue, 2 Sep 2025 13:23:34 +0200
Subject: [PATCH 1/4] feat: add scout module (#339)

---
 dhki/vars                 |  3 ++-
 modules/scout-compose.yml | 40 +++++++++++++++++++++++++++++++++++++++
 modules/scout-setup.sh    |  8 ++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 modules/scout-compose.yml
 create mode 100644 modules/scout-setup.sh

diff --git a/dhki/vars b/dhki/vars
index feeae45..fcaa83b 100644
--- a/dhki/vars
+++ b/dhki/vars
@@ -23,4 +23,5 @@ do
     source $module
 done
 
-transfairSetup
\ No newline at end of file
+transfairSetup
+scoutSetup
\ No newline at end of file
diff --git a/modules/scout-compose.yml b/modules/scout-compose.yml
new file mode 100644
index 0000000..e3e7e83
--- /dev/null
+++ b/modules/scout-compose.yml
@@ -0,0 +1,40 @@
+volumes:
+  scout-blaze-data:
+
+services:
+  traefik:
+    labels:
+      - "traefik.http.middlewares.additional-users-auth.basicauth.users=${SCOUT_BASIC_AUTH_USERS}"
+
+  scout-blaze:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    container_name: bridgehead-scout-blaze
+    environment:
+      BASE_URL: "http://bridgehead-scout-blaze:8080"
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "scout-blaze-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.scout-blaze.rule=PathPrefix(`/scout-blaze`)"
+      - "traefik.http.middlewares.scout-blaze-stripprefix.stripprefix.prefixes=/scout-blaze"
+      - "traefik.http.services.scout-blaze.loadbalancer.server.port=8080"
+      - "traefik.http.routers.scout-blaze.middlewares=scout-blaze-stripprefix,additional-users-auth"
+      - "traefik.http.routers.scout-blaze.tls=true"
+
+  scout:
+    image: samply/scout:main
+    container_name: bridgehead-scout
+    configs:
+      - scout.toml
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.scout.rule=PathPrefix(`/scout`)"
+      - "traefik.http.services.scout.loadbalancer.server.port=8080"
+      - "traefik.http.routers.scout.middlewares=additional-users-auth"
+      - "traefik.http.routers.scout.tls=true"
+
+configs:
+  scout.toml:
+    content: |
+      fhir_base_url = "http://scout-blaze:8080/fhir"
diff --git a/modules/scout-setup.sh b/modules/scout-setup.sh
new file mode 100644
index 0000000..5a3b0d9
--- /dev/null
+++ b/modules/scout-setup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+function scoutSetup() {
+    if [[ -n "$ENABLE_SCOUT" && -n "$SCOUT_BASIC_AUTH_USERS" ]]; then
+        echo "Starting scout."
+	    OVERRIDE+=" -f ./modules/scout-compose.yml"
+    fi
+}

From d1f5820d0f0695c92a1b06066dd13489945188d7 Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:01:14 +0200
Subject: [PATCH 2/4] feat: allow cql queries for exliquid (#343)

---
 ccp/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 030fcc1..7980017 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -34,6 +34,7 @@ services:
       EPSILON: 0.28
       QUERIES_TO_CACHE: '/queries_to_cache.conf'
       ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
+      CQL_PROJECTS_ENABLED: "${CQL_ALLOWED_PROJECTS}"
     volumes:
       - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
     depends_on:

From 00b10f3ae634b1bca8d2ddcb8ecb69c43a006a55 Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:39:40 +0200
Subject: [PATCH 3/4] fix: only pass CQL_PROJECTS_ENABLED to focus if set
 (#344)

---
 ccp/docker-compose.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 7980017..afe31d8 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,16 +25,16 @@ services:
     image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
     container_name: bridgehead-focus
     environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-ccp-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-      CQL_PROJECTS_ENABLED: "${CQL_ALLOWED_PROJECTS}"
+    - API_KEY=${FOCUS_BEAM_SECRET_SHORT}
+    - BEAM_APP_ID_LONG=focus.${PROXY_ID}
+    - PROXY_ID=${PROXY_ID}
+    - BLAZE_URL=http://bridgehead-ccp-blaze:8080/fhir/
+    - BEAM_PROXY_URL=http://beam-proxy:8081
+    - RETRY_COUNT=${FOCUS_RETRY_COUNT}
+    - EPSILON=0.28
+    - QUERIES_TO_CACHE=/queries_to_cache.conf
+    - ENDPOINT_TYPE=${FOCUS_ENDPOINT_TYPE:-blaze}
+    - CQL_PROJECTS_ENABLED
     volumes:
       - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
     depends_on:

From eab7700404ef158b0f7854b52c04334b913be4fb Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Tue, 30 Sep 2025 11:47:51 +0200
Subject: [PATCH 4/4] feat: add bridgehead check command (#342)

---
 bridgehead              |  4 +++
 lib/check-bridgehead.sh | 74 +++++++++++++++++++++++++++++++++++++++++
 lib/functions.sh        |  2 +-
 3 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100755 lib/check-bridgehead.sh

diff --git a/bridgehead b/bridgehead
index 1951a7f..9483767 100755
--- a/bridgehead
+++ b/bridgehead
@@ -146,6 +146,10 @@ case "$ACTION" in
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT
 		;;
+	check)
+		loadVars &> /dev/null
+		exec ./lib/check-bridgehead.sh $PROJECT
+		;;
 	install)
 		source ./lib/prepare-system.sh NODEV
 		loadVars
diff --git a/lib/check-bridgehead.sh b/lib/check-bridgehead.sh
new file mode 100755
index 0000000..57ca537
--- /dev/null
+++ b/lib/check-bridgehead.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+source lib/functions.sh
+
+log INFO "Running Bridgehead checks..."
+
+# Directory ownership
+log INFO "Checking directory ownership..."
+OWNERSHIP_OK=true
+if ! checkOwner /srv/docker/bridgehead bridgehead &> /dev/null; then
+  log ERROR "Wrong ownership for /srv/docker/bridgehead."
+  log INFO "Hint: Run 'sudo chown -R bridgehead /srv/docker/bridgehead'."
+  OWNERSHIP_OK=false
+fi
+if ! checkOwner /etc/bridgehead bridgehead &> /dev/null; then
+  log ERROR "Wrong ownership for /etc/bridgehead."
+  log INFO "Hint: Run 'sudo chown -R bridgehead /etc/bridgehead'."
+  OWNERSHIP_OK=false
+fi
+
+if [ "$OWNERSHIP_OK" = true ]; then
+  log INFO "Directory ownership is correct."
+fi
+
+# Git repository status
+log INFO "Checking Git repository status..."
+GIT_OK=true
+if [ -d "/etc/bridgehead/.git" ]; then
+  if [ -n "$(git -C "/etc/bridgehead" status --porcelain)" ]; then
+    log ERROR "The config repo at /etc/bridgehead is modified.\n$(git -C /etc/bridgehead status -s)"
+    log INFO "Hint: Review your changes with git diff if they are already upstreamed use git stash and git pull to update the repo"
+    GIT_OK=false
+  fi
+fi
+if [ -n "$(git -C "$(pwd)" status --porcelain)" ]; then
+  log ERROR "$(pwd) is modified. \n$(git -C "$(pwd)" status -s)"
+  log INFO "Hint: If these are site specific changes to docker compose files consider moving them to $PROJECT/docker-compose.override.yml which is ignored by git."
+  log INFO "      If they are already upstreamed use git stash and git pull to update the repo"
+  GIT_OK=false
+fi
+
+if [ "$GIT_OK" = true ]; then
+  log INFO "Git repositories are clean."
+fi
+
+# Git remote connection
+log INFO "Checking Git remote connection..."
+GIT_REMOTE_OK=true
+if [ -d "/etc/bridgehead/.git" ]; then
+  if ! git -C "/etc/bridgehead" fetch --dry-run >/dev/null 2>&1; then
+    log ERROR "Cannot connect to the Git remote for /etc/bridgehead."
+    log INFO "Hint: Check your network connection and Git remote configuration for /etc/bridgehead."
+    GIT_REMOTE_OK=false
+  fi
+fi
+if [ -d "$(pwd)/.git" ]; then
+  if ! git -C "$(pwd)" fetch --dry-run >/dev/null 2>&1; then
+    log ERROR "Cannot connect to the Git remote for $(pwd)."
+    log INFO "Hint: Check your network connection and Git remote configuration for $(pwd)."
+    GIT_REMOTE_OK=false
+  fi
+fi
+
+if [ "$GIT_REMOTE_OK" = true ]; then
+  log INFO "Git remote connection successful."
+fi
+
+if [ "$OWNERSHIP_OK" = true ] && [ "$GIT_OK" = true ] && [ "$GIT_REMOTE_OK" = true ]; then
+  log INFO "All checks passed."
+  exit 0
+else
+  log ERROR "Some checks failed. Please review the hints and fix the issues."
+  log ERROR "Without fixing these issues bridgehead updates may not work correctly."
+  exit 1
+fi
diff --git a/lib/functions.sh b/lib/functions.sh
index 12308c0..379e122 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -53,7 +53,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|check|install|uninstall|adduser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
 }