From 99126a89598961401469dae5b9b177bb8b47cf48 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 4 Oct 2022 10:04:32 +0200
Subject: [PATCH 001/213] Shutdown all docker containers if one fails

... will then be restarted by systemd
---
 bridgehead | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 35442c9..85d9348 100755
--- a/bridgehead
+++ b/bridgehead
@@ -51,7 +51,7 @@ set +a
 case "$ACTION" in
 	start)
 		checkRequirements
-		exec docker-compose -f ./$PROJECT/docker-compose.yml up
+		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
 		;;
 	stop)
 		exec docker-compose -f ./$PROJECT/docker-compose.yml down

From bba1041bed0dcda5ea021630bdb193ff811a9c20 Mon Sep 17 00:00:00 2001
From: Torben Brenner <76154651+torbrenner@users.noreply.github.com>
Date: Wed, 5 Oct 2022 12:52:39 +0200
Subject: [PATCH 002/213] Updated Blaze from v0.17 -> v0.18

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 161e495..65343d6 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -52,7 +52,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.17"
+    image: "samply/blaze:0.18"
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"

From b41e5b23158d0a8e05b1620d3599b19a56a716cd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 5 Oct 2022 19:58:07 +0200
Subject: [PATCH 003/213] Fix permissions on startup. Requires re-install of
 systemd units.

---
 bridgehead                             | 3 +++
 lib/systemd/bridgehead-update@.service | 1 +
 lib/systemd/bridgehead@.service        | 1 +
 3 files changed, 5 insertions(+)

diff --git a/bridgehead b/bridgehead
index 85d9348..eba542d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,6 +65,9 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
+	fixPermissions)
+		chown -R bridgehead /etc/bridgehead .
+		;;
 	*)
 		printUsage
 		exit 1
diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service
index c1d8b4c..e8b42ea 100644
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@@ -4,6 +4,7 @@ Description=Bridgehead (%i) Update Service
 [Service]
 Type=oneshot
 User=bridgehead
+ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
 ExecStart=/srv/docker/bridgehead/bridgehead update %i
 
 [Install]
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index c387c71..f109e5a 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -6,6 +6,7 @@ Requires=docker.service
 User=bridgehead
 Restart=always
 RestartSec=30
+ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
 ExecStart=/srv/docker/bridgehead/bridgehead start %i
 ExecStop=/srv/docker/bridgehead/bridgehead stop %i
 

From 8a6274389459c0c15a8dfcac852c2238c1081b07 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Thu, 6 Oct 2022 10:45:50 +0200
Subject: [PATCH 004/213] Monitoring for bridgehead startup and update (#22)

---
 bridgehead                             | 12 +++++---
 lib/functions.sh                       | 23 +++++++++++----
 lib/gitpassword.sh                     |  5 ++--
 lib/log.sh                             |  5 ++++
 lib/monitoring.sh                      | 41 ++++++++++++++++++++++++++
 lib/prerequisites.sh                   | 16 ++++------
 lib/setup-bridgehead-units.sh          |  4 ++-
 lib/systemd/bridgehead-update@.service |  3 +-
 lib/systemd/bridgehead@.service        |  3 +-
 lib/update-bridgehead.sh               | 19 +++++++-----
 10 files changed, 98 insertions(+), 33 deletions(-)
 create mode 100644 lib/log.sh
 create mode 100755 lib/monitoring.sh

diff --git a/bridgehead b/bridgehead
index eba542d..87d6a1f 100755
--- a/bridgehead
+++ b/bridgehead
@@ -43,14 +43,16 @@ esac
 
 # Load variables from /etc/bridgehead and /srv/docker/bridgehead
 set -a
-source /etc/bridgehead/$PROJECT.conf
-fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
+source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
 case "$ACTION" in
 	start)
+		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
+		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
 		;;
 	stop)
@@ -65,8 +67,10 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
-	fixPermissions)
-		chown -R bridgehead /etc/bridgehead .
+	preRun | preUpdate)
+		fixPermissions
+		;;
+	postRun | postUpdate)
 		;;
 	*)
 		printUsage
diff --git a/lib/functions.sh b/lib/functions.sh
index 3d5a88f..ded0cd9 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1,9 +1,11 @@
 #!/bin/bash -e
 
+source lib/log.sh
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
-    exit 1
+    fail_and_report 1 "Please run as root"
   fi
 }
 
@@ -16,10 +18,6 @@ checkOwner(){
   return 0
 }
 
-log() {
-  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
-}
-
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|nngm|gbn"
@@ -28,7 +26,7 @@ printUsage() {
 checkRequirements() {
 	if ! lib/prerequisites.sh; then
 		log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line."
-		exit 1
+		fail_and_report 1 "Validating prerequisites failed."
 	else
 		return 0
 	fi
@@ -97,6 +95,19 @@ assertVarsNotEmpty() {
 	return 0
 }
 
+fixPermissions() {
+	CHOWN=$(which chown)
+	sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+}
+
+source lib/monitoring.sh
+
+fail_and_report() {
+	log ERROR "$2"
+	hc_send $1 "$2"
+	exit $1
+}
+
 ##Setting Network properties
 export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 export HOST=$(hostname)
diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 25eb9ce..17756d6 100755
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@@ -22,7 +22,7 @@ cd $BASE
 
 source lib/functions.sh
 
-assertVarsNotEmpty SITE_ID || exit 1
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
@@ -30,8 +30,7 @@ GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 
 if [ -z "${GIT_PASSWORD}" ]; then
-	log ERROR "Git password not found."
-	exit 1
+	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 
 cat <<EOF
diff --git a/lib/log.sh b/lib/log.sh
new file mode 100644
index 0000000..e05eee7
--- /dev/null
+++ b/lib/log.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+log() {
+  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
+}
diff --git a/lib/monitoring.sh b/lib/monitoring.sh
new file mode 100755
index 0000000..d9bbf60
--- /dev/null
+++ b/lib/monitoring.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+source lib/log.sh
+
+function hc_set_uuid(){
+    HCUUID="$1"
+}
+
+function hc_set_service(){
+    HCSERVICE="$1"
+}
+
+UPTIME=
+
+function hc_send(){
+    if [ -n "$MONITOR_APIKEY" ]; then
+        hc_set_uuid $MONITOR_APIKEY
+    fi
+
+    if [ -n "$HCSERVICE" ]; then
+        HCURL="https://hc-ping.com/$PING_KEY/$HCSERVICE"
+    fi
+    if [ -n "$HCUUID" ]; then
+        HCURL="https://hc-ping.com/$HCUUID"
+    fi
+    if [ ! -n "$HCURL" ]; then
+        log WARN "Healthcheck reporting failed: Neither Healthcheck UUID nor service set - please check config in /etc/bridgehead"
+        return 1
+    fi
+
+    if [ -z "$UPTIME" ]; then
+        UPTIME=$(docker ps --format '{{.Names}} {{.RunningFor}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+    fi
+
+    if [ -n "$2" ]; then
+        MSG="$2\n\nDocker stats:\n$UPTIME"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+    else
+        https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+    fi
+}
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 4e03530..f4fd3be 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -17,32 +17,28 @@ for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?
   if [ $is_available -gt 0 ]; then
-    log "ERROR" "Prerequisite not fulfilled - $prerequisite is not available!"
-    exit 79
+    fail_and_report 79 "Prerequisite not fulfilled - $prerequisite is not available!"
   fi
   # TODO: Check for specific version
 done
 
 log INFO "Checking if sudo is installed ..."
 if [ ! -d /etc/sudoers.d ]; then
-  log ERROR "/etc/sudoers.d does not exist. Please install sudo package."
-  exit 1
+  fail_and_report 1 "/etc/sudoers.d does not exist. Please install sudo package."
 fi
 
 log INFO "Checking configuration ..."
 
 ## Download submodule
 if [ ! -d "/etc/bridgehead/" ]; then
-  log ERROR "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
-  exit 1
+  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
 fi
 
 # TODO: Check all required variables here in a generic loop
 
 #check if project env is present
 if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
-   log ERROR "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
-   exit 1
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
 fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
@@ -60,11 +56,11 @@ fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
 	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
-		log ERROR "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
-		exit 1
+    fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
 	fi
 fi
 
 log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
 
 exit 0
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index a1393c2..a96e583 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -26,7 +26,9 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl start bridgehead@${PROJECT}.service, \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
-    /bin/systemctl restart bridgehead@*.service
+    /bin/systemctl restart bridgehead@*.service, \\
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service
index e8b42ea..3a7f347 100644
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@@ -4,8 +4,9 @@ Description=Bridgehead (%i) Update Service
 [Service]
 Type=oneshot
 User=bridgehead
-ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
+ExecStartPre=-/srv/docker/bridgehead/bridgehead preUpdate %i
 ExecStart=/srv/docker/bridgehead/bridgehead update %i
+ExecStopPost=-/srv/docker/bridgehead/bridgehead postUpdate %i
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index f109e5a..7645793 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -6,9 +6,10 @@ Requires=docker.service
 User=bridgehead
 Restart=always
 RestartSec=30
-ExecStartPre=-/srv/docker/bridgehead/bridgehead fixPermissions %i
+ExecStartPre=-/srv/docker/bridgehead/bridgehead preRun %i
 ExecStart=/srv/docker/bridgehead/bridgehead start %i
 ExecStop=/srv/docker/bridgehead/bridgehead stop %i
+ExecStopPost=-/srv/docker/bridgehead/bridgehead postRun %i
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 9bb73bd..162d592 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,20 +1,21 @@
 #!/bin/bash
 source lib/functions.sh
 
+hc_send log "Updating bridgehead ..."
+
 CONFFILE=/etc/bridgehead/$1.conf
 
 if [ ! -e $CONFFILE ]; then
-  log ERROR "Configuration file $CONFFILE not found."
-  exit 1
+  fail_and_report 1 "Configuration file $CONFFILE not found."
 fi
 
 source $CONFFILE
 
-assertVarsNotEmpty SITE_ID || exit 1
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "Update failed: SITE_ID empty"
 export SITE_ID
 
-checkOwner . bridgehead || exit 1
-checkOwner /etc/bridgehead bridgehead || exit 1
+checkOwner . bridgehead || fail_and_report 1 "Update failed: Wrong permissions in $(pwd)"
+checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
 CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
@@ -69,10 +70,14 @@ done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  log "INFO" "Update detected, now restarting bridgehead"
+  RES="Update detected, now restarting bridgehead"
+  log "INFO" "$RES"
+  hc_send log "$RES"
   sudo /bin/systemctl restart bridgehead@*.service
 else
-  log "INFO" "Nothing updated, nothing to restart."
+  RES="Nothing updated, nothing to restart."
+  log "INFO" "$RES"
+  hc_send log "$RES"
 fi
 
 exit 0

From 2fb57980eef3a4f51fbe90025d508396045ff25a Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:04:24 +0200
Subject: [PATCH 005/213] Format docker status table

---
 lib/monitoring.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index d9bbf60..b6384b0 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -29,7 +29,7 @@ function hc_send(){
     fi
 
     if [ -z "$UPTIME" ]; then
-        UPTIME=$(docker ps --format '{{.Names}} {{.RunningFor}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+        UPTIME=$(docker ps --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
     if [ -n "$2" ]; then

From 0f449344195b8724a8905981d6c0afcd2288977d Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:05:36 +0200
Subject: [PATCH 006/213] Clarified log message

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 162d592..a79fece 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 source lib/functions.sh
 
-hc_send log "Updating bridgehead ..."
+hc_send log "Checking for bridgehead updates ..."
 
 CONFFILE=/etc/bridgehead/$1.conf
 

From f7c4bf6ac5cb0def425904b6d9dc9a5a872ca479 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:49:31 +0200
Subject: [PATCH 007/213] Consider stopped docker containers for reports,
 updates

---
 lib/monitoring.sh        | 2 +-
 lib/update-bridgehead.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index b6384b0..bdd9a35 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -29,7 +29,7 @@ function hc_send(){
     fi
 
     if [ -z "$UPTIME" ]; then
-        UPTIME=$(docker ps --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
+        UPTIME=$(docker ps -a --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
     if [ -n "$2" ]; then
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index a79fece..19dd8e7 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -60,7 +60,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     log "INFO" "$IMAGE updated."

From 7b15e02becda271641ebc002955c30dab025d708 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 12:49:48 +0200
Subject: [PATCH 008/213] Use HTTPS proxy (not http proxy) for git pull

---
 lib/update-bridgehead.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 19dd8e7..ef07590 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -33,8 +33,8 @@ for DIR in /etc/bridgehead $(pwd); do
     git -C $DIR pull 2>&1
   else
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
-    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR fetch 2>&1
-    git -c http.proxy=$HTTP_PROXY_URL -c http.proxy=$HTTP_PROXY_URL -C $DIR pull 2>&1
+    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1
+    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"

From 67ec348f747b8419f3ab454d9884d50c2bd13179 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 6 Oct 2022 16:27:52 +0200
Subject: [PATCH 009/213] Support docker-compose.override.yml

---
 bridgehead | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 87d6a1f..6ea59e4 100755
--- a/bridgehead
+++ b/bridgehead
@@ -48,15 +48,21 @@ fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Una
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
+OVERRIDE=""
+if [ -f "$PROJECT/docker-compose.override.yml" ]; then
+	log INFO "Apply docker-compose.override.yml"
+	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
+fi
+
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		exec docker-compose -f ./$PROJECT/docker-compose.yml up --abort-on-container-exit
+		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
-		exec docker-compose -f ./$PROJECT/docker-compose.yml down
+		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
 		exec ./lib/update-bridgehead.sh $PROJECT

From ca45a3dbe9a408e618e33adbff65b6b06c226d21 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 11:06:52 +0200
Subject: [PATCH 010/213] Support /etc/bridgehead/PROJECT.local.conf

---
 bridgehead | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 6ea59e4..5c7d121 100755
--- a/bridgehead
+++ b/bridgehead
@@ -44,13 +44,17 @@ esac
 # Load variables from /etc/bridgehead and /srv/docker/bridgehead
 set -a
 source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
+	log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
+	source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
+fi
 fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
 OVERRIDE=""
 if [ -f "$PROJECT/docker-compose.override.yml" ]; then
-	log INFO "Apply docker-compose.override.yml"
+	log INFO "Applying $PROJECT/docker-compose.override.yml"
 	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
 fi
 

From f7742f2a2bfb0e2d9292ff75c96d7a5dbaa095f7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 13:28:51 +0200
Subject: [PATCH 011/213] Make traefik volumes read-only

---
 ccp/docker-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65343d6..d78a842 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,8 +25,8 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ../certs:/tools/certs
-      - ../lib/traefik-configuration/:/configuration
+      - ../certs:/tools/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:

From e439510920f36c272fe8ce99efc630849ce0ac9b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 13:29:09 +0200
Subject: [PATCH 012/213] Rename spot container so it shows up in monitoring

---
 ccp/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index d78a842..3ef7f24 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -72,6 +72,7 @@ services:
 
   spot:
     image: samply/spot:latest
+    container_name: bridgehead-spot
     environment:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
       APPID: spot

From 7ecb39d6cede55a820e36900ccca92554782b1f7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 11 Oct 2022 18:29:08 +0200
Subject: [PATCH 013/213] Use new forward proxy

---
 ccp/docker-compose.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 3ef7f24..c446f64 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -31,13 +31,14 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:develop
+    image: samply/bridgehead-forward-proxy:main
     environment:
-      http_proxy: ${HTTP_PROXY_URL}
-      https_proxy: ${HTTPS_PROXY_URL}
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
     volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
   landing:
     container_name: bridgehead-landingpage
     image: samply/bridgehead-landingpage:master
@@ -60,7 +61,7 @@ services:
       LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
-    - "blaze-data:/app/data"
+      - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
@@ -98,17 +99,19 @@ services:
       PRIVKEY_FILE: /run/secrets/proxy.pem
       RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
     labels:
       - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 
 
 volumes:
   blaze-data:
-  bridgehead-proxy:
 
 secrets:
   proxy.pem:

From 0f1cb966badaa95997b4636840ff1197d8b755c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 11 Oct 2022 18:36:42 +0200
Subject: [PATCH 014/213] Use tag latest for forward proxy

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index c446f64..bc8fdf2 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:main
+    image: samply/bridgehead-forward-proxy:latest
     environment:
       HTTPS_PROXY: ${HTTPS_PROXY_URL}
       USERNAME: ${HTTPS_PROXY_USERNAME}

From e273e97d9cfa1fb351743ae4db4227e2ee6a368d Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Mon, 17 Oct 2022 14:38:34 +0200
Subject: [PATCH 015/213] Certificate enrollment (#24)

---
 bridgehead           |  8 ++++++++
 ccp/vars             |  2 ++
 lib/functions.sh     |  2 +-
 lib/prerequisites.sh | 11 ++++++++++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 5c7d121..5548a7d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -77,6 +77,14 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
+	enroll)
+		if [ -e $PRIVATEKEYFILENAME ]; then
+			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
+			exit 1
+		fi
+		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+		chmod 600 $PRIVATEKEYFILENAME
+		;;
 	preRun | preUpdate)
 		fixPermissions
 		;;
diff --git a/ccp/vars b/ccp/vars
index 4152fa4..ce12d1a 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/lib/functions.sh b/lib/functions.sh
index ded0cd9..5059829 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -19,7 +19,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
+	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|nngm|gbn"
 }
 
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index f4fd3be..2709a6f 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -43,7 +43,7 @@ fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
-log INFO "Checking ssl cert"
+log INFO "Checking ssl cert for accessing bridgehead via https"
 
 if [ ! -d "certs" ]; then
   log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
@@ -60,6 +60,15 @@ if [ -e /etc/bridgehead/vault.conf ]; then
 	fi
 fi
 
+log INFO "Checking your beam proxy private key"
+
+if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+	log INFO "Success - private key found."
+else
+	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+	exit 1
+fi
+
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

From f8b9aed7f52b1c0774b94afbbac20d23aad612eb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:09:18 +0200
Subject: [PATCH 016/213] Cleaning

---
 .gitignore             |   8 +--
 ccp/docker-compose.yml |   4 +-
 lib/generate.sh        | 116 -----------------------------------------
 lib/log.sh             |   0
 lib/prerequisites.sh   |  20 +++----
 site.dev.conf          |  11 ----
 6 files changed, 13 insertions(+), 146 deletions(-)
 delete mode 100755 lib/generate.sh
 mode change 100644 => 100755 lib/log.sh
 delete mode 100644 site.dev.conf

diff --git a/.gitignore b/.gitignore
index d6c86b5..2c4c7ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,10 +3,4 @@
 site-config/*
 
 ## Ignore site configuration
-config/**/*
-!config/**/*.default
-landing/*
-docker-compose.override.yml
-site.conf
-auth/*
-certs/*
+*/docker-compose.override.yml
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65343d6..2539d8e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,8 +25,8 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ../certs:/tools/certs
-      - ../lib/traefik-configuration/:/configuration
+      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:
diff --git a/lib/generate.sh b/lib/generate.sh
deleted file mode 100755
index 9673055..0000000
--- a/lib/generate.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-
-if [ ! -d ./landing ]
-then 
-  mkdir landing
-fi
-
-if [ ! -f ./landing/index.html ]
-then
-  touch index.html
-fi
-
-CENTRAL_SERVICES="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
-          </tr>"
-
-LOCAL_SERVICES="          <tr>
-            <td>Bridgehead</td>
-            <td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
-          </tr>"
-
-if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
-then
-    CENTRAL_SERVICES+="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
-          </tr>
-          "
-fi
-
-if [ "$project" = "dktk-fed" ]
-then 
-    LOCAL_SERVICES+="         <tr>
-            <td>DKTK</td>
-            <td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
-          </tr>
-          "
-fi
-
-cat > ./landing/index.html <<EOL
-<html lang="en">
-
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <meta name="description" content="">
-  <title>Bridgehead Overview</title>
-  <!-- Bootstrap core CSS -->
-  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
-    integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
-  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
-    integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
-    crossorigin="anonymous"></script>
-
-</head>
-
-<body class="d-flex flex-column min-vh-100">
-
-  <nav class="navbar navbar-light" style="background-color: #aad7f6;">
-    <h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
-  </nav>
-  <div class="container px-4 py-5" id="featured-3">
-    <div>
-      <h2>Components</h2>
-      <h3>Central</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Group</th>
-            <th style="width: 50%">Service</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${CENTRAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-
-    <div>
-      <h3>Local</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Project</th>
-            <th style="width: 50%">Services</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${LOCAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-    <footer class="footer mt-auto py-3">
-     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
-    </footer>
-</body>
-
-</html>
-EOL
\ No newline at end of file
diff --git a/lib/log.sh b/lib/log.sh
old mode 100644
new mode 100755
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 2709a6f..689f383 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -45,28 +45,28 @@ fi
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "certs" ]; then
-  log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
-  mkdir -p certs
+if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
+  log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
+  mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "certs/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
-	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
-	fi
+  fi
 fi
 
 log INFO "Checking your beam proxy private key"
 
 if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-	log INFO "Success - private key found."
+  log INFO "Success - private key found."
 else
-	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
-	exit 1
+  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+  exit 1
 fi
 
 log INFO "Success - all prerequisites are met!"
diff --git a/site.dev.conf b/site.dev.conf
deleted file mode 100644
index 94e315d..0000000
--- a/site.dev.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-### This is the configuration file for secrets, only your site should know
-
-##Setting Network properties
-export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-export HOST=
-
-export site_name=
-### Write the Project you want to start with the brigdehead
-##Exmaple project=dktk-fed
-export project=

From 9658f6ed2e36a6c5aa0abcda95adfbec637bc702 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:21:12 +0200
Subject: [PATCH 017/213] Fix traefik cert

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2539d8e..3116eac 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,7 +25,7 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - /etc/bridgehead/traefik-tls:/certs:ro
       - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 

From a8a33291a75527f8f6ecef0a47eacada2d7a75f4 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:30:43 +0200
Subject: [PATCH 018/213] Rename traefik certificate/key

---
 lib/prerequisites.sh                        | 4 ++--
 lib/traefik-configuration/certificates.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 689f383..2738620 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -50,8 +50,8 @@ if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index eb9809a..2644333 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,4 @@
 tls:
   certificates:
-    - certFile: /certs/traefik.crt
-      keyFile: /certs/traefik.key
+    - certFile: /certs/fullchain.pem
+      keyFile: /certs/privkey.pem

From f72a185dbba6cdd618f3e3e065b805d32e1b5555 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:07:25 +0200
Subject: [PATCH 019/213] Be more specific about what changed on an update

---
 lib/update-bridgehead.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index ef07590..eefa38a 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -19,6 +19,8 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
 
 CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
+CHANGES=""
+
 # Check git updates
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
@@ -39,7 +41,9 @@ for DIR in /etc/bridgehead $(pwd); do
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
-    log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
     git_repository_url="$(git -C $DIR remote get-url origin)"
@@ -63,14 +67,16 @@ docker_updated="false"
 for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
-    log "INFO" "$IMAGE updated."
+    CHANGE="Image $IMAGE updated."
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     docker_updated="true"
   fi
 done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  RES="Update detected, now restarting bridgehead"
+  RES="Updates detected, now restarting bridgehead:\n$CHANGES"
   log "INFO" "$RES"
   hc_send log "$RES"
   sudo /bin/systemctl restart bridgehead@*.service

From 17c6a2b0e0d2225393836dee2f666650cc887624 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:11:34 +0200
Subject: [PATCH 020/213] Fix git update detection

---
 lib/update-bridgehead.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index eefa38a..dc108f5 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -22,6 +22,7 @@ CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 CHANGES=""
 
 # Check git updates
+git_updated="false"
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
@@ -39,10 +40,9 @@ for DIR in /etc/bridgehead $(pwd); do
     git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
-  git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
@@ -68,7 +68,7 @@ for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*im
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     docker_updated="true"
   fi

From 2b788358728a786a0739f412e51dfc15b4b8bad7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 20 Oct 2022 16:55:05 +0200
Subject: [PATCH 021/213] Add housekeeping task (docker image cleanup)

---
 lib/update-bridgehead.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index dc108f5..e64abd6 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,6 +1,17 @@
 #!/bin/bash
 source lib/functions.sh
 
+AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
+
+if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
+	A="Performing automatic maintenance: Cleaning docker images."
+	hc_send log "$A"
+	log INFO "$A"
+	docker system prune -a -f
+else
+	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
+fi
+
 hc_send log "Checking for bridgehead updates ..."
 
 CONFFILE=/etc/bridgehead/$1.conf

From 07c0c4534e4067eec5cedd10d561dd8b584f4c35 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 11:45:01 +0200
Subject: [PATCH 022/213] Make this work for BBMRI-ERIC

---
 bbmri/docker-compose.yml       | 116 +++++++++++++++++++++++++++++++++
 bbmri/vars                     |   7 ++
 bridgehead                     |   2 +-
 gbn/docker-compose.yml         | 100 ----------------------------
 lib/functions.sh               |   2 +-
 lib/remove-bridgehead-units.sh |   4 +-
 lib/setup-bridgehead-units.sh  |   4 +-
 7 files changed, 129 insertions(+), 106 deletions(-)
 create mode 100644 bbmri/docker-compose.yml
 create mode 100644 bbmri/vars
 delete mode 100644 gbn/docker-compose.yml

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
new file mode 100644
index 0000000..825ec6a
--- /dev/null
+++ b/bbmri/docker-compose.yml
@@ -0,0 +1,116 @@
+version: "3.7"
+
+services:
+  traefik:
+    container_name: bridgehead-traefik
+    image: traefik:latest
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker=true
+      - --providers.file.watch=true
+      - --providers.file.directory=/configuration/
+      - --api.dashboard=true
+      - --accesslog=true # print access-logs
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+    labels:
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.middlewares=auth"
+      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /etc/bridgehead/traefik-tls:/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  forward_proxy:
+    container_name: bridgehead-forward-proxy
+    image: samply/bridgehead-forward-proxy:latest
+    environment:
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
+  landing:
+    container_name: bridgehead-landingpage
+    image: samply/bridgehead-landingpage:master
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
+    environment:
+      HOST: ${HOST}
+      PROJECT: ${PROJECT}
+      SITE_NAME: ${SITE_NAME}
+
+  blaze:
+    image: "samply/blaze:0.18"
+    container_name: bridgehead-ccp-blaze
+    environment:
+      BASE_URL: "http://bridgehead-ccp-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      LOG_LEVEL: "debug"
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
+      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
+      - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.tls=true"
+
+  spot:
+    image: samply/spot:latest
+    container_name: bridgehead-spot
+    environment:
+      SECRET: ${SPOT_BEAM_SECRET_LONG}
+      APPID: spot
+      PROXY_ID: ${PROXY_ID}
+      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
+      BEAM_PROXY: http://beam-proxy:8081
+    depends_on:
+      - "beam-proxy"
+      - "blaze"
+    labels:
+      - "traefik.enable=false"
+
+  beam-proxy:
+    image: "samply/beam-proxy:develop"
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_0_ID: spot
+      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      RUST_LOG: debug
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+    secrets:
+      - proxy.pem
+    labels:
+      - "traefik.enable=false"
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+
+
+volumes:
+  blaze-data:
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bbmri/vars b/bbmri/vars
new file mode 100644
index 0000000..8faa106
--- /dev/null
+++ b/bbmri/vars
@@ -0,0 +1,7 @@
+BROKER_ID=broker.bbmri.samply.de
+BROKER_URL=https://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=tomasik@mail.muni.cz
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bridgehead b/bridgehead
index 5548a7d..fe4bb19 100755
--- a/bridgehead
+++ b/bridgehead
@@ -32,7 +32,7 @@ case "$PROJECT" in
 	nngm)
 		#nothing extra to do
 		;;
-	gbn)
+	bbmri)
 		#nothing extra to do
 		;;
 	*)
diff --git a/gbn/docker-compose.yml b/gbn/docker-compose.yml
deleted file mode 100644
index 476d355..0000000
--- a/gbn/docker-compose.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-version: '3.7'
-
-volumes:
-  gbn-connector-logs:
-  gbn-connector-db-data:
-  gbn-store-db-data:
-
-services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: traefik:2
-    command:
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --api.dashboard=true
-      - --accesslog=true # print access-logs
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    labels:
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - ../certs:/tools/certs
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
-
-  forward_proxy:
-    container_name: bridgehead-forward-proxy
-    image: ubuntu/squid
-    environment:
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
-    volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
-  blaze:
-    image: "samply/blaze:0.17"
-    container_name: bridgehead-gbn-blaze
-    environment:
-      BASE_URL: "http://blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
-      LOG_LEVEL: "debug"
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-    - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.gbn-auth.basicauth.users=${bc_auth_users}"
-      - "traefik.http.routers.blaze_gbn.rule=PathPrefix(`/gbn-localdatamanagement`)"
-      - "traefik.http.middlewares.gbn_b_strip.stripprefix.prefixes=/gbn-localdatamanagement"
-      - "traefik.http.services.blaze_gbn.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_gbn.middlewares=gbn_b_strip,gbn-auth"
-      - "traefik.http.routers.blaze_gbn.tls=true"
-
-  gbn-connector:
-    container_name: bridgehead-gbn-connector
-    image: "samply/share-client:gbn-feature-environmentPreconfiguration"
-    environment:
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASS}
-    volumes:
-      - "gbn-connector-logs:/usr/local/tomcat/logs"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.gbn_connector.rule=PathPrefix(`/gbn-connector`)"
-      - "traefik.http.services.gbn_connector.loadbalancer.server.port=8080"
-    depends_on:
-      - "gbn-connector-db"
-    restart: "always"
-
-  gbn-connector-db:
-    image: "postgres:10.17"
-    environment:
-      POSTGRES_DB: "samply.connector"
-      POSTGRES_USER: "samply"
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASS}
-    volumes:
-      - "gbn-connector-db-data:/var/lib/postgresql/data"
-    restart: "always"
diff --git a/lib/functions.sh b/lib/functions.sh
index 5059829..e26d452 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -20,7 +20,7 @@ checkOwner(){
 
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|nngm|gbn"
+	echo "PROJECTNAME should be one of ccp|nngm|bbmri"
 }
 
 checkRequirements() {
diff --git a/lib/remove-bridgehead-units.sh b/lib/remove-bridgehead-units.sh
index 36d1dad..fa63ef4 100755
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/remove-bridgehead-units.sh
@@ -7,8 +7,8 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
-    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
+    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
     exit 1
 fi
 
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index a96e583..57f7df5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -9,8 +9,8 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "gbn" ]; then
-    log "ERROR" "Please provide a supported project like ccp, gbn or nngm"
+if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
+    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
     exit 1
 fi
 

From aa595d2ea250afc49d8bb9e30faa325bbbd86887 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 12:07:07 +0200
Subject: [PATCH 023/213] Remove landing page for BBMRI

---
 bbmri/docker-compose.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 825ec6a..4b22589 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,18 +39,18 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage:master
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
+#  landing:
+#    container_name: bridgehead-landingpage
+#    image: samply/bridgehead-landingpage:master
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+#      - "traefik.http.services.landing.loadbalancer.server.port=80"
+#      - "traefik.http.routers.landing.tls=true"
+#    environment:
+#      HOST: ${HOST}
+#      PROJECT: ${PROJECT}
+#      SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"

From b18b98e7929557b4a190cfc504a03a1abb60a9b0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Wed, 26 Oct 2022 10:10:31 +0200
Subject: [PATCH 024/213] Make bridgehead-update ignore commented out docker
 images

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index e64abd6..7212d13 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -75,7 +75,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

From d2848342893fcce331852f0cd81a10f325b4422e Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Wed, 26 Oct 2022 10:13:38 +0200
Subject: [PATCH 025/213] Use official BBMRI-ERIC support e-mail

---
 bbmri/vars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/vars b/bbmri/vars
index 8faa106..6fb693d 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -3,5 +3,5 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
-SUPPORT_EMAIL=tomasik@mail.muni.cz
+SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

From 3351e696af7416226fa52e391c7a3e6eee945198 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:44:32 +0200
Subject: [PATCH 026/213] Don't pull ubuntu image on every startup. Use
 server's full hostname.

---
 lib/functions.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index e26d452..e3df4ad 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -109,8 +109,11 @@ fail_and_report() {
 }
 
 ##Setting Network properties
-export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-export HOST=$(hostname)
+# currently not needed
+#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
+
+export HOST=$(hostname -f)
+
 export PRODUCTION="false";
 if [ "$(git branch --show-current)" == "main" ]; then
 	export PRODUCTION="true";

From 404e5440b8aa136b65fa7aa5f23a62e66e8dda6d Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 11:50:21 +0200
Subject: [PATCH 027/213] Support nngm within CCP bridgehead

---
 bridgehead              |  4 +-
 ccp/nngm-compose.yml    | 32 +++++++++++++++
 ccp/nngm-setup.sh       | 10 +++++
 ccp/vars                |  4 ++
 nngm/docker-compose.yml | 86 -----------------------------------------
 5 files changed, 48 insertions(+), 88 deletions(-)
 create mode 100644 ccp/nngm-compose.yml
 create mode 100644 ccp/nngm-setup.sh
 delete mode 100644 nngm/docker-compose.yml

diff --git a/bridgehead b/bridgehead
index fe4bb19..e1e1d0b 100755
--- a/bridgehead
+++ b/bridgehead
@@ -52,10 +52,10 @@ fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Una
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
 
-OVERRIDE=""
+OVERRIDE=${OVERRIDE:=""}
 if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 	log INFO "Applying $PROJECT/docker-compose.override.yml"
-	OVERRIDE+="-f ./$PROJECT/docker-compose.override.yml"
+	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
 fi
 
 case "$ACTION" in
diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
new file mode 100644
index 0000000..c212fed
--- /dev/null
+++ b/ccp/nngm-compose.yml
@@ -0,0 +1,32 @@
+version: "3.7"
+
+services:
+  connector:
+    container_name: bridgehead-connector
+    image: docker.verbis.dkfz.de/ccp/connector:bk2
+    environment:
+      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
+      NNGM_MAGICPL_APIKEY: ${NNGM_MAGICPL_APIKEY}
+      NNGM_MAINZELLISTE_APIKEY: ${NNGM_MAINZELLISTE_APIKEY}
+      NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
+      NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"
+      - "traefik.http.services.connector.loadbalancer.server.port=8080"
+      - "traefik.http.routers.connector.tls=true"
+
+  connector_db:
+    image: postgres:9.5-alpine
+    container_name: bridgehead-ccp-connector-db
+    volumes:
+      - "connector_db_data:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: "samplyconnector"
+      POSTGRES_USER: "samplyconnector"
+      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
+    restart: always
+
+volumes:
+  connector_db_data:
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
new file mode 100644
index 0000000..08a6d43
--- /dev/null
+++ b/ccp/nngm-setup.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+function nngmSetup() {
+	if [ -n "$NNGM_CTS_APIKEY" ]; then
+		log INFO "nNGM setup detected -- will start nNGM Connector."
+		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
+	fi
+}
+
+CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
diff --git a/ccp/vars b/ccp/vars
index ce12d1a..f5f734e 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -7,3 +7,7 @@ REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g'
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+# This will load nngm setup. Effective only if nngm configuration is defined.
+source $PROJECT/nngm-setup.sh
+nngmSetup
diff --git a/nngm/docker-compose.yml b/nngm/docker-compose.yml
deleted file mode 100644
index 3b28580..0000000
--- a/nngm/docker-compose.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-version: "3.7"
-
-services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: traefik:2.4
-    command:
-      - --api.insecure=true
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    ports:
-      - 80:80
-      - 443:443
-      - 8080:8080
-    volumes:
-      - ../certs:/tools/certs
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
-
-  ### Does need to know the outside proxy to connect central components
-  forward_proxy:
-    container_name: bridgehead-squid
-    image: ubuntu/squid
-    environment:
-      http_proxy: ${http_proxy}
-      https_proxy: ${https_proxy}
-    volumes:
-      - "bridgehead-proxy:/var/log/squid"
-    
-## Needs internal proxy config
-  landing:
-    container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
-  nngm-connector:
-      container_name: bridgehead-nngm-connector
-      image: "samply/share-client:nngm-feature-environmentPreconfiguration"
-      environment:
-        POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-        NNGM_MAGICPL_APIKEY: ${NNGM_MAGICPL_APIKEY}
-        NNGM_MAINZELLISTE_APIKEY: ${NNGM_MAINZELLISTE_APIKEY}
-        NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
-        NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
-      volumes:
-        - "nngm-connector-logs:/usr/local/tomcat/logs"
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.nngm_connector.rule=PathPrefix(`/nngm-connector`)"
-        - "traefik.http.services.nngm_connector.loadbalancer.server.port=8080"
-        - "traefik.http.routers.nngm_connector.tls=true"
-
-      depends_on:
-        - "nngm-connector-db"
-        - "forward_proxy"
-      ports:
-      - 5005:5005
-      restart: "always"
-
-  nngm-connector-db:
-      container_name: bridgehead-nngm-connector-db
-      image: "postgres:10.17"
-      environment:
-        POSTGRES_DB: "share_v2"
-        POSTGRES_USER: "samplyweb"
-        POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-      volumes:
-        - "nngm-connector-db-data:/var/lib/postgresql/data"
-      restart: "always"
-
-volumes:
-  nngm-connector-db-data:
-  nngm-connector-logs:
-  bridgehead-proxy:

From c70be3d5c94dcbaf5919de5d7a58c180510380ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Wed, 26 Oct 2022 16:18:10 +0200
Subject: [PATCH 028/213] Update README.md

---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 0bb72e1..ef0118d 100644
--- a/README.md
+++ b/README.md
@@ -132,6 +132,16 @@ If systemd is not installed, you can start the bridgehead. However, for producti
 
 ## Getting Started
 
+### Quick Start
+
+```mkdir /etc/bridgehead/ && chown -R bridgehead . /etc/bridgehead/```
+```git clone https://github.com/samply/bridgehead.git -b feature/samplyBeam```
+### Migration
+Run:
+```docker-compose down```
+For the old installation of the BH. Then replace the docker volume name for the blaze store in the BH 2.0 docker-compose.yml with the docker volume of the old Blaze store. 
+
+
 ### Installation 
 
 If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.

From 5c65ae96383e358a141be986c35c403cca719604 Mon Sep 17 00:00:00 2001
From: PierreDelpy <p.delpy@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 14:33:38 +0000
Subject: [PATCH 029/213] add port quick solution for ssl cert verification
 with portnumber; genereate persistent connector password

---
 ccp/nngm-compose.yml | 2 ++
 ccp/nngm-setup.sh    | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index c212fed..478af29 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -11,6 +11,8 @@ services:
       NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
       NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
     restart: always
+    ports:
+      - "8080:8080"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 08a6d43..bd1b6aa 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -7,4 +7,5 @@ function nngmSetup() {
 	fi
 }
 
-CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+#CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+CONNECTOR_POSTGRES_PASSWORD="$(echo -n /etc/bridgehead/pki/mannheim.priv.pem | sha256sum | head -c 20)"

From 5e5ed73c919621013e72492810995ac13543d038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Wed, 26 Oct 2022 16:34:47 +0200
Subject: [PATCH 030/213] Update README.md

---
 README.md | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index ef0118d..055a008 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ TOC
       - [docker](#dockerhttpsdocsdockercomget-docker)
       - [systemd](#systemd)
 2. [Getting Started](#getting-started)
+    - [Quick Start](#quick-start)
     - [DKTK](#dktkc4)
     - [C4](#c4)
     - [GBA/BBMRI-ERIC](#gbabbmri-eric)
@@ -134,15 +135,6 @@ If systemd is not installed, you can start the bridgehead. However, for producti
 
 ### Quick Start
 
-```mkdir /etc/bridgehead/ && chown -R bridgehead . /etc/bridgehead/```
-```git clone https://github.com/samply/bridgehead.git -b feature/samplyBeam```
-### Migration
-Run:
-```docker-compose down```
-For the old installation of the BH. Then replace the docker volume name for the blaze store in the BH 2.0 docker-compose.yml with the docker volume of the old Blaze store. 
-
-
-### Installation 
 
 If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.
 
@@ -155,10 +147,6 @@ sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
 
 It is recomended to create a user for the bridgehead service.  This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one.
 
-``` shell
-adduser --no-create-home --disabled-login --ingroup docker --gecos "" bridgehead
-```
-
 ``` shell
 useradd -M -g docker -N -s /sbin/nologin bridgehead
 ```
@@ -168,6 +156,25 @@ After adding the User you need to change the ownership of the directory to the b
 ``` shell
 chown bridgehead /srv/docker/bridgehead/ -R
 ```
+Download the configuration repository:
+
+``` shell
+sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-config /etc/bridgehead;
+```
+Change ownership:
+``` shell
+chown bridgehead /etc/bridgehead/ -R
+```
+Modify SITE_ID and SITE_NAME in bbmri.conf
+RUN:
+
+
+```shell
+sudo /etc/bridgehead/bridgehead enroll bbmri
+```
+```shell
+sudo /srv/docker/bridgehead/bridgehead start bbmri
+```
 
 ### Configuration
 

From 6a27b9a5ad90feb972ebacfb59e5cbe3215986dc Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Thu, 27 Oct 2022 11:58:24 +0200
Subject: [PATCH 031/213] Issue a warning (but don't crash) on missing
 MONITOR_APIKEY

---
 lib/monitoring.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index bdd9a35..8744d7f 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -24,8 +24,8 @@ function hc_send(){
         HCURL="https://hc-ping.com/$HCUUID"
     fi
     if [ ! -n "$HCURL" ]; then
-        log WARN "Healthcheck reporting failed: Neither Healthcheck UUID nor service set - please check config in /etc/bridgehead"
-        return 1
+        log WARN "Did not report Healthcheck: Neither Healthcheck UUID nor service set. Please define MONITOR_APIKEY in /etc/bridgehead."
+        return 0
     fi
 
     if [ -z "$UPTIME" ]; then

From c7f727afff1e69421020d1b6e400e3cf26e662e8 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 08:23:55 +0200
Subject: [PATCH 032/213] Fixed links to bbmri, instead of ccp

---
 bbmri/docker-compose.yml | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 4b22589..b891af7 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,24 +39,24 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
-#  landing:
-#    container_name: bridgehead-landingpage
-#    image: samply/bridgehead-landingpage:master
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-#      - "traefik.http.services.landing.loadbalancer.server.port=80"
-#      - "traefik.http.routers.landing.tls=true"
-#    environment:
-#      HOST: ${HOST}
-#      PROJECT: ${PROJECT}
-#      SITE_NAME: ${SITE_NAME}
+ landing:
+   container_name: bridgehead-landingpage
+   image: samply/bridgehead-landingpage:master
+   labels:
+     - "traefik.enable=true"
+     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+     - "traefik.http.services.landing.loadbalancer.server.port=80"
+     - "traefik.http.routers.landing.tls=true"
+   environment:
+     HOST: ${HOST}
+     PROJECT: ${PROJECT}
+     SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"
-    container_name: bridgehead-ccp-blaze
+    container_name: bridgehead-bbmri-blaze
     environment:
-      BASE_URL: "http://bridgehead-ccp-blaze:8080"
+      BASE_URL: "http://bridgehead-bbmri-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx4g"
       LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
@@ -65,8 +65,8 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
-      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
-      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
+      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
+      - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
@@ -78,7 +78,7 @@ services:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
       APPID: spot
       PROXY_ID: ${PROXY_ID}
-      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
+      LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY: http://beam-proxy:8081
     depends_on:
       - "beam-proxy"

From 5755baaf009e8c332750baf44048285ae93d74c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:06:43 +0200
Subject: [PATCH 033/213] Support docker compose as well as docker-compose

---
 bridgehead           | 4 ++--
 lib/prerequisites.sh | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/bridgehead b/bridgehead
index e1e1d0b..b204383 100755
--- a/bridgehead
+++ b/bridgehead
@@ -63,10 +63,10 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
-		exec docker-compose -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
 		exec ./lib/update-bridgehead.sh $PROJECT
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 2738620..dfd3cdd 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -10,9 +10,15 @@ fi
 checkOwner . bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
+if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
+	COMPOSE="docker compose"
+else
+	COMPOSE="docker-compose"
+fi
+
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
-prerequisites="git docker docker-compose"
+prerequisites="git docker $COMPOSE"
 for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?

From 2aef5f29c304d157967f21eaefe78301692009c6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:12:21 +0200
Subject: [PATCH 034/213] Move to functions.sh

---
 bridgehead           | 2 ++
 lib/functions.sh     | 9 +++++++++
 lib/prerequisites.sh | 6 ------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/bridgehead b/bridgehead
index b204383..f18311a 100755
--- a/bridgehead
+++ b/bridgehead
@@ -58,6 +58,8 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
 fi
 
+detectCompose
+
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
diff --git a/lib/functions.sh b/lib/functions.sh
index e3df4ad..b5a03a0 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -2,6 +2,15 @@
 
 source lib/log.sh
 
+detectCompose() {
+	if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
+		COMPOSE="docker compose"
+	else
+		COMPOSE="docker-compose"
+		# This is intended to fail on startup in the next prereq check.
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index dfd3cdd..d90d50e 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -10,12 +10,6 @@ fi
 checkOwner . bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
-if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
-	COMPOSE="docker compose"
-else
-	COMPOSE="docker-compose"
-fi
-
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
 prerequisites="git docker $COMPOSE"

From 6293dc65f03c7cedd8b6649013afba9dd9d2ed15 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:17:14 +0200
Subject: [PATCH 035/213] Fail in prereqs if compose does not exist

---
 lib/prerequisites.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index d90d50e..962c123 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -2,6 +2,8 @@
 
 source lib/functions.sh
 
+detectCompose
+
 if ! id "bridgehead" &>/dev/null; then
   log ERROR "User bridgehead does not exist. Please consult readme for installation."
   exit 1

From 3a668a1ccef395e8fada932bef6693edc23d8bf6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:26:17 +0200
Subject: [PATCH 036/213] Generate consistent nNGM Connector password

---
 ccp/nngm-setup.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index bd1b6aa..0a90813 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -5,7 +5,5 @@ function nngmSetup() {
 		log INFO "nNGM setup detected -- will start nNGM Connector."
 		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
 	fi
+	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -encrypt -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
-
-#CONNECTOR_POSTGRES_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-CONNECTOR_POSTGRES_PASSWORD="$(echo -n /etc/bridgehead/pki/mannheim.priv.pem | sha256sum | head -c 20)"

From 0cba5d315ad4303df8f8393551d4c9afaa026c13 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 10:37:51 +0200
Subject: [PATCH 037/213] Sign, not encrypt, to avoid openssl salt

---
 ccp/nngm-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 0a90813..501d8ce 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -5,5 +5,5 @@ function nngmSetup() {
 		log INFO "nNGM setup detected -- will start nNGM Connector."
 		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
 	fi
-	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -encrypt -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }

From e2f92017c22e665e9ebf9d67f7dd28ccb58433b5 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:04:20 +0200
Subject: [PATCH 038/213] Correcting landing page indent

Original indent was one space, should have been 2 spaces, otherwise
you get parse errors.
---
 bbmri/docker-compose.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index b891af7..42c6d20 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -39,18 +39,18 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
 
- landing:
-   container_name: bridgehead-landingpage
-   image: samply/bridgehead-landingpage:master
-   labels:
-     - "traefik.enable=true"
-     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-     - "traefik.http.services.landing.loadbalancer.server.port=80"
-     - "traefik.http.routers.landing.tls=true"
-   environment:
-     HOST: ${HOST}
-     PROJECT: ${PROJECT}
-     SITE_NAME: ${SITE_NAME}
+  landing:
+    container_name: bridgehead-landingpage
+    image: samply/bridgehead-landingpage:master
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
+    environment:
+      HOST: ${HOST}
+      PROJECT: ${PROJECT}
+      SITE_NAME: ${SITE_NAME}
 
   blaze:
     image: "samply/blaze:0.18"

From ef2965f72fa00cb9f75cb267441a0df61175b385 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:37:49 +0200
Subject: [PATCH 039/213] Make traefik use certificates at
 /etc/bridgehead/traefik-tls

---
 ccp/docker-compose.yml                      | 1 -
 lib/traefik-configuration/certificates.yaml | 8 +++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index cd6baf0..edb35c5 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -8,7 +8,6 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
-      - --providers.file.watch=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true # print access-logs
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index 2644333..af392c9 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,6 @@
 tls:
-  certificates:
-    - certFile: /certs/fullchain.pem
-      keyFile: /certs/privkey.pem
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certs/fullchain.pem
+        keyFile: /certs/privkey.pem

From 0dae36c9d9e21b1122621ebaf150469a058ef423 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:41:15 +0200
Subject: [PATCH 040/213] Reconcile BBMRI/CCP traefik configs.

---
 bbmri/docker-compose.yml | 3 +--
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 42c6d20..c49fb6f 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -8,10 +8,9 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
-      - --providers.file.watch=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
-      - --accesslog=true # print access-logs
+      - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index edb35c5..2fb494c 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       - --providers.docker=true
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
-      - --accesslog=true # print access-logs
+      - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:

From cfdcb8af86e26b1cacfe608d59c0f3f824635f54 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 11:53:50 +0200
Subject: [PATCH 041/213] Don't expose bridgehead http(s) services by default.

---
 bbmri/docker-compose.yml | 6 ++----
 ccp/docker-compose.yml   | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index c49fb6f..ee35119 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -8,12 +8,14 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
+      - "traefik.enable=true"
       - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
@@ -82,8 +84,6 @@ services:
     depends_on:
       - "beam-proxy"
       - "blaze"
-    labels:
-      - "traefik.enable=false"
 
   beam-proxy:
     image: "samply/beam-proxy:develop"
@@ -99,8 +99,6 @@ services:
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
-    labels:
-      - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
     volumes:
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2fb494c..3074f31 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -8,12 +8,14 @@ services:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
       - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
       - --api.dashboard=true
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
+      - "traefik.enable=true"
       - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
@@ -82,8 +84,6 @@ services:
     depends_on:
       - "beam-proxy"
       - "blaze"
-    labels:
-      - "traefik.enable=false"
 
   beam-proxy:
     image: "samply/beam-proxy:develop"
@@ -101,8 +101,6 @@ services:
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
     secrets:
       - proxy.pem
-    labels:
-      - "traefik.enable=false"
     depends_on:
       - "forward_proxy"
     volumes:

From 853e1d9283451911a2e5f228c0abb1b492d2f389 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Fri, 28 Oct 2022 14:26:57 +0200
Subject: [PATCH 042/213] Make compose check not fail

---
 lib/prerequisites.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 962c123..859b690 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -14,7 +14,7 @@ checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
-prerequisites="git docker $COMPOSE"
+prerequisites="git docker"
 for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?

From 292d71b6c267a1ac631c9d173acc00adbd618034 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 15:14:34 +0200
Subject: [PATCH 043/213] Support docker installation via snap, e.g. Ubuntu
 22.04

---
 lib/functions.sh                | 16 ++++++++++++++++
 lib/setup-bridgehead-units.sh   |  6 ++++++
 lib/systemd/bridgehead@.service |  2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index b5a03a0..7367c66 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,6 +11,22 @@ detectCompose() {
 	fi
 }
 
+# https://unix.stackexchange.com/questions/539147
+systemctl-exists() {
+	[ $(systemctl list-unit-files "${1}*" | wc -l) -gt 3 ]
+}
+
+dockerUnitName() {
+	if systemctl-exists docker.service; then
+		echo "docker.service"
+	elif systemctl-exists snap.docker.dockerd.service; then
+		echo "snap.docker.dockerd.service"
+	else
+		log ERROR "Unable to detect docker systemd unit."
+		fail_and_report 1 "Unable to detect docker systemd unit."
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 57f7df5..fa50fd5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -40,6 +40,12 @@ cp -v \
     lib/systemd/bridgehead-update\@.timer \
     /etc/systemd/system/
 
+log INFO "Setting Docker unit ..."
+
+for file in $(find /etc/systemd/system -mindepth 1 -maxdepth 1 -type f -name "bridgehead*"); do
+	sed -i "s/DOCKER_UNIT_NAME/$(dockerUnitName)/g" $file
+done
+
 systemctl daemon-reload
 
 log INFO "Trying to update your bridgehead ..."
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 7645793..253eb8a 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bridgehead (%i)
-Requires=docker.service
+Requires=DOCKER_UNIT_NAME
 
 [Service]
 User=bridgehead

From 5e31da513925d5161aaac8633d7af3596ae50408 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 28 Oct 2022 15:25:06 +0200
Subject: [PATCH 044/213] Unfortunately, we cannot support docker snap
 installations, cf.
 https://askubuntu.com/questions/1374480/docker-compose-installed-with-snap-gives-error-on-yml-file

This reverts commit 292d71b6c267a1ac631c9d173acc00adbd618034.
---
 lib/functions.sh                | 16 ----------------
 lib/setup-bridgehead-units.sh   |  6 ------
 lib/systemd/bridgehead@.service |  2 +-
 3 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 7367c66..b5a03a0 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,22 +11,6 @@ detectCompose() {
 	fi
 }
 
-# https://unix.stackexchange.com/questions/539147
-systemctl-exists() {
-	[ $(systemctl list-unit-files "${1}*" | wc -l) -gt 3 ]
-}
-
-dockerUnitName() {
-	if systemctl-exists docker.service; then
-		echo "docker.service"
-	elif systemctl-exists snap.docker.dockerd.service; then
-		echo "snap.docker.dockerd.service"
-	else
-		log ERROR "Unable to detect docker systemd unit."
-		fail_and_report 1 "Unable to detect docker systemd unit."
-	fi
-}
-
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index fa50fd5..57f7df5 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -40,12 +40,6 @@ cp -v \
     lib/systemd/bridgehead-update\@.timer \
     /etc/systemd/system/
 
-log INFO "Setting Docker unit ..."
-
-for file in $(find /etc/systemd/system -mindepth 1 -maxdepth 1 -type f -name "bridgehead*"); do
-	sed -i "s/DOCKER_UNIT_NAME/$(dockerUnitName)/g" $file
-done
-
 systemctl daemon-reload
 
 log INFO "Trying to update your bridgehead ..."
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 253eb8a..7645793 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Bridgehead (%i)
-Requires=DOCKER_UNIT_NAME
+Requires=docker.service
 
 [Service]
 User=bridgehead

From c6a807d717ed5bcd50c50e0f481a9b56a8fef6d8 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 31 Oct 2022 08:26:25 +0100
Subject: [PATCH 045/213] Added Report Hub for EXLIQUID

---
 ccp/exliquid-compose.yml | 38 ++++++++++++++++++++++++++++++++++++++
 ccp/exliquid-setup.sh    |  8 ++++++++
 ccp/vars                 |  2 ++
 3 files changed, 48 insertions(+)
 create mode 100644 ccp/exliquid-compose.yml
 create mode 100644 ccp/exliquid-setup.sh

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
new file mode 100644
index 0000000..0967ead
--- /dev/null
+++ b/ccp/exliquid-compose.yml
@@ -0,0 +1,38 @@
+version: "3.7"
+
+services:
+  task-store:
+    image: "samply/blaze:0.18"
+    container_name: bridgehead-task-store
+    environment:
+      BASE_URL: "http://localhost:8083"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+    volumes:
+    - "task-store-data:/app/data"
+    labels:
+      - "traefik.enable=false"
+
+  report-hub:
+    image: "samply/report-hub:latest"
+    container_name: bridgehead-report-hub
+    environment:
+      BASE_URL: "http://ccp-task-store:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1g"
+      LOG_LEVEL: "debug"
+      PROXY_ID: "report-hub.${PROXY_ID}"
+      SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+      TASK_STORE: "http://bridgehead-task-store:8080/fhir"
+      LDM_URL:  http://bridgehead-ccp-blaze:8080/fhir
+      BEAM_PROXY: "http://beam-proxy:8081"
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-report-hub`)"
+      - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub"
+      - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_t_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.tls=true"
+
+volumes:
+  task-store-data:
\ No newline at end of file
diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
new file mode 100644
index 0000000..59d8877
--- /dev/null
+++ b/ccp/exliquid-setup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+function exliquidSetup() {
+	if [ -n "$EXLIQUID" ]; then
+		log INFO "EXLIQUID setup detected -- will start Reporthub."
+		OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
+	fi
+}
\ No newline at end of file
diff --git a/ccp/vars b/ccp/vars
index f5f734e..63def80 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -11,3 +11,5 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
+source $PROJECT/exliquid-setup.sh
+exliquidSetup

From 3f5463318d9c4d0920223f22ef1c9ac1f343eac7 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 31 Oct 2022 11:26:00 +0100
Subject: [PATCH 046/213] Fixed labels

---
 ccp/exliquid-compose.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 0967ead..60aeb1b 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -28,11 +28,11 @@ services:
     restart: always
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-report-hub`)"
+      - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)"
       - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub"
-      - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_ccp.middlewares=ccp_t_strip,ccp-auth"
-      - "traefik.http.routers.blaze_ccp.tls=true"
+      - "traefik.http.services.report-ccp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.report-ccp.middlewares=ccp_t_strip"
+      - "traefik.http.routers.report-ccp.tls=true"
 
 volumes:
   task-store-data:
\ No newline at end of file

From fc3198d22c848d1d381ad8eeda9aabe0a4ee2873 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 31 Oct 2022 15:30:32 +0100
Subject: [PATCH 047/213] Fixed task store base url

---
 ccp/exliquid-compose.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 60aeb1b..2c97b83 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -5,7 +5,7 @@ services:
     image: "samply/blaze:0.18"
     container_name: bridgehead-task-store
     environment:
-      BASE_URL: "http://localhost:8083"
+      BASE_URL: "http://bridgehead-task-store:8080"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       LOG_LEVEL: "debug"
     volumes:
@@ -17,7 +17,7 @@ services:
     image: "samply/report-hub:latest"
     container_name: bridgehead-report-hub
     environment:
-      BASE_URL: "http://ccp-task-store:8080"
+      BASE_URL: "http://bridgehead-report-hub:8080"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       LOG_LEVEL: "debug"
       PROXY_ID: "report-hub.${PROXY_ID}"

From b232fdb926236ba0e8ca817ea6e2ebca59a66f1e Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Wed, 2 Nov 2022 09:30:57 +0100
Subject: [PATCH 048/213] remove http ports

---
 ccp/nngm-compose.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index 478af29..c212fed 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -11,8 +11,6 @@ services:
       NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
       NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
     restart: always
-    ports:
-      - "8080:8080"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"

From 0e10205f1a97179a002b650f4eb31604860ccd5b Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 25 Oct 2022 15:30:14 +0200
Subject: [PATCH 049/213] fix: LDM Password is now generated at Installation

---
 lib/setup-bridgehead-units.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 57f7df5..f99bab0 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -33,6 +33,19 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
+log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+
+log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
+parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd)
+
+mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d
+cat <<EOF > /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf
+[Service]
+Environment=bc_auth_users=${parsed_passwd}
+EOF
+
+
 log "INFO" "Register system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \

From ee3ea2b51416cbd2bf3c58dc333cea977cfb3e3e Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:42:07 +0200
Subject: [PATCH 050/213] Updated README

---
 README.md | 129 +++++-------------------------------------------------
 1 file changed, 12 insertions(+), 117 deletions(-)

diff --git a/README.md b/README.md
index 055a008..06ffcea 100644
--- a/README.md
+++ b/README.md
@@ -204,141 +204,36 @@ To shutdown the bridgehead just run.
 /srv/docker/bridgehead/bridgehead stop <Project>
 ```
 
-### Systemd service configuration
+### Local Datamanagement Security
 
 For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script:
 ``` shell
 sudo /srv/docker/bridgehead/bridgehead install <Project>
 ```
 
-This will install the systemd units to run and update the bridghead.
-
-Finally, you need to configure your sites secrets. These are places as configuration for each bridgehead system unit. Refer to the section for your specific project:
-
-For Every project you need to set the proxy this way, if you have one. This is done with the ```systemctl edit``` comand.
-
-``` shell
-sudo systemctl edit bridgehead@<project>.service;
-sudo systemctl edit bridgehead-update@<project>.service;
-```
-
-``` conf
-[Service]
-Environment=http_proxy=<proxy-url>
-Environment=https_proxy=<proxy-url>
-```
-
-There a further configurations for each project.
-
-#### CCP(DKTK/C4)
-
-For the federate search please follow the basic auth configuration step.
-
-### DKTK/C4
-
-You can create the site specific configuration with: 
-
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
-
-``` conf
-[Service]
-Environment=http_proxy=
-Environment=https_proxy=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@ccp.service;
-```
-
-You can create the site specific configuration with: 
-
-``` shell
-sudo systemctl edit bridgehead@c4.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
-
-``` conf
-[Service]
-Environment=http_proxy=
-Environment=https_proxy=
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-Environment=ML_DB_PASS=
-Environment=MAGICPL_API_KEY=
-Environment=MAGICPL_MAINZELLISTE_API_KEY=
-Environment=MAGICPL_API_KEY_CONNECTOR=
-Environment=MAGICPL_MAINZELLISTE_CENTRAL_API_KEY=
-Environment=MAGICPL_CENTRAL_API_KEY=
-Environment=MAGICPL_OIDC_CLIENT_ID=
-Environment=MAGICPL_OIDC_CLIENT_SECRET=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@c4.service;
-```
-### GBA/BBMRI-ERIC
-
-You can create the site specific configuration with: 
-
-``` shell
-sudo systemctl edit bridgehead@gbn.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
-
-``` conf
-[Service]
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@gbn.service;
-```
-
-## Configuration
+This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead.
 
 ### Basic Auth
 
-For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. If you start the bridgehead without basic auth, then those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions.
+For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. 
+Cation: If you start the bridgehead without the authenfication, then those services are not accesbile.
+We generate such a combination at the first install. Also, we provide a script which generates such a combination for you.
 
 ``` shell
 add_user.sh
 ```
 
-The result needs to be set in either in the systemd service or in your console.
+The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/<project>.local.conf</project>```
 
+It should look like this
 
-#### Console
-
-When just running the bridgehead you need to export the auth variable. Be aware that this export is only for the current session in the environment and after exit it will not be accessible anymore.
-
-``` shell
-export bc_auth_user=<output>
+```conf
+LDM_Password='<project>:$...$.....$...............'
 ```
 
-Cation: you need to escape occrring dollar signs.
+You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```<project>.local.conf``` wiht comma seperation.
+
+## Configuration
 
 #### systemd
 

From ce386f5a2a156f41ea371d3e5262ea601c717b15 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 26 Oct 2022 10:48:55 +0200
Subject: [PATCH 051/213] fix: Moved LDM Password to /etc/bridgehead

---
 ccp/docker-compose.yml        |  4 ++--
 lib/setup-bridgehead-units.sh | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 3074f31..dfc7d34 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
       - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
     ports:
       - 80:80
       - 443:443
@@ -65,7 +65,7 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index f99bab0..7518f3a 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -33,18 +33,17 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
-log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
-generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
+if [ -z "$LDM_LOGIN" ]; then
+  log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
-log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd)
-
-mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d
-cat <<EOF > /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf
-[Service]
-Environment=bc_auth_users=${parsed_passwd}
-EOF
+  log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
+  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n')
 
+  log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
+  echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"
 cp -v \

From 7ea5e928fcf81f693b7e1e7bcd95b4b4bdcf8233 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 09:26:01 +0100
Subject: [PATCH 052/213] Removed add_bc_user.sh

---
 README.md                     | 20 +++-----------------
 bbmri/docker-compose.yml      |  4 ++--
 lib/add_bc_user.sh            | 10 ----------
 lib/setup-bridgehead-units.sh |  5 +++--
 4 files changed, 8 insertions(+), 31 deletions(-)
 delete mode 100755 lib/add_bc_user.sh

diff --git a/README.md b/README.md
index 06ffcea..0e4c762 100644
--- a/README.md
+++ b/README.md
@@ -215,23 +215,9 @@ This will install the systemd units to run and update the bridghead. Also, this
 
 ### Basic Auth
 
-For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. 
-Cation: If you start the bridgehead without the authenfication, then those services are not accesbile.
-We generate such a combination at the first install. Also, we provide a script which generates such a combination for you.
-
-``` shell
-add_user.sh
-```
-
-The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/<project>.local.conf</project>```
-
-It should look like this
-
-```conf
-LDM_Password='<project>:$...$.....$...............'
-```
-
-You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```<project>.local.conf``` wiht comma seperation.
+For Data protection we use basic authentification for some services. To access those services you need an username and password combination. 
+Caution: If you start the bridgehead without the authentification, then those services are not accessible.
+We generate such a combination at the first install (`/etc/bridgehead/<Project>.local.conf`). 
 
 ## Configuration
 
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index ee35119..4188714 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
       - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
     ports:
       - 80:80
       - 443:443
@@ -65,7 +65,7 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}"
+      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
diff --git a/lib/add_bc_user.sh b/lib/add_bc_user.sh
deleted file mode 100755
index 8185658..0000000
--- a/lib/add_bc_user.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash -e
-source lib/functions.sh
-
-log "INFO" "This script add's a user with password to the bridghead"
-
-read -p 'Username: ' bc_user
-read -sp 'Password: ' bc_password
-
-log "INFO" "\nPlease export the line in the your environment. Please replace the dollar signs with with \\\$"
-docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 7518f3a..820d6f6 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -39,10 +39,11 @@ if [ -z "$LDM_LOGIN" ]; then
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n')
+  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
+  printf  "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf;
 
   log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
-  echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+  echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"

From 038d8d69f69be0576516eb78a2ceb23835de06e3 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:19:15 +0100
Subject: [PATCH 053/213] Make LDM password nicer

---
 bbmri/docker-compose.yml      | 3 +--
 bridgehead                    | 1 +
 ccp/docker-compose.yml        | 3 +--
 lib/functions.sh              | 7 +++++++
 lib/setup-bridgehead-units.sh | 7 ++-----
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 4188714..b1a47b5 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -65,11 +65,10 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
diff --git a/bridgehead b/bridgehead
index f18311a..3297c65 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,6 +59,7 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
+setLdmPassword
 
 case "$ACTION" in
 	start)
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index dfc7d34..989cc84 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -65,11 +65,10 @@ services:
       - "blaze-data:/app/data"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
       - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
       - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
       - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,ccp-auth"
+      - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
diff --git a/lib/functions.sh b/lib/functions.sh
index b5a03a0..3dd47cb 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,6 +11,13 @@ detectCompose() {
 	fi
 }
 
+setLdmPassword() {
+	if [ -z "$LDM_PASSWORD" ]; then
+		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
+		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+	fi
+}
+
 exitIfNotRoot() {
   if [ "$EUID" -ne 0 ]; then
     log "ERROR" "Please run as root"
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 820d6f6..519f224 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -35,15 +35,12 @@ EOF
 
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_LOGIN" ]; then
-  log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
+  log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
   parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
-  printf  "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf;
-
-  log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
-  echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
+  echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
 log "INFO" "Register system units for bridgehead and bridgehead-update"

From 6394e1fa822a6b295740866458a246542d64bcc1 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:23:25 +0100
Subject: [PATCH 054/213] Check for LDM_PASSWORD

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 3dd47cb..e55d31a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -12,7 +12,7 @@ detectCompose() {
 }
 
 setLdmPassword() {
-	if [ -z "$LDM_PASSWORD" ]; then
+	if [ -n "$LDM_PASSWORD" ]; then
 		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
 		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
 	fi

From a9864a928c70c1ae42ac8c6b5eb297b3aafb8c91 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:26:29 +0100
Subject: [PATCH 055/213] Remove unnecessary docker run

---
 lib/setup-bridgehead-units.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 519f224..34ab6dc 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -39,7 +39,6 @@ if [ -z "$LDM_LOGIN" ]; then
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
-  parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 

From 729d4e2c1e242798c80d57ef360f169fb435644c Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:29:52 +0100
Subject: [PATCH 056/213] Check against LDM_PASSWORD

---
 bridgehead                    | 2 +-
 lib/setup-bridgehead-units.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 3297c65..babfaab 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,13 +59,13 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
-setLdmPassword
 
 case "$ACTION" in
 	start)
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
+		setLdmPassword
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 34ab6dc..c5bb421 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -34,7 +34,7 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
-if [ -z "$LDM_LOGIN" ]; then
+if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 

From 3ead08fae146b78edd50097f13ef00dec9b78c19 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:38:46 +0100
Subject: [PATCH 057/213] Add export

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index e55d31a..0a0ab0a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -14,7 +14,7 @@ detectCompose() {
 setLdmPassword() {
 	if [ -n "$LDM_PASSWORD" ]; then
 		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
-		LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+		export LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
 	fi
 }
 

From 6cd682e42c4b1d2c6fd4e55d2cd789a4a7855416 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 17:41:05 +0100
Subject: [PATCH 058/213] Add export

---
 bridgehead | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bridgehead b/bridgehead
index babfaab..fc454fd 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,7 +65,9 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
+		set -a
 		setLdmPassword
+		set +a
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)

From 62b8cabb31bb6019f0a74a04b24538201b374ebb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 18:14:11 +0100
Subject: [PATCH 059/213] Fix getting LDM_LOGIN

---
 bridgehead       | 4 +---
 lib/functions.sh | 7 ++++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/bridgehead b/bridgehead
index fc454fd..68e8933 100755
--- a/bridgehead
+++ b/bridgehead
@@ -65,9 +65,7 @@ case "$ACTION" in
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
-		set -a
-		setLdmPassword
-		set +a
+		export LDM_LOGIN=$(getLdmPassword)
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
diff --git a/lib/functions.sh b/lib/functions.sh
index 0a0ab0a..6c81d7b 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,10 +11,11 @@ detectCompose() {
 	fi
 }
 
-setLdmPassword() {
+getLdmPassword() {
 	if [ -n "$LDM_PASSWORD" ]; then
-		log DEBUG "Transforming LDM_PASSWORD into LDM_LOGIN ..."
-		export LDM_LOGIN=$(docker run --rm -it httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r')
+		docker run --rm httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
+	else
+		echo -n ""
 	fi
 }
 

From 1b0fd61863a81626fae76bf18699c7b88043169b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 3 Nov 2022 18:15:45 +0100
Subject: [PATCH 060/213] Make local passwords longer

---
 lib/setup-bridgehead-units.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index c5bb421..d258c0b 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -36,7 +36,7 @@ EOF
 # TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
-  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
 
   log "INFO" "Your generated credentials are:\n            user: $PROJECT\n            password: $generated_passwd"
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;

From 6b2168ff1111d5e9dd679c623b633ba2664ba268 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 13:09:11 +0100
Subject: [PATCH 061/213] Allow to read hostname from config file

---
 bridgehead       | 1 +
 lib/functions.sh | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 68e8933..3054ebd 100755
--- a/bridgehead
+++ b/bridgehead
@@ -59,6 +59,7 @@ if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 fi
 
 detectCompose
+setHostname
 
 case "$ACTION" in
 	start)
diff --git a/lib/functions.sh b/lib/functions.sh
index 6c81d7b..1ac7d60 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -125,12 +125,17 @@ fail_and_report() {
 	exit $1
 }
 
+setHostname() {
+	if [ -z "$HOST" ]; then
+		export HOST=$(hostname -f)
+		log DEBUG "Using auto-detected hostname $HOST."
+	fi
+}
+
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 
-export HOST=$(hostname -f)
-
 export PRODUCTION="false";
 if [ "$(git branch --show-current)" == "main" ]; then
 	export PRODUCTION="true";

From 9b3acb48995dee6334929537a3d4e999d9d5a0f3 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 15:26:27 +0100
Subject: [PATCH 062/213] Report git errors

---
 lib/functions.sh         | 6 +++++-
 lib/update-bridgehead.sh | 9 +++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 6c81d7b..bceb34a 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -119,9 +119,13 @@ fixPermissions() {
 
 source lib/monitoring.sh
 
-fail_and_report() {
+report_error() {
 	log ERROR "$2"
 	hc_send $1 "$2"
+}
+
+fail_and_report() {
+	report_error $@
 	exit $1
 }
 
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 7212d13..636c585 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -43,12 +43,13 @@ for DIR in /etc/bridgehead $(pwd); do
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTP_PROXY_URL" ]; then
     log "INFO" "Git is using no proxy!"
-    git -C $DIR fetch 2>&1
-    git -C $DIR pull 2>&1
+    OUT=$(git -C $DIR fetch 2>&1 && git -C $DIR pull 2>&1)
   else
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
-    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1
-    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
+    OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
+  fi
+  if [ $? -ne 0 ]; then
+    report_error 1 "Unable to update git $DIR: $OUT"
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then

From ebc1b87dc2b24e01dfac6c0e28ff2c996da82923 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 15:54:08 +0100
Subject: [PATCH 063/213] feature: Added warning for modified working
 directories

---
 lib/update-bridgehead.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 636c585..a62f7fa 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -51,6 +51,11 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ $? -ne 0 ]; then
     report_error 1 "Unable to update git $DIR: $OUT"
   fi
+  OUT="$(git -C $DIR status --porcelain)"
+  if [ -n "$OUT" ]; then
+    report_error 1 "The workingdirectory in $DIR is modified. Following files are changed: $OUT"
+  fi
+
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"

From 8c18426d283545323d73d96145f18ec3255695d8 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:12:08 +0100
Subject: [PATCH 064/213] Move warning up

---
 lib/update-bridgehead.sh | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index a62f7fa..69b3887 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -36,6 +36,11 @@ CHANGES=""
 git_updated="false"
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
+  OUT="$(git -C $DIR status --porcelain)"
+  if [ -n "$OUT" ]; then
+    log WARN "The working directory $DIR is modified. Changed files: $OUT"
+    report_error 1 "The working directory $DIR is modified. Changed files: $OUT"
+  fi
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
     log "INFO" "Configuring repo to use bridgehead git credential helper."
     git -C $DIR config credential.helper "$CREDHELPER"
@@ -51,10 +56,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ $? -ne 0 ]; then
     report_error 1 "Unable to update git $DIR: $OUT"
   fi
-  OUT="$(git -C $DIR status --porcelain)"
-  if [ -n "$OUT" ]; then
-    report_error 1 "The workingdirectory in $DIR is modified. Following files are changed: $OUT"
-  fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ "$old_git_hash" != "$new_git_hash" ]; then

From ceda942731361772f88eb4d890cd01a6e32a317e Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:12:24 +0100
Subject: [PATCH 065/213] Remove errors in old git versions

---
 lib/functions.sh | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index bceb34a..b308abb 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -134,8 +134,3 @@ fail_and_report() {
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 
 export HOST=$(hostname -f)
-
-export PRODUCTION="false";
-if [ "$(git branch --show-current)" == "main" ]; then
-	export PRODUCTION="true";
-fi

From 3234a81aa216b400d7db0beb7885148e5489ee8b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 16:18:30 +0100
Subject: [PATCH 066/213] Report current git commits

---
 lib/prerequisites.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 859b690..c2a4e34 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,7 +71,10 @@ else
   exit 1
 fi
 
-log INFO "Success - all prerequisites are met!"
-hc_send log "Success - all prerequisites are met!"
+COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+
+log INFO "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
+hc_send log "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
 
 exit 0

From 895ee372964fb208ad96dff352991ee4507e957c Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:18:09 +0100
Subject: [PATCH 067/213] Report git commits in user agent to monitoring

---
 lib/monitoring.sh    | 11 +++++++++--
 lib/prerequisites.sh |  7 ++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index 8744d7f..07509fd 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -11,6 +11,7 @@ function hc_set_service(){
 }
 
 UPTIME=
+USER_AGENT="git-unknown"
 
 function hc_send(){
     if [ -n "$MONITOR_APIKEY" ]; then
@@ -32,10 +33,16 @@ function hc_send(){
         UPTIME=$(docker ps -a --format 'table {{.Names}} \t{{.RunningFor}} \t {{.Status}} \t {{.Image}}' --filter name=bridgehead || echo "Unable to get docker statistics")
     fi
 
+    if [ -z "$USER_AGENT" ]; then
+        COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+        COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        USER_AGENT="srv:$COMMIT_SRV etc:$COMMIT_ETC"
+    fi
+
     if [ -n "$2" ]; then
         MSG="$2\n\nDocker stats:\n$UPTIME"
-        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     else
-        https_proxy=$HTTPS_PROXY_URL curl -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     fi
 }
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index c2a4e34..859b690 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,10 +71,7 @@ else
   exit 1
 fi
 
-COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
-COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
-
-log INFO "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
-hc_send log "Success - all prerequisites are met! Git commits: etc:$COMMIT_ETC srv:$COMMIT_SRV"
+log INFO "Success - all prerequisites are met!"
+hc_send log "Success - all prerequisites are met!"
 
 exit 0

From b28fb2881cea5782b80c9e8d4367592fd400eccd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:20:17 +0100
Subject: [PATCH 068/213] Bugfix

---
 lib/monitoring.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index 07509fd..daa388f 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -11,7 +11,7 @@ function hc_set_service(){
 }
 
 UPTIME=
-USER_AGENT="git-unknown"
+USER_AGENT=
 
 function hc_send(){
     if [ -n "$MONITOR_APIKEY" ]; then

From 865870ea9118af2d8a0886e4ce5dfb0cce09bf65 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 4 Nov 2022 17:24:23 +0100
Subject: [PATCH 069/213] Until all BBMRI-ERIC bridgeheads are onboarded with
 git, don't consider missing git info an error

---
 lib/update-bridgehead.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 69b3887..3201fc5 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -39,7 +39,7 @@ for DIR in /etc/bridgehead $(pwd); do
   OUT="$(git -C $DIR status --porcelain)"
   if [ -n "$OUT" ]; then
     log WARN "The working directory $DIR is modified. Changed files: $OUT"
-    report_error 1 "The working directory $DIR is modified. Changed files: $OUT"
+    report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
     log "INFO" "Configuring repo to use bridgehead git credential helper."
@@ -54,7 +54,7 @@ for DIR in /etc/bridgehead $(pwd); do
     OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
   fi
   if [ $? -ne 0 ]; then
-    report_error 1 "Unable to update git $DIR: $OUT"
+    report_error log "Unable to update git $DIR: $OUT"
   fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"

From bece71441ce9bf7106bdc96558411a72746af6e3 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 8 Nov 2022 10:39:11 +0100
Subject: [PATCH 070/213] Support DNPM

---
 ccp/vars                        |   4 ++
 dnpm/dnpm-compose.yml           | 104 ++++++++++++++++++++++++++++++++
 dnpm/dnpm-setup.sh              |  11 ++++
 dnpm/origin/Backend.Dockerfile  |  66 ++++++++++++++++++++
 dnpm/origin/Frontend.Dockerfile |  39 ++++++++++++
 dnpm/origin/logback.xml         |  37 ++++++++++++
 6 files changed, 261 insertions(+)
 create mode 100644 dnpm/dnpm-compose.yml
 create mode 100644 dnpm/dnpm-setup.sh
 create mode 100644 dnpm/origin/Backend.Dockerfile
 create mode 100644 dnpm/origin/Frontend.Dockerfile
 create mode 100644 dnpm/origin/logback.xml

diff --git a/ccp/vars b/ccp/vars
index f5f734e..c334d4e 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -11,3 +11,7 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
+
+# This will load DNPM setup. Effective only if DNPM configuration is defined in /etc/bridgehead/dnpm.
+source dnpm/dnpm-setup.sh
+dnpmSetup
diff --git a/dnpm/dnpm-compose.yml b/dnpm/dnpm-compose.yml
new file mode 100644
index 0000000..1904123
--- /dev/null
+++ b/dnpm/dnpm-compose.yml
@@ -0,0 +1,104 @@
+version: "3.7"
+
+secrets:
+  connect_targets.json:
+    file: /etc/bridgehead/dnpm/local_targets.json
+
+services:
+#  traefik:
+#    command:
+#      - --entrypoints.dnpm-frontend.address=:3000
+#      - --entrypoints.dnpm-backend.address=:9000
+#    ports:
+#      - 3000:3000
+#      - 9000:9000
+  beam-proxy:
+    environment:
+      APP_2_ID: dnpm
+      APP_2_KEY: ${DNPM_BEAM_SECRET_SHORT}
+
+  dnpm-beam-connect:
+    depends_on: [ beam-proxy ]
+    image: samply/beam-connect:sites-without-auth
+    environment:
+      PROXY_URL: http://beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm.${PROXY_ID}
+      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
+      LOCAL_TARGETS_FILE: /run/secrets/connect_targets.json
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: proxy,dnpm-backend
+      RUST_LOG: ${RUST_LOG:-info}
+    secrets:
+      - connect_targets.json
+# Enable this if you disable the internal DNPM backend/frontend
+#    ports:
+#      - 8062:8062
+# or the same via traefik:
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.connector.rule=PathPrefix(`/dnpm-connector`)"
+#      - "traefik.http.services.connector.loadbalancer.server.port=8062"
+#      - "traefik.http.routers.connector.tls=true"
+
+  dnpm-frontend:
+    depends_on: [ dnpm-backend ]
+    build:
+      context: ./dnpm/origin
+      dockerfile: Frontend.Dockerfile
+      args:
+        NUXT_HOST: 0.0.0.0
+        NUXT_PORT: 3000
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: localhost
+        BACKEND_PORT: 9000
+        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+    ports:
+        - 3000:3000
+    environment:
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: localhost
+        BACKEND_PORT: 9000
+        no_proxy: dnpm-backend
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.dnpm-frontend.entrypoints=dnpm-frontend"
+#      - "traefik.http.routers.dnpm-frontend.tls=true"
+#      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+##      - "traefik.http.routers.dashboard.entrypoints=websecure"
+##      - "traefik.http.routers.dashboard.service=api@internal"
+##      - "traefik.http.routers.dashboard.tls=true"
+##      - "traefik.http.routers.dashboard.middlewares=auth"
+##      - "traefik.http.routers.dnpm-frontend.service=dnpm-frontend"
+
+  dnpm-backend:
+    build:
+      context: ./dnpm/origin
+      dockerfile: Backend.Dockerfile
+      args:
+        BWHC_BASE_DIR: /bwhc-backend
+        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
+    ports:
+      - 9000:9000
+    environment:
+      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
+      ZPM_SITE: ${ZPM_SITE}
+      noproxy: dnpm-frontend,connect
+      # PLAY_HTTP_PORT: 9000
+      # PLAY_HTTP_ADDRESS: 0.0.0.0
+    volumes:
+      - ./origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
+      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
+      - bwhc_data:/bwhc-backend/data/
+      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
+#    labels:
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.connector.rule=PathPrefix(`/dnpm-backend`)"
+#      - "traefik.http.services.connector.loadbalancer.server.port=9000"
+#      - "traefik.http.routers.connector.tls=true"
+
+volumes:
+  bwhc_data:
+  bwhc_hgnc_data:
diff --git a/dnpm/dnpm-setup.sh b/dnpm/dnpm-setup.sh
new file mode 100644
index 0000000..f8893a3
--- /dev/null
+++ b/dnpm/dnpm-setup.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+function dnpmSetup() {
+	if [ -e /etc/bridgehead/dnpm/local_targets.json ]; then
+		log INFO "DNPM setup detected -- will start DNPM Connector."
+		source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
+		OVERRIDE+="-f ./dnpm/dnpm-compose.yml"
+		DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+		DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	fi
+}
diff --git a/dnpm/origin/Backend.Dockerfile b/dnpm/origin/Backend.Dockerfile
new file mode 100644
index 0000000..e37c008
--- /dev/null
+++ b/dnpm/origin/Backend.Dockerfile
@@ -0,0 +1,66 @@
+FROM openjdk:11-jre AS builder
+
+ARG DNPM_BWHC_BACKEND_ZIP
+
+# Change to latest release
+ARG VERSION=broker
+
+ARG BWHC_BASE_DIR=/bwhc-backend
+
+ENV BWHC_BASE_DIR=$BWHC_BASE_DIR
+ENV BWHC_USER_DB_DIR=$BWHC_BASE_DIR/data/user-db
+ENV BWHC_DATA_ENTRY_DIR=$BWHC_BASE_DIR/data/data-entry
+ENV BWHC_QUERY_DATA_DIR=$BWHC_BASE_DIR/data/query-data
+
+ADD ${DNPM_BWHC_BACKEND_ZIP} /
+RUN unzip $(basename ${DNPM_BWHC_BACKEND_ZIP}) && rm $(basename ${DNPM_BWHC_BACKEND_ZIP})
+
+WORKDIR $BWHC_BASE_DIR
+
+# Prepare config file to use environment variables from docker
+RUN sed -i -r "s/APPLICATION_SECRET(.*)/#APPLICATION_SECRET\1/" ./config
+RUN sed -i -r "s/ZPM_SITE(.*)/#ZPM_SITE\1/" ./config
+
+# Prepare config file to use fix environment variables for this image
+RUN sed -i -r "s~BWHC_DATA_ENTRY_DIR.*~BWHC_DATA_ENTRY_DIR=$BWHC_DATA_ENTRY_DIR~" ./config
+RUN sed -i -r "s~BWHC_QUERY_DATA_DIR.*~BWHC_QUERY_DATA_DIR=$BWHC_QUERY_DATA_DIR~" ./config
+RUN sed -i -r "s~BWHC_USER_DB_DIR.*~BWHC_USER_DB_DIR=$BWHC_USER_DB_DIR~" ./config
+
+RUN ./install.sh $BWHC_BASE_DIR
+
+RUN mv bwhc-rest-api-gateway-*/  bwhc-rest-api-gateway/
+
+FROM openjdk:11-jre
+
+ARG BWHC_BASE_DIR=/bwhc-backend
+
+ENV BWHC_BASE_DIR=$BWHC_BASE_DIR
+ENV BWHC_USER_DB_DIR=$BWHC_BASE_DIR/data/user-db
+ENV BWHC_DATA_ENTRY_DIR=$BWHC_BASE_DIR/data/data-entry
+ENV BWHC_QUERY_DATA_DIR=$BWHC_BASE_DIR/data/query-data
+ENV BWHC_CONNECTOR_CONFIG=$BWHC_BASE_DIR/bwhcConnectorConfig.xml
+
+COPY --from=builder $BWHC_BASE_DIR/config $BWHC_BASE_DIR/
+COPY --from=builder $BWHC_BASE_DIR/bwhcConnectorConfig.xml $BWHC_BASE_DIR/
+COPY --from=builder $BWHC_BASE_DIR/logback.xml $BWHC_BASE_DIR/
+COPY --from=builder $BWHC_BASE_DIR/production.conf $BWHC_BASE_DIR/
+COPY --from=builder $BWHC_BASE_DIR/bwhc-rest-api-gateway/ $BWHC_BASE_DIR/bwhc-rest-api-gateway/
+
+VOLUME $BWHC_BASE_DIR/data
+VOLUME $BWHC_BASE_DIR/hgnc_data
+
+EXPOSE ${BWHC_BACKEND_PORT}
+
+WORKDIR $BWHC_BASE_DIR
+
+CMD $BWHC_BASE_DIR/bwhc-rest-api-gateway/bin/bwhc-rest-api-gateway \
+    -Dplay.http.secret.key=$APPLICATION_SECRET \
+    -Dconfig.file=$BWHC_BASE_DIR/production.conf \
+    -Dlogger.file=$BWHC_BASE_DIR/logback.xml \
+    -Dpidfile.path=/dev/null \
+    -Dbwhc.zpm.site=$ZPM_SITE \
+    -Dbwhc.data.entry.dir=$BWHC_DATA_ENTRY_DIR \
+    -Dbwhc.query.data.dir=$BWHC_QUERY_DATA_DIR \
+    -Dbwhc.user.data.dir=$BWHC_USER_DB_DIR \
+    -Dbwhc.hgnc.dir=$BWHC_HGNC_DIR \
+    -Dbwhc.connector.configFile=$BWHC_CONNECTOR_CONFIG
diff --git a/dnpm/origin/Frontend.Dockerfile b/dnpm/origin/Frontend.Dockerfile
new file mode 100644
index 0000000..60f7d3d
--- /dev/null
+++ b/dnpm/origin/Frontend.Dockerfile
@@ -0,0 +1,39 @@
+FROM node:10-alpine
+
+ARG DNPM_BWHC_FRONTEND_ZIP
+
+# Change to latest release
+# Required for image build using local copy of zip file
+ARG VERSION=2207
+
+# nuxt host and port to be replaced in package.json. (See 2.3 in bwHCPrototypeManual)
+# NUXT_HOST should have a value with public available IP address from within container.
+# If changing NUXT_PORT, also change exposed port.
+ARG NUXT_HOST=0.0.0.0
+ARG NUXT_PORT=3000
+
+# Backend access setup. (See 2.4 in bwHCPrototypeManual)
+ARG BACKEND_PROTOCOL=http
+ARG BACKEND_HOSTNAME=localhost
+ARG BACKEND_PORT=8080
+
+ADD ${DNPM_BWHC_FRONTEND_ZIP} /
+RUN unzip $(basename ${DNPM_BWHC_FRONTEND_ZIP}) && rm $(basename ${DNPM_BWHC_FRONTEND_ZIP})
+
+WORKDIR /bwhc-frontend
+
+RUN npm install
+
+# Prepare package.json
+RUN sed -i -r "s/^(\s*)\"host\"[^,]*(,?)/\1\"host\": \"$NUXT_HOST\"\2/" ./package.json
+RUN sed -i -r "s/^(\s*)\"port\"[^,]*(,?)/\1\"port\": \"$NUXT_PORT\"\2/" ./package.json
+
+# Prepare nuxt.config.js
+RUN sed -i -r "s/^(\s*)baseUrl[^,]*(,?)/\1baseUrl: process.env.BASE_URL || '$BACKEND_PROTOCOL:\/\/$BACKEND_HOSTNAME'\2/" ./nuxt.config.js
+RUN sed -i -r "s/^(\s*)port[^,]*(,?)/\1port: process.env.port || ':$BACKEND_PORT'\2/" ./nuxt.config.js
+
+RUN npm run generate
+
+EXPOSE $NUXT_PORT
+
+CMD npm start
diff --git a/dnpm/origin/logback.xml b/dnpm/origin/logback.xml
new file mode 100644
index 0000000..c25cda6
--- /dev/null
+++ b/dnpm/origin/logback.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<configuration scan="true">
+
+  <property name="LOG_DIR"  value="./bwhc_logs/"/>
+  <property name="LOG_FILE" value="bwhealthcloud"/>
+
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+<!--
+  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${LOG_DIR}/${LOG_FILE}.log</file>
+
+    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+      <fileNamePattern>${LOG_DIR}/${LOG_FILE}-%d{yyyy-MM-dd}.log</fileNamePattern>
+
+      <maxHistory>30</maxHistory>
+      <totalSizeCap>3GB</totalSizeCap>
+    </rollingPolicy>
+
+    <encoder>
+      <pattern>%d [%thread] %-5level %logger{36} - %msg%n</pattern>
+    </encoder>
+  </appender>
+-->
+  <root level="DEBUG">
+    <appender-ref ref="STDOUT"/>
+<!--
+    <appender-ref ref="FILE"/>
+-->
+  </root>
+
+</configuration>

From 23aa8f8274704220ac729574ef843ccdfeaa3bf0 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Tue, 8 Nov 2022 10:54:51 +0100
Subject: [PATCH 071/213] Extra space for nngm compose

---
 ccp/nngm-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index 501d8ce..d5b80eb 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -3,7 +3,7 @@
 function nngmSetup() {
 	if [ -n "$NNGM_CTS_APIKEY" ]; then
 		log INFO "nNGM setup detected -- will start nNGM Connector."
-		OVERRIDE+="-f ./$PROJECT/nngm-compose.yml"
+		OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
 	fi
 	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }

From 3a5444dec05eeef7fe4cb31d00058c8a5297f501 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 8 Nov 2022 10:55:18 +0100
Subject: [PATCH 072/213] Allow to run DNPM with Connect or with BWHC included

---
 dnpm/dnpm-compose-beamconnect.yml |  29 +++++++++
 dnpm/dnpm-compose-bwhc.yml        |  48 ++++++++++++++
 dnpm/dnpm-compose.yml             | 104 ------------------------------
 dnpm/dnpm-setup.sh                |  10 ++-
 4 files changed, 84 insertions(+), 107 deletions(-)
 create mode 100644 dnpm/dnpm-compose-beamconnect.yml
 create mode 100644 dnpm/dnpm-compose-bwhc.yml
 delete mode 100644 dnpm/dnpm-compose.yml

diff --git a/dnpm/dnpm-compose-beamconnect.yml b/dnpm/dnpm-compose-beamconnect.yml
new file mode 100644
index 0000000..57c46eb
--- /dev/null
+++ b/dnpm/dnpm-compose-beamconnect.yml
@@ -0,0 +1,29 @@
+version: "3.7"
+
+services:
+  beam-proxy:
+    environment:
+      APP_2_ID: dnpm
+      APP_2_KEY: ${DNPM_BEAM_SECRET_SHORT}
+
+  dnpm-beam-connect:
+    depends_on: [ beam-proxy ]
+    image: samply/beam-connect:sites-without-auth
+    environment:
+      PROXY_URL: http://beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm.${PROXY_ID}
+      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
+      LOCAL_TARGETS_FILE: /run/secrets/connect_targets.json
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: beam-proxy,dnpm-backend
+      RUST_LOG: ${RUST_LOG:-info}
+    secrets:
+      - connect_targets.json
+    ports:
+      - 8062:8062
+
+secrets:
+  connect_targets.json:
+    file: /etc/bridgehead/dnpm/local_targets.json
diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
new file mode 100644
index 0000000..1953ca5
--- /dev/null
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -0,0 +1,48 @@
+version: "3.7"
+
+services:
+  dnpm-frontend:
+    depends_on: [ dnpm-backend ]
+    build:
+      context: ./dnpm/origin
+      dockerfile: Frontend.Dockerfile
+      args:
+        NUXT_HOST: 0.0.0.0
+        NUXT_PORT: 3000
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: localhost
+        BACKEND_PORT: 9000
+        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+    ports:
+        - 3000:3000
+    environment:
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: localhost
+        BACKEND_PORT: 9000
+        no_proxy: dnpm-backend
+
+  dnpm-backend:
+    build:
+      context: ./dnpm/origin
+      dockerfile: Backend.Dockerfile
+      args:
+        BWHC_BASE_DIR: /bwhc-backend
+        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
+    ports:
+      - 9000:9000
+    environment:
+      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
+      ZPM_SITE: ${ZPM_SITE}
+      noproxy: dnpm-frontend,connect
+      # PLAY_HTTP_PORT: 9000
+      # PLAY_HTTP_ADDRESS: 0.0.0.0
+    volumes:
+      - ./origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
+      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
+      - bwhc_data:/bwhc-backend/data/
+      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
+
+volumes:
+  bwhc_data:
+  bwhc_hgnc_data:
diff --git a/dnpm/dnpm-compose.yml b/dnpm/dnpm-compose.yml
deleted file mode 100644
index 1904123..0000000
--- a/dnpm/dnpm-compose.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-version: "3.7"
-
-secrets:
-  connect_targets.json:
-    file: /etc/bridgehead/dnpm/local_targets.json
-
-services:
-#  traefik:
-#    command:
-#      - --entrypoints.dnpm-frontend.address=:3000
-#      - --entrypoints.dnpm-backend.address=:9000
-#    ports:
-#      - 3000:3000
-#      - 9000:9000
-  beam-proxy:
-    environment:
-      APP_2_ID: dnpm
-      APP_2_KEY: ${DNPM_BEAM_SECRET_SHORT}
-
-  dnpm-beam-connect:
-    depends_on: [ beam-proxy ]
-    image: samply/beam-connect:sites-without-auth
-    environment:
-      PROXY_URL: http://beam-proxy:8081
-      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm.${PROXY_ID}
-      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
-      LOCAL_TARGETS_FILE: /run/secrets/connect_targets.json
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: proxy,dnpm-backend
-      RUST_LOG: ${RUST_LOG:-info}
-    secrets:
-      - connect_targets.json
-# Enable this if you disable the internal DNPM backend/frontend
-#    ports:
-#      - 8062:8062
-# or the same via traefik:
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.connector.rule=PathPrefix(`/dnpm-connector`)"
-#      - "traefik.http.services.connector.loadbalancer.server.port=8062"
-#      - "traefik.http.routers.connector.tls=true"
-
-  dnpm-frontend:
-    depends_on: [ dnpm-backend ]
-    build:
-      context: ./dnpm/origin
-      dockerfile: Frontend.Dockerfile
-      args:
-        NUXT_HOST: 0.0.0.0
-        NUXT_PORT: 3000
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: localhost
-        BACKEND_PORT: 9000
-        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
-    ports:
-        - 3000:3000
-    environment:
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: localhost
-        BACKEND_PORT: 9000
-        no_proxy: dnpm-backend
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.dnpm-frontend.entrypoints=dnpm-frontend"
-#      - "traefik.http.routers.dnpm-frontend.tls=true"
-#      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-##      - "traefik.http.routers.dashboard.entrypoints=websecure"
-##      - "traefik.http.routers.dashboard.service=api@internal"
-##      - "traefik.http.routers.dashboard.tls=true"
-##      - "traefik.http.routers.dashboard.middlewares=auth"
-##      - "traefik.http.routers.dnpm-frontend.service=dnpm-frontend"
-
-  dnpm-backend:
-    build:
-      context: ./dnpm/origin
-      dockerfile: Backend.Dockerfile
-      args:
-        BWHC_BASE_DIR: /bwhc-backend
-        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    ports:
-      - 9000:9000
-    environment:
-      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
-      ZPM_SITE: ${ZPM_SITE}
-      noproxy: dnpm-frontend,connect
-      # PLAY_HTTP_PORT: 9000
-      # PLAY_HTTP_ADDRESS: 0.0.0.0
-    volumes:
-      - ./origin/logback.xml:/bwhc-backend/logback.xml:ro
-      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
-      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
-      - bwhc_data:/bwhc-backend/data/
-      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.routers.connector.rule=PathPrefix(`/dnpm-backend`)"
-#      - "traefik.http.services.connector.loadbalancer.server.port=9000"
-#      - "traefik.http.routers.connector.tls=true"
-
-volumes:
-  bwhc_data:
-  bwhc_hgnc_data:
diff --git a/dnpm/dnpm-setup.sh b/dnpm/dnpm-setup.sh
index f8893a3..360a7cc 100644
--- a/dnpm/dnpm-setup.sh
+++ b/dnpm/dnpm-setup.sh
@@ -2,10 +2,14 @@
 
 function dnpmSetup() {
 	if [ -e /etc/bridgehead/dnpm/local_targets.json ]; then
-		log INFO "DNPM setup detected -- will start DNPM Connector."
-		source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
-		OVERRIDE+="-f ./dnpm/dnpm-compose.yml"
+		log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+		OVERRIDE+=" -f ./dnpm/dnpm-compose-beamconnect.yml"
 		DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+		if [ -e /etc/bridgehead/dnpm/bwhcConnectorConfig.xml ]; then
+			log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend."
+			source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
+			OVERRIDE+=" -f ./dnpm/dnpm-compose-bwhc.yml"
+		fi
 	fi
 }

From 6c2d970d01ed07f3cdacf9bc9d607a026c0efba6 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 8 Nov 2022 10:56:45 +0100
Subject: [PATCH 073/213] Support DNPM Discovery URL

---
 dnpm/dnpm-setup.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dnpm/dnpm-setup.sh b/dnpm/dnpm-setup.sh
index 360a7cc..3b94a86 100644
--- a/dnpm/dnpm-setup.sh
+++ b/dnpm/dnpm-setup.sh
@@ -6,9 +6,10 @@ function dnpmSetup() {
 		OVERRIDE+=" -f ./dnpm/dnpm-compose-beamconnect.yml"
 		DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+		source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
+		export DNPM_DISCOVERY_URL
 		if [ -e /etc/bridgehead/dnpm/bwhcConnectorConfig.xml ]; then
 			log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend."
-			source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
 			OVERRIDE+=" -f ./dnpm/dnpm-compose-bwhc.yml"
 		fi
 	fi

From 455d45603c974acca24c79ac61342eae24fcbc96 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Tue, 8 Nov 2022 12:45:29 +0000
Subject: [PATCH 074/213] Fix dnpm volume mounting path

---
 dnpm/dnpm-compose-bwhc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
index 1953ca5..4e7343c 100644
--- a/dnpm/dnpm-compose-bwhc.yml
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -37,7 +37,7 @@ services:
       # PLAY_HTTP_PORT: 9000
       # PLAY_HTTP_ADDRESS: 0.0.0.0
     volumes:
-      - ./origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
       - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
       - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
       - bwhc_data:/bwhc-backend/data/

From e11b24bf70e9f9883aea5c44792866f56cad9ad0 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 9 Nov 2022 09:46:30 +0000
Subject: [PATCH 075/213] Fix dnpm build context

---
 dnpm/dnpm-compose-bwhc.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
index 4e7343c..9ff0f47 100644
--- a/dnpm/dnpm-compose-bwhc.yml
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -4,7 +4,7 @@ services:
   dnpm-frontend:
     depends_on: [ dnpm-backend ]
     build:
-      context: ./dnpm/origin
+      context: ../dnpm/origin
       dockerfile: Frontend.Dockerfile
       args:
         NUXT_HOST: 0.0.0.0
@@ -23,7 +23,7 @@ services:
 
   dnpm-backend:
     build:
-      context: ./dnpm/origin
+      context: ../dnpm/origin
       dockerfile: Backend.Dockerfile
       args:
         BWHC_BASE_DIR: /bwhc-backend

From b6f0cd7a135c61ee451bf936a00f45fc70a9e3c4 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 9 Nov 2022 10:43:08 +0000
Subject: [PATCH 076/213] Set HTTP(S) Proxy for bwhc frontend build

---
 dnpm/dnpm-compose-bwhc.yml      | 2 ++
 dnpm/origin/Frontend.Dockerfile | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
index 9ff0f47..c40b4d8 100644
--- a/dnpm/dnpm-compose-bwhc.yml
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -13,6 +13,8 @@ services:
         BACKEND_HOSTNAME: localhost
         BACKEND_PORT: 9000
         DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+        HTTP_PROXY: ${http_proxy}
+        HTTPS_PROXY: ${https_proxy}
     ports:
         - 3000:3000
     environment:
diff --git a/dnpm/origin/Frontend.Dockerfile b/dnpm/origin/Frontend.Dockerfile
index 60f7d3d..1d4bb30 100644
--- a/dnpm/origin/Frontend.Dockerfile
+++ b/dnpm/origin/Frontend.Dockerfile
@@ -17,6 +17,9 @@ ARG BACKEND_PROTOCOL=http
 ARG BACKEND_HOSTNAME=localhost
 ARG BACKEND_PORT=8080
 
+ARG HTTP_PROXY=""
+ARG HTTPS_PROXY=""
+
 ADD ${DNPM_BWHC_FRONTEND_ZIP} /
 RUN unzip $(basename ${DNPM_BWHC_FRONTEND_ZIP}) && rm $(basename ${DNPM_BWHC_FRONTEND_ZIP})
 

From bec42764bbd7a740cd6fa170de9605c1da808bf7 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 9 Nov 2022 11:39:21 +0000
Subject: [PATCH 077/213] Build the dnpm frontend in host network mode

---
 dnpm/dnpm-compose-bwhc.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
index c40b4d8..d8f4ebb 100644
--- a/dnpm/dnpm-compose-bwhc.yml
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -6,6 +6,7 @@ services:
     build:
       context: ../dnpm/origin
       dockerfile: Frontend.Dockerfile
+      network: host
       args:
         NUXT_HOST: 0.0.0.0
         NUXT_PORT: 3000

From 4a53bb3fb269d0ab392d462c120fcf73a183c886 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 9 Nov 2022 12:36:58 +0000
Subject: [PATCH 078/213] Expose dnpm backend hostname

---
 dnpm/dnpm-compose-bwhc.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
index d8f4ebb..60fe3f0 100644
--- a/dnpm/dnpm-compose-bwhc.yml
+++ b/dnpm/dnpm-compose-bwhc.yml
@@ -10,8 +10,8 @@ services:
       args:
         NUXT_HOST: 0.0.0.0
         NUXT_PORT: 3000
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: localhost
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
         BACKEND_PORT: 9000
         DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
         HTTP_PROXY: ${http_proxy}
@@ -19,8 +19,8 @@ services:
     ports:
         - 3000:3000
     environment:
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: localhost
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
         BACKEND_PORT: 9000
         no_proxy: dnpm-backend
 

From cb57aad9494f86d796f787870b18dad3209d6c3c Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Mon, 14 Nov 2022 11:51:29 +0100
Subject: [PATCH 079/213]  Updated Documentation

* Removed sections that are no longer relevant
* Added some additional information, particularly regarding registration with Beam and monitoring
* Moved some sections around to get a better structure
---
 README.md | 383 ++++++++++++++++++------------------------------------
 1 file changed, 124 insertions(+), 259 deletions(-)

diff --git a/README.md b/README.md
index 0e4c762..d93cd0e 100644
--- a/README.md
+++ b/README.md
@@ -1,142 +1,74 @@
 # Bridgehead
 
-This repository contains all information and tools to deploy a bridgehead. If you have any questions about deploying a bridgehead, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
+A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
 
 
 TOC
 
-1. [About](#about)
-    - [Projects](#projects)
-        - [GBA/BBMRI-ERIC](#gbabbmri-eric)
-        - [CCP(DKTK/C4)](#ccpdktkc4)
-        - [NNGM](#nngm)
-    - [Bridgehead Components](#bridgehead-components)
-        - [Blaze Server](#blaze-serverhttpsgithubcomsamplyblaze)  
-        - [Connector](#connector) 
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
-    - [System](#system-requirements)
-      - [git](#git)
-      - [docker](#dockerhttpsdocsdockercomget-docker)
-      - [systemd](#systemd)
-2. [Getting Started](#getting-started)
-    - [Quick Start](#quick-start)
-    - [DKTK](#dktkc4)
-    - [C4](#c4)
-    - [GBA/BBMRI-ERIC](#gbabbmri-eric)
-3. [Configuration](#configuration)
-4. [Managing your Bridgehead](#managing-your-bridgehead)
-    - [Systemd](#on-a-server)
-    - [Without Systemd](#on-developers-machine)
-4. [Pitfalls](#pitfalls)
-5. [Migration-guide](#migration-guide)
-7. [License](#license)
-
-
-## About
-
-TODO: Insert comprehensive feature list of the bridgehead? Why would anyone install it?
-
-## Projects
-
-### GBA/BBMRI-ERIC
-
-The **Sample Locator** is a tool that allows researchers to make searches for samples over a large number of geographically distributed biobanks. Each biobank runs a so-called **Bridgehead** at its site, which makes it visible to the Sample Locator.  The Bridgehead is designed to give a high degree of protection to patient data. Additionally, a tool called the [Negotiator][negotiator] puts you in complete control over which samples and which data are delivered to which researcher.
-
-You will most likely want to make your biobanks visible via the [publicly accessible Sample Locator][sl], but the possibility also exists to install your own Sample Locator for your site or organization, see the GitHub pages for [the server][sl-server-src] and [the GUI][sl-ui-src].
-
-The Bridgehead has two primary components:
-* The **Blaze Store**. This is a highly responsive FHIR data store, which you will need to fill with your data via an ETL chain.
-* The **Connector**. This is the communication portal to the Sample Locator, with specially designed features that make it possible to run it behind a corporate firewall without making any compromises on security.
-
-### CCP(DKTK/C4)
-
-TODO:
-
-### nNGM
-
-TODO:
-
-### Bridgehead Components
-
-#### [Blaze Server](https://github.com/samply/blaze)
-
-This holds the actual data being searched. This store must be filled by you, generally by running an ETL on your locally stored data to turn it into the standardized FHIR format that we require.
-
-#### [Connector]
-
-TODO:
+    - [System](#system)
+      - [Git](#git)
+      - [Docker](#docker)
+2. [Deployment](#deployment)
+    - [Installation](#installation)
+    - [Register with Beam](#register-with-beam)
+    - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead)
+    - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts)
+3. [Additional Services](#additional-Services)
+    - [Monitoring](#monitoring)
+    - [Register with a Directory](#register-with-a-Directory)
+4. [Site-specific configuration](#site-specific-configuration)
+    - [HTTPS Access](#https-access)
+    - [Locally Managed Secrets](#locally-managed-secrets)
+    - [Git Proxy Configuration](#git-proxy-configuration)
+    - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
+    - [Non-Linux OS](#non-linux-os)
+5. [License](#license)
 
 ## Requirements
 
 ### Hardware
 
-For running your bridgehead we recommend the follwing Hardware:
+To get the most out of your Bridgehead, we recommend the follwing Hardware:
 
 - 4 CPU cores
 - At least 8 GB Ram
 - 100GB Hard Drive, SSD recommended
 
+### System
 
-### System Requirements
+You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment.
 
-Before starting the installation process, please ensure that following software is available on your system:
+The following software should be installed:
 
 #### Git
 
-Check if you have at leat git 2.0 installed on the system with:
+Check if you have at least git 2.0 installed on the system with:
 
 ``` shell
 git --version
 ```
 
-#### [Docker](https://docs.docker.com/get-docker/)
+#### Docker
 
-To check your docker installation, you should execute the docker with --version:
+Check the installed Docker version:
 
 ``` shell
 docker --version
 ```
-
-The Version should be higher than "20.10.1". Otherwise you will have problems starting the bridgehead. The next step is to check ``` docker-compose```  with:
+The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose```  with:
 
 ``` shell
 docker-compose --version
 ```
+The recomended version is "2.XX" and higher.
 
-The recomended version is "2.XX" and higher. If docker-compose was not installed with docker follow these [instructions](https://docs.docker.com/compose/install/#install-compose-as-standalone-binary-on-linux-systems). To futher check your docker and docker-compose installation, please run the following command. 
+If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com).
 
-``` shell
-docker-compose -f - up <<EOF
-version: "3.7"
-services:
-  hello-world:
-    image: hello-world
-EOF
-```
-Docker will now download the "hello-world" docker image and try to execute it. After the download you should see a message starting with "Hello from Docker!".
+## Deployment
 
-> NOTE: If the download of the image fails (e.g with "connection timed out" message), ensure that you have correctly set the proxy for the docker daemon. Refer to ["Docker Daemon Proxy Configuration" in the "Pitfalls" section](#docker-daemon-proxy-configuration)
-
-#### [systemd](https://systemd.io/)
-
-You shouldn't need to install it yourself, If systemd is not available on your system you should get another system.
-To check if systemd is available on your system, please execute
-
-``` shell
-systemctl --version
-```
-
-If systemd is not installed, you can start the bridgehead. However, for productive use we recomend using systemd.
-
----
-
-## Getting Started
-
-### Quick Start
-
-
-If your system passed all checks from ["Requirements" section], you are now ready to download the bridgehead.
+### Installation
 
 First, clone the repository to the directory "/srv/docker/bridgehead":
 
@@ -144,17 +76,15 @@ First, clone the repository to the directory "/srv/docker/bridgehead":
 sudo mkdir -p /srv/docker/;
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
 ```
-
-It is recomended to create a user for the bridgehead service.  This should be done after clone the repository. Since not all linux distros support ```adduser```, we provide an action for the systemcall ```useradd```. You should try the first one, when the systm can't create the user you should try the second one.
+Now create a user for the Bridgehead service:
 
 ``` shell
-useradd -M -g docker -N -s /sbin/nologin bridgehead
+sudo useradd -M -g docker -N -s /sbin/nologin bridgehead
 ```
-
-After adding the User you need to change the ownership of the directory to the bridgehead user.
+After adding the user you will need to change the ownership of the directory to the Bridgehead user.
 
 ``` shell
-chown bridgehead /srv/docker/bridgehead/ -R
+sudo chown bridgehead /srv/docker/bridgehead/ -R
 ```
 Download the configuration repository:
 
@@ -163,78 +93,120 @@ sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-conf
 ```
 Change ownership:
 ``` shell
-chown bridgehead /etc/bridgehead/ -R
+sudo chown bridgehead /etc/bridgehead/ -R
 ```
-Modify SITE_ID and SITE_NAME in bbmri.conf
-RUN:
-
-
-```shell
-sudo /etc/bridgehead/bridgehead enroll bbmri
+Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.:
 ```
+SITE_ID="toulouse-prod"
+SITE_NAME="Toulouse"
+```
+
+### Register with Beam
+
+You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above.
+
+The response will contain your private key for Beam.
+
+Create a file for this private key:
+
+``` shell
+/etc/bridgehead/pki/$SITE_ID.priv.pem
+```
+
+### Starting and stopping your Bridgehead
+
+To start your new Bridgehead, type:
 ```shell
 sudo /srv/docker/bridgehead/bridgehead start bbmri
 ```
+The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times.
 
-### Configuration
-
-> NOTE: If you are part of the CCP-IT we will provide you another link for the configuration.
-
-Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can clone the configuration template at [GitHub](https://github.com/samply/bridgehead-config). The confiugration of the bridgehead should be located in /etc/bridghead.
-
-``` shell
-sudo git clone https://github.com/samply/bridgehead-config.git /etc/bridgehead;
+To shut down the Bridgehead, type:
+```shell
+sudo /srv/docker/bridgehead/bridgehead stop bbmri
 ```
 
-After cloning or forking the repository you need to add value to the template. If you are a part of the CCP-IT you will get an already filled out config repo.
+### Auto-starting your Bridgehead when the server starts
 
-### Testing your bridgehead
+Using this feature is optional.
 
-We recomend to run first with the start and stop script. If you have trouble starting the bridghead have a look at the troubleshooting section.
+Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted.
 
-Now you ready to run a bridgehead instance. The bridgehead scripts checks if your configuration is correct. To check if everything works, execute the following:
+In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script:
 ``` shell
-/srv/docker/bridgehead/bridgehead start <Project>
+sudo /srv/docker/bridgehead/bridgehead install bbmri
 ```
 
-You should now be able to access the landing page on your system, e.g "https://<your-host>/". 
+This will install the systemd units to run and update the Bridgehead.
+
+If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows:
 
-To shutdown the bridgehead just run.
 ``` shell
-/srv/docker/bridgehead/bridgehead stop <Project>
+sudo systemctl edit bridgehead@bbmri.service;
 ```
 
-### Local Datamanagement Security
+This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
 
-For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script:
-``` shell
-sudo /srv/docker/bridgehead/bridgehead install <Project>
+``` conf
+[Service]
+Environment=HOSTIP=
+Environment=HOST=
+Environment=HTTP_PROXY_USER=
+Environment=HTTP_PROXY_PASSWORD=
+Environment=HTTPS_PROXY_USER=
+Environment=HTTPS_PROXY_PASSWORD=
+Environment=CONNECTOR_POSTGRES_PASS=
 ```
 
-This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead.
+To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service:
 
-### Basic Auth
+``` shell
+sudo systemctl daemon-reload;
+sudo systemctl bridgehead@bbmri.service;
+```
 
-For Data protection we use basic authentification for some services. To access those services you need an username and password combination. 
-Caution: If you start the bridgehead without the authentification, then those services are not accessible.
-We generate such a combination at the first install (`/etc/bridgehead/<Project>.local.conf`). 
+## Additional Services
 
-## Configuration
+### Monitoring
 
-#### systemd
+We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended.
 
+You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu.
 
+The confirmation of your registration will contain a monitoring API key.
+
+You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.:
+``` conf
+MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3
+```
+(your key will be different to the one shown above, obviously).
+
+Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour.
+
+### Register with a Directory
+
+The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml).
+
+Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
+
+Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
+
+* Log in to the Directory for your country.
+* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
+* You will need to create at least one collection.
+
+## Site-specific configuration
 
 ### HTTPS Access
 
-We advise to use https for all service of your bridgehead. HTTPS is enabled on default. For starting the bridghead you need a ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
+We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
 
-The bridgehead create one autotmatic on the first start. However, it will be unsigned and we recomend to get a signed one.
+The Bridgehead creates one autotmatically on the first start. However, it will be unsigned and we recomend getting a signed one.
 
 
 ### Locally Managed Secrets
 
-This section describes the secrets you need to configure locally through the configuration
+This section describes the secrets you may need to configure locally through the configuration
 
 | Name                                 | Recommended Value                                                                                 | Description |  
 |--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- |  
@@ -255,77 +227,7 @@ This section describes the secrets you need to configure locally through the con
 | MAGICPL_OIDC_CLIENT_ID               || The client id used for your machine, to connect with the central authentication service           |
 | MAGICPL_OIDC_CLIENT_SECRET           || The client secret used for your machine, to connect with the central authentication service       |
 
-### Cooperatively Managed Secrets
-
-> TODO: Describe secrets from site-config 
-
-## Managing your Bridgehead
-
-> TODO: Rewrite this section (restart, stop, uninstall, manual updates)
-
-### On a Server
-
-#### Start
-
-This will start a not running bridgehead system unit:
-``` shell
-sudo systemctl start bridgehead@<dktk/c4/gbn>
-```
-
-#### Stop
-
-This will stop a running bridgehead system unit:
-``` shell
-sudo systemctl stop bridgehead@<dktk/c4/gbn>
-```
-
-#### Update
-
-This will update bridgehead system unit:
-``` shell
-sudo systemctl start bridgehead-update@<dktk/c4/gbn>
-```
-
-#### Remove the Bridgehead System Units
-
-If, for some reason you want to remove the installed bridgehead units, we added a command to [bridgehead](./bridgehead):
-``` shell
-sudo /srv/docker/bridgehead/bridgehead uninstall <project>
-```
-
-### On Developers Machine
-
-For developers, we provide additional scripts for starting and stopping the specif bridgehead:
-
-#### Start or stop
-
-This command starts a specified bridgehead. Choose between "dktk", "c4" and "gbn".
-``` shell
-/srv/docker/bridgehead/bridgehead start <dktk/c4/gbn>
-```
-
-#### Stop
-
-This command stops a specified bridgehead. Choose between "dktk", "c4" and "gbn".
-``` shell
-/srv/docker/bridgehead/bridgehead stop <dktk/c4/gbn>
-```
-
-#### Update
-
-This shell script updates the configuration for all bridgeheads installed on your system.
-``` shell
-/srv/docker/bridgehead/bridgehead update
-```
-> NOTE: If you want to regularly update your developing instance, you can create a CRON job that executes this script.
-
-## Migration Guide
-
-> TODO: How to transfer from windows/gbn
-
-## Pitfalls
-
-### [Git Proxy Configuration](https://gist.github.com/evantoli/f8c23a37eb3558ab8765)
+### Git Proxy Configuration
 
 Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration:
 
@@ -372,59 +274,22 @@ sudo systemctl daemon-reload;
 sudo systemctl restart docker;
 ```
 
-## After the Installtion
+### Non-Linux OS
 
-After starting your bridgehead, visit the landing page under the hostname. If you singed your own ssl certificate, there is probable an error message. However, you can accept it as exception. 
+The installation procedures described above have only been tested under Linux.
 
-On this page, there are all important links to each component, central and local. 
+Below are some suggestions for getting the installation to work on other operating systems. Note that we are not able to provide support for these routes!
 
-### Connector Administration
+We believe that it is likely that installation would also work with FreeBSD and MacOS.
 
-The Connector administration panel allows you to set many of the parameters regulating your Bridgehead. Most especially, it is the place where you can register your site with the Sample Locator. To access this page, proceed as follows:
+Under Windows, you have 2 options:
 
-* Open the Connector page: https://<hostname>/<project>-connector/
-* In the "Local components" box, click the "Samply Share" button.
-* A new page will be opened, where you will need to log in using the administrator credentials (admin/adminpass by default).
-* After log in, you will be taken to the administration dashboard, allowing you to configure the Connector.
-* If this is the first time you have logged in as an administrator, you are strongly recommended to set a more secure password! You can use the "Users" button on the dashboard to do this.
+- Virtual machine
+- WSL
 
-### GBA/BBMRI-ERIC
-
-#### Register with a Directory
-
-The [Directory][directory] is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator][negotiator].
-
-Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
-
-Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
-
-* Log in to the Directory for your country.
-* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
-* You will need to create at least one collection.
-* Note the biobank ID and the collection ID that you have created - these will be needed when you register with the Locator (see below).
-
-#### Register with a Locator
-
-* Go to the registration page http://localhost:8082/admin/broker_list.xhtml.
-* To register with a Locator, enter the following values in the three fields under "Join new Searchbroker":
-  * "Address": Depends on which Locator you want to register with:
-    * `https://locator.bbmri-eric.eu/broker/`: BBMRI Locator production service (European).
-    * `http://147.251.124.125:8088/broker/`: BBMRI Locator test service (European).
-    * `https://samplelocator.bbmri.de/broker/`: GBA Sample Locator production service (German).
-    * `https://samplelocator.test.bbmri.de/broker/`: GBA Sample Locator test service (German).
-  * "Your email address": this is the email to which the registration token will be returned.
-  * "Automatic reply": Set this to be `Total Size`
-* Click "Join" to start the registration process.
-* You should now have a list containing exactly one broker. You will notice that the "Status" box is empty.
-* Send an email to `feedback@germanbiobanknode.de` and let us know which of our Sample Locators you would like to register to. Please include the biobank ID and the collection ID from your Directory registration, if you have these available.
-* We will send you a registration token per email.
-* You will then re-open the Connector and enter the token into the "Status" box.
-* You should send us an email to let us know that you have done this.
-* We will then complete the registration process
-* We will email you to let you know that your biobank is now visible in the Sample Locator.
-
-If you are a Sample Locator administrator, you will need to understand the [registration process](./SampleLocatorRegistration.md). Normal bridgehead admins do not need to worry about this.
+We have tested the installation procedure with an Ubuntu 22.04 guest system running on a VMware virtual machine. That worked flawlessly.
 
+Installation under WSL ought to work, but we have not tested this.
 
 ## License
 

From b175c55f5ce9970308e8a25b7293153a9f57325b Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 17 May 2022 18:04:15 +0200
Subject: [PATCH 080/213] Shorten installation by including some installation
 steps into a shell script

---
 bridgehead                                    | 52 +++++++-------
 lib/functions.sh                              | 12 ++--
 ...dgehead-units.sh => install-bridgehead.sh} | 20 +++---
 lib/log.sh                                    |  4 +-
 lib/monitoring.sh                             |  9 ++-
 lib/prepare-system.sh                         | 67 +++++++++++++++++++
 lib/prerequisites.sh                          | 26 ++++---
 ...ehead-units.sh => uninstall-bridgehead.sh} |  5 --
 8 files changed, 138 insertions(+), 57 deletions(-)
 rename lib/{setup-bridgehead-units.sh => install-bridgehead.sh} (72%)
 mode change 100755 => 100644 lib/log.sh
 create mode 100755 lib/prepare-system.sh
 rename lib/{remove-bridgehead-units.sh => uninstall-bridgehead.sh} (81%)

diff --git a/bridgehead b/bridgehead
index 3054ebd..ecf4ec0 100755
--- a/bridgehead
+++ b/bridgehead
@@ -29,9 +29,6 @@ case "$PROJECT" in
 	ccp)
 		#nothing extra to do
 		;;
-	nngm)
-		#nothing extra to do
-		;;
 	bbmri)
 		#nothing extra to do
 		;;
@@ -41,28 +38,30 @@ case "$PROJECT" in
 		;;
 esac
 
-# Load variables from /etc/bridgehead and /srv/docker/bridgehead
-set -a
-source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
-if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
-	log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
-	source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
-fi
-fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
-[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
-set +a
+loadVars() {
+	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
+	set -a
+	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
+		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
+		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
+	fi
+	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
+	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
+	set +a
 
-OVERRIDE=${OVERRIDE:=""}
-if [ -f "$PROJECT/docker-compose.override.yml" ]; then
-	log INFO "Applying $PROJECT/docker-compose.override.yml"
-	OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
-fi
-
-detectCompose
-setHostname
+	OVERRIDE=${OVERRIDE:=""}
+	if [ -f "$PROJECT/docker-compose.override.yml" ]; then
+		log INFO "Applying $PROJECT/docker-compose.override.yml"
+		OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
+	fi
+	detectCompose
+	setHostname
+}
 
 case "$ACTION" in
 	start)
+		loadVars
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
@@ -70,20 +69,25 @@ case "$ACTION" in
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
+		loadVars
 		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	update)
+		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT
 		;;
 	install)
-		exec ./lib/setup-bridgehead-units.sh $PROJECT
+		source ./lib/prepare-system.sh
+		loadVars
+		exec ./lib/install-bridgehead.sh $PROJECT
 		;;
 	uninstall)
-		exec ./lib/remove-bridgehead-units.sh $PROJECT
+		exec ./lib/uninstall-bridgehead.sh $PROJECT
 		;;
 	enroll)
+		loadVars
 		if [ -e $PRIVATEKEYFILENAME ]; then
-			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
+			log ERROR "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
 			exit 1
 		fi
 		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
diff --git a/lib/functions.sh b/lib/functions.sh
index 9296414..a539e0d 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -1,7 +1,5 @@
 #!/bin/bash -e
 
-source lib/log.sh
-
 detectCompose() {
 	if [[ "$(docker compose version 2>/dev/null)" == *"Docker Compose version"* ]]; then
 		COMPOSE="docker compose"
@@ -37,11 +35,11 @@ checkOwner(){
 
 printUsage() {
 	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|nngm|bbmri"
+	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
 checkRequirements() {
-	if ! lib/prerequisites.sh; then
+	if ! lib/prerequisites.sh $@; then
 		log "ERROR" "Validating Prerequisites failed, please fix the error(s) above this line."
 		fail_and_report 1 "Validating prerequisites failed."
 	else
@@ -120,8 +118,10 @@ fixPermissions() {
 source lib/monitoring.sh
 
 report_error() {
-	log ERROR "$2"
-	hc_send $1 "$2"
+	CODE=$1
+	shift
+	log ERROR "$@"
+	hc_send $CODE "$@"
 }
 
 fail_and_report() {
diff --git a/lib/setup-bridgehead-units.sh b/lib/install-bridgehead.sh
similarity index 72%
rename from lib/setup-bridgehead-units.sh
rename to lib/install-bridgehead.sh
index d258c0b..5e3add3 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/install-bridgehead.sh
@@ -9,14 +9,9 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
-    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
-    exit 1
-fi
-
 export PROJECT=$1
 
-checkRequirements
+checkRequirements noprivkey
 
 log "INFO" "Allowing the bridgehead user to start/stop the bridgehead."
 
@@ -33,7 +28,7 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
 
-# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
+# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
 if [ -z "$LDM_PASSWORD" ]; then
   log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
   generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
@@ -42,7 +37,7 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
-log "INFO" "Register system units for bridgehead and bridgehead-update"
+log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
     lib/systemd/bridgehead-update\@.service \
@@ -61,4 +56,11 @@ systemctl enable bridgehead@"${PROJECT}".service
 log "INFO" "Enabling auto-updates for bridgehead@${PROJECT}.service ..."
 systemctl enable --now bridgehead-update@"${PROJECT}".timer
 
-log "INFO" "\nSuccess - now start your bridgehead by running\n            systemctl start bridgehead@${PROJECT}.service\n          or by rebooting your machine."
+STR="\n\n            systemctl start bridgehead@${PROJECT}.service\n\nor by rebooting your machine."
+if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+  STR="Success. Next, start your bridgehead by running$STR"
+else
+  STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n            /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR"
+fi
+
+log "INFO" "$STR"
\ No newline at end of file
diff --git a/lib/log.sh b/lib/log.sh
old mode 100755
new mode 100644
index e05eee7..c00333d
--- a/lib/log.sh
+++ b/lib/log.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
 log() {
-  echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
+  SEVERITY="$1"
+  shift
+  echo -e "$(date +'%Y-%m-%d %T')" "$SEVERITY:" "$@"
 }
diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index daa388f..0f609f6 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -34,8 +34,13 @@ function hc_send(){
     fi
 
     if [ -z "$USER_AGENT" ]; then
-        COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
-        COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        if [ "$USER" != "root" ]; then
+            COMMIT_ETC=$(git -C /etc/bridgehead rev-parse HEAD | cut -c -8)
+            COMMIT_SRV=$(git -C /srv/docker/bridgehead rev-parse HEAD | cut -c -8)
+        else
+            COMMIT_ETC=$(su -c 'git -C /etc/bridgehead rev-parse HEAD' bridgehead | cut -c -8)
+            COMMIT_SRV=$(su -c 'git -C /srv/docker/bridgehead rev-parse HEAD' bridgehead | cut -c -8)
+        fi
         USER_AGENT="srv:$COMMIT_SRV etc:$COMMIT_ETC"
     fi
 
diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
new file mode 100755
index 0000000..20285f1
--- /dev/null
+++ b/lib/prepare-system.sh
@@ -0,0 +1,67 @@
+#!/bin/bash -e
+
+source lib/log.sh
+source lib/functions.sh
+
+log "INFO" "Preparing your system for bridgehead installation ..."
+
+# Create the bridgehead user
+if id bridgehead &>/dev/null; then
+    log "INFO" "Existing user with id $(id -u bridgehead) will be used by the bridgehead system units."
+else
+    log "INFO" "Now creating a system user to own the bridgehead's files."
+    useradd -M -g docker -N bridgehead || fail_and_report ""
+fi
+
+# Clone the OpenSource repository of bridgehead
+bridgehead_repository_url="https://github.com/samply/bridgehead.git"
+if [ -d "/srv/docker/bridgehead" ]; then
+    current_owner=$(stat -c '%U' /srv/docker/bridgehead)
+    if [ "$(su -c 'git -C /srv/docker/bridgehead remote get-url origin' $current_owner)" == "$bridgehead_repository_url" ]; then
+        log "INFO" "Bridgehead's open-source repository has been found at /srv/docker/bridgehead"
+    else
+        log "ERROR" "The directory /srv/docker/bridgehead seems to exist, but doesn't contain a clone of $bridgehead_repository_url\nPlease delete the directory and try again."
+        exit 1
+    fi
+else
+    log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead"
+    mkdir -p /srv/docker/
+    git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam
+fi
+
+case "$PROJECT" in
+	ccp)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
+		;;
+	bbmri)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
+		;;
+	*)
+		log ERROR "Internal error, this should not happen."
+        exit 1
+		;;
+esac
+
+# Clone the site-configuration
+if [ -d /etc/bridgehead ]; then
+    current_owner=$(stat -c '%U' /etc/bridgehead)
+    if [ "$(su -c 'git -C /etc/bridgehead remote get-url origin' $current_owner | grep $site_configuration_repository_middle)" ]; then
+        log "INFO" "Your site config repository in /etc/bridgehead seems to be installed correctly."
+    else
+        log "WARN" "Your site configuration repository in /etc/bridgehead seems to have another origin than git.verbis.dkfz.de. Please check if the repository is correctly cloned!"
+    fi
+else
+    log "INFO" "Now cloning your site configuration repository for you."
+    read -p "Please enter your site: " site
+    read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
+    site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git"
+    git clone $site_configuration_repository_url /etc/bridgehead
+    if [ $? -gt 0 ]; then
+        log "ERROR" "Unable to clone your configuration repository. Please obtain correct access data and try again."
+    fi
+fi
+
+chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+
+log INFO "System preparation is completed and private key is present."
+
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 859b690..8ce7051 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -5,11 +5,11 @@ source lib/functions.sh
 detectCompose
 
 if ! id "bridgehead" &>/dev/null; then
-  log ERROR "User bridgehead does not exist. Please consult readme for installation."
+  log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
   exit 1
 fi
 
-checkOwner . bridgehead || exit 1
+checkOwner /srv/docker/bridgehead bridgehead || exit 1
 checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
@@ -62,16 +62,22 @@ if [ -e /etc/bridgehead/vault.conf ]; then
   fi
 fi
 
-log INFO "Checking your beam proxy private key"
+checkPrivKey() {
+  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+    log INFO "Success - private key found."
+  else
+    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    return 1
+  fi
+  log INFO "Success - all prerequisites are met!"
+  hc_send log "Success - all prerequisites are met!"
+  return 0
+}
 
-if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-  log INFO "Success - private key found."
+if [[ "$@" =~ "noprivkey" ]]; then
+  log INFO "Skipping check for private key for now."
 else
-  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
-  exit 1
+  checkPrivKey || exit 1
 fi
 
-log INFO "Success - all prerequisites are met!"
-hc_send log "Success - all prerequisites are met!"
-
 exit 0
diff --git a/lib/remove-bridgehead-units.sh b/lib/uninstall-bridgehead.sh
similarity index 81%
rename from lib/remove-bridgehead-units.sh
rename to lib/uninstall-bridgehead.sh
index fa63ef4..ab1108e 100755
--- a/lib/remove-bridgehead-units.sh
+++ b/lib/uninstall-bridgehead.sh
@@ -7,11 +7,6 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
-if [ $1 != "ccp" ] && [ $1 != "nngm" ] && [ $1 != "bbmri" ]; then
-    log "ERROR" "Please provide a supported project like ccp, bbmri or nngm"
-    exit 1
-fi
-
 export PROJECT=$1
 
 #checkRequirements // not needed when uninstalling

From a6b7afce40b93994c7efabcaea3f5f2cddb9c0ab Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 18 Nov 2022 19:02:13 +0100
Subject: [PATCH 081/213] Documentation

---
 README.md | 263 +++++++++++-------------------------------------------
 1 file changed, 51 insertions(+), 212 deletions(-)

diff --git a/README.md b/README.md
index d93cd0e..715c124 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,8 @@
 # Bridgehead
 
-A Bridgehead is a set of components that must be installed locally, in order to connect your clinic or research centre to a federated search system. This repository contains the information and tools that you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
+The Bridgehead is a secure, low-effort solution to connect your research institution to a federated research network. It bundles interoperable, open-source software components into a turnkey package for installation on one of your secure servers. The Bridgehead is pre-configured with sane defaults, centrally monitored and with an absolute minimum of "moving parts" on your side, making it an extremely low-maintenance gateway to data sharing.
 
-
-TOC
+This repository is the starting point for any information and tools you will need to deploy a Bridgehead. If you have questions, please [contact us](mailto:verbis-support@dkfz-heidelberg.de).
 
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
@@ -12,7 +11,7 @@ TOC
       - [Docker](#docker)
 2. [Deployment](#deployment)
     - [Installation](#installation)
-    - [Register with Beam](#register-with-beam)
+    - [Register with Samply.Beam](#register-with-samplybeam)
     - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead)
     - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts)
 3. [Additional Services](#additional-Services)
@@ -30,249 +29,89 @@ TOC
 
 ### Hardware
 
-To get the most out of your Bridgehead, we recommend the follwing Hardware:
+Hardware requirements strongly depend on the specific use-cases of your network as well as on the data it is going to serve. Most use-cases are well-served with the following configuration:
 
 - 4 CPU cores
-- At least 8 GB Ram
-- 100GB Hard Drive, SSD recommended
+- 32 GB RAM
+- 160GB Hard Drive, SSD recommended
 
-### System
+### Software
 
-You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment.
+You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release.
 
-The following software should be installed:
+Ensure the following software (or newer) is installed:
 
-#### Git
+- git >= 2.0
+- docker >= 20.10.1
+- docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported).
+- systemd
 
-Check if you have at least git 2.0 installed on the system with:
-
-``` shell
-git --version
-```
-
-#### Docker
-
-Check the installed Docker version:
-
-``` shell
-docker --version
-```
-The version should ideally be higher than "20.10.1". The next step is to check ``` docker-compose```  with:
-
-``` shell
-docker-compose --version
-```
-The recomended version is "2.XX" and higher.
-
-If docker or docker-compose are not installed, please refer to the [Docker website](https://docs.docker.com).
+We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
 ## Deployment
 
-### Installation
+### Base Installation
 
-First, clone the repository to the directory "/srv/docker/bridgehead":
+First, clone the repository to the directory `/srv/docker/bridgehead`:
+
+```shell
+sudo mkdir -p /srv/docker/
+sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+```
+
+Then, run the installation script:
+
+```shell
+cd /srv/docker/bridgehead
+sudo ./bridgehead install <PROJECT>
+```
+
+... and follow the instructions on the screen. You should then be prompted to do the next step:
+
+### Register with Samply.Beam
+
+Many Bridgehead services rely on the secure, performant and flexible messaging middleware called [Samply.Beam](https://github.com/samply/beam). You will need to register ("enroll") with Samply.Beam by creating a cryptographic key pair for your bridgehead:
 
 ``` shell
-sudo mkdir -p /srv/docker/;
-sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
-```
-Now create a user for the Bridgehead service:
-
-``` shell
-sudo useradd -M -g docker -N -s /sbin/nologin bridgehead
-```
-After adding the user you will need to change the ownership of the directory to the Bridgehead user.
-
-``` shell
-sudo chown bridgehead /srv/docker/bridgehead/ -R
-```
-Download the configuration repository:
-
-``` shell
-sudo git clone https://github.com/samply/bridgehead-config.git -b fix/bbmri-config /etc/bridgehead;
-```
-Change ownership:
-``` shell
-sudo chown bridgehead /etc/bridgehead/ -R
-```
-Edit /etc/bridgehead/bbmri.conf and modify SITE_ID and SITE_NAME to be relevant to your biobank. SITE_ID should not contains spaces. By convention, it is lower-case. E.g.:
-```
-SITE_ID="toulouse-prod"
-SITE_NAME="Toulouse"
+cd /srv/docker/bridgehead
+sudo ./bridgehead enroll <PROJECT>
 ```
 
-### Register with Beam
-
-You will need to register with Beam in order to be able to start your Bridgehead. Please send an email to: bridgehead@helpdesk.bbmri-eric.eu, mentioning the SITE_ID that you chose above.
-
-The response will contain your private key for Beam.
-
-Create a file for this private key:
-
-``` shell
-/etc/bridgehead/pki/$SITE_ID.priv.pem
-```
+... and follow the instructions on the screen. You should then be prompted to do the next step:
 
 ### Starting and stopping your Bridgehead
 
-To start your new Bridgehead, type:
+If you followed the above steps, your Bridgehead should already be configured to autostart (via systemd). If you would like to start/stop manually:
+
+To start, run
+
 ```shell
-sudo /srv/docker/bridgehead/bridgehead start bbmri
+sudo systemctl start bridgehead@<PROJECT>.service
 ```
-The script may break, because Spot tries to connect to Blaze, but Blaze is not yet ready, causing Spot to terminate. Try to start and stop the script a few times.
 
-To shut down the Bridgehead, type:
+To stop, run
+
 ```shell
-sudo /srv/docker/bridgehead/bridgehead stop bbmri
+sudo systemctl stop bridgehead@<PROJECT>.service
 ```
 
-### Auto-starting your Bridgehead when the server starts
+To enable/disable autostart, run
 
-Using this feature is optional.
-
-Many Linux distributions support the "systemctl" command, which enables you to autostart processes whenever your server is booted.
-
-In this repository you will find tools that allow you to take advantage of "systemctl" to automatically start the Bridgehead whenever your server gets restarted. You can set this up by executing the [bridgehead](./bridgehead) script:
-``` shell
-sudo /srv/docker/bridgehead/bridgehead install bbmri
+```shell
+sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 ```
 
-This will install the systemd units to run and update the Bridgehead.
-
-If your site operates with a proxy, you will need to set it up with ```systemctl edit``` as follows:
-
-``` shell
-sudo systemctl edit bridgehead@bbmri.service;
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
-
-``` conf
-[Service]
-Environment=HOSTIP=
-Environment=HOST=
-Environment=HTTP_PROXY_USER=
-Environment=HTTP_PROXY_PASSWORD=
-Environment=HTTPS_PROXY_USER=
-Environment=HTTPS_PROXY_PASSWORD=
-Environment=CONNECTOR_POSTGRES_PASS=
-```
-
-To make the configuration active, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl bridgehead@bbmri.service;
-```
-
-## Additional Services
-
-### Monitoring
-
-We provide a central monitoring service, which checks the health of your Bridgehead 24/7. Using this service is optional but recommended.
-
-You can register for it by sending a request to: bridgehead@helpdesk.bbmri-eric.eu.
-
-The confirmation of your registration will contain a monitoring API key.
-
-You need to add the key to the "/etc/bridgehead/bbmri.conf" file, e.g.:
-``` conf
-MONITOR_APIKEY=1b9e5e21-8b34-5382-8590-7eae98a4f6d3
-```
-(your key will be different to the one shown above, obviously).
-
-Your site should now show up in the monitoring with grey (updates) and green (query) messages at the next full hour.
-
-### Register with a Directory
-
-The [Directory](https://directory.bbmri-eric.eu/) is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator](https://negotiator.bbmri-eric.eu/login.xhtml).
-
-Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
-
-Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
-
-* Log in to the Directory for your country.
-* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
-* You will need to create at least one collection.
-
 ## Site-specific configuration
 
 ### HTTPS Access
 
-We recommend https for all services of your Bridgehead. HTTPS is enabled by default. For starting the Bridgehead you need an ssl certificate. You can either create it yourself or get a signed one. You need to drop the certificates in /certs.
+Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
 
-The Bridgehead creates one autotmatically on the first start. However, it will be unsigned and we recomend getting a signed one.
-
-
-### Locally Managed Secrets
-
-This section describes the secrets you may need to configure locally through the configuration
-
-| Name                                 | Recommended Value                                                                                 | Description |  
-|--------------------------------------|---------------------------------------------------------------------------------------------------| ----------- |  
-| HTTP_PROXY_USER                      |                                                                                                   | Your local http proxy user |
-| HOSTIP                               | Compute with: `docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}'` | The ip from which docker containers can reach your host system. |
-| HOST                                 | Compute with: `hostname`                                                                          |The hostname from which all components will eventually be available|
-| HTTP_PROXY_PASSWORD                  |                                                                                                   |Your local http proxy user's password|
-| HTTPS_PROXY_USER                     |                                                                                                   |Your local https proxy user|
-| HTTPS_PROXY_PASSWORD                 || Your local https proxy user's password                                                            |
-| CONNECTOR_POSTGRES_PASS              | Random String                                                                                     |The password for your project specific connector.|
-| STORE_POSTGRES_PASS                  | Random String                                                                                     |The password for your local datamanagements database (only relevant in c4)|
-| ML_DB_PASS                           | Random String                                                                                     |The password for your local patientlist database|
-| MAGICPL_API_KEY                      | Random String                                                                                     |The apiKey used by the local datamanagement to create pseudonymes.|
-| MAGICPL_MAINZELLISTE_API_KEY         | Random String                                                                                     |The apiKey used by the local id-manager to communicate with the local patientlist|
-| MAGICPL_API_KEY_CONNECTOR            | Random String                                                                                     |The apiKey used by the connector to communicate with the local patientlist|
-| MAGICPL_MAINZELLISTE_CENTRAL_API_KEY | You need to ask the central patientlists admin for this.                                          |The apiKey for your machine to communicate with the central patientlist|
-| MAGICPL_CENTRAL_API_KEY              | You need to ask the central controlnumbergenerator admin for this.                                |The apiKey for your machine to communicate with the central controlnumbergenerator|
-| MAGICPL_OIDC_CLIENT_ID               || The client id used for your machine, to connect with the central authentication service           |
-| MAGICPL_OIDC_CLIENT_SECRET           || The client secret used for your machine, to connect with the central authentication service       |
-
-### Git Proxy Configuration
-
-Unlike most other tools, git doesn't use the default proxy variables "http_proxy" and "https_proxy". To make git use a proxy, you will need to adjust the global git configuration:
-
-``` shell
-sudo git config --global http.proxy http://<your-proxy-host>:<your-proxy-port>;
-sudo git config --global https.proxy http://<your-proxy-host>:<your-proxy-port>;
-```
-> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://<your-proxy-user>:<your-proxy-user-password>@<your-proxy-host>:<your-proxy-port>".
-> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to.
-
-You can check that the updated configuration with
-
-``` shell
-sudo git config --global --list;
-```
+## Troubleshooting
 
 ### Docker Daemon Proxy Configuration
 
-Docker has a background daemon, responsible for downloading images and starting them. To configure the proxy for this daemon, use the systemctl command:
-
-``` shell
-sudo systemctl edit docker
-```
-
-This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor, replace <your-proxy-host> and <your-proxy-port> with the corresponding values for your machine and save the file:
-``` conf
-[Service]
-Environment=HTTP_PROXY=http://<your-proxy-host>:<your-proxy-port>
-Environment=HTTPS_PROXY=http://<your-proxy-host>:<your-proxy-port>
-Environment=FTP_PROXY=http://<your-proxy-host>:<your-proxy-port>
-```
-> NOTE: Some proxies may require user and password authentication. You can adjust the settings like this: "http://<your-proxy-user>:<your-proxy-user-password>@<your-proxy-host>:<your-proxy-port>".
-> NOTE: It is also possible that a proxy requires https protocol, so you can replace this to.
-
-The file should now be at the location "/etc/systemd/system/docker.service.d/override.conf". You can proof check with
-``` shell
-cat /etc/systemd/system/docker.service.d/override.conf;
-```
-
-To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
-
-``` shell
-sudo systemctl daemon-reload;
-sudo systemctl restart docker;
-```
+Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com).
 
 ### Non-Linux OS
 

From 21f90efe968c2bde9575a5542c56932a66db2341 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 21 Nov 2022 09:27:14 +0100
Subject: [PATCH 082/213] Document network, file structure, monitoring,
 auto-updates

---
 README.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/README.md b/README.md
index 715c124..82010d6 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,10 @@ Ensure the following software (or newer) is installed:
 
 We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
+### Network
+
+Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies))
+
 ## Deployment
 
 ### Base Installation
@@ -107,6 +111,39 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
 
+### TLS terminating proxies
+
+All of the Bridgehead's outgoing connections are secured by transport encryption (TLS) and a Bridgehead will refuse to connect if certificate verification fails. If your local forward proxy server performs TLS termination, please place its CA certificate in `/etc/bridgehead/trusted-ca-certs` as a `.pem` file, e.g. `/etc/bridgehead/trusted-ca-certs/mylocalca.pem`. Then, all Bridgehead components will pick up this certificate and trust it for outgoing connections.
+
+### File structure
+
+- `/srv/docker/bridgehead` contains this git repository with the shell scripts and *project-specific configuration*. In here, all files are identical for all sites. You should not make any changes here.
+- `/etc/bridgehead` contains your *site-specific configuration* synchronized from your site-specific git repository as part of the [base installation](#base-installation). To change anything here, please consult your git repository (find out its URL via `git -C /etc/bridgehead remote -v`).
+  - `/etc/bridgehead/<PROJECT>.conf` is your main site-specific configuration, all bundled into one concise config file. Do not change it here but via the central git repository.
+  - `/etc/bridgehead/<PROJECT>.local.conf` contains site-specific parameters to be known to your Bridgehead only, e.g. local access credentials. The file is ignored via git, and you may edit it here via a text editor.
+  - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
+  - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
+  - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
+
+Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
+
+## Things you should know
+
+### Auto-Updates
+
+Your Bridgehead will automatically and regularly check for updates. Whenever something has been updates (e.g., one of the git repositories or one of the docker images), your Bridgehead is automatically restarted. This should happen automatically and does not need any configuration.
+
+If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
+
+### Monitoring
+
+To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
+
+- Your Bridgehead itself will report relevant system events, such as successful/failed updates, restarts, performance metrics or version numbers.
+- Your Bridgehead is also monitored from the outside by your network's central components. For example, the federated search will regularly perform a black-box test by sending an empty query to your Bridgehead and checking if the results make sense.
+
+In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes.
+
 ## Troubleshooting
 
 ### Docker Daemon Proxy Configuration

From d12f9c44dcde8eba156dbed01e5f8a0a65b9a4ce Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Mon, 21 Nov 2022 18:06:30 +0100
Subject: [PATCH 083/213] Migrate monitoring to self-hosted instance

---
 lib/monitoring.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index daa388f..4d28371 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -14,15 +14,16 @@ UPTIME=
 USER_AGENT=
 
 function hc_send(){
+    BASEURL="https://healthchecks.verbis.dkfz.de/ping"
     if [ -n "$MONITOR_APIKEY" ]; then
         hc_set_uuid $MONITOR_APIKEY
     fi
 
     if [ -n "$HCSERVICE" ]; then
-        HCURL="https://hc-ping.com/$PING_KEY/$HCSERVICE"
+        HCURL="$BASEURL/$PING_KEY/$HCSERVICE"
     fi
     if [ -n "$HCUUID" ]; then
-        HCURL="https://hc-ping.com/$HCUUID"
+        HCURL="$BASEURL/$HCUUID"
     fi
     if [ ! -n "$HCURL" ]; then
         log WARN "Did not report Healthcheck: Neither Healthcheck UUID nor service set. Please define MONITOR_APIKEY in /etc/bridgehead."

From bfb84666af02fff50531ce0bf4ea06578fee7f0b Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 21 Nov 2022 18:13:40 +0100
Subject: [PATCH 084/213] Warn about ufw

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 82010d6..b57c10e 100644
--- a/README.md
+++ b/README.md
@@ -46,12 +46,16 @@ Ensure the following software (or newer) is installed:
 - docker-compose >= 2.xx (`docker-compose` and `docker compose` are both supported).
 - systemd
 
-We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com). Note for Ubuntu: Please note that snap versions of Docker are not supported.
+We recommend to install Docker(-compose) from its official sources as described on the [Docker website](https://docs.docker.com).
+
+Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
 ### Network
 
 Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies))
 
+Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
+
 ## Deployment
 
 ### Base Installation

From f359e06875147cdc7121622799f4ba5742c8544d Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 22 Nov 2022 14:24:56 +0100
Subject: [PATCH 085/213] Encryption: Add root certs for CCP, BBMRI

---
 bbmri/docker-compose.yml |  3 ++-
 bbmri/root.crt.pem       | 20 ++++++++++++++++++++
 ccp/docker-compose.yml   |  2 ++
 ccp/root.crt.pem         | 20 ++++++++++++++++++++
 4 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 bbmri/root.crt.pem
 create mode 100644 ccp/root.crt.pem

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index b1a47b5..9a97d3a 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -96,13 +96,14 @@ services:
       RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
     secrets:
       - proxy.pem
     depends_on:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-
+      - ./root.crt.pem:/conf/root.crt.pem:ro
 
 volumes:
   blaze-data:
diff --git a/bbmri/root.crt.pem b/bbmri/root.crt.pem
new file mode 100644
index 0000000..eae0d4d
--- /dev/null
+++ b/bbmri/root.crt.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUMy/n0zFRihhVR3aAD54LumzeYdwwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIxMDI1MDczNTA4WhcNMzIx
+MDIyMDczNTM3WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL3qWliHIlIT1Qlsyq/NKJ1uj6/AF0STNg5NTNpb
+Xqe5rmUqs6jmQepputGStBVe5TthFw56whISv9FqD5s1PZUGyFikW1pJUnF7ZYRf
+MfrJHRi1vUnD3Gw36FCot+i6BAxfw/rdp9hoqFZ6erRkULLaYZ5S2cDHN0DWc18V
+3VgZ66ah8QXSx7ERRNa/eWRkHrPIYhyVSoKuyZfvbVgsYZADSlviCgIHPrGLerLr
+ylNUyuTxJ5RKStOwPn7A+Jp7nRT+MRh9BphA7s6NuK9h+eVe1DiLbIETWyCEfN3Y
+INpunatn3QDhqOIfNcuBArjsAj7mg8l5KNba8nUP4v0EJYECAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMvc5Fizz1vO
+MEG3MIsy7UY69ZNIMB8GA1UdIwQYMBaAFMvc5Fizz1vOMEG3MIsy7UY69ZNIMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBb8a5su820
+h8JStJC+KpvXmDrGkwx9bHlEZMgQQejIrwPLEbA32KBvNxdoUxF9q1Y773MKdqbc
+cCJwzQXE/NPZ13hCGrEIXs8DgH52GhEB5592k5/bRNcAvUwbZSXPPiT0rgq/eUOt
+BYhgN0ov7h1MC5L6CYB/rQwqck7JPlmrXTkh2gix4/dEdBRzsHsn/xlo8ay5QYHG
+rx2Adit76eZu/MJoJNzl1r8MPxLqyAie3KcIU54A+UMozLrWEQP/TyOyWZdjUjJt
+cBYgkKJTjwdRhc+ehI3kFo7b/a/Z/jl9szKsAPHozMixSi8lGnsYwN80oqeRvT7h
+wcMUK+igv3/K
+-----END CERTIFICATE-----
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 989cc84..4f417ab 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -98,12 +98,14 @@ services:
       RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
     secrets:
       - proxy.pem
     depends_on:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - ./root.crt.pem:/conf/root.crt.pem:ro
 
 
 volumes:
diff --git a/ccp/root.crt.pem b/ccp/root.crt.pem
new file mode 100644
index 0000000..b561218
--- /dev/null
+++ b/ccp/root.crt.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUMeGRSrNPhRdQ1tU7uK5+lUa4f38wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIwOTI5MTQxMjU1WhcNMzIw
+OTI2MTQxMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMYyroOUeb27mYzClOrjCmgIceLalsFA0aVCh5mZ
+KtP8+1U3oq/7exP30gXiJojxW7xoerfyQY9s0Sz5YYbxYbuskFOYEtyAILB/pxgd
++k+J3tlZKolpfmo7WT5tZiHxH/zjrtAYGnuB2xPHRMCWh/tHYrELgXQuilNol24y
+GBa1plTlARy0aKEDUHp87WLhD2qH7B8sFlLgo0+gunE1UtR2HMSPF45w3VXszyG6
+fJNrAj0yPnKy3Dm1BMO3jDO2e0A9lCQ71a4j4TeKePfCk1xCArSu6PpiwiacKplF
+c6CRR6KrWVm2g+8Y2hFcOBG/Py2xusm3PWbpylGq6vtFRkkCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEFxD6BQwQO5
+xsJ+3cvZypsnh6dDMB8GA1UdIwQYMBaAFEFxD6BQwQO5xsJ+3cvZypsnh6dDMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQB5zTeIhV/3
+3Am6O144EFtnIeaZ2w0D6aEHqHAZp50vJv3+uQfOliCOzgw7VDxI4Zz2JALjlR/i
+uOYHsu3YIRMIOmPOjqrdDJa6auB0ufL4oUPfCRln7Fh0f3JVlz3BUoHsSDt949p4
+g0nnsciL2JHuzlqjn7Jyt3L7dAHrlFKulCcuidG5D3cqXrRCbF83f+k3TC/HRiNd
+25oMi7I4MP/SOCdfQGUGIsHIf/0hSm3pNjDOrC/XuI/8gh2f5io+Y8V+hMwMBcm4
+JbH8bdyBB+EIhsNbTwf2MWntD5bmg47sf7hh23aNvKXI67Li1pTI2t1CqiGnFR0U
+fCEpeaEAHs0k
+-----END CERTIFICATE-----

From 31f4ec9a1db43d8099ac16d4fa4836ccefc294a7 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 23 Nov 2022 13:37:25 +0100
Subject: [PATCH 086/213] Removed feature branch in install script

---
 lib/prepare-system.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 20285f1..2cba2e2 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -26,7 +26,7 @@ if [ -d "/srv/docker/bridgehead" ]; then
 else
     log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead"
     mkdir -p /srv/docker/
-    git clone bridgehead_repository_url /srv/docker/bridgehead -b feature/samplyBeam
+    git clone bridgehead_repository_url /srv/docker/bridgehead
 fi
 
 case "$PROJECT" in

From 6297373ed0c1a435235b65ef5d91f9c0fecb6523 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 25 Nov 2022 09:22:17 +0100
Subject: [PATCH 087/213] refactor: Removed Debug Logging from Beam Proxy

---
 bbmri/docker-compose.yml | 1 -
 ccp/docker-compose.yml   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 9a97d3a..2433234 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -93,7 +93,6 @@ services:
       APP_0_ID: spot
       APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
-      RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
       ROOTCERT_FILE: /conf/root.crt.pem
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 4f417ab..54b2daa 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -95,7 +95,6 @@ services:
       APP_1_ID: report-hub
       APP_1_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
-      RUST_LOG: debug
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
       ROOTCERT_FILE: /conf/root.crt.pem

From 5593ae38bb969288372c4975f2c70aecbef256e4 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 29 Nov 2022 07:36:05 +0000
Subject: [PATCH 088/213] Retry git fetch/pull to make it more resilient to
 e.g. network outages

---
 lib/functions.sh         | 22 ++++++++++++++++++++++
 lib/update-bridgehead.sh |  4 ++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index a539e0d..4f40fd0 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -136,6 +136,28 @@ setHostname() {
 	fi
 }
 
+# from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
+# ex. use: retry 5 /bin/false
+function retry {
+  local retries=$1
+  shift
+
+  local count=0
+  until "$@"; do
+    exit=$?
+    wait=$((2 ** $count))
+    count=$(($count + 1))
+    if [ $count -lt $retries ]; then
+      echo "Retry $count/$retries exited with code $exit, retrying in $wait seconds..."
+      sleep $wait
+    else
+      echo "Retry $count/$retries exited with code $exit, giving up."
+      return $exit
+    fi
+  done
+  return 0
+}
+
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 3201fc5..fd4806b 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -48,10 +48,10 @@ for DIR in /etc/bridgehead $(pwd); do
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTP_PROXY_URL" ]; then
     log "INFO" "Git is using no proxy!"
-    OUT=$(git -C $DIR fetch 2>&1 && git -C $DIR pull 2>&1)
+    OUT=$(retry 5 git -C $DIR fetch 2>&1 && retry 5 git -C $DIR pull 2>&1)
   else
     log "INFO" "Git is using proxy ${HTTP_PROXY_URL} from ${CONFFILE}"
-    OUT=$(git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
+    OUT=$(retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1)
   fi
   if [ $? -ne 0 ]; then
     report_error log "Unable to update git $DIR: $OUT"

From eea0c665a2142dccc090d03b9f65eed617df7372 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 29 Nov 2022 08:20:51 +0000
Subject: [PATCH 089/213] Don't warn about modified git dir twice

---
 lib/update-bridgehead.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 3201fc5..cc8d56f 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -38,7 +38,6 @@ for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
   OUT="$(git -C $DIR status --porcelain)"
   if [ -n "$OUT" ]; then
-    log WARN "The working directory $DIR is modified. Changed files: $OUT"
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then

From b061bf635039803736066367c154aad8be6c862e Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 5 Dec 2022 13:18:14 +0100
Subject: [PATCH 090/213] Fixed compose file for exliquid

---
 ccp/exliquid-compose.yml | 8 +++-----
 ccp/exliquid-setup.sh    | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 2c97b83..95bcbea 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -17,21 +17,19 @@ services:
     image: "samply/report-hub:latest"
     container_name: bridgehead-report-hub
     environment:
-      BASE_URL: "http://bridgehead-report-hub:8080"
+      SPRING_WEBFLUX_BASE_PATH: "/ccp-report-hub"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       LOG_LEVEL: "debug"
       PROXY_ID: "report-hub.${PROXY_ID}"
       SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
-      TASK_STORE: "http://bridgehead-task-store:8080/fhir"
-      LDM_URL:  http://bridgehead-ccp-blaze:8080/fhir
+      APP_TASKSTORE_BASEURL: "http://bridgehead-task-store:8080/fhir"
+      APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
       BEAM_PROXY: "http://beam-proxy:8081"
     restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)"
-      - "traefik.http.middlewares.ccp_t_strip.stripprefix.prefixes=/ccp-report-hub"
       - "traefik.http.services.report-ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.report-ccp.middlewares=ccp_t_strip"
       - "traefik.http.routers.report-ccp.tls=true"
 
 volumes:
diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index 59d8877..e1daa11 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -2,7 +2,7 @@
 
 function exliquidSetup() {
 	if [ -n "$EXLIQUID" ]; then
-		log INFO "EXLIQUID setup detected -- will start Reporthub."
+		log INFO "EXLIQUID setup detected -- will start Report-Hub."
 		OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
 	fi
 }
\ No newline at end of file

From ece0dec9c9c044b64f77ccf9801d17dc10644007 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 6 Dec 2022 11:33:45 +0100
Subject: [PATCH 091/213] Rename exliquid docker containers

---
 ccp/exliquid-compose.yml | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 95bcbea..9f05977 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -1,36 +1,34 @@
 version: "3.7"
 
 services:
-  task-store:
+  exliquid-task-store:
     image: "samply/blaze:0.18"
-    container_name: bridgehead-task-store
+    container_name: bridgehead-exliquid-task-store
     environment:
-      BASE_URL: "http://bridgehead-task-store:8080"
+      BASE_URL: "http://bridgehead-exliquid-task-store:8080"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
-      LOG_LEVEL: "debug"
     volumes:
-    - "task-store-data:/app/data"
+    - "exliquid-task-store-data:/app/data"
     labels:
       - "traefik.enable=false"
 
-  report-hub:
+  exliquid-report-hub:
     image: "samply/report-hub:latest"
-    container_name: bridgehead-report-hub
+    container_name: bridgehead-exliquid-report-hub
     environment:
-      SPRING_WEBFLUX_BASE_PATH: "/ccp-report-hub"
+      SPRING_WEBFLUX_BASE_PATH: "/exliquid"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
-      LOG_LEVEL: "debug"
       PROXY_ID: "report-hub.${PROXY_ID}"
       SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
-      APP_TASKSTORE_BASEURL: "http://bridgehead-task-store:8080/fhir"
+      APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
       APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
       BEAM_PROXY: "http://beam-proxy:8081"
     restart: always
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.report-ccp.rule=PathPrefix(`/ccp-report-hub`)"
+      - "traefik.http.routers.report-ccp.rule=PathPrefix(`/exliquid`)"
       - "traefik.http.services.report-ccp.loadbalancer.server.port=8080"
       - "traefik.http.routers.report-ccp.tls=true"
 
 volumes:
-  task-store-data:
\ No newline at end of file
+  exliquid-task-store-data:
\ No newline at end of file

From af54f0ca04ef8efad53fc72975f7599e8fb615d8 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 6 Dec 2022 11:42:18 +0100
Subject: [PATCH 092/213] Define exliquid sites right inside the common
 bridgehead scripts

---
 ccp/exliquid-setup.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index e1daa11..8102fcb 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -1,7 +1,18 @@
 #!/bin/bash
 
 function exliquidSetup() {
-	if [ -n "$EXLIQUID" ]; then
+	case ${SITE_ID} in
+		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
+			EXLIQUID=1
+			;;
+		dktk-test)
+			EXLIQUID=1
+			;;
+		*)
+			EXLIQUID=0
+			;;
+	esac
+	if [[ $EXLIQUID -eq 1 ]]; then
 		log INFO "EXLIQUID setup detected -- will start Report-Hub."
 		OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
 	fi

From 66999178bfd804297416ec24d2e6601270daba74 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 12 Dec 2022 09:22:20 +0100
Subject: [PATCH 093/213] Added space to Override

---
 ccp/exliquid-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index 8102fcb..83daa45 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -14,6 +14,6 @@ function exliquidSetup() {
 	esac
 	if [[ $EXLIQUID -eq 1 ]]; then
 		log INFO "EXLIQUID setup detected -- will start Report-Hub."
-		OVERRIDE+="-f ./$PROJECT/exliquid-compose.yml"
+		OVERRIDE+=" -f ./$PROJECT/exliquid-compose.yml"
 	fi
 }
\ No newline at end of file

From 54fbb58f0d8fc8363a9120a6f205923b9b1919ba Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 12 Dec 2022 09:27:50 +0100
Subject: [PATCH 094/213] Added proxy base url

---
 ccp/exliquid-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 9f05977..e629de9 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -20,6 +20,7 @@ services:
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       PROXY_ID: "report-hub.${PROXY_ID}"
       SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+      APP_PROXY_BASEURL: http://beam-proxy:8081
       APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
       APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
       BEAM_PROXY: "http://beam-proxy:8081"

From 813dbcc76a95b98c52e7c12f7d6055e48d7caf8d Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Mon, 12 Dec 2022 10:41:18 +0100
Subject: [PATCH 095/213] Fixed beam proxy var url

---
 ccp/exliquid-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index e629de9..6ada73a 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -20,7 +20,7 @@ services:
       JAVA_TOOL_OPTIONS: "-Xmx1g"
       PROXY_ID: "report-hub.${PROXY_ID}"
       SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
-      APP_PROXY_BASEURL: http://beam-proxy:8081
+      APP_BEAM_PROXY_BASEURL: http://beam-proxy:8081
       APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
       APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
       BEAM_PROXY: "http://beam-proxy:8081"

From 99c0e7f28354bcb6ae49f30556df78d1a9e1da07 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 7 Dec 2022 15:46:19 +0100
Subject: [PATCH 096/213] Added Configuration for Local ID-Management

---
 ccp/modules/id-management-compose.yml | 75 +++++++++++++++++++++++++++
 ccp/modules/id-management-setup.sh    | 17 ++++++
 ccp/vars                              |  3 ++
 lib/functions.sh                      |  2 +-
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 ccp/modules/id-management-compose.yml
 create mode 100644 ccp/modules/id-management-setup.sh

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
new file mode 100644
index 0000000..0968048
--- /dev/null
+++ b/ccp/modules/id-management-compose.yml
@@ -0,0 +1,75 @@
+version: "3.7"
+services:
+  id-manager:
+    image: docker.verbis.dkfz.de/bridgehead/magicpl
+    environment:
+      TOMCAT_REVERSEPROXY_FQDN: ${HOST}
+      MAGICPL_SITE: ${SITE_ID}
+      MAGICPL_ALLOWED_ORIGINS: https://${HOST}
+      MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
+      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
+      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
+      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
+    depends_on:
+      - patientlist
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
+      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
+      - "traefik.http.routers.id-manager.tls=true"
+
+  patientlist:
+    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
+    environment:
+      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+      - ML_SITE=${SITE_ID}
+      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
+      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      # Add Variables from /etc/patientlist-id-generators.env
+      - ML_BK_IDGENERATOR_RANDOM_1
+      - ML_BK_IDGENERATOR_RANDOM_2
+      - ML_BK_IDGENERATOR_RANDOM_3
+      - ML_MDS_IDGENERATOR_RANDOM_1
+      - ML_MDS_IDGENERATOR_RANDOM_2
+      - ML_MDS_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_3
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_1
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_2
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_3
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_1
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_2
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_3
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
+      - "traefik.http.services.patientlist.loadbalancer.server.port=8080"
+      - "traefik.http.routers.patientlist.tls=true"
+    depends_on:
+      - patientlist-db
+
+  patientlist-db:
+    image: postgres:14-alpine
+    environment:
+      POSTGRES_USER: "mainzelliste"
+      POSTGRES_DB: "mainzelliste"
+      POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
+    volumes:
+      - "patientlist-db-data:/var/lib/postgresql/data"
+
+volumes:
+  patientlist-db-data:
+
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
new file mode 100644
index 0000000..ca939fb
--- /dev/null
+++ b/ccp/modules/id-management-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+function idManagementSetup() {
+	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
+		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
+
+		# Auto Generate local Passwords
+		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+		IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+
+		# Source the ID Generators Configuration
+		source /etc/bridgehead/patientlist-id-generators.env
+		log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+	fi
+
+}
diff --git a/ccp/vars b/ccp/vars
index 63def80..89deae0 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -8,6 +8,9 @@ REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRE
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
+# This will load id-management setup. Effective only if id-management configuration is defined.
+source $PROJECT/modules/id-management-setup.sh
+idManagementSetup
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
diff --git a/lib/functions.sh b/lib/functions.sh
index 4f40fd0..355ebaa 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -131,7 +131,7 @@ fail_and_report() {
 
 setHostname() {
 	if [ -z "$HOST" ]; then
-		export HOST=$(hostname -f)
+		export HOST=$(hostname -f | tr "[:upper:]" "[:lower:]")
 		log DEBUG "Using auto-detected hostname $HOST."
 	fi
 }

From 5e063003ace490b3835e30fcebbafd6465ed4586 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 13 Dec 2022 16:51:32 +0100
Subject: [PATCH 097/213] feature: Added automated Backups for PostgreSQL

---
 README.md                             |  9 +++++++
 ccp/modules/id-management-compose.yml | 11 ++++----
 lib/functions.sh                      | 11 ++++++++
 lib/install-bridgehead.sh             | 10 ++++---
 lib/update-bridgehead.sh              | 39 +++++++++++++++++++++++++++
 5 files changed, 72 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index b57c10e..24ebdf2 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
   - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
   - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
   - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
+- `/var/data/bridgehead` contains persistent data of the bridgehead
+  - `/var/data/bridgehead/backups` contains automatically created backups of the databases.
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
@@ -139,6 +141,13 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som
 
 If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
 
+### Auto-Backups
+Some of the components in the bridgehead will store persistent data. For those components, we integrated an automated backup solution in the bridgehead updates. It will automatically save the backup in multiple files
+
+1) Last-XX, were XX represents a weekday to allow re-import of at least one version of the database for each of the past seven days.
+2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week
+3) Year-Month, to allow re-import of at least one version per month
+
 ### Monitoring
 
 To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 0968048..d1639af 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -2,6 +2,7 @@ version: "3.7"
 services:
   id-manager:
     image: docker.verbis.dkfz.de/bridgehead/magicpl
+    container_name: bridgehead-id-manager
     environment:
       TOMCAT_REVERSEPROXY_FQDN: ${HOST}
       MAGICPL_SITE: ${SITE_ID}
@@ -23,6 +24,7 @@ services:
 
   patientlist:
     image: docker.verbis.dkfz.de/bridgehead/mainzelliste
+    container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
       - ML_SITE=${SITE_ID}
@@ -63,13 +65,12 @@ services:
 
   patientlist-db:
     image: postgres:14-alpine
+    container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"
       POSTGRES_DB: "mainzelliste"
       POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
     volumes:
-      - "patientlist-db-data:/var/lib/postgresql/data"
-
-volumes:
-  patientlist-db-data:
-
+      - "/var/data/bridgehead/patientlist:/var/lib/postgresql/data"
+      # NOTE: Add backups here. This is only imported if /var/data/bridgehead/patientlist/ is empty!!!
+      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
diff --git a/lib/functions.sh b/lib/functions.sh
index 355ebaa..23fb939 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -136,6 +136,17 @@ setHostname() {
 	fi
 }
 
+# Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
+# Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
+createEncryptedPostgresBackup(){
+  docker exec "$2" bash -c 'pg_dump -U $POSTGRES_USER $POSTGRES_DB --format=p --no-owner --no-privileges' | \
+      # TODO: Encrypt using /etc/bridgehead/pki/${SITE_ID}.priv.pem | \
+      tee "$1/$2/$(date +Last-%A).sql" | \
+      tee "$1/$2/$(date +%Y-%m).sql" > \
+      "$1/$2/$(date +%Y-KW%V).sql"
+}
+
+
 # from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
 # ex. use: retry 5 /bin/false
 function retry {
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 5e3add3..7cbd8ef 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@*.service, \\
-    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
-    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
@@ -37,6 +37,10 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
+log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data."
+mkdir -p /var/data/bridgehead
+chown -R bridgehead /var/data/bridgehead
+
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
@@ -63,4 +67,4 @@ else
   STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n            /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR"
 fi
 
-log "INFO" "$STR"
\ No newline at end of file
+log "INFO" "$STR"
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 897c8a2..cc1d55f 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,6 +1,45 @@
 #!/bin/bash
 source lib/functions.sh
 
+AUTO_BACKUP=${AUTO_BACKUP:-true}
+
+if [ "$AUTO_BACKUP" == "true" ]; then
+  BACKUP_DIRECTORY="/var/data/bridgehead/backups"
+  if [ ! -d /var/data ]; then
+    log DEBUG "Created /var/data"
+    mkdir /var/data
+  fi
+  if [ ! -d /var/data/bridgehead ]; then
+    log DEBUG "Created /var/data/bridgehead"
+    mkdir /var/data/bridgehead
+  fi
+  if [ ! -d $BACKUP_DIRECTORY ]; then
+    message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
+    hc_send log "$message"
+    log INFO "$message"
+    mkdir -p $BACKUP_DIRECTORY
+  fi
+  BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
+  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
+  for service in $BACKUP_SERVICES; do
+    if [ ! -d $BACKUP_DIRECTORY/$service ]; then
+      message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+      mkdir -p $BACKUP_DIRECTORY/$service
+    fi
+    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
+      message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+    else
+      fail_and_report 5 "Failed to create encrypted update for $service"
+    fi
+  done
+else
+  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
+fi
+
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then

From 125bb5e26232be6f5279d1fb771a99710d8fe012 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 15 Dec 2022 16:39:03 +0100
Subject: [PATCH 098/213] refactor: Changed Trigger of the IDM Module

---
 ccp/modules/id-management-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index ca939fb..790f846 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+	if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 

From bc72093be9c42db534d12a4d418106cf7e21409d Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 15 Dec 2022 16:39:23 +0100
Subject: [PATCH 099/213] docs: Added Documentation for the IDM Module

---
 ccp/modules/id-management.md | 58 ++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 ccp/modules/id-management.md

diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
new file mode 100644
index 0000000..8de2f5a
--- /dev/null
+++ b/ccp/modules/id-management.md
@@ -0,0 +1,58 @@
+# Module: Id-Management
+This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf).
+
+## Getting Started
+You must add following configuration variables to your sites-configuration repository:
+
+```
+IDMANAGER_CENTRAXX_APIKEY="<random-string>"
+IDMANAGER_CONNECTOR_APIKEY="<random-string>"
+IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
+IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
+IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
+IDMANAGER_AUTH_CLIENT_SECRET="<given-to-you-by-ccp-it>"
+```
+
+Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects.
+
+After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server:
+
+- `bridgehead-id-manager`, accessible by "https://<your-host>/id-manager". This component adds a common interface for creating pseudonymes in the bridgehead.
+- `bridgehead-patientlist`, accessible by "https://<your-host/patientlist". It's a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service primary task is to map patients IDAT to pseudonymes identifying them along the different CCP projects.
+- `bridgehead-patientlist-db`, not accessible outside of docker. This is a local instance of postgres storing the database of `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`.
+
+## Things you need to know
+### How to import an existing database (e.g from Legacy Windows or from Backups)
+First you must shutdown your local bridgehead instance:
+```
+systemctl stop bridgehead@ccp
+```
+
+Next you need to remove the current patientlist database:
+```
+rm -rf /var/data/bridgehead/patientlist
+```
+
+Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/data/bridgehead/patientlist is empty. 
+> NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
+
+After this, you can restart your bridgehead and the dump will be imported:
+```
+systemctl start bridgehead@ccp
+```
+
+### How to connect your local data-management
+Typically, the sites connect their local data-management for the pseudonym creation with the id-management in the bridgehead. In the following two sections, you can read where you can change the configuration:
+#### Sites using CentraXX
+On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
+```
+dktk.idmanagement.url=https://<your-linux-bk-host>/id-manager/translator/getId
+dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_CENTRAXX_APIKEY>
+```
+They typically already exist, but need to be changed to the new values!
+#### Sites using ADT2FHIR
+@Pierre
+
+
+### How to connect the legacy windows bridgehead
+You need to change the configuration file "..." of your Windows Bridgehead. TODO... 

From 276be28db1792c4f276191e24bbb3b7cbd8f852c Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 16 Dec 2022 12:02:49 +0100
Subject: [PATCH 100/213] fix: Included Legacy ID-Mapping (Please Complete)

---
 ccp/modules/id-management-compose.yml |  6 +++---
 ccp/modules/id-management-setup.sh    | 24 ++++++++++++++++++++++--
 ccp/modules/id-management.md          |  6 +++---
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index d1639af..4baaba7 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -5,11 +5,11 @@ services:
     container_name: bridgehead-id-manager
     environment:
       TOMCAT_REVERSEPROXY_FQDN: ${HOST}
-      MAGICPL_SITE: ${SITE_ID}
+      MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
       MAGICPL_ALLOWED_ORIGINS: https://${HOST}
       MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
-      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY}
+      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
       MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
       MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
       MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 790f846..d2449c7 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
+	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
@@ -11,7 +11,27 @@ function idManagementSetup() {
 
 		# Source the ID Generators Configuration
 		source /etc/bridgehead/patientlist-id-generators.env
-		log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+
+		# Ensure old ids are working !!!
+		legacyIdMapping
 	fi
 
 }
+
+# TODO: Map all old site ids to the new ones
+function legacyIdMapping() {
+    case ${SITE_ID} in
+	"berlin")
+		export IDMANAGEMENT_FRIENDLY_ID=Berlin
+		;;
+	"dresden")
+		export IDMANAGEMENT_FRIENDLY_ID=Dresden
+		;;
+	"frankfurt")
+		export IDMANAGEMENT_FRIENDLY_ID=Frankfurt
+		;;
+	*)
+		export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID
+		;;
+    esac
+}
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 8de2f5a..89ff65c 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -5,8 +5,8 @@ This module provides integration with the CCP-Pseudonymiziation Service. To lear
 You must add following configuration variables to your sites-configuration repository:
 
 ```
-IDMANAGER_CENTRAXX_APIKEY="<random-string>"
-IDMANAGER_CONNECTOR_APIKEY="<random-string>"
+IDMANAGER_UPLOAD_APIKEY="<random-string>"
+IDMANAGER_READ_APIKEY="<random-string>"
 IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
@@ -47,7 +47,7 @@ Typically, the sites connect their local data-management for the pseudonym creat
 On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
 ```
 dktk.idmanagement.url=https://<your-linux-bk-host>/id-manager/translator/getId
-dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_CENTRAXX_APIKEY>
+dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_UPLOAD_APIKEY>
 ```
 They typically already exist, but need to be changed to the new values!
 #### Sites using ADT2FHIR

From 828312e04510315dd9ee87c3d5b9f53a4099852d Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Fri, 2 Dec 2022 15:38:33 +0100
Subject: [PATCH 101/213] Added MTBA Module

---
 ccp/mtba-compose.yml | 33 +++++++++++++++++++++++++++++++++
 ccp/nngm-setup.sh    | 12 ++++++++++++
 ccp/vars             |  1 +
 3 files changed, 46 insertions(+)
 create mode 100644 ccp/mtba-compose.yml

diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
new file mode 100644
index 0000000..53fd327
--- /dev/null
+++ b/ccp/mtba-compose.yml
@@ -0,0 +1,33 @@
+version: "3.7"
+
+services:
+  mtba:
+    image: samply/mtba:develop
+    container_name: bridgehead-mtba
+    environment:
+      BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
+      # NOTE: Aktuell Berechtigungen wie MagicPL!!!
+      # TODO: Add separate ApiKey to Patientlist only for MTBA!
+      ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
+      ID_MANAGER_URL: http://bridgehead-id-manager:8080
+      PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
+      PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"}
+      PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"}
+      PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"}
+      CBIOPORTAL_URL:  http://bridgehead-ccp-cbioportal:8080
+      MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"
+      - "traefik.http.services.mtba.loadbalancer.server.port=80"
+      - "traefik.http.routers.mtba.tls=true"
+    volumes:
+      # This directory persists the FHIR Resources that are needed to import data into blaze.
+      - /var/data/bridgehead/mtba:/app/mtba-files/persist
+      # Place new import files in this directory
+      - /tmp/bridgehead/mtba/:/app/mtba-files/input
+
+  # TODO: Include CBioPortal in Deployment ...
+  # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
+  # TODO: Find a trigger to let mtba signal a restart for CBioPortal
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index d5b80eb..b55d48e 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -7,3 +7,15 @@ function nngmSetup() {
 	fi
 	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
+
+function mtbaSetup() {
+	# TODO: Check if ID-Management Module is activated!
+	if [ -n "$ENABLE_MTBA" ];then
+		log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
+		if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+			log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
+			exit 1;
+		fi
+		OVERRIDE+=" -f ./$PROJECT/mtba-compose.yml"
+	fi
+}
diff --git a/ccp/vars b/ccp/vars
index 89deae0..5172d24 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -16,3 +16,4 @@ source $PROJECT/nngm-setup.sh
 nngmSetup
 source $PROJECT/exliquid-setup.sh
 exliquidSetup
+mtbaSetup
\ No newline at end of file

From e1e7ffece8899a57ce6c22b1e5f55ebdf083225c Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Fri, 16 Dec 2022 15:01:04 +0100
Subject: [PATCH 102/213] set magicpl instead of patientlist

---
 ccp/mtba-compose.yml | 4 ++--
 ccp/nngm-setup.sh    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index 53fd327..d492ae0 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -7,8 +7,8 @@ services:
     environment:
       BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
       # NOTE: Aktuell Berechtigungen wie MagicPL!!!
-      # TODO: Add separate ApiKey to Patientlist only for MTBA!
-      ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      # TODO: Add separate ApiKey to MagicPL only for MTBA!
+      ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY}
       ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
       ID_MANAGER_URL: http://bridgehead-id-manager:8080
       PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index b55d48e..ba2e77f 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -12,7 +12,7 @@ function mtbaSetup() {
 	# TODO: Check if ID-Management Module is activated!
 	if [ -n "$ENABLE_MTBA" ];then
 		log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
-		if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+		if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 			log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
 			exit 1;
 		fi

From c9bb317cd2d79e3a226510a956593c0053ceaa28 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Wed, 4 Jan 2023 14:00:08 +0100
Subject: [PATCH 103/213] Fixed vars in exliquid compose

---
 ccp/exliquid-compose.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index 6ada73a..e21617a 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -18,12 +18,11 @@ services:
     environment:
       SPRING_WEBFLUX_BASE_PATH: "/exliquid"
       JAVA_TOOL_OPTIONS: "-Xmx1g"
-      PROXY_ID: "report-hub.${PROXY_ID}"
-      SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
+      APP_BEAM_APPID: "report-hub.${PROXY_ID}"
+      APP_BEAM_SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
       APP_BEAM_PROXY_BASEURL: http://beam-proxy:8081
       APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
       APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
-      BEAM_PROXY: "http://beam-proxy:8081"
     restart: always
     labels:
       - "traefik.enable=true"

From 6d24dbce7f9710dc4050ec62fc6016273bd38cd4 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 7 Dec 2022 15:46:19 +0100
Subject: [PATCH 104/213] Added Configuration for Local ID-Management

---
 ccp/modules/id-management-compose.yml | 75 +++++++++++++++++++++++++++
 ccp/modules/id-management-setup.sh    | 17 ++++++
 ccp/vars                              |  3 ++
 lib/functions.sh                      |  2 +-
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 ccp/modules/id-management-compose.yml
 create mode 100644 ccp/modules/id-management-setup.sh

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
new file mode 100644
index 0000000..0968048
--- /dev/null
+++ b/ccp/modules/id-management-compose.yml
@@ -0,0 +1,75 @@
+version: "3.7"
+services:
+  id-manager:
+    image: docker.verbis.dkfz.de/bridgehead/magicpl
+    environment:
+      TOMCAT_REVERSEPROXY_FQDN: ${HOST}
+      MAGICPL_SITE: ${SITE_ID}
+      MAGICPL_ALLOWED_ORIGINS: https://${HOST}
+      MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
+      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
+      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
+      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
+    depends_on:
+      - patientlist
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
+      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
+      - "traefik.http.routers.id-manager.tls=true"
+
+  patientlist:
+    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
+    environment:
+      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+      - ML_SITE=${SITE_ID}
+      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
+      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      # Add Variables from /etc/patientlist-id-generators.env
+      - ML_BK_IDGENERATOR_RANDOM_1
+      - ML_BK_IDGENERATOR_RANDOM_2
+      - ML_BK_IDGENERATOR_RANDOM_3
+      - ML_MDS_IDGENERATOR_RANDOM_1
+      - ML_MDS_IDGENERATOR_RANDOM_2
+      - ML_MDS_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001985_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001986_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001950_IDGENERATOR_RANDOM_3
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_1
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_2
+      - ML_DKTK000001951_IDGENERATOR_RANDOM_3
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_1
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_2
+      - ML_DKTK999999999_IDGENERATOR_RANDOM_3
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_1
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_2
+      - ML_DKTK000002089_IDGENERATOR_RANDOM_3
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
+      - "traefik.http.services.patientlist.loadbalancer.server.port=8080"
+      - "traefik.http.routers.patientlist.tls=true"
+    depends_on:
+      - patientlist-db
+
+  patientlist-db:
+    image: postgres:14-alpine
+    environment:
+      POSTGRES_USER: "mainzelliste"
+      POSTGRES_DB: "mainzelliste"
+      POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
+    volumes:
+      - "patientlist-db-data:/var/lib/postgresql/data"
+
+volumes:
+  patientlist-db-data:
+
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
new file mode 100644
index 0000000..ca939fb
--- /dev/null
+++ b/ccp/modules/id-management-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+function idManagementSetup() {
+	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
+		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
+
+		# Auto Generate local Passwords
+		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+		IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+
+		# Source the ID Generators Configuration
+		source /etc/bridgehead/patientlist-id-generators.env
+		log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+	fi
+
+}
diff --git a/ccp/vars b/ccp/vars
index 63def80..89deae0 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -8,6 +8,9 @@ REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRE
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
+# This will load id-management setup. Effective only if id-management configuration is defined.
+source $PROJECT/modules/id-management-setup.sh
+idManagementSetup
 # This will load nngm setup. Effective only if nngm configuration is defined.
 source $PROJECT/nngm-setup.sh
 nngmSetup
diff --git a/lib/functions.sh b/lib/functions.sh
index 4f40fd0..355ebaa 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -131,7 +131,7 @@ fail_and_report() {
 
 setHostname() {
 	if [ -z "$HOST" ]; then
-		export HOST=$(hostname -f)
+		export HOST=$(hostname -f | tr "[:upper:]" "[:lower:]")
 		log DEBUG "Using auto-detected hostname $HOST."
 	fi
 }

From 1ffc9b9cd581e592c42a8ac2c881045aa39c1c3c Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 13 Dec 2022 16:51:32 +0100
Subject: [PATCH 105/213] feature: Added automated Backups for PostgreSQL

---
 README.md                             |  9 +++++++
 ccp/modules/id-management-compose.yml | 11 ++++----
 lib/functions.sh                      | 11 ++++++++
 lib/install-bridgehead.sh             | 10 ++++---
 lib/update-bridgehead.sh              | 39 +++++++++++++++++++++++++++
 5 files changed, 72 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index b57c10e..24ebdf2 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
   - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
   - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
   - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
+- `/var/data/bridgehead` contains persistent data of the bridgehead
+  - `/var/data/bridgehead/backups` contains automatically created backups of the databases.
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
@@ -139,6 +141,13 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som
 
 If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
 
+### Auto-Backups
+Some of the components in the bridgehead will store persistent data. For those components, we integrated an automated backup solution in the bridgehead updates. It will automatically save the backup in multiple files
+
+1) Last-XX, were XX represents a weekday to allow re-import of at least one version of the database for each of the past seven days.
+2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week
+3) Year-Month, to allow re-import of at least one version per month
+
 ### Monitoring
 
 To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 0968048..d1639af 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -2,6 +2,7 @@ version: "3.7"
 services:
   id-manager:
     image: docker.verbis.dkfz.de/bridgehead/magicpl
+    container_name: bridgehead-id-manager
     environment:
       TOMCAT_REVERSEPROXY_FQDN: ${HOST}
       MAGICPL_SITE: ${SITE_ID}
@@ -23,6 +24,7 @@ services:
 
   patientlist:
     image: docker.verbis.dkfz.de/bridgehead/mainzelliste
+    container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
       - ML_SITE=${SITE_ID}
@@ -63,13 +65,12 @@ services:
 
   patientlist-db:
     image: postgres:14-alpine
+    container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"
       POSTGRES_DB: "mainzelliste"
       POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
     volumes:
-      - "patientlist-db-data:/var/lib/postgresql/data"
-
-volumes:
-  patientlist-db-data:
-
+      - "/var/data/bridgehead/patientlist:/var/lib/postgresql/data"
+      # NOTE: Add backups here. This is only imported if /var/data/bridgehead/patientlist/ is empty!!!
+      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
diff --git a/lib/functions.sh b/lib/functions.sh
index 355ebaa..23fb939 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -136,6 +136,17 @@ setHostname() {
 	fi
 }
 
+# Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
+# Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
+createEncryptedPostgresBackup(){
+  docker exec "$2" bash -c 'pg_dump -U $POSTGRES_USER $POSTGRES_DB --format=p --no-owner --no-privileges' | \
+      # TODO: Encrypt using /etc/bridgehead/pki/${SITE_ID}.priv.pem | \
+      tee "$1/$2/$(date +Last-%A).sql" | \
+      tee "$1/$2/$(date +%Y-%m).sql" > \
+      "$1/$2/$(date +%Y-KW%V).sql"
+}
+
+
 # from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
 # ex. use: retry 5 /bin/false
 function retry {
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 5e3add3..7cbd8ef 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@*.service, \\
-    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
-    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
@@ -37,6 +37,10 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
+log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data."
+mkdir -p /var/data/bridgehead
+chown -R bridgehead /var/data/bridgehead
+
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
@@ -63,4 +67,4 @@ else
   STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n            /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR"
 fi
 
-log "INFO" "$STR"
\ No newline at end of file
+log "INFO" "$STR"
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 897c8a2..cc1d55f 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,6 +1,45 @@
 #!/bin/bash
 source lib/functions.sh
 
+AUTO_BACKUP=${AUTO_BACKUP:-true}
+
+if [ "$AUTO_BACKUP" == "true" ]; then
+  BACKUP_DIRECTORY="/var/data/bridgehead/backups"
+  if [ ! -d /var/data ]; then
+    log DEBUG "Created /var/data"
+    mkdir /var/data
+  fi
+  if [ ! -d /var/data/bridgehead ]; then
+    log DEBUG "Created /var/data/bridgehead"
+    mkdir /var/data/bridgehead
+  fi
+  if [ ! -d $BACKUP_DIRECTORY ]; then
+    message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
+    hc_send log "$message"
+    log INFO "$message"
+    mkdir -p $BACKUP_DIRECTORY
+  fi
+  BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
+  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
+  for service in $BACKUP_SERVICES; do
+    if [ ! -d $BACKUP_DIRECTORY/$service ]; then
+      message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+      mkdir -p $BACKUP_DIRECTORY/$service
+    fi
+    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
+      message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+    else
+      fail_and_report 5 "Failed to create encrypted update for $service"
+    fi
+  done
+else
+  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
+fi
+
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then

From 2a46bd00fd31a5278ac23f1f434b21ca355d516d Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 15 Dec 2022 16:39:03 +0100
Subject: [PATCH 106/213] refactor: Changed Trigger of the IDM Module

---
 ccp/modules/id-management-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index ca939fb..790f846 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+	if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 

From 4f0526ddf4de73836c74f0607676f3f2fc583f40 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 15 Dec 2022 16:39:23 +0100
Subject: [PATCH 107/213] docs: Added Documentation for the IDM Module

---
 ccp/modules/id-management.md | 58 ++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 ccp/modules/id-management.md

diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
new file mode 100644
index 0000000..8de2f5a
--- /dev/null
+++ b/ccp/modules/id-management.md
@@ -0,0 +1,58 @@
+# Module: Id-Management
+This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf).
+
+## Getting Started
+You must add following configuration variables to your sites-configuration repository:
+
+```
+IDMANAGER_CENTRAXX_APIKEY="<random-string>"
+IDMANAGER_CONNECTOR_APIKEY="<random-string>"
+IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
+IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
+IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
+IDMANAGER_AUTH_CLIENT_SECRET="<given-to-you-by-ccp-it>"
+```
+
+Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects.
+
+After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server:
+
+- `bridgehead-id-manager`, accessible by "https://<your-host>/id-manager". This component adds a common interface for creating pseudonymes in the bridgehead.
+- `bridgehead-patientlist`, accessible by "https://<your-host/patientlist". It's a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service primary task is to map patients IDAT to pseudonymes identifying them along the different CCP projects.
+- `bridgehead-patientlist-db`, not accessible outside of docker. This is a local instance of postgres storing the database of `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`.
+
+## Things you need to know
+### How to import an existing database (e.g from Legacy Windows or from Backups)
+First you must shutdown your local bridgehead instance:
+```
+systemctl stop bridgehead@ccp
+```
+
+Next you need to remove the current patientlist database:
+```
+rm -rf /var/data/bridgehead/patientlist
+```
+
+Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/data/bridgehead/patientlist is empty. 
+> NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
+
+After this, you can restart your bridgehead and the dump will be imported:
+```
+systemctl start bridgehead@ccp
+```
+
+### How to connect your local data-management
+Typically, the sites connect their local data-management for the pseudonym creation with the id-management in the bridgehead. In the following two sections, you can read where you can change the configuration:
+#### Sites using CentraXX
+On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
+```
+dktk.idmanagement.url=https://<your-linux-bk-host>/id-manager/translator/getId
+dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_CENTRAXX_APIKEY>
+```
+They typically already exist, but need to be changed to the new values!
+#### Sites using ADT2FHIR
+@Pierre
+
+
+### How to connect the legacy windows bridgehead
+You need to change the configuration file "..." of your Windows Bridgehead. TODO... 

From 4d49351ad21f734ec1fcd7aaf9f4ee9bf475a10d Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 16 Dec 2022 12:02:49 +0100
Subject: [PATCH 108/213] fix: Included Legacy ID-Mapping (Please Complete)

---
 ccp/modules/id-management-compose.yml |  6 +++---
 ccp/modules/id-management-setup.sh    | 24 ++++++++++++++++++++++--
 ccp/modules/id-management.md          |  6 +++---
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index d1639af..4baaba7 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -5,11 +5,11 @@ services:
     container_name: bridgehead-id-manager
     environment:
       TOMCAT_REVERSEPROXY_FQDN: ${HOST}
-      MAGICPL_SITE: ${SITE_ID}
+      MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
       MAGICPL_ALLOWED_ORIGINS: https://${HOST}
       MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_CENTRAXX_APIKEY}
-      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_CONNECTOR_APIKEY}
+      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY}
+      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
       MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
       MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
       MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 790f846..d2449c7 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$IDMANAGER_CENTRAXX_APIKEY" ]; then
+	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
@@ -11,7 +11,27 @@ function idManagementSetup() {
 
 		# Source the ID Generators Configuration
 		source /etc/bridgehead/patientlist-id-generators.env
-		log INFO "ID-Management Generator 1: ${ML_BK_IDGENERATOR_RANDOM_1}"
+
+		# Ensure old ids are working !!!
+		legacyIdMapping
 	fi
 
 }
+
+# TODO: Map all old site ids to the new ones
+function legacyIdMapping() {
+    case ${SITE_ID} in
+	"berlin")
+		export IDMANAGEMENT_FRIENDLY_ID=Berlin
+		;;
+	"dresden")
+		export IDMANAGEMENT_FRIENDLY_ID=Dresden
+		;;
+	"frankfurt")
+		export IDMANAGEMENT_FRIENDLY_ID=Frankfurt
+		;;
+	*)
+		export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID
+		;;
+    esac
+}
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 8de2f5a..89ff65c 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -5,8 +5,8 @@ This module provides integration with the CCP-Pseudonymiziation Service. To lear
 You must add following configuration variables to your sites-configuration repository:
 
 ```
-IDMANAGER_CENTRAXX_APIKEY="<random-string>"
-IDMANAGER_CONNECTOR_APIKEY="<random-string>"
+IDMANAGER_UPLOAD_APIKEY="<random-string>"
+IDMANAGER_READ_APIKEY="<random-string>"
 IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
@@ -47,7 +47,7 @@ Typically, the sites connect their local data-management for the pseudonym creat
 On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
 ```
 dktk.idmanagement.url=https://<your-linux-bk-host>/id-manager/translator/getId
-dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_CENTRAXX_APIKEY>
+dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_UPLOAD_APIKEY>
 ```
 They typically already exist, but need to be changed to the new values!
 #### Sites using ADT2FHIR

From e0c9a5ced38a61da718b0bdf2b01208c2371f094 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Fri, 2 Dec 2022 15:38:33 +0100
Subject: [PATCH 109/213] Added MTBA Module

---
 ccp/mtba-compose.yml | 33 +++++++++++++++++++++++++++++++++
 ccp/nngm-setup.sh    | 12 ++++++++++++
 ccp/vars             |  1 +
 3 files changed, 46 insertions(+)
 create mode 100644 ccp/mtba-compose.yml

diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
new file mode 100644
index 0000000..53fd327
--- /dev/null
+++ b/ccp/mtba-compose.yml
@@ -0,0 +1,33 @@
+version: "3.7"
+
+services:
+  mtba:
+    image: samply/mtba:develop
+    container_name: bridgehead-mtba
+    environment:
+      BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
+      # NOTE: Aktuell Berechtigungen wie MagicPL!!!
+      # TODO: Add separate ApiKey to Patientlist only for MTBA!
+      ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
+      ID_MANAGER_URL: http://bridgehead-id-manager:8080
+      PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
+      PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"}
+      PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"}
+      PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"}
+      CBIOPORTAL_URL:  http://bridgehead-ccp-cbioportal:8080
+      MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"
+      - "traefik.http.services.mtba.loadbalancer.server.port=80"
+      - "traefik.http.routers.mtba.tls=true"
+    volumes:
+      # This directory persists the FHIR Resources that are needed to import data into blaze.
+      - /var/data/bridgehead/mtba:/app/mtba-files/persist
+      # Place new import files in this directory
+      - /tmp/bridgehead/mtba/:/app/mtba-files/input
+
+  # TODO: Include CBioPortal in Deployment ...
+  # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
+  # TODO: Find a trigger to let mtba signal a restart for CBioPortal
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index d5b80eb..b55d48e 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -7,3 +7,15 @@ function nngmSetup() {
 	fi
 	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 }
+
+function mtbaSetup() {
+	# TODO: Check if ID-Management Module is activated!
+	if [ -n "$ENABLE_MTBA" ];then
+		log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
+		if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+			log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
+			exit 1;
+		fi
+		OVERRIDE+=" -f ./$PROJECT/mtba-compose.yml"
+	fi
+}
diff --git a/ccp/vars b/ccp/vars
index 89deae0..5172d24 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -16,3 +16,4 @@ source $PROJECT/nngm-setup.sh
 nngmSetup
 source $PROJECT/exliquid-setup.sh
 exliquidSetup
+mtbaSetup
\ No newline at end of file

From e7b238de9d023abf69b88699eb132f67acdbe8f9 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Fri, 16 Dec 2022 15:01:04 +0100
Subject: [PATCH 110/213] set magicpl instead of patientlist

---
 ccp/mtba-compose.yml | 4 ++--
 ccp/nngm-setup.sh    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index 53fd327..d492ae0 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -7,8 +7,8 @@ services:
     environment:
       BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
       # NOTE: Aktuell Berechtigungen wie MagicPL!!!
-      # TODO: Add separate ApiKey to Patientlist only for MTBA!
-      ID_MANAGER_API_KEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      # TODO: Add separate ApiKey to MagicPL only for MTBA!
+      ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY}
       ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
       ID_MANAGER_URL: http://bridgehead-id-manager:8080
       PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index b55d48e..ba2e77f 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -12,7 +12,7 @@ function mtbaSetup() {
 	# TODO: Check if ID-Management Module is activated!
 	if [ -n "$ENABLE_MTBA" ];then
 		log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
-		if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+		if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 			log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
 			exit 1;
 		fi

From ee6f60ef6542adcf41ca827f54fe7ad45b7609ec Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 19 Jan 2023 09:59:47 +0100
Subject: [PATCH 111/213] Enhanced the installation documentation.

Explained the following:

* Bridgehead projects
* Configuration repository
---
 README.md | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index b57c10e..e559842 100644
--- a/README.md
+++ b/README.md
@@ -57,10 +57,43 @@ Since it needs to carry sensitive patient data, Bridgeheads are intended to be d
 Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
 
 ## Deployment
+You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique.
+
+### Projects
+
+The following "projects" are known to the Bridgehead installation:
+
+- bbmri
+- ccp
+
+Use "bbmri" if you are in the BBMRI-ERIC European biobank network or the GBA (German Biobank Alliance) network.
+
+Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network.
+
+### GitLab repository
+
+In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software.
+
+To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name.
+
+We will set the repository up for you. We will then send you the repository's URL plus a token to access it.
+
+Before installation, you must set up your site's configuration in GitLab.
+
+To do this, visit the configuration repository's URL and click on the configuration file. Depending on your project, this will be called either ```bbmri.conf```or ```ccp.conf```. Use the blue button to edit it. You will need to change, as a minimum, the following variables:
+
+- SITE_NAME
+- SITE_ID
+- OPERATOR_FIRST_NAME
+- OPERATOR_LAST_NAME
+- OPERATOR_EMAIL
+- OPERATOR_PHONE
+
+SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site.
 
 ### Base Installation
 
-First, clone the repository to the directory `/srv/docker/bridgehead`:
+First, get the Bridgehead:
 
 ```shell
 sudo mkdir -p /srv/docker/
@@ -74,7 +107,11 @@ cd /srv/docker/bridgehead
 sudo ./bridgehead install <PROJECT>
 ```
 
-... and follow the instructions on the screen. You should then be prompted to do the next step:
+When prompted with "Please enter your site", you should enter the name you have given to your site (not its URL). E.g., in the example in the previous section, that would be "your-site-name".
+
+When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you.
+
+You should then be prompted to do the next step:
 
 ### Register with Samply.Beam
 

From af7960e036deb3ddff22d42354f554ee71942649 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 19 Jan 2023 10:05:03 +0000
Subject: [PATCH 112/213] Improve documentation

---
 ccp/modules/id-management.md | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 89ff65c..4c929b9 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -1,8 +1,8 @@
 # Module: Id-Management
-This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP-DSK](https://dktk.dkfz.de/application/files/5016/2030/2474/20_11_23_Datenschutzkonzept_CCP-IT_inkl_Anlagen.pdf).
+This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP Data Protection Concept](https://dktk.dkfz.de/klinische-plattformen/documents-download).
 
 ## Getting Started
-You must add following configuration variables to your sites-configuration repository:
+The following configuration variables are added to your sites-configuration repository:
 
 ```
 IDMANAGER_UPLOAD_APIKEY="<random-string>"
@@ -13,15 +13,19 @@ IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
 IDMANAGER_AUTH_CLIENT_SECRET="<given-to-you-by-ccp-it>"
 ```
 
-Additionally, the ccp-it needs to add a new file "patientlist-id-generators.env" to your site configuration. This file will hold the seeds for the different id-generators used in all projects.
+Most of the configuration is kept identical across all sites. Some site-specific variables, however, go into a file called `/etc/bridgehead/ccp/id-management.local`.
 
-After adding the configuration, you simply need to update your bridgehead and 3 new services will run on your server:
+After adding the configuration, you simply need to update your bridgehead. You're all set!
 
-- `bridgehead-id-manager`, accessible by "https://<your-host>/id-manager". This component adds a common interface for creating pseudonymes in the bridgehead.
-- `bridgehead-patientlist`, accessible by "https://<your-host/patientlist". It's a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service primary task is to map patients IDAT to pseudonymes identifying them along the different CCP projects.
-- `bridgehead-patientlist-db`, not accessible outside of docker. This is a local instance of postgres storing the database of `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`.
+## Additional information you may want to know
+### Services
+
+Upon configuration, the Bridgehead will spawn the following services:
+
+- The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
+- The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
+- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`.
 
-## Things you need to know
 ### How to import an existing database (e.g from Legacy Windows or from Backups)
 First you must shutdown your local bridgehead instance:
 ```

From 4efe356005217eb2fd879c53c6de11c1fe82445e Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 19 Jan 2023 10:15:12 +0000
Subject: [PATCH 113/213] Made it even easier for sites

---
 ccp/modules/id-management.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 4c929b9..60cb5b1 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -11,11 +11,13 @@ IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
 IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
 IDMANAGER_AUTH_CLIENT_SECRET="<given-to-you-by-ccp-it>"
+
+IDMANAGER_SEEDS_BK="<three-numbers>"
+IDMANAGER_SEEDS_MDS="<three-numbers>"
+IDMANAGER_SEEDS_DKTK000001985="<three-numbers>"
 ```
 
-Most of the configuration is kept identical across all sites. Some site-specific variables, however, go into a file called `/etc/bridgehead/ccp/id-management.local`.
-
-After adding the configuration, you simply need to update your bridgehead. You're all set!
+Once your Bridgehead is updated and restarted, you're all set!
 
 ## Additional information you may want to know
 ### Services

From 0c2873132a946a2daf52631de69e612e8454ef80 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 19 Jan 2023 11:22:48 +0100
Subject: [PATCH 114/213] Included site naming conventions

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index e559842..8a0e274 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,14 @@ Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to c
 ## Deployment
 You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique.
 
+Site names should adhere to the following conventions:
+
+- They should be lower-case.
+- They should generally be named after the city where your site is based, e.g. ```karlsruhe```.
+- If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```.
+- If your site is for testing purposes, rather than production, please prepend with "test-", e.g. ```test-zaragoza```.
+- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend with "dev-", e.g. ```dev-joe-doe```.
+
 ### Projects
 
 The following "projects" are known to the Bridgehead installation:

From 92ccb7867452f0999cd701fc916ab7d2a2fada89 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Mon, 23 Jan 2023 14:49:03 +0100
Subject: [PATCH 115/213] Fix for Tobias' comment in PR52

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 8a0e274..4ac1c84 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,8 @@ To do this, visit the configuration repository's URL and click on the configurat
 
 SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site.
 
+Once you have made your changes, these will need to be reviewed by members of our team before you can proceed with the installation.
+
 ### Base Installation
 
 First, get the Bridgehead:

From d2c5ec0418c3f306717f3e2cccd65d1dce0718a6 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Wed, 25 Jan 2023 14:09:14 +0100
Subject: [PATCH 116/213] Added instructions for Bridgehead de-install

---
 README.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/README.md b/README.md
index 4ac1c84..31fc0b0 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,9 @@ Since it needs to carry sensitive patient data, Bridgeheads are intended to be d
 Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
 
 ## Deployment
+
+### Site name
+
 You will need to choose a short name for your site. This is not a URL, just a simple identifying string. For the examples below, we will use "your-site-name", but you should obviously choose something that is meaningful to you and which is unique.
 
 Site names should adhere to the following conventions:
@@ -156,6 +159,35 @@ To enable/disable autostart, run
 sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 ```
 
+### De-installing a Bridgehead
+
+You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work.
+
+The following steps will remove all traces of the Bridgehead from your machine. All locally stored data pertaining to the Bridgehead will be lost.
+
+First, purge the Bridgehead from ```systemctl```:
+
+```shell
+sudo systemctl stop bridgehead@bbmri.service
+sudo systemctl disable bridgehead@bbmri.service
+sudo systemctl daemon-reload
+sudo systemctl reset-failed
+```
+
+Now remove the directories where the Bridgehead files reside:
+
+```shell
+sudo rm -rf /srv/docker/bridgehead /etc/bridgehead
+```
+
+Finally, get rid of the Docker images:
+
+```shell
+docker image rm traefik:latest samply/beam-proxy:develop samply/blaze:0.18 samply/bridgehead-forward-proxy:latest samply/bridgehead-landingpage:master samply/spot:latest
+```
+
+Note that you will still have a functioning Beam certificate and a functioning GitLab configuration repository, even after you have removed everything locally.
+
 ## Site-specific configuration
 
 ### HTTPS Access

From 92d88ad815c58d52aa53e46faaaaedf76e973e4e Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 26 Jan 2023 09:37:44 +0100
Subject: [PATCH 117/213] Added new section for testing the Bridgehead

---
 README.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/README.md b/README.md
index 31fc0b0..6fe2e2e 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,46 @@ To enable/disable autostart, run
 sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 ```
 
+### Testing your new Bridgehead
+
+After starting the Bridgehead, you can watch the initialization process with the following command:
+
+```shell
+sudo journalctl -xefu bridgehead@bbmri.service
+```
+
+if this exits with the following:
+
+```
+bridgehead@bbmri.service: Main process exited, code=exited, status=1/FAILURE
+```
+
+Then you know that there was a problem with starting the Bridgehead. Scroll up the printout to find the cause of the error.
+
+Once the Bridgehead is running, you can also view the individual Docker processes with:
+
+```shell
+docker ps
+```
+
+There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong.
+
+Once the Bridgehead has passed these checks, take a look at the landing page:
+
+```
+https://localhost
+```
+
+You can either do this in a browser or with curl. If you visit the URL in the browser, you will neet to click through several warnings, because you will initially be using a self-signed certificate. With curl, you can bypass these checks:
+
+```shell
+curl -k https://localhost
+```
+
+If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong.
+
+If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead.
+
 ### De-installing a Bridgehead
 
 You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work.

From 90fe31b6c9a6794937bc9ee886283ae9514a3697 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 26 Jan 2023 11:15:55 +0100
Subject: [PATCH 118/213] Described Docker logging in README

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6fe2e2e..6d4a0f8 100644
--- a/README.md
+++ b/README.md
@@ -181,7 +181,11 @@ Once the Bridgehead is running, you can also view the individual Docker processe
 docker ps
 ```
 
-There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong.
+There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
+
+```shell
+docker-compose -f bbmri/docker-compose.yml logs --follow
+```
 
 Once the Bridgehead has passed these checks, take a look at the landing page:
 

From 7d9cec562ea5d00d744ac3610fe32c7eaeaef22d Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 09:46:30 +0100
Subject: [PATCH 119/213] Corrected site naming convention to comply with DKTK

---
 README.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 6d4a0f8..1a43eed 100644
--- a/README.md
+++ b/README.md
@@ -67,8 +67,8 @@ Site names should adhere to the following conventions:
 - They should be lower-case.
 - They should generally be named after the city where your site is based, e.g. ```karlsruhe```.
 - If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```.
-- If your site is for testing purposes, rather than production, please prepend with "test-", e.g. ```test-zaragoza```.
-- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend with "dev-", e.g. ```dev-joe-doe```.
+- If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```.
+- If you are a developer and you are making changes to the Bridgehead, please use your name and append "-dev", e.g. ```joe-doe-dev```.
 
 ### Projects
 
@@ -87,7 +87,11 @@ In order to be able to install, you will need to have your own repository in Git
 
 To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name.
 
-We will set the repository up for you. We will then send you the repository's URL plus a token to access it.
+We will set the repository up for you. We will then send you:
+
+- A Repository Short Name (RSN). Beware: this is distinct from your site name.
+- The repository's URL.
+- A token to access the repository.
 
 Before installation, you must set up your site's configuration in GitLab.
 
@@ -120,7 +124,7 @@ cd /srv/docker/bridgehead
 sudo ./bridgehead install <PROJECT>
 ```
 
-When prompted with "Please enter your site", you should enter the name you have given to your site (not its URL). E.g., in the example in the previous section, that would be "your-site-name".
+When prompted with "Please enter your site", you should enter the Repository Short Name (RSN) for GitLab that you were given in the previous section.
 
 When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you.
 

From 6123a9aeba60d0ac27f19f72905c0b166ef10fb7 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:08:00 +0100
Subject: [PATCH 120/213] Addressed Torben's comments to PR 52

- Included email for CCP repositories.
- Used journalctl instead of docker ps for Bridgehead status.
---
 README.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 1a43eed..1a11d87 100644
--- a/README.md
+++ b/README.md
@@ -85,7 +85,12 @@ Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network.
 
 In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software.
 
-To request a new repository, please send an email to bridgehead@helpdesk.bbmri-eric.eu. Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name.
+To request a new repository, please send an email to one of the following:
+
+- For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu.
+- For the ccp project: support-ccp@dkfz-heidelberg.de
+
+Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name.
 
 We will set the repository up for you. We will then send you:
 
@@ -168,7 +173,7 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 After starting the Bridgehead, you can watch the initialization process with the following command:
 
 ```shell
-sudo journalctl -xefu bridgehead@bbmri.service
+journalctl -u bridgehead@bbmri -f
 ```
 
 if this exits with the following:
@@ -188,7 +193,7 @@ docker ps
 There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
 
 ```shell
-docker-compose -f bbmri/docker-compose.yml logs --follow
+journalctl -u bridgehead@bbmri -f
 ```
 
 Once the Bridgehead has passed these checks, take a look at the landing page:

From 3e55030b1bfa1871d66b31503bb8ed44d535a312 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 13:49:52 +0100
Subject: [PATCH 121/213] Added a Directory sync component

* Added new container to bbmri/docker-compose.yml.
* Added set up documentation to README.
---
 README.md                | 35 +++++++++++++++++++++++++++++++++++
 bbmri/docker-compose.yml | 11 +++++++++++
 2 files changed, 46 insertions(+)

diff --git a/README.md b/README.md
index b57c10e..79655a8 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,41 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
+### Directory sync
+
+This is an optional feature for bbmri projects.  It keeps the [BBMRI Directory](https://directory.bbmri-eric.eu/) up to date with the number of samples, etc.  kept in your biobank. It also updates the local FHIR store with the latest contact details etc. from the Directory.  You must explicitly enable this feature if you want to make use of it.
+
+Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
+
+To enable it, you will need to add some extra variables to the ```bbmri.conf``` file in your GitLab repository, like so:
+
+```
+### Directory sync service
+DIRECTORY_URL=https://directory.bbmri-eric.eu
+DIRECTORY_USER_NAME=your_directory_username
+DIRECTORY_PASS_CODE=qwdnqwswdvqHBVGFR9887
+TIMER_CRON="0 22 * * *"
+```
+You must contact the Directory for your national node to find the URL, and to register as a user.
+
+Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the cron convention.
+
+Once you have made the changes, update your local configuration:
+
+```shell
+cd /etc/bridgehead
+sudo git pull
+sudo chown -R bridgehead * .git*
+```
+
+Then restart the Bridgehead:
+
+```shell
+sudo systemctl restart bridgehead@bbmri.service
+```
+
+There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
+
 ## Things you should know
 
 ### Auto-Updates
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 2433234..b4bc9a9 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -104,6 +104,17 @@ services:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - ./root.crt.pem:/conf/root.crt.pem:ro
 
+  directory_sync_service:
+    image: "samply/directory_sync_service"
+    environment:
+      DIRECTORY_URL: ${DIRECTORY_URL}
+      DIRECTORY_USER_NAME: ${DIRECTORY_USER_NAME}
+      DIRECTORY_PASS_CODE: ${DIRECTORY_PASS_CODE}
+      FHIR_STORE_URL: "http://bridgehead-bbmri-blaze:8080"
+      TIMER_CRON: ${TIMER_CRON}
+      RETRY_MAX: ${RETRY_MAX}
+      RETRY_INTERVAL: ${RETRY_INTERVAL}
+
 volumes:
   blaze-data:
 

From 92dd4b84c1e78eca5942535f100ae1f16bc961a2 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Tue, 31 Jan 2023 09:43:26 +0100
Subject: [PATCH 122/213] Incorporated new environemnt variable nameing for
 Directory sync

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 79655a8..3cb8822 100644
--- a/README.md
+++ b/README.md
@@ -137,14 +137,14 @@ This is an optional feature for bbmri projects.  It keeps the [BBMRI Directory](
 
 Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 
-To enable it, you will need to add some extra variables to the ```bbmri.conf``` file in your GitLab repository, like so:
+To enable it, you will need to add some extra variables to the ```bbmri.conf``` file in your GitLab repository, for example:
 
 ```
 ### Directory sync service
-DIRECTORY_URL=https://directory.bbmri-eric.eu
-DIRECTORY_USER_NAME=your_directory_username
-DIRECTORY_PASS_CODE=qwdnqwswdvqHBVGFR9887
-TIMER_CRON="0 22 * * *"
+DS_DIRECTORY_URL=https://directory.bbmri-eric.eu
+DS_DIRECTORY_USER_NAME=your_directory_username
+DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887
+DS_TIMER_CRON="0 22 * * *"
 ```
 You must contact the Directory for your national node to find the URL, and to register as a user.
 

From eb37d16b847800cfb4ba31bb7423a7815ceb0a4c Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Tue, 31 Jan 2023 15:44:30 +0100
Subject: [PATCH 123/213] Updated Blaze to 0.19

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 ccp/exliquid-compose.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 2433234..cbe2263 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.18"
+    image: "samply/blaze:0.19"
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 54b2daa..6715a69 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.18"
+    image: "samply/blaze:0.19"
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index e21617a..eb8d194 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   exliquid-task-store:
-    image: "samply/blaze:0.18"
+    image: "samply/blaze:0.19"
     container_name: bridgehead-exliquid-task-store
     environment:
       BASE_URL: "http://bridgehead-exliquid-task-store:8080"

From 6d8e877899870ba8a9a0191d80995f2b947db110 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Fri, 3 Feb 2023 13:28:44 +0100
Subject: [PATCH 124/213] Use beam-proxy "main" tag

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index cbe2263..3291326 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: "samply/beam-proxy:develop"
+    image: samply/beam-proxy:main
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 6715a69..4c26d5e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: "samply/beam-proxy:develop"
+    image: samply/beam-proxy:main
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

From 1c3fa4fa3fb6c21f886f2c9fdb4fe19b73a6545c Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 17 Jan 2023 08:56:02 +0100
Subject: [PATCH 125/213] refactor: Changed Paths for persistent Data

---
 README.md                             |  4 ++--
 ccp/modules/id-management-compose.yml |  4 ++--
 ccp/modules/id-management.md          |  6 +++---
 ccp/mtba-compose.yml                  |  2 +-
 lib/install-bridgehead.sh             | 15 ++++++++++-----
 lib/update-bridgehead.sh              | 10 +---------
 6 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 24ebdf2..134e1ae 100644
--- a/README.md
+++ b/README.md
@@ -128,8 +128,8 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
   - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
   - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
   - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
-- `/var/data/bridgehead` contains persistent data of the bridgehead
-  - `/var/data/bridgehead/backups` contains automatically created backups of the databases.
+  - `/var/lib/bridgehead/data` contains persistent data of the bridgehead
+  - `/var/cache/bridgehead/backup` contains automatically created backups of the databases.
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 4baaba7..896663b 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -71,6 +71,6 @@ services:
       POSTGRES_DB: "mainzelliste"
       POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
     volumes:
-      - "/var/data/bridgehead/patientlist:/var/lib/postgresql/data"
-      # NOTE: Add backups here. This is only imported if /var/data/bridgehead/patientlist/ is empty!!!
+      - "/var/lib/bridgehead/data/patientlist:/var/lib/postgresql/data"
+      # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
       - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 60cb5b1..c45b95a 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services:
 
 - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
 - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
-- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/data/bridgehead/patientlist` and backups are automatically created in `/var/data/bridgehead/backups/bridgehead-patientlist-db`.
+- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/lib/bridgehead/data/patientlist` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`.
 
 ### How to import an existing database (e.g from Legacy Windows or from Backups)
 First you must shutdown your local bridgehead instance:
@@ -36,10 +36,10 @@ systemctl stop bridgehead@ccp
 
 Next you need to remove the current patientlist database:
 ```
-rm -rf /var/data/bridgehead/patientlist
+rm -rf /var/lib/bridgehead/data/patientlist
 ```
 
-Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/data/bridgehead/patientlist is empty. 
+Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/lib/bridgehead/data/patientlist is empty. 
 > NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
 
 After this, you can restart your bridgehead and the dump will be imported:
diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index d492ae0..1c62989 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -24,7 +24,7 @@ services:
       - "traefik.http.routers.mtba.tls=true"
     volumes:
       # This directory persists the FHIR Resources that are needed to import data into blaze.
-      - /var/data/bridgehead/mtba:/app/mtba-files/persist
+      - /var/lib/bridgehead/data/mtba:/app/mtba-files/persist
       # Place new import files in this directory
       - /tmp/bridgehead/mtba/:/app/mtba-files/input
 
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 7cbd8ef..04503e3 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@*.service, \\
-    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead, \\
-    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/data/bridgehead
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
@@ -37,9 +37,14 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
-log "INFO" "Creating directory /var/data/bridgehead for storage of persistent data."
-mkdir -p /var/data/bridgehead
-chown -R bridgehead /var/data/bridgehead
+log "INFO" "Creating directory /var/lib/bridgehead for storage of persistent data."
+mkdir -p /var/lib/bridgehead
+chown -R bridgehead /var/lib/bridgehead
+
+
+log "INFO" "Creating directory /var/cache/bridgehead for storage of backups."
+mkdir -p /var/cache/bridgehead
+chown -R bridgehead /var/cache/bridgehead
 
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index cc1d55f..65560ea 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -4,15 +4,7 @@ source lib/functions.sh
 AUTO_BACKUP=${AUTO_BACKUP:-true}
 
 if [ "$AUTO_BACKUP" == "true" ]; then
-  BACKUP_DIRECTORY="/var/data/bridgehead/backups"
-  if [ ! -d /var/data ]; then
-    log DEBUG "Created /var/data"
-    mkdir /var/data
-  fi
-  if [ ! -d /var/data/bridgehead ]; then
-    log DEBUG "Created /var/data/bridgehead"
-    mkdir /var/data/bridgehead
-  fi
+  BACKUP_DIRECTORY="/var/cache/bridgehead/backup"
   if [ ! -d $BACKUP_DIRECTORY ]; then
     message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
     hc_send log "$message"

From 0d998ab8716a2e2c5c92fa84e65ccc608524ccef Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 10:55:44 +0100
Subject: [PATCH 126/213] refactor: Move persistent data to named volumes

---
 README.md                             | 1 -
 ccp/modules/id-management-compose.yml | 5 ++++-
 ccp/modules/id-management.md          | 6 +++---
 ccp/mtba-compose.yml                  | 5 ++++-
 lib/install-bridgehead.sh             | 9 ++-------
 5 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 134e1ae..e1d3286 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,6 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
   - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
   - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
   - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
-  - `/var/lib/bridgehead/data` contains persistent data of the bridgehead
   - `/var/cache/bridgehead/backup` contains automatically created backups of the databases.
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 896663b..72aebcc 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -71,6 +71,9 @@ services:
       POSTGRES_DB: "mainzelliste"
       POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
     volumes:
-      - "/var/lib/bridgehead/data/patientlist:/var/lib/postgresql/data"
+      - "patientlist-db-data:/var/lib/postgresql/data"
       # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
       - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
+
+volumes:
+  patientlist-db-data:
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index c45b95a..e18d3f8 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services:
 
 - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
 - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
-- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted in `/var/lib/bridgehead/data/patientlist` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`.
+- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`.
 
 ### How to import an existing database (e.g from Legacy Windows or from Backups)
 First you must shutdown your local bridgehead instance:
@@ -36,10 +36,10 @@ systemctl stop bridgehead@ccp
 
 Next you need to remove the current patientlist database:
 ```
-rm -rf /var/lib/bridgehead/data/patientlist
+docker volume rm patientlist-db-data;
 ```
 
-Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then /var/lib/bridgehead/data/patientlist is empty. 
+Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then the volume `patientlist-db-data` was removed previously. 
 > NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
 
 After this, you can restart your bridgehead and the dump will be imported:
diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index 1c62989..857ff34 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -24,10 +24,13 @@ services:
       - "traefik.http.routers.mtba.tls=true"
     volumes:
       # This directory persists the FHIR Resources that are needed to import data into blaze.
-      - /var/lib/bridgehead/data/mtba:/app/mtba-files/persist
+      - mtba-data:/app/mtba-files/persist
       # Place new import files in this directory
       - /tmp/bridgehead/mtba/:/app/mtba-files/input
 
   # TODO: Include CBioPortal in Deployment ...
   # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
   # TODO: Find a trigger to let mtba signal a restart for CBioPortal
+
+volumes:
+  mtba-data:
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index 04503e3..f1aff73 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@*.service, \\
-    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead, \\
-    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/lib/bridgehead /var/cache/bridgehead
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
@@ -37,11 +37,6 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
-log "INFO" "Creating directory /var/lib/bridgehead for storage of persistent data."
-mkdir -p /var/lib/bridgehead
-chown -R bridgehead /var/lib/bridgehead
-
-
 log "INFO" "Creating directory /var/cache/bridgehead for storage of backups."
 mkdir -p /var/cache/bridgehead
 chown -R bridgehead /var/cache/bridgehead

From 1befa65f35033f9383aae88b7fdcf5fd0244e156 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 10:59:29 +0100
Subject: [PATCH 127/213] refactor: Changed Salt for patientlist db password

---
 ccp/modules/id-management-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index d2449c7..98c4217 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -6,7 +6,7 @@ function idManagementSetup() {
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
 		# Auto Generate local Passwords
-		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
 		# Source the ID Generators Configuration

From 713dc5f4e9564596fb2a47afaceeb2a28cd2ea1d Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:15:09 +0100
Subject: [PATCH 128/213] refactor: Move Backups after the Update

---
 lib/update-bridgehead.sh | 62 ++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 65560ea..7fb3688 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,37 +1,6 @@
 #!/bin/bash
 source lib/functions.sh
 
-AUTO_BACKUP=${AUTO_BACKUP:-true}
-
-if [ "$AUTO_BACKUP" == "true" ]; then
-  BACKUP_DIRECTORY="/var/cache/bridgehead/backup"
-  if [ ! -d $BACKUP_DIRECTORY ]; then
-    message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
-    hc_send log "$message"
-    log INFO "$message"
-    mkdir -p $BACKUP_DIRECTORY
-  fi
-  BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
-  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
-  for service in $BACKUP_SERVICES; do
-    if [ ! -d $BACKUP_DIRECTORY/$service ]; then
-      message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
-      hc_send log "$message"
-      log INFO "$message"
-      mkdir -p $BACKUP_DIRECTORY/$service
-    fi
-    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
-      message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
-      hc_send log "$message"
-      log INFO "$message"
-    else
-      fail_and_report 5 "Failed to create encrypted update for $service"
-    fi
-  done
-else
-  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
-fi
-
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
@@ -134,6 +103,37 @@ else
   hc_send log "$RES"
 fi
 
+AUTO_BACKUP=${AUTO_BACKUP:-true}
+
+if [ "$AUTO_BACKUP" == "true" ]; then
+  BACKUP_DIRECTORY="/var/cache/bridgehead/backup"
+  if [ ! -d $BACKUP_DIRECTORY ]; then
+    message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
+    hc_send log "$message"
+    log INFO "$message"
+    mkdir -p $BACKUP_DIRECTORY
+  fi
+  BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
+  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
+  for service in $BACKUP_SERVICES; do
+    if [ ! -d $BACKUP_DIRECTORY/$service ]; then
+      message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+      mkdir -p $BACKUP_DIRECTORY/$service
+    fi
+    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
+      message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
+      hc_send log "$message"
+      log INFO "$message"
+    else
+      fail_and_report 5 "Failed to create encrypted update for $service"
+    fi
+  done
+else
+  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
+fi
+
 exit 0
 
 # TODO: Print last commit explicit

From 17d48a3636c812d7d2ac1a07b6adab20c930d75c Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:26:31 +0100
Subject: [PATCH 129/213] refactor: Expect User to select a Backup Directory

---
 README.md                    |  3 ++-
 ccp/modules/id-management.md |  2 +-
 lib/install-bridgehead.sh    |  8 ++------
 lib/update-bridgehead.sh     | 19 ++++++++-----------
 4 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index e1d3286..8fba0c9 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,6 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
   - `/etc/bridgehead/traefik-tls` contains your Bridgehead's reverse proxies TLS certificates for [HTTPS access](#https-access).
   - `/etc/bridgehead/pki` contains your Bridgehead's private key (e.g., but not limited to Samply.Beam), generated as part of the [Samply.Beam enrollment](#register-with-samplybeam).
   - `/etc/bridgehead/trusted-ca-certs` contains third-party certificates to be trusted by the Bridgehead. For example, you want to place the certificates of your [TLS-terminating proxy](#network) here.
-  - `/var/cache/bridgehead/backup` contains automatically created backups of the databases.
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
@@ -147,6 +146,8 @@ Some of the components in the bridgehead will store persistent data. For those c
 2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week
 3) Year-Month, to allow re-import of at least one version per month
 
+To enable the Auto-Backup feature, please set the Variable `BACKUP_DIRECTORY` in your sites configuration.
+
 ### Monitoring
 
 To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index e18d3f8..98da3d1 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -26,7 +26,7 @@ Upon configuration, the Bridgehead will spawn the following services:
 
 - The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
 - The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
-- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data` and backups are automatically created in `/var/cache/bridgehead/backup/bridgehead-patientlist-db`.
+- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data`.
 
 ### How to import an existing database (e.g from Legacy Windows or from Backups)
 First you must shutdown your local bridgehead instance:
diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh
index f1aff73..c42119f 100755
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@@ -22,8 +22,8 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
     /bin/systemctl stop bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@${PROJECT}.service, \\
     /bin/systemctl restart bridgehead@*.service, \\
-    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead, \\
-    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead /var/cache/bridgehead
+    /bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead, \\
+    /usr/bin/chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
 
 bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
 EOF
@@ -37,10 +37,6 @@ if [ -z "$LDM_PASSWORD" ]; then
   echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
 fi
 
-log "INFO" "Creating directory /var/cache/bridgehead for storage of backups."
-mkdir -p /var/cache/bridgehead
-chown -R bridgehead /var/cache/bridgehead
-
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 7fb3688..276f60c 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -103,27 +103,24 @@ else
   hc_send log "$RES"
 fi
 
-AUTO_BACKUP=${AUTO_BACKUP:-true}
-
-if [ "$AUTO_BACKUP" == "true" ]; then
-  BACKUP_DIRECTORY="/var/cache/bridgehead/backup"
-  if [ ! -d $BACKUP_DIRECTORY ]; then
-    message="Performing automatic maintenance: Creating Backup directory $BACKUP_DIRECTORY."
+if [ -z "${BACKUP_DIRECTORY}" ]; then
+  if [ ! -d "$BACKUP_DIRECTORY" ]; then
+    message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY."
     hc_send log "$message"
     log INFO "$message"
-    mkdir -p $BACKUP_DIRECTORY
+    mkdir -p "$BACKUP_DIRECTORY"
   fi
   BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
   log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
   for service in $BACKUP_SERVICES; do
-    if [ ! -d $BACKUP_DIRECTORY/$service ]; then
-      message="Performing automatic maintenance: Creating Backup directory for $service in $BACKUP_DIRECTORY."
+    if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then
+      message="Performing automatic maintenance: Attempting to create backup directory for $service in $BACKUP_DIRECTORY."
       hc_send log "$message"
       log INFO "$message"
-      mkdir -p $BACKUP_DIRECTORY/$service
+      mkdir -p "$BACKUP_DIRECTORY/$service"
     fi
     if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
-      message="Performing automatic maintenance: Stored encrypted Backup for $service in $BACKUP_DIRECTORY."
+      message="Performing automatic maintenance: Stored encrypted backup for $service in $BACKUP_DIRECTORY."
       hc_send log "$message"
       log INFO "$message"
     else

From a37bf79c030908e80284c981975161bb31b989cc Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:31:36 +0100
Subject: [PATCH 130/213] refactor: Added Monitoring for backup permissions

---
 lib/update-bridgehead.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 276f60c..0f1c413 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -109,7 +109,9 @@ if [ -z "${BACKUP_DIRECTORY}" ]; then
     hc_send log "$message"
     log INFO "$message"
     mkdir -p "$BACKUP_DIRECTORY"
+    chown -R "$BACKUP_DIRECTORY" bridgehead;
   fi
+  checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)"
   BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
   log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
   for service in $BACKUP_SERVICES; do

From 98afeac701f0065d0052f07a8c9b27ce9e2ff779 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:49:18 +0100
Subject: [PATCH 131/213] refactor: Use -db as Indicator for Backups

---
 lib/update-bridgehead.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 0f1c413..ab39cca 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -112,7 +112,8 @@ if [ -z "${BACKUP_DIRECTORY}" ]; then
     chown -R "$BACKUP_DIRECTORY" bridgehead;
   fi
   checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)"
-  BACKUP_SERVICES="$(docker ps --filter ancestor=postgres:14-alpine --format "{{.Names}}" | tr "\n" "\ ")"
+  # Collect all container names that contain '-db'
+  BACKUP_SERVICES="$(docker ps --filter name=-db --format "{{.Names}}" | tr "\n" "\ ")"
   log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
   for service in $BACKUP_SERVICES; do
     if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then

From 2445a5978506bd7d3b84d85fafe7e8a16d6f239d Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:52:09 +0100
Subject: [PATCH 132/213] refacotr: Restructured passing Patientlist Seeds

---
 ccp/modules/id-management-compose.yml | 25 +------------------------
 ccp/modules/id-management-setup.sh    |  4 ++--
 ccp/modules/id-management.md          |  2 ++
 3 files changed, 5 insertions(+), 26 deletions(-)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 72aebcc..3f13519 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -31,30 +31,7 @@ services:
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
       # Add Variables from /etc/patientlist-id-generators.env
-      - ML_BK_IDGENERATOR_RANDOM_1
-      - ML_BK_IDGENERATOR_RANDOM_2
-      - ML_BK_IDGENERATOR_RANDOM_3
-      - ML_MDS_IDGENERATOR_RANDOM_1
-      - ML_MDS_IDGENERATOR_RANDOM_2
-      - ML_MDS_IDGENERATOR_RANDOM_3
-      - ML_DKTK000001985_IDGENERATOR_RANDOM_1
-      - ML_DKTK000001985_IDGENERATOR_RANDOM_2
-      - ML_DKTK000001985_IDGENERATOR_RANDOM_3
-      - ML_DKTK000001986_IDGENERATOR_RANDOM_1
-      - ML_DKTK000001986_IDGENERATOR_RANDOM_2
-      - ML_DKTK000001986_IDGENERATOR_RANDOM_3
-      - ML_DKTK000001950_IDGENERATOR_RANDOM_1
-      - ML_DKTK000001950_IDGENERATOR_RANDOM_2
-      - ML_DKTK000001950_IDGENERATOR_RANDOM_3
-      - ML_DKTK000001951_IDGENERATOR_RANDOM_1
-      - ML_DKTK000001951_IDGENERATOR_RANDOM_2
-      - ML_DKTK000001951_IDGENERATOR_RANDOM_3
-      - ML_DKTK999999999_IDGENERATOR_RANDOM_1
-      - ML_DKTK999999999_IDGENERATOR_RANDOM_2
-      - ML_DKTK999999999_IDGENERATOR_RANDOM_3
-      - ML_DKTK000002089_IDGENERATOR_RANDOM_1
-      - ML_DKTK000002089_IDGENERATOR_RANDOM_2
-      - ML_DKTK000002089_IDGENERATOR_RANDOM_3
+      - PATIENTLIST_SEEDS_TRANSFORMED
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 98c4217..0f361dc 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -9,8 +9,8 @@ function idManagementSetup() {
 		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
-		# Source the ID Generators Configuration
-		source /etc/bridgehead/patientlist-id-generators.env
+		# Transform Seeds Configuration to pass it to the Mainzelliste Container
+		PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')"
 
 		# Ensure old ids are working !!!
 		legacyIdMapping
diff --git a/ccp/modules/id-management.md b/ccp/modules/id-management.md
index 98da3d1..66f9f71 100644
--- a/ccp/modules/id-management.md
+++ b/ccp/modules/id-management.md
@@ -16,10 +16,12 @@ IDMANAGER_SEEDS_BK="<three-numbers>"
 IDMANAGER_SEEDS_MDS="<three-numbers>"
 IDMANAGER_SEEDS_DKTK000001985="<three-numbers>"
 ```
+> NOTE: Additionally, the CCP-IT adds lines declaring the `PATIENTLIST_SEEDS` array in your site configuration. This will contain the seeds for the different id-generators used in all projects.
 
 Once your Bridgehead is updated and restarted, you're all set!
 
 ## Additional information you may want to know
+
 ### Services
 
 Upon configuration, the Bridgehead will spawn the following services:

From a3ba98a2fdb1d950ab4fbcb2d1a9302692086816 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 7 Dec 2022 15:46:19 +0100
Subject: [PATCH 133/213] Added Configuration for Local ID-Management

---
 ccp/modules/id-management-setup.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 0f361dc..b02ef66 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+#	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 

From e2d90447f7e3ad6ee981c16de6d02b048cfdebf2 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 15 Dec 2022 16:39:03 +0100
Subject: [PATCH 134/213] refactor: Changed Trigger of the IDM Module

---
 ccp/modules/id-management-setup.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index b02ef66..c8ea707 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
 function idManagementSetup() {
-#	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"

From bce28342f90482205a5eba1d284fb5dffb6e6cce Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Wed, 18 Jan 2023 13:42:36 +0100
Subject: [PATCH 135/213] update docker and host paths

---
 ccp/mtba-compose.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index 857ff34..ad25dd0 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -17,16 +17,16 @@ services:
       PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"}
       CBIOPORTAL_URL:  http://bridgehead-ccp-cbioportal:8080
       MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3"
+      NEW_FILES_DIRECTORY: "/app/input"
+      PERSIST_DIRECTORY: "/app/persist"
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"
       - "traefik.http.services.mtba.loadbalancer.server.port=80"
       - "traefik.http.routers.mtba.tls=true"
     volumes:
-      # This directory persists the FHIR Resources that are needed to import data into blaze.
-      - mtba-data:/app/mtba-files/persist
-      # Place new import files in this directory
-      - /tmp/bridgehead/mtba/:/app/mtba-files/input
+      - /tmp/bridgehead/mtba/input:/app/input
+      - /tmp/bridgehead/mtba/persist:/app/persist
 
   # TODO: Include CBioPortal in Deployment ...
   # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!

From e9455a5558dd33de59bb46e3c048368f4c30df34 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Fri, 27 Jan 2023 11:13:49 +0100
Subject: [PATCH 136/213] update mtba config

---
 ccp/modules/id-management-setup.sh |  2 +-
 ccp/mtba-compose.yml               | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index c8ea707..0f361dc 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 function idManagementSetup() {
-	if [ -n "$ENABLE_ID_MANAGEMENT" ]; then
+	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index ad25dd0..bb90059 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -5,20 +5,20 @@ services:
     image: samply/mtba:develop
     container_name: bridgehead-mtba
     environment:
-      BLAZE_STORE_URL: http://bridgehead-ccp-blaze:8080/fhir
+      BLAZE_STORE_URL: http://blaze:8080
       # NOTE: Aktuell Berechtigungen wie MagicPL!!!
       # TODO: Add separate ApiKey to MagicPL only for MTBA!
       ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY}
       ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
-      ID_MANAGER_URL: http://bridgehead-id-manager:8080
-      PATIENT_CSV_FIRST_NAME_HEADER: ${PATIENT_CSV_FIRST_NAME_HEADER:-"FIRST_NAME"}
-      PATIENT_CSV_LAST_NAME_HEADER: ${PATIENT_CSV_LAST_NAME_HEADER:-"LAST_NAME"}
-      PATIENT_CSV_GENDER_HEADER: ${PATIENT_CSV_GENDER_HEADER:-"GENDER"}
-      PATIENT_CSV_BIRTHDAY_HEADER: ${PATIENT_CSV_BIRTHDAY_HEADER:-"BIRTHDAY"}
-      CBIOPORTAL_URL:  http://bridgehead-ccp-cbioportal:8080
-      MUTATIONS_CSV_SCRIPT_INTERPRETER: "python3"
-      NEW_FILES_DIRECTORY: "/app/input"
-      PERSIST_DIRECTORY: "/app/persist"
+      ID_MANAGER_URL: http://id-manager:8080/id-manager
+      PATIENT_CSV_FIRST_NAME_HEADER: ${MTBA_PATIENT_CSV_FIRST_NAME_HEADER}
+      PATIENT_CSV_LAST_NAME_HEADER: ${MTBA_PATIENT_CSV_LAST_NAME_HEADER}
+      PATIENT_CSV_GENDER_HEADER: ${MTBA_PATIENT_CSV_GENDER_HEADER}
+      PATIENT_CSV_BIRTHDAY_HEADER: ${MTBA_PATIENT_CSV_BIRTHDAY_HEADER}
+      CBIOPORTAL_URL:  http://cbioportal:8080
+      FILE_CHARSET: ${MTBA_FILE_CHARSET}
+      FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE}
+      CSV_DELIMITER: ${MTBA_CSV_DELIMITER}
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"

From 068125c0623137aeb00e40a1ae217279487cb868 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Wed, 8 Feb 2023 11:03:35 +0100
Subject: [PATCH 137/213] Updated environemnt variable names so that they start
 with "DS_"

---
 bbmri/docker-compose.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index b4bc9a9..1824ef6 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -107,13 +107,13 @@ services:
   directory_sync_service:
     image: "samply/directory_sync_service"
     environment:
-      DIRECTORY_URL: ${DIRECTORY_URL}
-      DIRECTORY_USER_NAME: ${DIRECTORY_USER_NAME}
-      DIRECTORY_PASS_CODE: ${DIRECTORY_PASS_CODE}
-      FHIR_STORE_URL: "http://bridgehead-bbmri-blaze:8080"
-      TIMER_CRON: ${TIMER_CRON}
-      RETRY_MAX: ${RETRY_MAX}
-      RETRY_INTERVAL: ${RETRY_INTERVAL}
+      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
+      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
+      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
+      DS_FHIR_STORE_URL: "http://bridgehead-bbmri-blaze:8080"
+      DS_TIMER_CRON: ${DS_TIMER_CRON}
+      DS_RETRY_MAX: ${DS_RETRY_MAX}
+      DS_RETRY_INTERVAL: ${DS_RETRY_INTERVAL}
 
 volumes:
   blaze-data:

From c88919c926e1b07b0d5bfe8a21d32dfaee3c267e Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 8 Feb 2023 14:42:52 +0100
Subject: [PATCH 138/213] feature: Ensured the mapping to legacy ids works

---
 ccp/modules/id-management-setup.sh | 49 +++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index 0f361dc..ba8ad45 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -13,25 +13,40 @@ function idManagementSetup() {
 		PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')"
 
 		# Ensure old ids are working !!!
-		legacyIdMapping
+		export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
 	fi
-
 }
 
-# TODO: Map all old site ids to the new ones
+# Transform into single string array, e.g. 'dktk-test' to 'dktk test'
+# Usage: transformToSingleStringArray 'dktk-test' -> 'dktk test'
+function transformToSingleStringArray() {
+	echo "${1//-/ }";
+}
+
+# Ensure all Words are Uppercase
+# Usage: transformToUppercase 'dktk test' -> 'Dktk Test'
+function transformToUppercase() {
+	result="";
+	for word in $1; do
+		result+=" ${word^}";
+	done
+	echo "$result";
+}
+
+# Handle all execeptions from the norm (e.g LMU, TUM)
+# Usage: applySpecialCases 'Muenchen Lmu Test' -> 'Muenchen LMU Test'
+function applySpecialCases() {
+	result="$1";
+	result="${result/Lmu/LMU}";
+	result="${result/Tum/TUM}";
+	echo "$result";
+}
+
+# Transform current siteids to legacy version
+# Usage: legacyIdMapping "dktk-test" -> "DktkTest"
 function legacyIdMapping() {
-    case ${SITE_ID} in
-	"berlin")
-		export IDMANAGEMENT_FRIENDLY_ID=Berlin
-		;;
-	"dresden")
-		export IDMANAGEMENT_FRIENDLY_ID=Dresden
-		;;
-	"frankfurt")
-		export IDMANAGEMENT_FRIENDLY_ID=Frankfurt
-		;;
-	*)
-		export IDMANAGEMENT_FRIENDLY_ID=$SITE_ID
-		;;
-    esac
+	single_string_array=$(transformToSingleStringArray "$1");
+	uppercase_string=$(transformToUppercase "$single_string_array");
+	normalized_string=$(applySpecialCases "$uppercase_string");
+	echo "$normalized_string" | tr -d ' '
 }

From d728ccd88657358374f107ee0a03b06442a5c4e1 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Wed, 8 Feb 2023 15:02:35 +0100
Subject: [PATCH 139/213] refactor: Fixated Postgres Version to 15.1

All Minor Updates will cause a crashing postgres on start
---
 ccp/modules/id-management-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 3f13519..2f26ce4 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -41,7 +41,7 @@ services:
       - patientlist-db
 
   patientlist-db:
-    image: postgres:14-alpine
+    image: postgres:15.1-alpine
     container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"

From 64095ac8dd3b0b0816ff6aefc77fe5d56a8efb16 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 9 Feb 2023 09:15:29 +0100
Subject: [PATCH 140/213] feat: Added Upload ApiKey to Patientlist

---
 ccp/modules/id-management-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 2f26ce4..8e5bab8 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -30,6 +30,7 @@ services:
       - ML_SITE=${SITE_ID}
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY}
       # Add Variables from /etc/patientlist-id-generators.env
       - PATIENTLIST_SEEDS_TRANSFORMED
     labels:

From a1cd5a206e402922a22f037c4bedaa1488642150 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 9 Feb 2023 09:50:30 +0100
Subject: [PATCH 141/213] fix: Repaired check for Auto Updates

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index ab39cca..c661595 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -103,7 +103,7 @@ else
   hc_send log "$RES"
 fi
 
-if [ -z "${BACKUP_DIRECTORY}" ]; then
+if [ -n "${BACKUP_DIRECTORY}" ]; then
   if [ ! -d "$BACKUP_DIRECTORY" ]; then
     message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY."
     hc_send log "$message"

From a6975e37ac8433d615b8a8ee3d36c219e047c194 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 9 Feb 2023 09:58:51 +0100
Subject: [PATCH 142/213] fix: Added Image Updates for activated Modules

---
 lib/update-bridgehead.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index c661595..c53b731 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -81,7 +81,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

From 5a7dd1d0aedeba61c6d8c2b954f0bc0cc8ef5114 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 9 Feb 2023 10:07:05 +0100
Subject: [PATCH 143/213] fix: Use Mapped Site Id in Patientlist

---
 ccp/modules/id-management-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 8e5bab8..cb0c89a 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -27,7 +27,7 @@ services:
     container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
-      - ML_SITE=${SITE_ID}
+      - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
       - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY}

From 8dd1b018420428d64f7a4152ea4d7077b00ff70d Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Mon, 20 Feb 2023 16:17:45 +0100
Subject: [PATCH 144/213] Updates for PR52

* Incorporated some of Martin's suggestions (the ones where I had no questions)
* Updated the table of contents to reflect the current structure of the document.
---
 README.md | 93 +++++++++++++++++++++++--------------------------------
 1 file changed, 39 insertions(+), 54 deletions(-)

diff --git a/README.md b/README.md
index 1a11d87..d7c636f 100644
--- a/README.md
+++ b/README.md
@@ -6,24 +6,30 @@ This repository is the starting point for any information and tools you will nee
 
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
-    - [System](#system)
+    - [Software](#software)
       - [Git](#git)
       - [Docker](#docker)
+    - [Network](#network)
 2. [Deployment](#deployment)
-    - [Installation](#installation)
+    - [Site name](#site-name)
+    - [Projects](#projects)
+    - [GitLab repository](#gitlab-repository)
+    - [Base Installation](#base-installation)
     - [Register with Samply.Beam](#register-with-samplybeam)
     - [Starting and stopping your Bridgehead](#starting-and-stopping-your-bridgehead)
-    - [Auto-starting your Bridgehead when the server starts](#auto-starting-your-bridgehead-when-the-server-starts)
-3. [Additional Services](#additional-Services)
-    - [Monitoring](#monitoring)
-    - [Register with a Directory](#register-with-a-Directory)
-4. [Site-specific configuration](#site-specific-configuration)
+    - [Testing your new Bridgehead](#testing-your-new-bridgehead)
+    - [De-installing a Bridgehead](#de-installing-a-bridgehead)
+3. [Site-specific configuration](#site-specific-configuration)
     - [HTTPS Access](#https-access)
-    - [Locally Managed Secrets](#locally-managed-secrets)
-    - [Git Proxy Configuration](#git-proxy-configuration)
-    - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
+    - [TLS terminating proxies](#tls-terminating-proxies)
+    - [File structure](#file-structure)
+4. [Things you should know](#things-you-should-know)
+    - [Auto-Updates](#auto-updates)
     - [Non-Linux OS](#non-linux-os)
-5. [License](#license)
+5. [Troubleshooting](#troubleshooting)
+    - [Monitoring](#monitoring)
+    - [Docker Daemon Proxy Configuration](#docker-Daemon-Proxy-Configuration)
+6. [License](#license)
 
 ## Requirements
 
@@ -98,9 +104,7 @@ We will set the repository up for you. We will then send you:
 - The repository's URL.
 - A token to access the repository.
 
-Before installation, you must set up your site's configuration in GitLab.
-
-To do this, visit the configuration repository's URL and click on the configuration file. Depending on your project, this will be called either ```bbmri.conf```or ```ccp.conf```. Use the blue button to edit it. You will need to change, as a minimum, the following variables:
+During the installation, your Bridgehead will download your site's configuration from GitLab. You will receive a weblink to review these settings and make changes as needed. To do this, visit the URL and click on the configuration file (```*.conf```, depending on your network). Use the blue button to edit it. You will need to check, as a minimum, the following variables:
 
 - SITE_NAME
 - SITE_ID
@@ -109,9 +113,9 @@ To do this, visit the configuration repository's URL and click on the configurat
 - OPERATOR_EMAIL
 - OPERATOR_PHONE
 
-SITE_NAME and SITE_ID can be set to the chosen name for your site, e.g. "your-site-name". OPERATOR_* should be set to values appropriate for the administrator of your site.
+SITE_NAME and SITE_ID should be set to the chosen name for your site. OPERATOR_* should be set to values appropriate for the administrator of your site (see examples in the file).
 
-Once you have made your changes, these will need to be reviewed by members of our team before you can proceed with the installation.
+Once you have made your changes, these will need to be reviewed by members of our team as part of a git pull request. Once accepted, the Bridgehead will automatically re-download these settings as part of its auto-update.
 
 ### Base Installation
 
@@ -176,7 +180,7 @@ After starting the Bridgehead, you can watch the initialization process with the
 journalctl -u bridgehead@bbmri -f
 ```
 
-if this exits with the following:
+if this exits with something similar to the following:
 
 ```
 bridgehead@bbmri.service: Main process exited, code=exited, status=1/FAILURE
@@ -190,7 +194,7 @@ Once the Bridgehead is running, you can also view the individual Docker processe
 docker ps
 ```
 
-There should be 6 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
+There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
 
 ```shell
 journalctl -u bridgehead@bbmri -f
@@ -216,31 +220,12 @@ If you have chosen to take part in our monitoring program (by setting the ```MON
 
 You may decide that you want to remove a Bridgehead installation from your machine, e.g. if you want to migrate it to a new location or if you want to start a fresh installation because the initial attempts did not work.
 
-The following steps will remove all traces of the Bridgehead from your machine. All locally stored data pertaining to the Bridgehead will be lost.
-
-First, purge the Bridgehead from ```systemctl```:
+To do this, run:
 
 ```shell
-sudo systemctl stop bridgehead@bbmri.service
-sudo systemctl disable bridgehead@bbmri.service
-sudo systemctl daemon-reload
-sudo systemctl reset-failed
+sh bridgehead uninstall
 ```
 
-Now remove the directories where the Bridgehead files reside:
-
-```shell
-sudo rm -rf /srv/docker/bridgehead /etc/bridgehead
-```
-
-Finally, get rid of the Docker images:
-
-```shell
-docker image rm traefik:latest samply/beam-proxy:develop samply/blaze:0.18 samply/bridgehead-forward-proxy:latest samply/bridgehead-landingpage:master samply/spot:latest
-```
-
-Note that you will still have a functioning Beam certificate and a functioning GitLab configuration repository, even after you have removed everything locally.
-
 ## Site-specific configuration
 
 ### HTTPS Access
@@ -271,21 +256,6 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som
 
 If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
 
-### Monitoring
-
-To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
-
-- Your Bridgehead itself will report relevant system events, such as successful/failed updates, restarts, performance metrics or version numbers.
-- Your Bridgehead is also monitored from the outside by your network's central components. For example, the federated search will regularly perform a black-box test by sending an empty query to your Bridgehead and checking if the results make sense.
-
-In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes.
-
-## Troubleshooting
-
-### Docker Daemon Proxy Configuration
-
-Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com).
-
 ### Non-Linux OS
 
 The installation procedures described above have only been tested under Linux.
@@ -303,6 +273,21 @@ We have tested the installation procedure with an Ubuntu 22.04 guest system runn
 
 Installation under WSL ought to work, but we have not tested this.
 
+## Troubleshooting
+
+### Monitoring
+
+To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 
+
+- Your Bridgehead itself will report relevant system events, such as successful/failed updates, restarts, performance metrics or version numbers.
+- Your Bridgehead is also monitored from the outside by your network's central components. For example, the federated search will regularly perform a black-box test by sending an empty query to your Bridgehead and checking if the results make sense.
+
+In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes.
+
+### Docker Daemon Proxy Configuration
+
+Docker has a background daemon, responsible for downloading images and starting them. Sometimes, proxy configuration from your system won't carry over and it will fail to download images. In that case, configure the proxy for this daemon as described in the [official documentation](https://docs.docker.com).
+
 ## License
 
 Copyright 2019 - 2022 The Samply Community

From 90773ea92afb409bd15c6205531398e6f464d3f4 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 21 Feb 2023 09:26:53 +0100
Subject: [PATCH 145/213] Switch beam images to develop tag

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 3291326..89ed1a9 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 4c26d5e..65e57d2 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

From 191e9863642119a5088124f714bb045de29e3348 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 22 Feb 2023 15:32:21 +0100
Subject: [PATCH 146/213] Add check for installation in WSL and for systemd

---
 lib/prepare-system.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 2cba2e2..2a4fdae 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -5,6 +5,15 @@ source lib/functions.sh
 
 log "INFO" "Preparing your system for bridgehead installation ..."
 
+# Check, if running in WSL
+if [[ $(grep -i Microsoft /proc/version) ]]; then
+    # Check, if systemd is available
+    if [ ! $(systemctl) ]; then
+        log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/"
+        exit 1
+    fi
+fi
+
 # Create the bridgehead user
 if id bridgehead &>/dev/null; then
     log "INFO" "Existing user with id $(id -u bridgehead) will be used by the bridgehead system units."

From 4578c77d4bf18d2275d45a94532cdfed04673bb8 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 22 Feb 2023 15:42:52 +0100
Subject: [PATCH 147/213] Fix systemd check

---
 lib/prepare-system.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 2a4fdae..cfede1e 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -8,7 +8,7 @@ log "INFO" "Preparing your system for bridgehead installation ..."
 # Check, if running in WSL
 if [[ $(grep -i Microsoft /proc/version) ]]; then
     # Check, if systemd is available
-    if [ ! $(systemctl) ]; then
+    if [ $(systemctl is-system-running) -eq "offline" ]; then
         log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/"
         exit 1
     fi

From fdda14c1bea574c9a8eef11e8459056ae2ed3f16 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 23 Feb 2023 14:26:59 +0100
Subject: [PATCH 148/213] Fixed naming of site in exliquid script

---
 ccp/exliquid-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index 83daa45..91909eb 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -2,7 +2,7 @@
 
 function exliquidSetup() {
 	case ${SITE_ID} in
-		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
+		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tum|mannheim|tuebingen)
 			EXLIQUID=1
 			;;
 		dktk-test)

From 3023b82bb164a99d331f86a113418e6c78b90895 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Tue, 21 Feb 2023 09:26:53 +0100
Subject: [PATCH 149/213] Switch beam images to develop tag

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 3291326..89ed1a9 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 4c26d5e..65e57d2 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

From 2dc36433bf38527970160942e793cfc21a91e6d3 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 23 Feb 2023 14:26:59 +0100
Subject: [PATCH 150/213] Fixed naming of site in exliquid script

---
 ccp/exliquid-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
index 83daa45..91909eb 100644
--- a/ccp/exliquid-setup.sh
+++ b/ccp/exliquid-setup.sh
@@ -2,7 +2,7 @@
 
 function exliquidSetup() {
 	case ${SITE_ID} in
-		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
+		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tum|mannheim|tuebingen)
 			EXLIQUID=1
 			;;
 		dktk-test)

From 8b2e99200ed0586faf6ed7e7df229908c9809072 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 23 Feb 2023 18:05:34 +0100
Subject: [PATCH 151/213] Fix typo

---
 lib/prepare-system.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 2cba2e2..f54ee07 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -26,7 +26,7 @@ if [ -d "/srv/docker/bridgehead" ]; then
 else
     log "INFO" "Cloning $bridgehead_repository_url to /srv/docker/bridgehead"
     mkdir -p /srv/docker/
-    git clone bridgehead_repository_url /srv/docker/bridgehead
+    git clone $bridgehead_repository_url /srv/docker/bridgehead
 fi
 
 case "$PROJECT" in

From 857e351b884b11d123d4516e4fadea04f893addb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 23 Feb 2023 18:05:53 +0100
Subject: [PATCH 152/213] Support gitmirror for github.com repo

---
 lib/prepare-system.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index f54ee07..8cacdf0 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -14,7 +14,12 @@ else
 fi
 
 # Clone the OpenSource repository of bridgehead
-bridgehead_repository_url="https://github.com/samply/bridgehead.git"
+set +e
+bridgehead_repository_url=$(git remote get-url origin)
+if [ $? -ne 0 ]; then
+    bridgehead_repository_url="https://github.com/samply/bridgehead.git"
+fi
+set -e
 if [ -d "/srv/docker/bridgehead" ]; then
     current_owner=$(stat -c '%U' /srv/docker/bridgehead)
     if [ "$(su -c 'git -C /srv/docker/bridgehead remote get-url origin' $current_owner)" == "$bridgehead_repository_url" ]; then

From 7a350a8c9b2e3c1d5a8c3a56d0e7958e468ea39a Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 24 Feb 2023 11:29:06 +0100
Subject: [PATCH 153/213] Fix string comparison in WSL check

---
 lib/prepare-system.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index cfede1e..169ad2c 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -8,7 +8,7 @@ log "INFO" "Preparing your system for bridgehead installation ..."
 # Check, if running in WSL
 if [[ $(grep -i Microsoft /proc/version) ]]; then
     # Check, if systemd is available
-    if [ $(systemctl is-system-running) -eq "offline" ]; then
+    if [ $(systemctl is-system-running) = "offline" ]; then
         log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/"
         exit 1
     fi

From bfc00b99676ce51c821bd9fd38739ed5e3495843 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 24 Feb 2023 11:41:05 +0100
Subject: [PATCH 154/213] Prevent variable splitting in wsl check and improve
 error message

---
 lib/prepare-system.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 169ad2c..7e9f24f 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -8,8 +8,8 @@ log "INFO" "Preparing your system for bridgehead installation ..."
 # Check, if running in WSL
 if [[ $(grep -i Microsoft /proc/version) ]]; then
     # Check, if systemd is available
-    if [ $(systemctl is-system-running) = "offline" ]; then
-        log "ERROR" "It seems, that you have no active systemd environment in your WSL. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/"
+    if [ "$(systemctl is-system-running)" = "offline" ]; then
+        log "ERROR" "It seems you have no active systemd environment in your WSL environment. Please follow the guide in https://devblogs.microsoft.com/commandline/systemd-support-is-now-available-in-wsl/"
         exit 1
     fi
 fi

From 5d38f48f682065d3ec1ce70275452a57ea9da932 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 24 Feb 2023 16:32:17 +0100
Subject: [PATCH 155/213] Add developer install

---
 bridgehead            |  7 ++++++-
 lib/prepare-system.sh | 10 ++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/bridgehead b/bridgehead
index ecf4ec0..227a0d7 100755
--- a/bridgehead
+++ b/bridgehead
@@ -77,7 +77,12 @@ case "$ACTION" in
 		exec ./lib/update-bridgehead.sh $PROJECT
 		;;
 	install)
-		source ./lib/prepare-system.sh
+		source ./lib/prepare-system.sh NODEV
+		loadVars
+		exec ./lib/install-bridgehead.sh $PROJECT
+		;;
+	dev-install)
+		exec ./lib/prepare-system.sh DEV
 		loadVars
 		exec ./lib/install-bridgehead.sh $PROJECT
 		;;
diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index 8cacdf0..765c6d3 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+DEV_MODE="${1:-NODEV}"
+
 source lib/log.sh
 source lib/functions.sh
 
@@ -55,7 +57,7 @@ if [ -d /etc/bridgehead ]; then
     else
         log "WARN" "Your site configuration repository in /etc/bridgehead seems to have another origin than git.verbis.dkfz.de. Please check if the repository is correctly cloned!"
     fi
-else
+elif [[ "$DEV_MODE" == "NODEV" ]]; then
     log "INFO" "Now cloning your site configuration repository for you."
     read -p "Please enter your site: " site
     read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
@@ -64,9 +66,13 @@ else
     if [ $? -gt 0 ]; then
         log "ERROR" "Unable to clone your configuration repository. Please obtain correct access data and try again."
     fi
+elif [[ "$DEV_MODE" == "DEV" ]]; then
+    log "INFO" "Now cloning your developer configuration repository for you."
+    read -p "Please enter your config repository URL: " url
+    git clone "$url" /etc/bridgehead
 fi
 
 chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
 
-log INFO "System preparation is completed and private key is present."
+log INFO "System preparation is completed and configuration is present."
 

From cedc97477f3bc094cdb35daf1d6b2a8ba81513c6 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Mon, 27 Feb 2023 13:02:59 +0100
Subject: [PATCH 156/213] Add developer install option to the documentation

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 8fba0c9..2951102 100644
--- a/README.md
+++ b/README.md
@@ -157,6 +157,10 @@ To keep all Bridgeheads up and working and detect any errors before a user does,
 
 In all monitoring cases, obviously no sensitive information is transmitted, in particular not any patient-related data. Aggregated data, e.g. total amount of datasets, may be transmitted for diagnostic purposes.
 
+### Development Installation
+
+By using `./bridgehead dev-install <projectname>` instead of `install`, you can install a developer bridgehead. The difference is, that you can provide an arbitrary configuration repository during the installation, meaning that it does not have to adhere to the usual naming scheme. This allows for better decoupling between development and production configurations.
+
 ## Troubleshooting
 
 ### Docker Daemon Proxy Configuration

From 0ff153ef22ab71ad6ca6e31d37f59950062a9545 Mon Sep 17 00:00:00 2001
From: lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 8 Mar 2023 09:00:38 +0000
Subject: [PATCH 157/213] Use project name. Add is-running function.

---
 bridgehead       |  7 +++++--
 lib/functions.sh | 12 +++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/bridgehead b/bridgehead
index 227a0d7..60f4aa9 100755
--- a/bridgehead
+++ b/bridgehead
@@ -66,11 +66,14 @@ case "$ACTION" in
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		export LDM_LOGIN=$(getLdmPassword)
-		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
-		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		;;
+	is-running)
+		exit bk_is_running
 		;;
 	update)
 		loadVars
diff --git a/lib/functions.sh b/lib/functions.sh
index 23fb939..6954cd2 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -34,7 +34,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
@@ -169,6 +169,16 @@ function retry {
   return 0
 }
 
+function bk_is_running {
+	RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
+	NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l)
+	if [ $NUMBEROFRUNNING -gt 0 ]; then
+		return 0
+	else
+		return 1
+	fi
+}
+
 ##Setting Network properties
 # currently not needed
 #export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');

From 380511d3bb5ff95422f269621eb49484b231199a Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Wed, 8 Mar 2023 10:37:37 +0100
Subject: [PATCH 158/213] Don't delete docker images if BK is not running

---
 bridgehead               | 3 ++-
 lib/functions.sh         | 3 ++-
 lib/update-bridgehead.sh | 9 +++++++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/bridgehead b/bridgehead
index 60f4aa9..f2eaa6b 100755
--- a/bridgehead
+++ b/bridgehead
@@ -73,7 +73,8 @@ case "$ACTION" in
 		exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	is-running)
-		exit bk_is_running
+		bk_is_running
+		exit $?
 		;;
 	update)
 		loadVars
diff --git a/lib/functions.sh b/lib/functions.sh
index 6954cd2..836ffcc 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -170,9 +170,10 @@ function retry {
 }
 
 function bk_is_running {
+	detectCompose
 	RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
 	NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l)
-	if [ $NUMBEROFRUNNING -gt 0 ]; then
+	if [ $NUMBEROFRUNNING -ge 2 ]; then
 		return 0
 	else
 		return 1
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index c53b731..bce720d 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -4,10 +4,15 @@ source lib/functions.sh
 AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 
 if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
-	A="Performing automatic maintenance: Cleaning docker images."
+	A="Performing automatic maintenance: "
+	if bk_is_running; then
+		A="$A Cleaning docker images."
+		docker system prune -a -f
+	else
+		A="$A Not cleaning docker images since BK is not running."
+	fi
 	hc_send log "$A"
 	log INFO "$A"
-	docker system prune -a -f
 else
 	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
 fi

From 33b50372c6d264ce17811656ab2b2d74bf846404 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 9 Mar 2023 11:16:34 +0100
Subject: [PATCH 159/213] Pull docker images from DKFZ mirror

---
 bbmri/docker-compose.yml              | 12 ++++++------
 ccp/docker-compose.yml                | 12 ++++++------
 ccp/exliquid-compose.yml              |  4 ++--
 ccp/modules/id-management-compose.yml |  2 +-
 ccp/mtba-compose.yml                  |  2 +-
 ccp/nngm-compose.yml                  |  2 +-
 lib/functions.sh                      |  2 +-
 7 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 89ed1a9..6a6d0a8 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
   traefik:
     container_name: bridgehead-traefik
-    image: traefik:latest
+    image: docker.verbis.dkfz.de/cache/traefik:latest
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
@@ -32,7 +32,7 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:latest
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
     environment:
       HTTPS_PROXY: ${HTTPS_PROXY_URL}
       USERNAME: ${HTTPS_PROXY_USERNAME}
@@ -42,7 +42,7 @@ services:
 
   landing:
     container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage:master
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.19"
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"
@@ -72,7 +72,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: samply/spot:latest
+    image: docker.verbis.dkfz.de/cache/samply/spot:latest
     container_name: bridgehead-spot
     environment:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65e57d2..209ee70 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
   traefik:
     container_name: bridgehead-traefik
-    image: traefik:latest
+    image: docker.verbis.dkfz.de/cache/traefik:latest
     command:
       - --entrypoints.web.address=:80
       - --entrypoints.websecure.address=:443
@@ -32,7 +32,7 @@ services:
 
   forward_proxy:
     container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:latest
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
     environment:
       HTTPS_PROXY: ${HTTPS_PROXY_URL}
       USERNAME: ${HTTPS_PROXY_USERNAME}
@@ -42,7 +42,7 @@ services:
 
   landing:
     container_name: bridgehead-landingpage
-    image: samply/bridgehead-landingpage:master
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: "samply/blaze:0.19"
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
@@ -72,7 +72,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   spot:
-    image: samply/spot:latest
+    image: docker.verbis.dkfz.de/cache/samply/spot:latest
     container_name: bridgehead-spot
     environment:
       SECRET: ${SPOT_BEAM_SECRET_LONG}
@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index eb8d194..d5bb351 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   exliquid-task-store:
-    image: "samply/blaze:0.19"
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
     container_name: bridgehead-exliquid-task-store
     environment:
       BASE_URL: "http://bridgehead-exliquid-task-store:8080"
@@ -13,7 +13,7 @@ services:
       - "traefik.enable=false"
 
   exliquid-report-hub:
-    image: "samply/report-hub:latest"
+    image: docker.verbis.dkfz.de/cache/samply/report-hub:latest
     container_name: bridgehead-exliquid-report-hub
     environment:
       SPRING_WEBFLUX_BASE_PATH: "/exliquid"
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index cb0c89a..be1375e 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -42,7 +42,7 @@ services:
       - patientlist-db
 
   patientlist-db:
-    image: postgres:15.1-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:15.1-alpine
     container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"
diff --git a/ccp/mtba-compose.yml b/ccp/mtba-compose.yml
index bb90059..01cff12 100644
--- a/ccp/mtba-compose.yml
+++ b/ccp/mtba-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   mtba:
-    image: samply/mtba:develop
+    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
     container_name: bridgehead-mtba
     environment:
       BLAZE_STORE_URL: http://blaze:8080
diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index c212fed..bd189fb 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -18,7 +18,7 @@ services:
       - "traefik.http.routers.connector.tls=true"
 
   connector_db:
-    image: postgres:9.5-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:9.5-alpine
     container_name: bridgehead-ccp-connector-db
     volumes:
       - "connector_db_data:/var/lib/postgresql/data"
diff --git a/lib/functions.sh b/lib/functions.sh
index 836ffcc..fb93e87 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -11,7 +11,7 @@ detectCompose() {
 
 getLdmPassword() {
 	if [ -n "$LDM_PASSWORD" ]; then
-		docker run --rm httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
+		docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
 	else
 		echo -n ""
 	fi

From 25081c1bf48b53d097579468642a079afffd4146 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Thu, 9 Mar 2023 14:56:45 +0100
Subject: [PATCH 160/213] hotfix: Switch to old Project Name

---
 bridgehead       | 6 ++++--
 lib/functions.sh | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/bridgehead b/bridgehead
index f2eaa6b..13cb682 100755
--- a/bridgehead
+++ b/bridgehead
@@ -66,11 +66,13 @@ case "$ACTION" in
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		export LDM_LOGIN=$(getLdmPassword)
-		exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
-		exec $COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		# HACK: This is tempoarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
+		$COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	is-running)
 		bk_is_running
diff --git a/lib/functions.sh b/lib/functions.sh
index fb93e87..ac5ae6b 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -171,7 +171,7 @@ function retry {
 
 function bk_is_running {
 	detectCompose
-	RUNNING="$($COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
+	RUNNING="$($COMPOSE -p $PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
 	NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l)
 	if [ $NUMBEROFRUNNING -ge 2 ]; then
 		return 0

From bedad57f416ceade24d337418cca4c4dec4cd49e Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Tue, 14 Mar 2023 09:59:37 +0100
Subject: [PATCH 161/213] Changes for Directory sync PR 53

* Change docker-compose.yml to reduce the number of environment
  variables being passed to Directory sync.
* Improve documentation.
---
 README.md                | 20 ++++----------------
 bbmri/docker-compose.yml |  3 ---
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 3cb8822..283b81b 100644
--- a/README.md
+++ b/README.md
@@ -133,11 +133,11 @@ Your Bridgehead's actual data is not stored in the above directories, but in nam
 
 ### Directory sync
 
-This is an optional feature for bbmri projects.  It keeps the [BBMRI Directory](https://directory.bbmri-eric.eu/) up to date with the number of samples, etc.  kept in your biobank. It also updates the local FHIR store with the latest contact details etc. from the Directory.  You must explicitly enable this feature if you want to make use of it.
+This is an optional feature for bbmri projects. It keeps the [BBMRI Directory](https://directory.bbmri-eric.eu/) up to date with your local data eg. number of samples. It also updates the local FHIR store with the latest contact details etc. from the Directory.  You must explicitly set your country specific directory url, username and password to enable this feature.
 
 Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 
-To enable it, you will need to add some extra variables to the ```bbmri.conf``` file in your GitLab repository, for example:
+To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:
 
 ```
 ### Directory sync service
@@ -148,21 +148,9 @@ DS_TIMER_CRON="0 22 * * *"
 ```
 You must contact the Directory for your national node to find the URL, and to register as a user.
 
-Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the cron convention.
+Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention.
 
-Once you have made the changes, update your local configuration:
-
-```shell
-cd /etc/bridgehead
-sudo git pull
-sudo chown -R bridgehead * .git*
-```
-
-Then restart the Bridgehead:
-
-```shell
-sudo systemctl restart bridgehead@bbmri.service
-```
+Once you edited the gitlab config. The bridgehead will autoupdate the config with the values and will sync the data.
 
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 1824ef6..26f2378 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -110,10 +110,7 @@ services:
       DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
       DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
       DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_FHIR_STORE_URL: "http://bridgehead-bbmri-blaze:8080"
       DS_TIMER_CRON: ${DS_TIMER_CRON}
-      DS_RETRY_MAX: ${DS_RETRY_MAX}
-      DS_RETRY_INTERVAL: ${DS_RETRY_INTERVAL}
 
 volumes:
   blaze-data:

From d7a983000b357fee0d06ae94f1263bc19d884dcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Fri, 17 Mar 2023 11:03:19 +0100
Subject: [PATCH 162/213] Update README.md

---
 README.md | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index d7c636f..69b1902 100644
--- a/README.md
+++ b/README.md
@@ -96,15 +96,33 @@ To request a new repository, please send an email to one of the following:
 - For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu.
 - For the ccp project: support-ccp@dkfz-heidelberg.de
 
-Mention which project you belong to, i.e. "bbmri" or "ccp", plus your chosen site name.
+Mention:
+- which project you belong to, i.e. "bbmri" or "ccp"
+- site name (According to conventions listed above)
+- operator name, email and contact phone
 
 We will set the repository up for you. We will then send you:
 
 - A Repository Short Name (RSN). Beware: this is distinct from your site name.
-- The repository's URL.
-- A token to access the repository.
+- Repository URL containing the acces token eg. https://BH_Dummy:dummy_token@git.verbis.dkfz.de/bbmri-bridgehead-configs/dummy.git
 
-During the installation, your Bridgehead will download your site's configuration from GitLab. You will receive a weblink to review these settings and make changes as needed. To do this, visit the URL and click on the configuration file (```*.conf```, depending on your network). Use the blue button to edit it. You will need to check, as a minimum, the following variables:
+During the installation, your Bridgehead will download your site's configuration from GitLab and you can review the details provided to us by email.
+
+
+### Base Installation
+
+First, download your site specific configuration repository:
+```shell
+sudo mkdir -p /etc/bridgehead/
+sudo git clone <REPO_URL_FROM_EMAIL> /etc/bridgehead/
+```
+
+Review the site configuration:
+```shell
+sudo cat /etc/bridgehead/bbmri.conf
+```
+
+Pay special attention to:
 
 - SITE_NAME
 - SITE_ID
@@ -113,14 +131,7 @@ During the installation, your Bridgehead will download your site's configuration
 - OPERATOR_EMAIL
 - OPERATOR_PHONE
 
-SITE_NAME and SITE_ID should be set to the chosen name for your site. OPERATOR_* should be set to values appropriate for the administrator of your site (see examples in the file).
-
-Once you have made your changes, these will need to be reviewed by members of our team as part of a git pull request. Once accepted, the Bridgehead will automatically re-download these settings as part of its auto-update.
-
-### Base Installation
-
-First, get the Bridgehead:
-
+Download the bridghead repository:
 ```shell
 sudo mkdir -p /srv/docker/
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
@@ -133,12 +144,6 @@ cd /srv/docker/bridgehead
 sudo ./bridgehead install <PROJECT>
 ```
 
-When prompted with "Please enter your site", you should enter the Repository Short Name (RSN) for GitLab that you were given in the previous section.
-
-When prompted with "Please enter the bridgehead's access token for your site configuration repository", you should enter the token for the GitLab repository that was given to you.
-
-You should then be prompted to do the next step:
-
 ### Register with Samply.Beam
 
 Many Bridgehead services rely on the secure, performant and flexible messaging middleware called [Samply.Beam](https://github.com/samply/beam). You will need to register ("enroll") with Samply.Beam by creating a cryptographic key pair for your bridgehead:

From c53fe491d97ec03ed63d7cecbd0f66389836ff6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Fri, 17 Mar 2023 11:17:25 +0100
Subject: [PATCH 163/213] Update README.md

Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 69b1902..3e0c4b3 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ Site names should adhere to the following conventions:
 - They should generally be named after the city where your site is based, e.g. ```karlsruhe```.
 - If you have a multi-part name, please use a hypen ("-") as separator, e.g. ```le-havre```.
 - If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```.
-- If you are a developer and you are making changes to the Bridgehead, please use your name and append "-dev", e.g. ```joe-doe-dev```.
+- If you are a developer and you are making changes to the Bridgehead, please use your name and prepend "dev-", e.g. ```dev-joe-doe```.
 
 ### Projects
 

From bf3989dcbd02a381a0c76115fab1585c286d9a41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Fri, 17 Mar 2023 11:17:47 +0100
Subject: [PATCH 164/213] Update README.md

Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>
---
 README.md | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/README.md b/README.md
index 3e0c4b3..1f888f2 100644
--- a/README.md
+++ b/README.md
@@ -76,17 +76,6 @@ Site names should adhere to the following conventions:
 - If your site is for testing purposes, rather than production, please append "-test", e.g. ```zaragoza-test```.
 - If you are a developer and you are making changes to the Bridgehead, please use your name and prepend "dev-", e.g. ```dev-joe-doe```.
 
-### Projects
-
-The following "projects" are known to the Bridgehead installation:
-
-- bbmri
-- ccp
-
-Use "bbmri" if you are in the BBMRI-ERIC European biobank network or the GBA (German Biobank Alliance) network.
-
-Use "ccp" if you are in the DKTK network, the C4 network or the nNGM network.
-
 ### GitLab repository
 
 In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software.

From c39518f763456401f0cb0dacfdee6f0e97ad8067 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= <tomasik@mail.muni.cz>
Date: Fri, 17 Mar 2023 11:25:56 +0100
Subject: [PATCH 165/213] Update README.md

---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 1f888f2..45ecf52 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ Site names should adhere to the following conventions:
 
 In order to be able to install, you will need to have your own repository in GitLab for your site's configuration settings. This allows automated updates of the Bridgehead software.
 
-To request a new repository, please send an email to one of the following:
+To request a new repository, please contact your research network administration or send an email to one of the project specific addresses:
 
 - For the bbmri project: bridgehead@helpdesk.bbmri-eric.eu.
 - For the ccp project: support-ccp@dkfz-heidelberg.de
@@ -88,7 +88,7 @@ To request a new repository, please send an email to one of the following:
 Mention:
 - which project you belong to, i.e. "bbmri" or "ccp"
 - site name (According to conventions listed above)
-- operator name, email and contact phone
+- operator name and email
 
 We will set the repository up for you. We will then send you:
 
@@ -118,9 +118,8 @@ Pay special attention to:
 - OPERATOR_FIRST_NAME
 - OPERATOR_LAST_NAME
 - OPERATOR_EMAIL
-- OPERATOR_PHONE
 
-Download the bridghead repository:
+Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead

From 8f3d2f0947c0c25641d1c7ebc0291b678fca8211 Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Wed, 22 Mar 2023 11:26:55 +0100
Subject: [PATCH 166/213] replace local spot with focus

---
 bbmri/docker-compose.yml | 14 +++++++-------
 bbmri/vars               |  3 +--
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 6a6d0a8..eb30a34 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -71,12 +71,12 @@ services:
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
-  spot:
-    image: docker.verbis.dkfz.de/cache/samply/spot:latest
-    container_name: bridgehead-spot
+  focus:
+    image: docker.verbis.dkfz.de/cache/samply/focus:develop
+    container_name: bridgehead-focus
     environment:
-      SECRET: ${SPOT_BEAM_SECRET_LONG}
-      APPID: spot
+      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      APP_ID: focus
       PROXY_ID: ${PROXY_ID}
       LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY: http://beam-proxy:8081
@@ -90,8 +90,8 @@ services:
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
-      APP_0_ID: spot
-      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      APP_0_ID: focus
+      APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
diff --git a/bbmri/vars b/bbmri/vars
index 6fb693d..5803ac5 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -1,7 +1,6 @@
 BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
-SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

From 1c3785ace7579b9ab877d5edb6d5f4dc4860dda9 Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Wed, 22 Mar 2023 11:37:48 +0100
Subject: [PATCH 167/213] added missing variables and renamed correctly

---
 bbmri/docker-compose.yml | 7 ++++---
 bbmri/vars               | 3 ++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index eb30a34..348166c 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,10 +76,11 @@ services:
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      APP_ID: focus
+      BEAM_APP_ID: focus
       PROXY_ID: ${PROXY_ID}
-      LDM_URL: http://bridgehead-bbmri-blaze:8080/fhir
-      BEAM_PROXY: http://beam-proxy:8081
+      BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
+      BEAM_PROXY_URL: http://beam-proxy:8081
+      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
     depends_on:
       - "beam-proxy"
       - "blaze"
diff --git a/bbmri/vars b/bbmri/vars
index 5803ac5..34995ed 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -2,5 +2,6 @@ BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
\ No newline at end of file

From ebd213e1192d0d43c111ef70aa94817fe66713ce Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Thu, 23 Mar 2023 15:07:30 +0100
Subject: [PATCH 168/213] focus app name long

---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 348166c..6173830 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,7 +76,7 @@ services:
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID: focus
+      BEAM_APP_ID: focus.${PROXY_ID}
       PROXY_ID: ${PROXY_ID}
       BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY_URL: http://beam-proxy:8081

From caeb3034978a41af83ba964df162c57e5e88409b Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Thu, 23 Mar 2023 15:26:10 +0100
Subject: [PATCH 169/213] beam app id changed to avoid confusion

---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 6173830..9b1255e 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,7 +76,7 @@ services:
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID: focus.${PROXY_ID}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID}
       PROXY_ID: ${PROXY_ID}
       BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY_URL: http://beam-proxy:8081

From 6530aca843e592c5a3d20a067dffc45f1f8fd857 Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Thu, 23 Mar 2023 15:30:28 +0100
Subject: [PATCH 170/213] and proxy name

---
 bbmri/docker-compose.yml | 6 +++---
 bbmri/vars               | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 9b1255e..f8b7178 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,8 +76,8 @@ services:
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID_LONG}
+      PROXY_ID: ${PROXY_ID_LONG}
       BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
@@ -90,7 +90,7 @@ services:
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
+      PROXY_ID: ${PROXY_ID_LONG}
       APP_0_ID: focus
       APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
diff --git a/bbmri/vars b/bbmri/vars
index 34995ed..434cb4f 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -1,6 +1,6 @@
 BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
+PROXY_ID_LONG=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu

From bf408f9297dce0874b3f46f29ec0dee3544ae8a0 Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Mon, 27 Mar 2023 09:28:55 +0200
Subject: [PATCH 171/213] slash and quotation marks around blaze path

---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index f8b7178..d15f694 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -78,7 +78,7 @@ services:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       BEAM_APP_ID_LONG: focus.${PROXY_ID_LONG}
       PROXY_ID: ${PROXY_ID_LONG}
-      BLAZE_URL: http://bridgehead-bbmri-blaze:8080/fhir
+      BLAZE_URL: "http://bridgehead-bbmri-blaze:8080/fhir/"
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
     depends_on:

From bdff02ce49705709264b65ad79ec110a9f0ef748 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Mon, 27 Mar 2023 14:41:47 +0200
Subject: [PATCH 172/213] Update variable name to make enroll command work for
 BBMRI

---
 bbmri/docker-compose.yml | 6 +++---
 bbmri/vars               | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index d15f694..07658f4 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -76,8 +76,8 @@ services:
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID_LONG}
-      PROXY_ID: ${PROXY_ID_LONG}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID}
+      PROXY_ID: ${PROXY_ID}
       BLAZE_URL: "http://bridgehead-bbmri-blaze:8080/fhir/"
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
@@ -90,7 +90,7 @@ services:
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID_LONG}
+      PROXY_ID: ${PROXY_ID}
       APP_0_ID: focus
       APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
diff --git a/bbmri/vars b/bbmri/vars
index 434cb4f..0f99eb1 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -1,7 +1,7 @@
 BROKER_ID=broker.bbmri.samply.de
 BROKER_URL=https://${BROKER_ID}
-PROXY_ID_LONG=${SITE_ID}.${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
\ No newline at end of file
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

From df74d6d768dd4d9b69b1c044e17d9cd2aab75429 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 31 Mar 2023 08:04:28 +0200
Subject: [PATCH 173/213] Make directory sync opt service

---
 bbmri/directory-sync-compose.yml | 8 ++++++++
 bbmri/directory-sync.sh          | 8 ++++++++
 bbmri/docker-compose.yml         | 8 --------
 bbmri/vars                       | 4 ++++
 4 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 bbmri/directory-sync-compose.yml
 create mode 100755 bbmri/directory-sync.sh

diff --git a/bbmri/directory-sync-compose.yml b/bbmri/directory-sync-compose.yml
new file mode 100644
index 0000000..486b924
--- /dev/null
+++ b/bbmri/directory-sync-compose.yml
@@ -0,0 +1,8 @@
+services:
+  directory_sync_service:
+    image: "samply/directory_sync_service"
+    environment:
+      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
+      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
+      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
+      DS_TIMER_CRON: ${DS_TIMER_CRON}
\ No newline at end of file
diff --git a/bbmri/directory-sync.sh b/bbmri/directory-sync.sh
new file mode 100755
index 0000000..2eeef4a
--- /dev/null
+++ b/bbmri/directory-sync.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+function dirSetup() {
+	if [ -n "$DS_DIRECTORY_USER_NAME" ]; then
+		log INFO "Directory sync setup detected -- will start directory sync service."
+		OVERRIDE+=" -f ./$PROJECT/directory-sync-compose.yml"
+	fi
+}
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 26f2378..2433234 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -104,14 +104,6 @@ services:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - ./root.crt.pem:/conf/root.crt.pem:ro
 
-  directory_sync_service:
-    image: "samply/directory_sync_service"
-    environment:
-      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
-      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
-      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_TIMER_CRON: ${DS_TIMER_CRON}
-
 volumes:
   blaze-data:
 
diff --git a/bbmri/vars b/bbmri/vars
index 6fb693d..a9c65cb 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -5,3 +5,7 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+# This will load directory-sync setup.
+source $PROJECT/directory-sync.sh
+dirSetup

From fa41f8d77f3313a836ce9003d981a1951cf913d1 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 31 Mar 2023 10:01:51 +0200
Subject: [PATCH 174/213] Changed image to docker.verbis.dkfz.de/cache/

Requested by Torben Brenner in PR 53
---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 26f2378..0ec9ca3 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -105,7 +105,7 @@ services:
       - ./root.crt.pem:/conf/root.crt.pem:ro
 
   directory_sync_service:
-    image: "samply/directory_sync_service"
+    image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
     environment:
       DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
       DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}

From f4e65cc3d00cdc06bab7860474beb02a221a5d09 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Fri, 31 Mar 2023 11:55:19 +0200
Subject: [PATCH 175/213] Implemented Torbens request for PR 53

---
 bbmri/directory-sync-compose.yml | 4 ++--
 bbmri/docker-compose.yml         | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bbmri/directory-sync-compose.yml b/bbmri/directory-sync-compose.yml
index 486b924..9776ecb 100644
--- a/bbmri/directory-sync-compose.yml
+++ b/bbmri/directory-sync-compose.yml
@@ -1,8 +1,8 @@
 services:
   directory_sync_service:
-    image: "samply/directory_sync_service"
+    image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
     environment:
       DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
       DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
       DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_TIMER_CRON: ${DS_TIMER_CRON}
\ No newline at end of file
+      DS_TIMER_CRON: ${DS_TIMER_CRON}
diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 0ec9ca3..26f2378 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -105,7 +105,7 @@ services:
       - ./root.crt.pem:/conf/root.crt.pem:ro
 
   directory_sync_service:
-    image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
+    image: "samply/directory_sync_service"
     environment:
       DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
       DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}

From 5b926ba20c58b106b7d8fc1b09e7f09bbfb36025 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 31 Mar 2023 12:15:43 +0200
Subject: [PATCH 176/213] Remove opt directory_sync from compose

---
 bbmri/docker-compose.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 26f2378..2433234 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -104,14 +104,6 @@ services:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - ./root.crt.pem:/conf/root.crt.pem:ro
 
-  directory_sync_service:
-    image: "samply/directory_sync_service"
-    environment:
-      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
-      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
-      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_TIMER_CRON: ${DS_TIMER_CRON}
-
 volumes:
   blaze-data:
 

From 3a42570ac4c6842986c981ca4ec520b5436c2c8f Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Tue, 4 Apr 2023 13:11:33 +0200
Subject: [PATCH 177/213] Add DNPM discovery URL as public configuration

---
 dnpm/dnpm-setup.sh | 4 ++--
 dnpm/vars          | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 dnpm/vars

diff --git a/dnpm/dnpm-setup.sh b/dnpm/dnpm-setup.sh
index 3b94a86..ff32c68 100644
--- a/dnpm/dnpm-setup.sh
+++ b/dnpm/dnpm-setup.sh
@@ -6,10 +6,10 @@ function dnpmSetup() {
 		OVERRIDE+=" -f ./dnpm/dnpm-compose-beamconnect.yml"
 		DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-		source /etc/bridgehead/dnpm/shared-but-secret-vars || fail_and_report 1 "Unable to load /etc/bridgehead/dnpm/shared-but-secret-vars"
+		source /srv/docker/bridgehead/dnpm/vars || fail_and_report 1 "Unable to load /srv/docker/bridgehead/dnpm/vars"
 		export DNPM_DISCOVERY_URL
 		if [ -e /etc/bridgehead/dnpm/bwhcConnectorConfig.xml ]; then
-			log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend."
+			log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
 			OVERRIDE+=" -f ./dnpm/dnpm-compose-bwhc.yml"
 		fi
 	fi
diff --git a/dnpm/vars b/dnpm/vars
new file mode 100644
index 0000000..69c2220
--- /dev/null
+++ b/dnpm/vars
@@ -0,0 +1 @@
+DNPM_DISCOVERY_URL=https://dnpm.medizin.uni-tuebingen.de/sites

From 48dd477a9417b5ad7f463e08488d455beaf30173 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Mon, 24 Apr 2023 10:33:04 +0200
Subject: [PATCH 178/213] Removed non-functioning links from Table of Contents

Removed Git and Docker from Requirements -> Software, since they are
no longer used.
---
 README.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/README.md b/README.md
index c8aad18..cc70d45 100644
--- a/README.md
+++ b/README.md
@@ -7,8 +7,6 @@ This repository is the starting point for any information and tools you will nee
 1. [Requirements](#requirements)
     - [Hardware](#hardware)
     - [Software](#software)
-      - [Git](#git)
-      - [Docker](#docker)
     - [Network](#network)
 2. [Deployment](#deployment)
     - [Site name](#site-name)

From dd0d2c64fd806ca542b5237b492e6522c51c3960 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Thu, 4 May 2023 15:18:30 +0200
Subject: [PATCH 179/213] nngm migration from connector to nngm-rest

---
 ccp/nngm-compose.yml | 30 +++++++++++-------------------
 ccp/nngm-setup.sh    |  7 +++++--
 2 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/ccp/nngm-compose.yml b/ccp/nngm-compose.yml
index bd189fb..47bfa70 100644
--- a/ccp/nngm-compose.yml
+++ b/ccp/nngm-compose.yml
@@ -1,32 +1,24 @@
 version: "3.7"
+volumes:
+  nngm-rest:
 
 services:
   connector:
     container_name: bridgehead-connector
-    image: docker.verbis.dkfz.de/ccp/connector:bk2
+    image: docker.verbis.dkfz.de/ccp/nngm-rest:main
     environment:
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
-      NNGM_MAGICPL_APIKEY: ${NNGM_MAGICPL_APIKEY}
-      NNGM_MAINZELLISTE_APIKEY: ${NNGM_MAINZELLISTE_APIKEY}
-      NNGM_CTS_APIKEY: ${NNGM_CTS_APIKEY}
-      NNGM_CRYPTKEY: ${NNGM_CRYPTKEY}
+      CTS_MAGICPL_API_KEY: ${NNGM_MAGICPL_APIKEY}
+      CTS_API_KEY: ${NNGM_CTS_APIKEY}
+      CRYPT_KEY: ${NNGM_CRYPTKEY}
+      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
     restart: always
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.connector.rule=PathPrefix(`/ccp-connector`)"
+      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
+      - "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
       - "traefik.http.services.connector.loadbalancer.server.port=8080"
       - "traefik.http.routers.connector.tls=true"
-
-  connector_db:
-    image: docker.verbis.dkfz.de/cache/postgres:9.5-alpine
-    container_name: bridgehead-ccp-connector-db
+      - "traefik.http.routers.connector.middlewares=connector_strip,auth"
     volumes:
-      - "connector_db_data:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_DB: "samplyconnector"
-      POSTGRES_USER: "samplyconnector"
-      POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
-    restart: always
+      - nngm-rest:/var/log
 
-volumes:
-  connector_db_data:
diff --git a/ccp/nngm-setup.sh b/ccp/nngm-setup.sh
index ba2e77f..bcc4cd1 100644
--- a/ccp/nngm-setup.sh
+++ b/ccp/nngm-setup.sh
@@ -1,12 +1,15 @@
 #!/bin/bash
+##nNGM vars:
+#NNGM_MAGICPL_APIKEY
+#NNGM_CTS_APIKEY
+#NNGM_CRYPTKEY
 
 function nngmSetup() {
 	if [ -n "$NNGM_CTS_APIKEY" ]; then
 		log INFO "nNGM setup detected -- will start nNGM Connector."
 		OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
 	fi
-	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-}
+	}
 
 function mtbaSetup() {
 	# TODO: Check if ID-Management Module is activated!

From 3e1659a38d3c4eb6bc64d960445d124c8a808d14 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 10 May 2023 10:54:05 +0000
Subject: [PATCH 180/213] Modularize DNPM components

---
 bbmri/docker-compose.yml                     | 52 ------------------
 bbmri/modules/dnpm-compose-beamconnect.yml   | 47 ++++++++++++++++
 bbmri/modules/dnpm-compose-bwhc.yml          | 54 +++++++++++++++++++
 bbmri/modules/dnpm-setup.sh                  | 17 ++++++
 bbmri/vars                                   |  8 ++-
 bridgehead                                   | 14 +++--
 ccp/docker-compose.yml                       | 52 ------------------
 ccp/modules/dnpm-compose-beamconnect.yml     | 28 ++++++++++
 ccp/modules/dnpm-compose-bwhc.yml            | 54 +++++++++++++++++++
 ccp/modules/dnpm-setup.sh                    | 17 ++++++
 ccp/vars                                     |  8 +--
 lib/functions.sh                             |  2 +-
 lib/update-bridgehead.sh                     |  2 +-
 minimal/docker-compose.yml                   | 56 ++++++++++++++++++++
 minimal/modules/dnpm-compose-beamconnect.yml | 47 ++++++++++++++++
 minimal/modules/dnpm-compose-bwhc.yml        | 54 +++++++++++++++++++
 minimal/modules/dnpm-setup.sh                | 17 ++++++
 minimal/vars                                 |  5 ++
 18 files changed, 421 insertions(+), 113 deletions(-)
 create mode 100644 bbmri/modules/dnpm-compose-beamconnect.yml
 create mode 100644 bbmri/modules/dnpm-compose-bwhc.yml
 create mode 100644 bbmri/modules/dnpm-setup.sh
 create mode 100644 ccp/modules/dnpm-compose-beamconnect.yml
 create mode 100644 ccp/modules/dnpm-compose-bwhc.yml
 create mode 100644 ccp/modules/dnpm-setup.sh
 create mode 100644 minimal/docker-compose.yml
 create mode 100644 minimal/modules/dnpm-compose-beamconnect.yml
 create mode 100644 minimal/modules/dnpm-compose-bwhc.yml
 create mode 100644 minimal/modules/dnpm-setup.sh
 create mode 100644 minimal/vars

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index d15f694..4255684 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -1,58 +1,6 @@
 version: "3.7"
 
 services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: docker.verbis.dkfz.de/cache/traefik:latest
-    command:
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --providers.docker.exposedbydefault=false
-      - --providers.file.directory=/configuration/
-      - --api.dashboard=true
-      - --accesslog=true
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - /etc/bridgehead/traefik-tls:/certs:ro
-      - ../lib/traefik-configuration/:/configuration:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-
-  forward_proxy:
-    container_name: bridgehead-forward-proxy
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
-    environment:
-      HTTPS_PROXY: ${HTTPS_PROXY_URL}
-      USERNAME: ${HTTPS_PROXY_USERNAME}
-      PASSWORD: ${HTTPS_PROXY_PASSWORD}
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
-
-  landing:
-    container_name: bridgehead-landingpage
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
   blaze:
     image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
     container_name: bridgehead-bbmri-blaze
diff --git a/bbmri/modules/dnpm-compose-beamconnect.yml b/bbmri/modules/dnpm-compose-beamconnect.yml
new file mode 100644
index 0000000..9d3be80
--- /dev/null
+++ b/bbmri/modules/dnpm-compose-beamconnect.yml
@@ -0,0 +1,47 @@
+version: "3.7"
+
+services:
+  dnpm-beam-proxy:
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    container_name: bridgehead-dnpm-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_3_ID: dnpm-connect
+      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+
+  dnpm-beam-connect:
+    depends_on: [ dnpm-beam-proxy ]
+    image: samply/beam-connect:sites-without-auth
+    environment:
+      PROXY_URL: http://dnpm-beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm-connect.${PROXY_ID}
+      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
+      LOCAL_TARGETS_FILE: /conf/connect_targets.json
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend
+      RUST_LOG: ${RUST_LOG:-info}
+    volumes:
+      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
+      - "traefik.http.routers.dnpm-connect.tls=true"
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/bbmri/modules/dnpm-compose-bwhc.yml b/bbmri/modules/dnpm-compose-bwhc.yml
new file mode 100644
index 0000000..9ba1357
--- /dev/null
+++ b/bbmri/modules/dnpm-compose-bwhc.yml
@@ -0,0 +1,54 @@
+version: "3.7"
+
+services:
+  dnpm-frontend:
+    depends_on: [ dnpm-backend ]
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Frontend.Dockerfile
+      network: host
+      args:
+        NUXT_HOST: 0.0.0.0
+        NUXT_PORT: 3000
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+        HTTP_PROXY: ${http_proxy}
+        HTTPS_PROXY: ${https_proxy}
+    environment:
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        no_proxy: dnpm-backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
+      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-frontend.tls=true"
+
+  dnpm-backend:
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Backend.Dockerfile
+      args:
+        BWHC_BASE_DIR: /bwhc-backend
+        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
+    ports:
+      - 9000:9000
+    environment:
+      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
+      ZPM_SITE: ${ZPM_SITE}
+      noproxy: dnpm-frontend,dnpm-beam-connect
+      # PLAY_HTTP_PORT: 9000
+      # PLAY_HTTP_ADDRESS: 0.0.0.0
+    volumes:
+      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
+      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
+      - bwhc_data:/bwhc-backend/data/
+      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
+
+volumes:
+  bwhc_data:
+  bwhc_hgnc_data:
diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
new file mode 100644
index 0000000..9a3cbf4
--- /dev/null
+++ b/bbmri/modules/dnpm-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM}" ]; then
+	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+
+	# Set variables required for Beam-Connect
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
+
+	# Optionally, start bwhc as well. This is currently only experimental
+	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
+		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
+		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+	fi
+fi
diff --git a/bbmri/vars b/bbmri/vars
index 434cb4f..be7805a 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -4,4 +4,10 @@ PROXY_ID_LONG=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
\ No newline at end of file
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+for module in $PROJECT/modules/*.sh
+do
+    log INFO "sourcing $module"
+    source $module
+done
diff --git a/bridgehead b/bridgehead
index 13cb682..7ca7af1 100755
--- a/bridgehead
+++ b/bridgehead
@@ -32,6 +32,9 @@ case "$PROJECT" in
 	bbmri)
 		#nothing extra to do
 		;;
+	minimal)
+		#nothing extra to do
+		;;
 	*)
 		printUsage
 		exit 1
@@ -51,6 +54,11 @@ loadVars() {
 	set +a
 
 	OVERRIDE=${OVERRIDE:=""}
+	# minimal contains shared components, so potential overrides must be applied in every project
+	if [ -f "minimal/docker-compose.override.yml" ]; then
+		log INFO "Applying minimal/docker-compose.override.yml"
+		OVERRIDE+=" -f ./minimal/docker-compose.override.yml"
+	fi
 	if [ -f "$PROJECT/docker-compose.override.yml" ]; then
 		log INFO "Applying $PROJECT/docker-compose.override.yml"
 		OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
@@ -66,13 +74,13 @@ case "$ACTION" in
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		export LDM_LOGIN=$(getLdmPassword)
-		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
 		# HACK: This is tempoarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
-		$COMPOSE -p bridgehead-$PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE down
-		exec $COMPOSE -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	is-running)
 		bk_is_running
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 209ee70..456eef1 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -1,58 +1,6 @@
 version: "3.7"
 
 services:
-  traefik:
-    container_name: bridgehead-traefik
-    image: docker.verbis.dkfz.de/cache/traefik:latest
-    command:
-      - --entrypoints.web.address=:80
-      - --entrypoints.websecure.address=:443
-      - --providers.docker=true
-      - --providers.docker.exposedbydefault=false
-      - --providers.file.directory=/configuration/
-      - --api.dashboard=true
-      - --accesslog=true
-      - --entrypoints.web.http.redirections.entrypoint.to=websecure
-      - --entrypoints.web.http.redirections.entrypoint.scheme=https
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.dashboard.middlewares=auth"
-      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
-    ports:
-      - 80:80
-      - 443:443
-    volumes:
-      - /etc/bridgehead/traefik-tls:/certs:ro
-      - ../lib/traefik-configuration/:/configuration:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-
-  forward_proxy:
-    container_name: bridgehead-forward-proxy
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
-    environment:
-      HTTPS_PROXY: ${HTTPS_PROXY_URL}
-      USERNAME: ${HTTPS_PROXY_USERNAME}
-      PASSWORD: ${HTTPS_PROXY_PASSWORD}
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
-
-  landing:
-    container_name: bridgehead-landingpage
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-    environment:
-      HOST: ${HOST}
-      PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
-
   blaze:
     image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
     container_name: bridgehead-ccp-blaze
diff --git a/ccp/modules/dnpm-compose-beamconnect.yml b/ccp/modules/dnpm-compose-beamconnect.yml
new file mode 100644
index 0000000..8db45ac
--- /dev/null
+++ b/ccp/modules/dnpm-compose-beamconnect.yml
@@ -0,0 +1,28 @@
+version: "3.7"
+
+services:
+  beam-proxy:
+    environment:
+      APP_3_ID: dnpm-connect
+      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
+
+  dnpm-beam-connect:
+    depends_on: [ beam-proxy ]
+    image: samply/beam-connect:sites-without-auth
+    environment:
+      PROXY_URL: http://beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm-connect.${PROXY_ID}
+      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
+      LOCAL_TARGETS_FILE: /conf/connect_targets.json
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: beam-proxy,dnpm-backend
+      RUST_LOG: ${RUST_LOG:-info}
+    volumes:
+      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
+      - "traefik.http.routers.dnpm-connect.tls=true"
diff --git a/ccp/modules/dnpm-compose-bwhc.yml b/ccp/modules/dnpm-compose-bwhc.yml
new file mode 100644
index 0000000..9ba1357
--- /dev/null
+++ b/ccp/modules/dnpm-compose-bwhc.yml
@@ -0,0 +1,54 @@
+version: "3.7"
+
+services:
+  dnpm-frontend:
+    depends_on: [ dnpm-backend ]
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Frontend.Dockerfile
+      network: host
+      args:
+        NUXT_HOST: 0.0.0.0
+        NUXT_PORT: 3000
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+        HTTP_PROXY: ${http_proxy}
+        HTTPS_PROXY: ${https_proxy}
+    environment:
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        no_proxy: dnpm-backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
+      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-frontend.tls=true"
+
+  dnpm-backend:
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Backend.Dockerfile
+      args:
+        BWHC_BASE_DIR: /bwhc-backend
+        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
+    ports:
+      - 9000:9000
+    environment:
+      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
+      ZPM_SITE: ${ZPM_SITE}
+      noproxy: dnpm-frontend,dnpm-beam-connect
+      # PLAY_HTTP_PORT: 9000
+      # PLAY_HTTP_ADDRESS: 0.0.0.0
+    volumes:
+      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
+      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
+      - bwhc_data:/bwhc-backend/data/
+      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
+
+volumes:
+  bwhc_data:
+  bwhc_hgnc_data:
diff --git a/ccp/modules/dnpm-setup.sh b/ccp/modules/dnpm-setup.sh
new file mode 100644
index 0000000..9a3cbf4
--- /dev/null
+++ b/ccp/modules/dnpm-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM}" ]; then
+	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+
+	# Set variables required for Beam-Connect
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
+
+	# Optionally, start bwhc as well. This is currently only experimental
+	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
+		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
+		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+	fi
+fi
diff --git a/ccp/vars b/ccp/vars
index 456dda9..2a295f4 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -19,6 +19,8 @@ source $PROJECT/exliquid-setup.sh
 exliquidSetup
 mtbaSetup
 
-# This will load DNPM setup. Effective only if DNPM configuration is defined in /etc/bridgehead/dnpm.
-source dnpm/dnpm-setup.sh
-dnpmSetup
+for module in $PROJECT/modules/*.sh
+do
+    log INFO "sourcing $module"
+    source $module
+done
diff --git a/lib/functions.sh b/lib/functions.sh
index ac5ae6b..a243842 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -171,7 +171,7 @@ function retry {
 
 function bk_is_running {
 	detectCompose
-	RUNNING="$($COMPOSE -p $PROJECT -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
+	RUNNING="$($COMPOSE -p $PROJECT -f minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE ps -q)"
 	NUMBEROFRUNNING=$(echo "$RUNNING" | wc -l)
 	if [ $NUMBEROFRUNNING -ge 2 ]; then
 		return 0
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index bce720d..89db369 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -86,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
new file mode 100644
index 0000000..cd4c2e5
--- /dev/null
+++ b/minimal/docker-compose.yml
@@ -0,0 +1,56 @@
+version: "3.7"
+
+services:
+  traefik:
+    container_name: bridgehead-traefik
+    image: docker.verbis.dkfz.de/cache/traefik:latest
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.directory=/configuration/
+      - --api.dashboard=true
+      - --accesslog=true
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.middlewares=auth"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /etc/bridgehead/traefik-tls:/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  forward_proxy:
+    container_name: bridgehead-forward-proxy
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
+    environment:
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
+  landing:
+    container_name: bridgehead-landingpage
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:master
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
+    environment:
+      HOST: ${HOST}
+      PROJECT: ${PROJECT}
+      SITE_NAME: ${SITE_NAME}
+
+
diff --git a/minimal/modules/dnpm-compose-beamconnect.yml b/minimal/modules/dnpm-compose-beamconnect.yml
new file mode 100644
index 0000000..9d3be80
--- /dev/null
+++ b/minimal/modules/dnpm-compose-beamconnect.yml
@@ -0,0 +1,47 @@
+version: "3.7"
+
+services:
+  dnpm-beam-proxy:
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    container_name: bridgehead-dnpm-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_3_ID: dnpm-connect
+      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+
+  dnpm-beam-connect:
+    depends_on: [ dnpm-beam-proxy ]
+    image: samply/beam-connect:sites-without-auth
+    environment:
+      PROXY_URL: http://dnpm-beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm-connect.${PROXY_ID}
+      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
+      LOCAL_TARGETS_FILE: /conf/connect_targets.json
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend
+      RUST_LOG: ${RUST_LOG:-info}
+    volumes:
+      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
+      - "traefik.http.routers.dnpm-connect.tls=true"
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/minimal/modules/dnpm-compose-bwhc.yml b/minimal/modules/dnpm-compose-bwhc.yml
new file mode 100644
index 0000000..9ba1357
--- /dev/null
+++ b/minimal/modules/dnpm-compose-bwhc.yml
@@ -0,0 +1,54 @@
+version: "3.7"
+
+services:
+  dnpm-frontend:
+    depends_on: [ dnpm-backend ]
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Frontend.Dockerfile
+      network: host
+      args:
+        NUXT_HOST: 0.0.0.0
+        NUXT_PORT: 3000
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
+        HTTP_PROXY: ${http_proxy}
+        HTTPS_PROXY: ${https_proxy}
+    environment:
+        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
+        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PORT: 9000
+        no_proxy: dnpm-backend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
+      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-frontend.tls=true"
+
+  dnpm-backend:
+    build:
+      context: ../../dnpm/origin
+      dockerfile: Backend.Dockerfile
+      args:
+        BWHC_BASE_DIR: /bwhc-backend
+        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
+    ports:
+      - 9000:9000
+    environment:
+      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
+      ZPM_SITE: ${ZPM_SITE}
+      noproxy: dnpm-frontend,dnpm-beam-connect
+      # PLAY_HTTP_PORT: 9000
+      # PLAY_HTTP_ADDRESS: 0.0.0.0
+    volumes:
+      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
+      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
+      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
+      - bwhc_data:/bwhc-backend/data/
+      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
+
+volumes:
+  bwhc_data:
+  bwhc_hgnc_data:
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
new file mode 100644
index 0000000..9a3cbf4
--- /dev/null
+++ b/minimal/modules/dnpm-setup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM}" ]; then
+	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+
+	# Set variables required for Beam-Connect
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
+
+	# Optionally, start bwhc as well. This is currently only experimental
+	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
+		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
+		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+	fi
+fi
diff --git a/minimal/vars b/minimal/vars
new file mode 100644
index 0000000..acca503
--- /dev/null
+++ b/minimal/vars
@@ -0,0 +1,5 @@
+for module in $PROJECT/modules/*.sh
+do
+    log INFO "sourcing $module"
+    source $module
+done

From 498092d36a74a75465d165cf45c7f193d8d28ed5 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 10 May 2023 10:59:13 +0000
Subject: [PATCH 181/213] Replace deprecated openssl command

---
 ccp/modules/id-management-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh
index ba8ad45..1e24891 100644
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -6,7 +6,7 @@ function idManagementSetup() {
 		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
 		# Auto Generate local Passwords
-		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 		IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 
 		# Transform Seeds Configuration to pass it to the Mainzelliste Container

From 64169acca2629ee5f7725cc44a9ff0b0bcdb1941 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 10 May 2023 12:13:20 +0000
Subject: [PATCH 182/213] Rely on beam-enroll message for exsisting key

---
 bridgehead | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/bridgehead b/bridgehead
index 13cb682..056d385 100755
--- a/bridgehead
+++ b/bridgehead
@@ -97,10 +97,6 @@ case "$ACTION" in
 		;;
 	enroll)
 		loadVars
-		if [ -e $PRIVATEKEYFILENAME ]; then
-			log ERROR "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
-			exit 1
-		fi
 		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
 		chmod 600 $PRIVATEKEYFILENAME
 		;;

From d87745443e3f7958f606903d78942583ca970d8c Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 10 May 2023 20:15:14 +0200
Subject: [PATCH 183/213] support minimal project in system preparation

---
 lib/prepare-system.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh
index c0caa79..1bddf3e 100755
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -52,6 +52,9 @@ case "$PROJECT" in
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;
+	minimal)
+		site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
+		;;
 	*)
 		log ERROR "Internal error, this should not happen."
         exit 1

From c9806ad874530d7da25c24d871392cecdb6e2e99 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Mon, 15 May 2023 13:43:01 +0200
Subject: [PATCH 184/213] Adapt DNPM configuration

---
 bbmri/modules/dnpm-compose-beamconnect.yml   | 15 ++++++++-------
 bbmri/modules/dnpm-setup.sh                  |  4 +++-
 ccp/modules/dnpm-compose-beamconnect.yml     |  9 +++++----
 ccp/modules/dnpm-setup.sh                    |  1 -
 minimal/modules/dnpm-compose-beamconnect.yml | 19 ++++++++++---------
 minimal/modules/dnpm-setup.sh                |  4 +++-
 6 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/bbmri/modules/dnpm-compose-beamconnect.yml b/bbmri/modules/dnpm-compose-beamconnect.yml
index 9d3be80..90f6cf1 100644
--- a/bbmri/modules/dnpm-compose-beamconnect.yml
+++ b/bbmri/modules/dnpm-compose-beamconnect.yml
@@ -5,10 +5,10 @@ services:
     image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-dnpm-beam-proxy
     environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_3_ID: dnpm-connect
-      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      BROKER_URL: ${DNPM_BROKER_URL}
+      PROXY_ID: ${DNPM_PROXY_ID}
+      APP_0_ID: dnpm-connect
+      APP_0_KEY: ${DNPM_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
@@ -27,15 +27,16 @@ services:
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm-connect.${PROXY_ID}
-      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
-      LOCAL_TARGETS_FILE: /conf/connect_targets.json
+      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
+      DISCOVERY_URL: "./conf/central_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
       NO_PROXY: dnpm-beam-proxy,dnpm-backend
       RUST_LOG: ${RUST_LOG:-info}
     volumes:
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
index 9a3cbf4..db1969a 100644
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@@ -7,7 +7,9 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
+	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
+	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
 
 	# Optionally, start bwhc as well. This is currently only experimental
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
diff --git a/ccp/modules/dnpm-compose-beamconnect.yml b/ccp/modules/dnpm-compose-beamconnect.yml
index 8db45ac..2dce251 100644
--- a/ccp/modules/dnpm-compose-beamconnect.yml
+++ b/ccp/modules/dnpm-compose-beamconnect.yml
@@ -13,14 +13,15 @@ services:
       PROXY_URL: http://beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
       APP_ID: dnpm-connect.${PROXY_ID}
-      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
-      LOCAL_TARGETS_FILE: /conf/connect_targets.json
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
+      DISCOVERY_URL: "./conf/central_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      HTTP_PROXY: "http://forward_proxy:3128"
+      HTTPS_PROXY: "http://forward_proxy:3128"
       NO_PROXY: beam-proxy,dnpm-backend
       RUST_LOG: ${RUST_LOG:-info}
     volumes:
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/ccp/modules/dnpm-setup.sh b/ccp/modules/dnpm-setup.sh
index 9a3cbf4..ce39731 100644
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@@ -7,7 +7,6 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
 
 	# Optionally, start bwhc as well. This is currently only experimental
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
diff --git a/minimal/modules/dnpm-compose-beamconnect.yml b/minimal/modules/dnpm-compose-beamconnect.yml
index 9d3be80..16cfdb9 100644
--- a/minimal/modules/dnpm-compose-beamconnect.yml
+++ b/minimal/modules/dnpm-compose-beamconnect.yml
@@ -5,14 +5,14 @@ services:
     image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-dnpm-beam-proxy
     environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_3_ID: dnpm-connect
-      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      BROKER_URL: ${DNPM_BROKER_URL}
+      PROXY_ID: ${DNPM_PROXY_ID}
+      APP_0_ID: dnpm-connect
+      APP_0_KEY: ${DNPM_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
+      ROOTCERT_FILE: ./conf/root.crt.pem
     secrets:
       - proxy.pem
     depends_on:
@@ -27,15 +27,16 @@ services:
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm-connect.${PROXY_ID}
-      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
-      LOCAL_TARGETS_FILE: /conf/connect_targets.json
+      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
+      DISCOVERY_URL: "./conf/central_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
       NO_PROXY: dnpm-beam-proxy,dnpm-backend
       RUST_LOG: ${RUST_LOG:-info}
     volumes:
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
index 9a3cbf4..db1969a 100644
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@@ -7,7 +7,9 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_DISCOVERY_URL="https://dnpm.medizin.uni-tuebingen.de/sites"
+	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
+	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
 
 	# Optionally, start bwhc as well. This is currently only experimental
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then

From ee727fb22049bbff9c2e0a659b30695e6c900040 Mon Sep 17 00:00:00 2001
From: "p.delpy@dkfz-heidelberg.de" <p.delpy@dkfz-heidelberg.de>
Date: Tue, 16 May 2023 08:56:31 +0200
Subject: [PATCH 185/213] add max-time for curl monitoring

---
 lib/monitoring.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/monitoring.sh b/lib/monitoring.sh
index 87e66bc..c3eb9fc 100755
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -47,8 +47,8 @@ function hc_send(){
 
     if [ -n "$2" ]; then
         MSG="$2\n\nDocker stats:\n$UPTIME"
-        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     else
-        https_proxy=$HTTPS_PROXY_URL curl -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        https_proxy=$HTTPS_PROXY_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
     fi
 }

From 7b753c03c008a4946ea43f40cc2532e4767fa3aa Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Tue, 16 May 2023 10:46:17 +0200
Subject: [PATCH 186/213] Add minimal project to readme

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5acb5f0..9d95d32 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ To request a new repository, please contact your research network administration
 - For the ccp project: support-ccp@dkfz-heidelberg.de
 
 Mention:
-- which project you belong to, i.e. "bbmri" or "ccp"
+- which project you belong to, i.e. "bbmri", "ccp", or "minimal"
 - site name (According to conventions listed above)
 - operator name and email
 
@@ -248,7 +248,7 @@ Your Bridgehead's actual data is not stored in the above directories, but in nam
 
 Your Bridgehead will automatically and regularly check for updates. Whenever something has been updates (e.g., one of the git repositories or one of the docker images), your Bridgehead is automatically restarted. This should happen automatically and does not need any configuration.
 
-If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
+If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT>.timer`.
 
 ### Auto-Backups
 

From 2de6504832f677f23481a875cdd8b52551ae9719 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Tue, 16 May 2023 11:57:27 +0200
Subject: [PATCH 187/213] Change blaze tag to latest

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 ccp/exliquid-compose.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 07658f4..c32d8f3 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 209ee70..38ba27e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -54,7 +54,7 @@ services:
       SITE_NAME: ${SITE_NAME}
 
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
index d5bb351..becf99a 100644
--- a/ccp/exliquid-compose.yml
+++ b/ccp/exliquid-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   exliquid-task-store:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.19
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.20
     container_name: bridgehead-exliquid-task-store
     environment:
       BASE_URL: "http://bridgehead-exliquid-task-store:8080"

From 4e7f023b8a3e050c9c591145510e3ee36a2bf939 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Tue, 16 May 2023 10:56:28 +0000
Subject: [PATCH 188/213] Clean up bwhc startup

---
 bbmri/modules/dnpm-compose-bwhc.yml           | 20 +++-----
 bbmri/modules/dnpm-setup.sh                   | 10 ++++
 ccp/modules/dnpm-compose-bwhc.yml             | 20 +++-----
 ccp/modules/dnpm-setup.sh                     | 10 ++++
 dnpm/dnpm-compose-beamconnect.yml             | 29 -----------
 dnpm/dnpm-compose-bwhc.yml                    | 51 -------------------
 dnpm/dnpm-setup.sh                            | 16 ------
 dnpm/origin/logback.xml                       | 37 --------------
 dnpm/vars                                     |  1 -
 .../modules/dnpm-backend.Dockerfile           |  0
 minimal/modules/dnpm-compose-bwhc.yml         | 20 +++-----
 .../modules/dnpm-frontend.Dockerfile          |  0
 minimal/modules/dnpm-setup.sh                 | 10 ++++
 13 files changed, 54 insertions(+), 170 deletions(-)
 delete mode 100644 dnpm/dnpm-compose-beamconnect.yml
 delete mode 100644 dnpm/dnpm-compose-bwhc.yml
 delete mode 100644 dnpm/dnpm-setup.sh
 delete mode 100644 dnpm/origin/logback.xml
 delete mode 100644 dnpm/vars
 rename dnpm/origin/Backend.Dockerfile => minimal/modules/dnpm-backend.Dockerfile (100%)
 rename dnpm/origin/Frontend.Dockerfile => minimal/modules/dnpm-frontend.Dockerfile (100%)

diff --git a/bbmri/modules/dnpm-compose-bwhc.yml b/bbmri/modules/dnpm-compose-bwhc.yml
index 9ba1357..a264728 100644
--- a/bbmri/modules/dnpm-compose-bwhc.yml
+++ b/bbmri/modules/dnpm-compose-bwhc.yml
@@ -4,21 +4,20 @@ services:
   dnpm-frontend:
     depends_on: [ dnpm-backend ]
     build:
-      context: ../../dnpm/origin
-      dockerfile: Frontend.Dockerfile
-      network: host
+      context: ../../minimal/modules
+      dockerfile: dnpm-frontend.Dockerfile
       args:
         NUXT_HOST: 0.0.0.0
         NUXT_PORT: 3000
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
         HTTP_PROXY: ${http_proxy}
         HTTPS_PROXY: ${https_proxy}
     environment:
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         no_proxy: dnpm-backend
     labels:
@@ -29,13 +28,11 @@ services:
 
   dnpm-backend:
     build:
-      context: ../../dnpm/origin
-      dockerfile: Backend.Dockerfile
+      context: ../../minimal/modules
+      dockerfile: dnpm-backend.Dockerfile
       args:
         BWHC_BASE_DIR: /bwhc-backend
         DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    ports:
-      - 9000:9000
     environment:
       APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
       ZPM_SITE: ${ZPM_SITE}
@@ -43,7 +40,6 @@ services:
       # PLAY_HTTP_PORT: 9000
       # PLAY_HTTP_ADDRESS: 0.0.0.0
     volumes:
-      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
       - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
       - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
       - bwhc_data:/bwhc-backend/data/
diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
index db1969a..ca98542 100644
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@@ -15,5 +15,15 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
 		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
 		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+
+		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
+		fi
+		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
+		fi
+		if [ -z "${ZPM_SITE}" ]; then
+			fail_and_report 1 "Variable ZPM_SITE is not set."
+		fi
 	fi
 fi
diff --git a/ccp/modules/dnpm-compose-bwhc.yml b/ccp/modules/dnpm-compose-bwhc.yml
index 9ba1357..a264728 100644
--- a/ccp/modules/dnpm-compose-bwhc.yml
+++ b/ccp/modules/dnpm-compose-bwhc.yml
@@ -4,21 +4,20 @@ services:
   dnpm-frontend:
     depends_on: [ dnpm-backend ]
     build:
-      context: ../../dnpm/origin
-      dockerfile: Frontend.Dockerfile
-      network: host
+      context: ../../minimal/modules
+      dockerfile: dnpm-frontend.Dockerfile
       args:
         NUXT_HOST: 0.0.0.0
         NUXT_PORT: 3000
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
         HTTP_PROXY: ${http_proxy}
         HTTPS_PROXY: ${https_proxy}
     environment:
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         no_proxy: dnpm-backend
     labels:
@@ -29,13 +28,11 @@ services:
 
   dnpm-backend:
     build:
-      context: ../../dnpm/origin
-      dockerfile: Backend.Dockerfile
+      context: ../../minimal/modules
+      dockerfile: dnpm-backend.Dockerfile
       args:
         BWHC_BASE_DIR: /bwhc-backend
         DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    ports:
-      - 9000:9000
     environment:
       APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
       ZPM_SITE: ${ZPM_SITE}
@@ -43,7 +40,6 @@ services:
       # PLAY_HTTP_PORT: 9000
       # PLAY_HTTP_ADDRESS: 0.0.0.0
     volumes:
-      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
       - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
       - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
       - bwhc_data:/bwhc-backend/data/
diff --git a/ccp/modules/dnpm-setup.sh b/ccp/modules/dnpm-setup.sh
index ce39731..c6c2b29 100644
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@@ -12,5 +12,15 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
 		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
 		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+
+		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
+		fi
+		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
+		fi
+		if [ -z "${ZPM_SITE}" ]; then
+			fail_and_report 1 "Variable ZPM_SITE is not set."
+		fi
 	fi
 fi
diff --git a/dnpm/dnpm-compose-beamconnect.yml b/dnpm/dnpm-compose-beamconnect.yml
deleted file mode 100644
index 57c46eb..0000000
--- a/dnpm/dnpm-compose-beamconnect.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-version: "3.7"
-
-services:
-  beam-proxy:
-    environment:
-      APP_2_ID: dnpm
-      APP_2_KEY: ${DNPM_BEAM_SECRET_SHORT}
-
-  dnpm-beam-connect:
-    depends_on: [ beam-proxy ]
-    image: samply/beam-connect:sites-without-auth
-    environment:
-      PROXY_URL: http://beam-proxy:8081
-      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm.${PROXY_ID}
-      DISCOVERY_URL: ${DNPM_DISCOVERY_URL}
-      LOCAL_TARGETS_FILE: /run/secrets/connect_targets.json
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: beam-proxy,dnpm-backend
-      RUST_LOG: ${RUST_LOG:-info}
-    secrets:
-      - connect_targets.json
-    ports:
-      - 8062:8062
-
-secrets:
-  connect_targets.json:
-    file: /etc/bridgehead/dnpm/local_targets.json
diff --git a/dnpm/dnpm-compose-bwhc.yml b/dnpm/dnpm-compose-bwhc.yml
deleted file mode 100644
index 60fe3f0..0000000
--- a/dnpm/dnpm-compose-bwhc.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-frontend:
-    depends_on: [ dnpm-backend ]
-    build:
-      context: ../dnpm/origin
-      dockerfile: Frontend.Dockerfile
-      network: host
-      args:
-        NUXT_HOST: 0.0.0.0
-        NUXT_PORT: 3000
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
-        BACKEND_PORT: 9000
-        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
-        HTTP_PROXY: ${http_proxy}
-        HTTPS_PROXY: ${https_proxy}
-    ports:
-        - 3000:3000
-    environment:
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
-        BACKEND_PORT: 9000
-        no_proxy: dnpm-backend
-
-  dnpm-backend:
-    build:
-      context: ../dnpm/origin
-      dockerfile: Backend.Dockerfile
-      args:
-        BWHC_BASE_DIR: /bwhc-backend
-        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    ports:
-      - 9000:9000
-    environment:
-      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
-      ZPM_SITE: ${ZPM_SITE}
-      noproxy: dnpm-frontend,connect
-      # PLAY_HTTP_PORT: 9000
-      # PLAY_HTTP_ADDRESS: 0.0.0.0
-    volumes:
-      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
-      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
-      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
-      - bwhc_data:/bwhc-backend/data/
-      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
-
-volumes:
-  bwhc_data:
-  bwhc_hgnc_data:
diff --git a/dnpm/dnpm-setup.sh b/dnpm/dnpm-setup.sh
deleted file mode 100644
index ff32c68..0000000
--- a/dnpm/dnpm-setup.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-function dnpmSetup() {
-	if [ -e /etc/bridgehead/dnpm/local_targets.json ]; then
-		log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
-		OVERRIDE+=" -f ./dnpm/dnpm-compose-beamconnect.yml"
-		DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-		DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-		source /srv/docker/bridgehead/dnpm/vars || fail_and_report 1 "Unable to load /srv/docker/bridgehead/dnpm/vars"
-		export DNPM_DISCOVERY_URL
-		if [ -e /etc/bridgehead/dnpm/bwhcConnectorConfig.xml ]; then
-			log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
-			OVERRIDE+=" -f ./dnpm/dnpm-compose-bwhc.yml"
-		fi
-	fi
-}
diff --git a/dnpm/origin/logback.xml b/dnpm/origin/logback.xml
deleted file mode 100644
index c25cda6..0000000
--- a/dnpm/origin/logback.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-
-<configuration scan="true">
-
-  <property name="LOG_DIR"  value="./bwhc_logs/"/>
-  <property name="LOG_FILE" value="bwhealthcloud"/>
-
-  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-    <encoder>
-      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
-    </encoder>
-  </appender>
-
-<!--
-  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
-    <file>${LOG_DIR}/${LOG_FILE}.log</file>
-
-    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-      <fileNamePattern>${LOG_DIR}/${LOG_FILE}-%d{yyyy-MM-dd}.log</fileNamePattern>
-
-      <maxHistory>30</maxHistory>
-      <totalSizeCap>3GB</totalSizeCap>
-    </rollingPolicy>
-
-    <encoder>
-      <pattern>%d [%thread] %-5level %logger{36} - %msg%n</pattern>
-    </encoder>
-  </appender>
--->
-  <root level="DEBUG">
-    <appender-ref ref="STDOUT"/>
-<!--
-    <appender-ref ref="FILE"/>
--->
-  </root>
-
-</configuration>
diff --git a/dnpm/vars b/dnpm/vars
deleted file mode 100644
index 69c2220..0000000
--- a/dnpm/vars
+++ /dev/null
@@ -1 +0,0 @@
-DNPM_DISCOVERY_URL=https://dnpm.medizin.uni-tuebingen.de/sites
diff --git a/dnpm/origin/Backend.Dockerfile b/minimal/modules/dnpm-backend.Dockerfile
similarity index 100%
rename from dnpm/origin/Backend.Dockerfile
rename to minimal/modules/dnpm-backend.Dockerfile
diff --git a/minimal/modules/dnpm-compose-bwhc.yml b/minimal/modules/dnpm-compose-bwhc.yml
index 9ba1357..a264728 100644
--- a/minimal/modules/dnpm-compose-bwhc.yml
+++ b/minimal/modules/dnpm-compose-bwhc.yml
@@ -4,21 +4,20 @@ services:
   dnpm-frontend:
     depends_on: [ dnpm-backend ]
     build:
-      context: ../../dnpm/origin
-      dockerfile: Frontend.Dockerfile
-      network: host
+      context: ../../minimal/modules
+      dockerfile: dnpm-frontend.Dockerfile
       args:
         NUXT_HOST: 0.0.0.0
         NUXT_PORT: 3000
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
         HTTP_PROXY: ${http_proxy}
         HTTPS_PROXY: ${https_proxy}
     environment:
-        BACKEND_PROTOCOL: ${DNPM_BMHC_BACKEND_PROTOCOL}
-        BACKEND_HOSTNAME: ${DNPM_BWHC_BACKEND_HOSTNAME}
+        BACKEND_PROTOCOL: http
+        BACKEND_HOSTNAME: dnpm-backend
         BACKEND_PORT: 9000
         no_proxy: dnpm-backend
     labels:
@@ -29,13 +28,11 @@ services:
 
   dnpm-backend:
     build:
-      context: ../../dnpm/origin
-      dockerfile: Backend.Dockerfile
+      context: ../../minimal/modules
+      dockerfile: dnpm-backend.Dockerfile
       args:
         BWHC_BASE_DIR: /bwhc-backend
         DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    ports:
-      - 9000:9000
     environment:
       APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
       ZPM_SITE: ${ZPM_SITE}
@@ -43,7 +40,6 @@ services:
       # PLAY_HTTP_PORT: 9000
       # PLAY_HTTP_ADDRESS: 0.0.0.0
     volumes:
-      - ../dnpm/origin/logback.xml:/bwhc-backend/logback.xml:ro
       - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
       - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
       - bwhc_data:/bwhc-backend/data/
diff --git a/dnpm/origin/Frontend.Dockerfile b/minimal/modules/dnpm-frontend.Dockerfile
similarity index 100%
rename from dnpm/origin/Frontend.Dockerfile
rename to minimal/modules/dnpm-frontend.Dockerfile
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
index db1969a..ca98542 100644
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@@ -15,5 +15,15 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
 		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
 		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
+
+		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
+		fi
+		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
+			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
+		fi
+		if [ -z "${ZPM_SITE}" ]; then
+			fail_and_report 1 "Variable ZPM_SITE is not set."
+		fi
 	fi
 fi

From f4134bcfca5f3f96974568c57ad5c2651990cf1a Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 17 May 2023 09:26:55 +0000
Subject: [PATCH 189/213] Remove DNPM-BwHC experiment

---
 bbmri/modules/dnpm-compose-bwhc.yml           | 50 --------------
 ...mpose-beamconnect.yml => dnpm-compose.yml} |  0
 bbmri/modules/dnpm-setup.sh                   | 18 +----
 ccp/modules/dnpm-compose-bwhc.yml             | 50 --------------
 ...mpose-beamconnect.yml => dnpm-compose.yml} |  0
 ccp/modules/dnpm-setup.sh                     | 18 +----
 minimal/modules/dnpm-backend.Dockerfile       | 66 -------------------
 minimal/modules/dnpm-compose-bwhc.yml         | 50 --------------
 ...mpose-beamconnect.yml => dnpm-compose.yml} |  0
 minimal/modules/dnpm-frontend.Dockerfile      | 42 ------------
 minimal/modules/dnpm-setup.sh                 | 18 +----
 11 files changed, 3 insertions(+), 309 deletions(-)
 delete mode 100644 bbmri/modules/dnpm-compose-bwhc.yml
 rename bbmri/modules/{dnpm-compose-beamconnect.yml => dnpm-compose.yml} (100%)
 delete mode 100644 ccp/modules/dnpm-compose-bwhc.yml
 rename ccp/modules/{dnpm-compose-beamconnect.yml => dnpm-compose.yml} (100%)
 delete mode 100644 minimal/modules/dnpm-backend.Dockerfile
 delete mode 100644 minimal/modules/dnpm-compose-bwhc.yml
 rename minimal/modules/{dnpm-compose-beamconnect.yml => dnpm-compose.yml} (100%)
 delete mode 100644 minimal/modules/dnpm-frontend.Dockerfile

diff --git a/bbmri/modules/dnpm-compose-bwhc.yml b/bbmri/modules/dnpm-compose-bwhc.yml
deleted file mode 100644
index a264728..0000000
--- a/bbmri/modules/dnpm-compose-bwhc.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-frontend:
-    depends_on: [ dnpm-backend ]
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-frontend.Dockerfile
-      args:
-        NUXT_HOST: 0.0.0.0
-        NUXT_PORT: 3000
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
-        HTTP_PROXY: ${http_proxy}
-        HTTPS_PROXY: ${https_proxy}
-    environment:
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        no_proxy: dnpm-backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
-      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-frontend.tls=true"
-
-  dnpm-backend:
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-backend.Dockerfile
-      args:
-        BWHC_BASE_DIR: /bwhc-backend
-        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    environment:
-      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
-      ZPM_SITE: ${ZPM_SITE}
-      noproxy: dnpm-frontend,dnpm-beam-connect
-      # PLAY_HTTP_PORT: 9000
-      # PLAY_HTTP_ADDRESS: 0.0.0.0
-    volumes:
-      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
-      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
-      - bwhc_data:/bwhc-backend/data/
-      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
-
-volumes:
-  bwhc_data:
-  bwhc_hgnc_data:
diff --git a/bbmri/modules/dnpm-compose-beamconnect.yml b/bbmri/modules/dnpm-compose.yml
similarity index 100%
rename from bbmri/modules/dnpm-compose-beamconnect.yml
rename to bbmri/modules/dnpm-compose.yml
diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
index ca98542..4ece115 100644
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@@ -2,7 +2,7 @@
 
 if [ -n "${ENABLE_DNPM}" ]; then
 	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
@@ -10,20 +10,4 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
-
-	# Optionally, start bwhc as well. This is currently only experimental
-	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
-		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
-		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
-
-		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
-		fi
-		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
-		fi
-		if [ -z "${ZPM_SITE}" ]; then
-			fail_and_report 1 "Variable ZPM_SITE is not set."
-		fi
-	fi
 fi
diff --git a/ccp/modules/dnpm-compose-bwhc.yml b/ccp/modules/dnpm-compose-bwhc.yml
deleted file mode 100644
index a264728..0000000
--- a/ccp/modules/dnpm-compose-bwhc.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-frontend:
-    depends_on: [ dnpm-backend ]
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-frontend.Dockerfile
-      args:
-        NUXT_HOST: 0.0.0.0
-        NUXT_PORT: 3000
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
-        HTTP_PROXY: ${http_proxy}
-        HTTPS_PROXY: ${https_proxy}
-    environment:
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        no_proxy: dnpm-backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
-      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-frontend.tls=true"
-
-  dnpm-backend:
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-backend.Dockerfile
-      args:
-        BWHC_BASE_DIR: /bwhc-backend
-        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    environment:
-      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
-      ZPM_SITE: ${ZPM_SITE}
-      noproxy: dnpm-frontend,dnpm-beam-connect
-      # PLAY_HTTP_PORT: 9000
-      # PLAY_HTTP_ADDRESS: 0.0.0.0
-    volumes:
-      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
-      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
-      - bwhc_data:/bwhc-backend/data/
-      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
-
-volumes:
-  bwhc_data:
-  bwhc_hgnc_data:
diff --git a/ccp/modules/dnpm-compose-beamconnect.yml b/ccp/modules/dnpm-compose.yml
similarity index 100%
rename from ccp/modules/dnpm-compose-beamconnect.yml
rename to ccp/modules/dnpm-compose.yml
diff --git a/ccp/modules/dnpm-setup.sh b/ccp/modules/dnpm-setup.sh
index c6c2b29..c9250cb 100644
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@@ -2,25 +2,9 @@
 
 if [ -n "${ENABLE_DNPM}" ]; then
 	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-
-	# Optionally, start bwhc as well. This is currently only experimental
-	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
-		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
-		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
-
-		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
-		fi
-		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
-		fi
-		if [ -z "${ZPM_SITE}" ]; then
-			fail_and_report 1 "Variable ZPM_SITE is not set."
-		fi
-	fi
 fi
diff --git a/minimal/modules/dnpm-backend.Dockerfile b/minimal/modules/dnpm-backend.Dockerfile
deleted file mode 100644
index e37c008..0000000
--- a/minimal/modules/dnpm-backend.Dockerfile
+++ /dev/null
@@ -1,66 +0,0 @@
-FROM openjdk:11-jre AS builder
-
-ARG DNPM_BWHC_BACKEND_ZIP
-
-# Change to latest release
-ARG VERSION=broker
-
-ARG BWHC_BASE_DIR=/bwhc-backend
-
-ENV BWHC_BASE_DIR=$BWHC_BASE_DIR
-ENV BWHC_USER_DB_DIR=$BWHC_BASE_DIR/data/user-db
-ENV BWHC_DATA_ENTRY_DIR=$BWHC_BASE_DIR/data/data-entry
-ENV BWHC_QUERY_DATA_DIR=$BWHC_BASE_DIR/data/query-data
-
-ADD ${DNPM_BWHC_BACKEND_ZIP} /
-RUN unzip $(basename ${DNPM_BWHC_BACKEND_ZIP}) && rm $(basename ${DNPM_BWHC_BACKEND_ZIP})
-
-WORKDIR $BWHC_BASE_DIR
-
-# Prepare config file to use environment variables from docker
-RUN sed -i -r "s/APPLICATION_SECRET(.*)/#APPLICATION_SECRET\1/" ./config
-RUN sed -i -r "s/ZPM_SITE(.*)/#ZPM_SITE\1/" ./config
-
-# Prepare config file to use fix environment variables for this image
-RUN sed -i -r "s~BWHC_DATA_ENTRY_DIR.*~BWHC_DATA_ENTRY_DIR=$BWHC_DATA_ENTRY_DIR~" ./config
-RUN sed -i -r "s~BWHC_QUERY_DATA_DIR.*~BWHC_QUERY_DATA_DIR=$BWHC_QUERY_DATA_DIR~" ./config
-RUN sed -i -r "s~BWHC_USER_DB_DIR.*~BWHC_USER_DB_DIR=$BWHC_USER_DB_DIR~" ./config
-
-RUN ./install.sh $BWHC_BASE_DIR
-
-RUN mv bwhc-rest-api-gateway-*/  bwhc-rest-api-gateway/
-
-FROM openjdk:11-jre
-
-ARG BWHC_BASE_DIR=/bwhc-backend
-
-ENV BWHC_BASE_DIR=$BWHC_BASE_DIR
-ENV BWHC_USER_DB_DIR=$BWHC_BASE_DIR/data/user-db
-ENV BWHC_DATA_ENTRY_DIR=$BWHC_BASE_DIR/data/data-entry
-ENV BWHC_QUERY_DATA_DIR=$BWHC_BASE_DIR/data/query-data
-ENV BWHC_CONNECTOR_CONFIG=$BWHC_BASE_DIR/bwhcConnectorConfig.xml
-
-COPY --from=builder $BWHC_BASE_DIR/config $BWHC_BASE_DIR/
-COPY --from=builder $BWHC_BASE_DIR/bwhcConnectorConfig.xml $BWHC_BASE_DIR/
-COPY --from=builder $BWHC_BASE_DIR/logback.xml $BWHC_BASE_DIR/
-COPY --from=builder $BWHC_BASE_DIR/production.conf $BWHC_BASE_DIR/
-COPY --from=builder $BWHC_BASE_DIR/bwhc-rest-api-gateway/ $BWHC_BASE_DIR/bwhc-rest-api-gateway/
-
-VOLUME $BWHC_BASE_DIR/data
-VOLUME $BWHC_BASE_DIR/hgnc_data
-
-EXPOSE ${BWHC_BACKEND_PORT}
-
-WORKDIR $BWHC_BASE_DIR
-
-CMD $BWHC_BASE_DIR/bwhc-rest-api-gateway/bin/bwhc-rest-api-gateway \
-    -Dplay.http.secret.key=$APPLICATION_SECRET \
-    -Dconfig.file=$BWHC_BASE_DIR/production.conf \
-    -Dlogger.file=$BWHC_BASE_DIR/logback.xml \
-    -Dpidfile.path=/dev/null \
-    -Dbwhc.zpm.site=$ZPM_SITE \
-    -Dbwhc.data.entry.dir=$BWHC_DATA_ENTRY_DIR \
-    -Dbwhc.query.data.dir=$BWHC_QUERY_DATA_DIR \
-    -Dbwhc.user.data.dir=$BWHC_USER_DB_DIR \
-    -Dbwhc.hgnc.dir=$BWHC_HGNC_DIR \
-    -Dbwhc.connector.configFile=$BWHC_CONNECTOR_CONFIG
diff --git a/minimal/modules/dnpm-compose-bwhc.yml b/minimal/modules/dnpm-compose-bwhc.yml
deleted file mode 100644
index a264728..0000000
--- a/minimal/modules/dnpm-compose-bwhc.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-frontend:
-    depends_on: [ dnpm-backend ]
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-frontend.Dockerfile
-      args:
-        NUXT_HOST: 0.0.0.0
-        NUXT_PORT: 3000
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        DNPM_BWHC_FRONTEND_ZIP: ${DNPM_BWHC_FRONTEND_ZIP}
-        HTTP_PROXY: ${http_proxy}
-        HTTPS_PROXY: ${https_proxy}
-    environment:
-        BACKEND_PROTOCOL: http
-        BACKEND_HOSTNAME: dnpm-backend
-        BACKEND_PORT: 9000
-        no_proxy: dnpm-backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/dnpm-frontend`)"
-      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-frontend.tls=true"
-
-  dnpm-backend:
-    build:
-      context: ../../minimal/modules
-      dockerfile: dnpm-backend.Dockerfile
-      args:
-        BWHC_BASE_DIR: /bwhc-backend
-        DNPM_BWHC_BACKEND_ZIP: ${DNPM_BWHC_BACKEND_ZIP}
-    environment:
-      APPLICATION_SECRET: ${DNPM_APPLICATION_SECRET}
-      ZPM_SITE: ${ZPM_SITE}
-      noproxy: dnpm-frontend,dnpm-beam-connect
-      # PLAY_HTTP_PORT: 9000
-      # PLAY_HTTP_ADDRESS: 0.0.0.0
-    volumes:
-      - /etc/bridgehead/dnpm/bwhcConnectorConfig.xml:/bwhc-backend/bwhcConnectorConfig.xml:ro
-      - /etc/bridgehead/dnpm/production.conf:/bwhc-backend/production.conf:ro
-      - bwhc_data:/bwhc-backend/data/
-      - bwhc_hgnc_data:/bwhc-backend/hgnc_data/
-
-volumes:
-  bwhc_data:
-  bwhc_hgnc_data:
diff --git a/minimal/modules/dnpm-compose-beamconnect.yml b/minimal/modules/dnpm-compose.yml
similarity index 100%
rename from minimal/modules/dnpm-compose-beamconnect.yml
rename to minimal/modules/dnpm-compose.yml
diff --git a/minimal/modules/dnpm-frontend.Dockerfile b/minimal/modules/dnpm-frontend.Dockerfile
deleted file mode 100644
index 1d4bb30..0000000
--- a/minimal/modules/dnpm-frontend.Dockerfile
+++ /dev/null
@@ -1,42 +0,0 @@
-FROM node:10-alpine
-
-ARG DNPM_BWHC_FRONTEND_ZIP
-
-# Change to latest release
-# Required for image build using local copy of zip file
-ARG VERSION=2207
-
-# nuxt host and port to be replaced in package.json. (See 2.3 in bwHCPrototypeManual)
-# NUXT_HOST should have a value with public available IP address from within container.
-# If changing NUXT_PORT, also change exposed port.
-ARG NUXT_HOST=0.0.0.0
-ARG NUXT_PORT=3000
-
-# Backend access setup. (See 2.4 in bwHCPrototypeManual)
-ARG BACKEND_PROTOCOL=http
-ARG BACKEND_HOSTNAME=localhost
-ARG BACKEND_PORT=8080
-
-ARG HTTP_PROXY=""
-ARG HTTPS_PROXY=""
-
-ADD ${DNPM_BWHC_FRONTEND_ZIP} /
-RUN unzip $(basename ${DNPM_BWHC_FRONTEND_ZIP}) && rm $(basename ${DNPM_BWHC_FRONTEND_ZIP})
-
-WORKDIR /bwhc-frontend
-
-RUN npm install
-
-# Prepare package.json
-RUN sed -i -r "s/^(\s*)\"host\"[^,]*(,?)/\1\"host\": \"$NUXT_HOST\"\2/" ./package.json
-RUN sed -i -r "s/^(\s*)\"port\"[^,]*(,?)/\1\"port\": \"$NUXT_PORT\"\2/" ./package.json
-
-# Prepare nuxt.config.js
-RUN sed -i -r "s/^(\s*)baseUrl[^,]*(,?)/\1baseUrl: process.env.BASE_URL || '$BACKEND_PROTOCOL:\/\/$BACKEND_HOSTNAME'\2/" ./nuxt.config.js
-RUN sed -i -r "s/^(\s*)port[^,]*(,?)/\1port: process.env.port || ':$BACKEND_PORT'\2/" ./nuxt.config.js
-
-RUN npm run generate
-
-EXPOSE $NUXT_PORT
-
-CMD npm start
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
index ca98542..4ece115 100644
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@@ -2,7 +2,7 @@
 
 if [ -n "${ENABLE_DNPM}" ]; then
 	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-beamconnect.yml"
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
@@ -10,20 +10,4 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
-
-	# Optionally, start bwhc as well. This is currently only experimental
-	if [ -n "${ENABLE_DNPM_BWHC}" ]; then
-		log INFO "DNPM setup detected (with Frontend/Backend) -- will start BWHC Frontend/Backend. This is highly experimental!"
-		OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose-bwhc.yml"
-
-		if [ -z "${DNPM_BWHC_FRONTEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_FRONTEND_ZIP is not set."
-		fi
-		if [ -z "${DNPM_BWHC_BACKEND_ZIP}" ]; then
-			fail_and_report 1 "Variable DNPM_BWHC_BACKEND_ZIP is not set."
-		fi
-		if [ -z "${ZPM_SITE}" ]; then
-			fail_and_report 1 "Variable ZPM_SITE is not set."
-		fi
-	fi
 fi

From a18b63e190a2ec26c5a666d8038e430f547e6d12 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 17 May 2023 10:04:35 +0000
Subject: [PATCH 190/213] Use cached beam-connect image for dnpm

---
 bbmri/modules/dnpm-compose.yml   | 3 ++-
 ccp/modules/dnpm-compose.yml     | 3 ++-
 minimal/modules/dnpm-compose.yml | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/bbmri/modules/dnpm-compose.yml b/bbmri/modules/dnpm-compose.yml
index 90f6cf1..0175bf5 100644
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@@ -23,7 +23,8 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
-    image: samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index 2dce251..2f523b9 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -8,7 +8,8 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ beam-proxy ]
-    image: samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index 16cfdb9..a2eb0b0 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -23,7 +23,8 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
-    image: samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}

From ff4fb06ad158c6ac86bee8461834f77f1e9f9105 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 19 May 2023 11:53:03 +0000
Subject: [PATCH 191/213] Address review comments

---
 README.md                        | 2 +-
 bbmri/modules/dnpm-compose.yml   | 2 +-
 bbmri/modules/dnpm-setup.sh      | 4 ++--
 bbmri/vars                       | 2 +-
 bridgehead                       | 4 ++--
 ccp/modules/dnpm-compose.yml     | 2 +-
 ccp/modules/dnpm-setup.sh        | 4 ++--
 ccp/vars                         | 2 +-
 minimal/modules/dnpm-compose.yml | 2 +-
 minimal/modules/dnpm-setup.sh    | 4 ++--
 minimal/vars                     | 2 +-
 11 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 550f563..8daab1f 100644
--- a/README.md
+++ b/README.md
@@ -85,7 +85,7 @@ To request a new repository, please contact your research network administration
 - For the ccp project: support-ccp@dkfz-heidelberg.de
 
 Mention:
-- which project you belong to, i.e. "bbmri", "ccp", or "minimal"
+- which project you belong to, i.e. "bbmri" or "ccp"
 - site name (According to conventions listed above)
 - operator name and email
 
diff --git a/bbmri/modules/dnpm-compose.yml b/bbmri/modules/dnpm-compose.yml
index 0175bf5..48d58de 100644
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@@ -23,7 +23,7 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:dnpm
     container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
index 4ece115..c8b003e 100644
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	log DEBUG "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
diff --git a/bbmri/vars b/bbmri/vars
index b5be616..21aeaec 100644
--- a/bbmri/vars
+++ b/bbmri/vars
@@ -8,7 +8,7 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
 for module in $PROJECT/modules/*.sh
 do
-    log INFO "sourcing $module"
+    log DEBUG "sourcing $module"
     source $module
 done
 
diff --git a/bridgehead b/bridgehead
index 8d35708..b14d1d3 100755
--- a/bridgehead
+++ b/bridgehead
@@ -56,7 +56,7 @@ loadVars() {
 	OVERRIDE=${OVERRIDE:=""}
 	# minimal contains shared components, so potential overrides must be applied in every project
 	if [ -f "minimal/docker-compose.override.yml" ]; then
-		log INFO "Applying minimal/docker-compose.override.yml"
+		log INFO "Applying Bridgehead common components override (minimal/docker-compose.override.yml)"
 		OVERRIDE+=" -f ./minimal/docker-compose.override.yml"
 	fi
 	if [ -f "$PROJECT/docker-compose.override.yml" ]; then
@@ -78,7 +78,7 @@ case "$ACTION" in
 		;;
 	stop)
 		loadVars
-		# HACK: This is tempoarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
+		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index 2f523b9..a4ef1aa 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -8,7 +8,7 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:dnpm
     container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://beam-proxy:8081
diff --git a/ccp/modules/dnpm-setup.sh b/ccp/modules/dnpm-setup.sh
index c9250cb..04659eb 100644
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@@ -1,10 +1,10 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	log DEBUG "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 fi
diff --git a/ccp/vars b/ccp/vars
index 2a295f4..a180d82 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -21,6 +21,6 @@ mtbaSetup
 
 for module in $PROJECT/modules/*.sh
 do
-    log INFO "sourcing $module"
+    log DEBUG "sourcing $module"
     source $module
 done
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index a2eb0b0..f320ead 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -23,7 +23,7 @@ services:
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:sites-without-auth
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:dnpm
     container_name: bridgehead-dnpm-beam-connect
     environment:
       PROXY_URL: http://dnpm-beam-proxy:8081
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
index 4ece115..c8b003e 100644
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@@ -1,11 +1,11 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
+	log DEBUG "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
diff --git a/minimal/vars b/minimal/vars
index acca503..fe661ed 100644
--- a/minimal/vars
+++ b/minimal/vars
@@ -1,5 +1,5 @@
 for module in $PROJECT/modules/*.sh
 do
-    log INFO "sourcing $module"
+    log DEBUG "sourcing $module"
     source $module
 done

From f02587d9fadb6e7349aacbaf64343022624e2dc3 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Thu, 25 May 2023 11:20:18 +0000
Subject: [PATCH 192/213] Change DNPM broker id

---
 bbmri/modules/dnpm-setup.sh   | 2 +-
 minimal/modules/dnpm-setup.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bbmri/modules/dnpm-setup.sh b/bbmri/modules/dnpm-setup.sh
index c8b003e..7b3be9a 100644
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@@ -7,7 +7,7 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
 fi
diff --git a/minimal/modules/dnpm-setup.sh b/minimal/modules/dnpm-setup.sh
index c8b003e..7b3be9a 100644
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@@ -7,7 +7,7 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.dev.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
 fi

From a00fed7df27d266797fb837691e27da3f21eea57 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 1 Jun 2023 10:26:14 +0200
Subject: [PATCH 193/213] Changed as result of onboarding experience on the
 30th

* Proxy and firewall adjustments were highlighted.
* The need to register with the Directory and obtain a default
  Collection ID was mentioned.
---
 README.md | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index cc70d45..446f88f 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ This repository is the starting point for any information and tools you will nee
     - [Hardware](#hardware)
     - [Software](#software)
     - [Network](#network)
+    - [Register with a Directory](#register-with-a-directory)
 2. [Deployment](#deployment)
     - [Site name](#site-name)
     - [Projects](#projects)
@@ -57,10 +58,31 @@ Note for Ubuntu: Please note that snap versions of Docker are not supported.
 
 ### Network
 
-Since it needs to carry sensitive patient data, Bridgeheads are intended to be deployed within your institution's secure network and behave well even in networks in strict security settings, e.g. firewall rules. The only connectivity required is an outgoing HTTPS proxy. TLS termination is supported, too (see [below](#tls-terminating-proxies))
+A running Bridgehead requires an outgoing HTTPS proxy to communicate with the central components.
+
+Additionally, your site might use its own proxy. You should discuss this with your local systems administration. If a proxy is being used, you will need to note down the URL of the proxy. If it is a secure proxy, then you will also need to make a note of its username and password. This information will be used later on during the installation process.
+
+Note that git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators.
+
+If there is a site firewall, this needs to be configured so that git and Docker can reach the outside world. Another job for the systems administrators.
 
 Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
 
+### Register with a Directory
+
+The [Directory][https://directory.bbmri-eric.eu] is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator][https://negotiator.bbmri-eric.eu/login.xhtml].
+
+Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
+
+Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
+
+* Log in to the Directory for your country.
+* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
+* You will need to create at least one collection.
+* Note the biobank ID and the collection ID that you have created - these will be needed when you register with the Locator (see below).
+
+Once you have registered, you should choose one of your Collections as a default collection for your biobank. This is the Collection that will be automatically used to label any samples that have not been assigned a Collection ID in your ETL process. Make a note of this ID, you will need it later on in the installation process.
+
 ## Deployment
 
 ### Site name
@@ -140,7 +162,7 @@ cd /srv/docker/bridgehead
 sudo ./bridgehead enroll <PROJECT>
 ```
 
-... and follow the instructions on the screen. You should then be prompted to do the next step:
+... and follow the instructions on the screen. Please send your default Collection ID and the display name of your site together with the certificate request when you enroll. You should then be prompted to do the next step:
 
 ### Starting and stopping your Bridgehead
 

From 906b98f26e65027559ee3a9928d2882a3b5fa774 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 1 Jun 2023 10:40:48 +0200
Subject: [PATCH 194/213] Simplified the Directory registration section

---
 README.md | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 446f88f..89694d1 100644
--- a/README.md
+++ b/README.md
@@ -70,18 +70,11 @@ Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to c
 
 ### Register with a Directory
 
-The [Directory][https://directory.bbmri-eric.eu] is a BBMRI project that aims to catalog all biobanks in Europe and beyond. Each biobank is given its own unique ID and the Directory maintains counts of the number of donors and the number of samples held at each biobank. You are strongly encouraged to register with the Directory, because this opens the door to further services, such as the [Negotiator][https://negotiator.bbmri-eric.eu/login.xhtml].
+If you run a biobank, you should register with the [Directory][https://directory.bbmri-eric.eu], a BBMRI project that catalogs biobanks.
 
-Generally, you should register with the BBMRI national node for the country where your biobank is based. You can find a list of contacts for the national nodes [here](http://www.bbmri-eric.eu/national-nodes/). If your country is not in this list, or you have any questions, please contact the [BBMRI helpdesk](mailto:directory@helpdesk.bbmri-eric.eu). If your biobank is for COVID samples, you can also take advantage of an accelerated registration process [here](https://docs.google.com/forms/d/e/1FAIpQLSdIFfxADikGUf1GA0M16J0HQfc2NHJ55M_E47TXahju5BlFIQ).
+To do this, contact the BBMRI national node for the country where your biobank is based, see [the list of nodes](http://www.bbmri-eric.eu/national-nodes/).
 
-Your national node will give you detailed instructions for registering, but for your information, here are the basic steps:
-
-* Log in to the Directory for your country.
-* Add your biobank and enter its details, including contact information for a person involved in running the biobank.
-* You will need to create at least one collection.
-* Note the biobank ID and the collection ID that you have created - these will be needed when you register with the Locator (see below).
-
-Once you have registered, you should choose one of your Collections as a default collection for your biobank. This is the Collection that will be automatically used to label any samples that have not been assigned a Collection ID in your ETL process. Make a note of this ID, you will need it later on in the installation process.
+Once you have registered, **you should choose one of your sample collections as a default collection for your biobank**. This is the collection that will be automatically used to label any samples that have not been assigned a collection ID in your ETL process. Make a note of this ID, you will need it later on in the installation process.
 
 ## Deployment
 

From 156590724393a0cdacaff15c8fbb80608e980e25 Mon Sep 17 00:00:00 2001
From: Croft <d506t@ad.dkfz-heidelberg.de>
Date: Thu, 1 Jun 2023 10:47:30 +0200
Subject: [PATCH 195/213] Minor text and formatting improvements

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 89694d1..3cd198e 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ This repository is the starting point for any information and tools you will nee
     - [Hardware](#hardware)
     - [Software](#software)
     - [Network](#network)
-    - [Register with a Directory](#register-with-a-directory)
+    - [Register with the Directory](#register-with-the-directory)
 2. [Deployment](#deployment)
     - [Site name](#site-name)
     - [Projects](#projects)
@@ -68,9 +68,9 @@ If there is a site firewall, this needs to be configured so that git and Docker
 
 Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
 
-### Register with a Directory
+### Register with the Directory
 
-If you run a biobank, you should register with the [Directory][https://directory.bbmri-eric.eu], a BBMRI project that catalogs biobanks.
+If you run a biobank, you should register with the [Directory](https://directory.bbmri-eric.eu), a BBMRI project that catalogs biobanks.
 
 To do this, contact the BBMRI national node for the country where your biobank is based, see [the list of nodes](http://www.bbmri-eric.eu/national-nodes/).
 

From c41ebd226d1c76a71c16d3b7ec3148c6c5326d1f Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Fri, 16 Jun 2023 16:24:48 +0200
Subject: [PATCH 196/213] =?UTF-8?q?DKTK=20local=20spot=20->=20focus=20?=
 =?UTF-8?q?=F0=9F=A5=B3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ccp/docker-compose.yml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 209ee70..910bac7 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -71,15 +71,17 @@ services:
       - "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
       - "traefik.http.routers.blaze_ccp.tls=true"
 
-  spot:
-    image: docker.verbis.dkfz.de/cache/samply/spot:latest
-    container_name: bridgehead-spot
+  focus:
+    image: docker.verbis.dkfz.de/cache/samply/focus:develop
+    container_name: bridgehead-focus
     environment:
-      SECRET: ${SPOT_BEAM_SECRET_LONG}
-      APPID: spot
+      SECRET: ${FOCUS_BEAM_SECRET_SHORT}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID}
       PROXY_ID: ${PROXY_ID}
-      LDM_URL: http://bridgehead-ccp-blaze:8080/fhir
-      BEAM_PROXY: http://beam-proxy:8081
+      BLAZE_URL: "http://bridgehead-ccp-blaze:8080/fhir/"
+      BEAM_PROXY_URL: http://beam-proxy:8081
+      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
+      OBFUSCATE: "no"
     depends_on:
       - "beam-proxy"
       - "blaze"
@@ -90,8 +92,8 @@ services:
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
-      APP_0_ID: spot
-      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      APP_0_ID: focus
+      APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       APP_1_ID: report-hub
       APP_1_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem

From 9dadd3efa0497ac09ddbf5ac9877075fb0083b03 Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Fri, 16 Jun 2023 16:28:22 +0200
Subject: [PATCH 197/213] variables

---
 ccp/vars | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccp/vars b/ccp/vars
index 5172d24..cc0bccd 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -1,8 +1,8 @@
 BROKER_ID=broker.dev.ccp-it.dktk.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
-SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=32
 REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de

From 5642141f3f69279f3ab722567680c9d83219560d Mon Sep 17 00:00:00 2001
From: Enola Knezevic <enola.knezevic@dkfz-heidelberg.de>
Date: Mon, 19 Jun 2023 10:32:39 +0200
Subject: [PATCH 198/213] CCP focus develop -> main

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 910bac7..bc462f7 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -72,7 +72,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:develop
+    image: docker.verbis.dkfz.de/cache/samply/focus:main
     container_name: bridgehead-focus
     environment:
       SECRET: ${FOCUS_BEAM_SECRET_SHORT}

From b1ee2fa5f42b13e7b47eba837ca9d69cf23ccbdd Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 19 Jun 2023 13:25:22 +0200
Subject: [PATCH 199/213] New beam-proxy api key syntax

---
 bbmri/docker-compose.yml | 3 +--
 ccp/docker-compose.yml   | 6 ++----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 07658f4..c37ff71 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -91,8 +91,7 @@ services:
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
-      APP_0_ID: focus
-      APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index bc462f7..ac104f8 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -92,10 +92,8 @@ services:
     environment:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
-      APP_0_ID: focus
-      APP_0_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      APP_1_ID: report-hub
-      APP_1_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
+      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      APP_report-hub_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs

From 2f20082d4c3a97efda7661023d93e3c3a48023f1 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 19 Jun 2023 13:32:47 +0200
Subject: [PATCH 200/213] Change focus tag to main

---
 bbmri/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 07658f4..e00ed67 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -72,7 +72,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:develop
+    image: docker.verbis.dkfz.de/cache/samply/focus:main
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}

From 23a500aae948bae2802dd9d55b8a28265aac3410 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 19 Jun 2023 13:33:26 +0200
Subject: [PATCH 201/213] focus: Rename SECRET to API_KEY

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index bc462f7..624766d 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -75,7 +75,7 @@ services:
     image: docker.verbis.dkfz.de/cache/samply/focus:main
     container_name: bridgehead-focus
     environment:
-      SECRET: ${FOCUS_BEAM_SECRET_SHORT}
+      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
       BEAM_APP_ID_LONG: focus.${PROXY_ID}
       PROXY_ID: ${PROXY_ID}
       BLAZE_URL: "http://bridgehead-ccp-blaze:8080/fhir/"

From 12991e4796320e127833ae319c54467273ac4c63 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 28 Jun 2023 11:16:15 +0200
Subject: [PATCH 202/213] Fix enrollment for minimal bh

---
 bridgehead   | 17 ++++++++++++++++-
 minimal/vars |  1 +
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index b14d1d3..9824e3b 100755
--- a/bridgehead
+++ b/bridgehead
@@ -105,7 +105,22 @@ case "$ACTION" in
 		;;
 	enroll)
 		loadVars
-		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+
+		MANUAL_PROXY_ID="${3:-$PROXY_ID}"
+		if [ -z "$MANUAL_PROXY_ID" ]; then
+			log ERROR "No Proxy ID set"
+			exit 1
+		else
+			log INFO "Enrolling Beam Proxy Id $MANUAL_PROXY_ID"
+		fi
+
+		if [ -z "$SUPPORT_EMAIL" ]; then
+			EMAIL_PARAM=""
+		else
+			EMAIL_PARAM="--admin-email $SUPPORT_EMAIL"
+		fi
+			
+		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $EMAIL_PARAM
 		chmod 600 $PRIVATEKEYFILENAME
 		;;
 	preRun | preUpdate)
diff --git a/minimal/vars b/minimal/vars
index fe661ed..11d07ff 100644
--- a/minimal/vars
+++ b/minimal/vars
@@ -3,3 +3,4 @@ do
     log DEBUG "sourcing $module"
     source $module
 done
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

From f0d423fcf7944525566460c49cf0ba1e27ce9392 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 28 Jun 2023 11:48:47 +0200
Subject: [PATCH 203/213] Adapt to new beam app syntax

---
 bbmri/modules/dnpm-compose.yml   | 3 +--
 ccp/modules/dnpm-compose.yml     | 4 +---
 minimal/modules/dnpm-compose.yml | 3 +--
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/bbmri/modules/dnpm-compose.yml b/bbmri/modules/dnpm-compose.yml
index 48d58de..0cbc45f 100644
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@@ -7,8 +7,7 @@ services:
     environment:
       BROKER_URL: ${DNPM_BROKER_URL}
       PROXY_ID: ${DNPM_PROXY_ID}
-      APP_0_ID: dnpm-connect
-      APP_0_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index a4ef1aa..9286d32 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -3,9 +3,7 @@ version: "3.7"
 services:
   beam-proxy:
     environment:
-      APP_3_ID: dnpm-connect
-      APP_3_KEY: ${DNPM_BEAM_SECRET_SHORT}
-
+      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
   dnpm-beam-connect:
     depends_on: [ beam-proxy ]
     image: docker.verbis.dkfz.de/cache/samply/beam-connect:dnpm
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index f320ead..276f5ff 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -7,8 +7,7 @@ services:
     environment:
       BROKER_URL: ${DNPM_BROKER_URL}
       PROXY_ID: ${DNPM_PROXY_ID}
-      APP_0_ID: dnpm-connect
-      APP_0_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs

From a0333864648907037ed3b6111b8bf06d3606439c Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Wed, 28 Jun 2023 15:38:05 +0200
Subject: [PATCH 204/213] Absolute path for beam root cert

---
 bbmri/docker-compose.yml | 2 +-
 ccp/docker-compose.yml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml
index 8ad8211..07f1a2f 100644
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@@ -50,7 +50,7 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - ./root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/bbmri/root.crt.pem:/conf/root.crt.pem:ro
 
 volumes:
   blaze-data:
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 7b7e129..786acc9 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -52,7 +52,7 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - ./root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
 
 
 volumes:

From f41e7df8204fe68e6f506c0b57760d94f88e4d09 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Thu, 29 Jun 2023 07:52:11 +0000
Subject: [PATCH 205/213] Fix docker namespaces step 1 of 2

---
 bridgehead | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 9824e3b..6481ef0 100755
--- a/bridgehead
+++ b/bridgehead
@@ -74,7 +74,7 @@ case "$ACTION" in
 		checkRequirements
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		export LDM_LOGIN=$(getLdmPassword)
-		exec $COMPOSE -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
+		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars

From 431eceb07198fbd062ea457c8ce542d063aa42df Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Thu, 29 Jun 2023 08:27:00 +0000
Subject: [PATCH 206/213] Fix docker namespaces step 2 of 2

---
 bridgehead | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bridgehead b/bridgehead
index 6481ef0..2709f8c 100755
--- a/bridgehead
+++ b/bridgehead
@@ -80,7 +80,7 @@ case "$ACTION" in
 		loadVars
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
-		exec $COMPOSE -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
+		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		;;
 	is-running)
 		bk_is_running

From 6d94ebd4eb671c5ce8d04663dbcd1237b59150f3 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 30 Jun 2023 06:02:32 +0000
Subject: [PATCH 207/213] Add path stripper

---
 bbmri/modules/dnpm-compose.yml   | 2 ++
 ccp/modules/dnpm-compose.yml     | 2 ++
 minimal/modules/dnpm-compose.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/bbmri/modules/dnpm-compose.yml b/bbmri/modules/dnpm-compose.yml
index 0cbc45f..9201fe4 100644
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@@ -40,6 +40,8 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
+      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
 
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index 9286d32..336ae1c 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -24,5 +24,7 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
+      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index 276f5ff..155ee9c 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -40,6 +40,8 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
+      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
 

From dd0c28daf32dd021df2f9695696366e83fde2ea0 Mon Sep 17 00:00:00 2001
From: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>
Date: Fri, 30 Jun 2023 07:50:18 +0000
Subject: [PATCH 208/213] Add new dktk root cert

---
 bbmri/modules/dnpm-compose.yml   |  2 +-
 ccp/root-new.crt.pem             | 20 ++++++++++++++++++++
 minimal/modules/dnpm-compose.yml |  2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 ccp/root-new.crt.pem

diff --git a/bbmri/modules/dnpm-compose.yml b/bbmri/modules/dnpm-compose.yml
index 9201fe4..d7a253e 100644
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@@ -18,7 +18,7 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/ccp/root-new.crt.pem:/conf/root.crt.pem:ro
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
diff --git a/ccp/root-new.crt.pem b/ccp/root-new.crt.pem
new file mode 100644
index 0000000..100011d
--- /dev/null
+++ b/ccp/root-new.crt.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUN7yzueIZzwpe8PaPEIMY8zoH+eMwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjMwNTIzMTAxNzIzWhcNMzMw
+NTIwMTAxNzUzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAN5JAj+HydSGaxvA0AOcrXVTZ9FfsH0cMVBlQb72
+bGZgrRvkqtB011TNXZfsHl7rPxCY61DcsDJfFq3+8VHT+S9HE0qV1bEwP+oA3xc4
+Opq77av77cNNOqDC7h+jyPhHcUaE33iddmrH9Zn2ofWTSkKHHu3PAe5udCrc2QnD
+4PLRF6gqiEY1mcGknJrXj1ff/X0nRY/m6cnHNXz0Cvh8oPOtbdfGgfZjID2/fJNP
+fNoNKqN+5oJAZ+ZZ9id9rBvKj1ivW3F2EoGjZF268SgZzc5QrM/D1OpSBQf5SF/V
+qUPcQTgt9ry3YR+SZYazLkfKMEOWEa0WsqJVgXdQ6FyergcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEa70kcseqU5
+bHx2zSt4bG21HokhMB8GA1UdIwQYMBaAFEa70kcseqU5bHx2zSt4bG21HokhMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCGmE7NXW4T
+6J4mV3b132cGEMD7grx5JeiXK5EHMlswUS+Odz0NcBNzhUHdG4WVMbrilHbI5Ua+
+6jdKx5WwnqzjQvElP0MCw6sH/35gbokWgk1provOP99WOFRsQs+9Sm8M2XtMf9HZ
+m3wABwU/O+dhZZ1OT1PjSZD0OKWKqH/KvlsoF5R6P888KpeYFiIWiUNS5z21Jm8A
+ZcllJjiRJ60EmDwSUOQVJJSMOvtr6xTZDZLtAKSN8zN08lsNGzyrFwqjDwU0WTqp
+scMXEGBsWQjlvxqDnXyljepR0oqRIjOvgrWaIgbxcnu98tK/OdBGwlAPKNUW7Crr
+vO+eHxl9iqd4
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml
index 155ee9c..549ed91 100644
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@@ -18,7 +18,7 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/ccp/root-new.crt.pem:/conf/root.crt.pem:ro
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]

From f5102756854216bd025916a8021a4c6e8cc380cb Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 30 Jun 2023 12:30:19 +0200
Subject: [PATCH 209/213] Deleted EXLIQUID setup + compose

---
 ccp/exliquid-compose.yml | 34 ----------------------------------
 ccp/exliquid-setup.sh    | 19 -------------------
 ccp/vars                 |  2 --
 3 files changed, 55 deletions(-)
 delete mode 100644 ccp/exliquid-compose.yml
 delete mode 100644 ccp/exliquid-setup.sh

diff --git a/ccp/exliquid-compose.yml b/ccp/exliquid-compose.yml
deleted file mode 100644
index becf99a..0000000
--- a/ccp/exliquid-compose.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-version: "3.7"
-
-services:
-  exliquid-task-store:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.20
-    container_name: bridgehead-exliquid-task-store
-    environment:
-      BASE_URL: "http://bridgehead-exliquid-task-store:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx1g"
-    volumes:
-    - "exliquid-task-store-data:/app/data"
-    labels:
-      - "traefik.enable=false"
-
-  exliquid-report-hub:
-    image: docker.verbis.dkfz.de/cache/samply/report-hub:latest
-    container_name: bridgehead-exliquid-report-hub
-    environment:
-      SPRING_WEBFLUX_BASE_PATH: "/exliquid"
-      JAVA_TOOL_OPTIONS: "-Xmx1g"
-      APP_BEAM_APPID: "report-hub.${PROXY_ID}"
-      APP_BEAM_SECRET: ${REPORTHUB_BEAM_SECRET_SHORT}
-      APP_BEAM_PROXY_BASEURL: http://beam-proxy:8081
-      APP_TASKSTORE_BASEURL: "http://bridgehead-exliquid-task-store:8080/fhir"
-      APP_DATASTORE_BASEURL:  http://bridgehead-ccp-blaze:8080/fhir
-    restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.report-ccp.rule=PathPrefix(`/exliquid`)"
-      - "traefik.http.services.report-ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.report-ccp.tls=true"
-
-volumes:
-  exliquid-task-store-data:
\ No newline at end of file
diff --git a/ccp/exliquid-setup.sh b/ccp/exliquid-setup.sh
deleted file mode 100644
index 91909eb..0000000
--- a/ccp/exliquid-setup.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-function exliquidSetup() {
-	case ${SITE_ID} in
-		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tum|mannheim|tuebingen)
-			EXLIQUID=1
-			;;
-		dktk-test)
-			EXLIQUID=1
-			;;
-		*)
-			EXLIQUID=0
-			;;
-	esac
-	if [[ $EXLIQUID -eq 1 ]]; then
-		log INFO "EXLIQUID setup detected -- will start Report-Hub."
-		OVERRIDE+=" -f ./$PROJECT/exliquid-compose.yml"
-	fi
-}
\ No newline at end of file
diff --git a/ccp/vars b/ccp/vars
index f3ef8ce..b642a9d 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -15,8 +15,6 @@ idManagementSetup
 source $PROJECT/nngm-setup.sh
 nngmSetup
 
-source $PROJECT/exliquid-setup.sh
-exliquidSetup
 mtbaSetup
 
 for module in $PROJECT/modules/*.sh

From 512f335da871a1526705965860ca3fe45a0a8618 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 30 Jun 2023 12:32:25 +0200
Subject: [PATCH 210/213] Removed Report-Hub env var

---
 ccp/docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 786acc9..1e5be26 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -41,7 +41,6 @@ services:
       BROKER_URL: ${BROKER_URL}
       PROXY_ID: ${PROXY_ID}
       APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      APP_report-hub_KEY: ${REPORTHUB_BEAM_SECRET_SHORT}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs

From 9ca3e0059e5378f5214f5f7ae7c369974d7c4594 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Fri, 30 Jun 2023 12:33:34 +0200
Subject: [PATCH 211/213] Rmoved generated of report-hub secret

---
 ccp/vars | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ccp/vars b/ccp/vars
index b642a9d..420b0d0 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -3,8 +3,6 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=32
-REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 

From b311ff7831d476d86675a55f0785b3d5bb900749 Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Wed, 12 Jul 2023 08:53:16 +0200
Subject: [PATCH 212/213] Docs: Move info about BBMRI-ERIC Directory

---
 README.md | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 0c7e1fb..012d28c 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,6 @@ This repository is the starting point for any information and tools you will nee
     - [Hardware](#hardware)
     - [Software](#software)
     - [Network](#network)
-    - [Register with the Directory](#register-with-the-directory)
 2. [Deployment](#deployment)
     - [Site name](#site-name)
     - [Projects](#projects)
@@ -22,6 +21,7 @@ This repository is the starting point for any information and tools you will nee
     - [HTTPS Access](#https-access)
     - [TLS terminating proxies](#tls-terminating-proxies)
     - [File structure](#file-structure)
+    - [BBMRI-ERIC Directory](#bbmri-eric-directory)
 4. [Things you should know](#things-you-should-know)
     - [Auto-Updates](#auto-updates)
     - [Auto-Backups](#auto-backups)
@@ -68,14 +68,6 @@ If there is a site firewall, this needs to be configured so that git and Docker
 
 Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
 
-### Register with the Directory
-
-If you run a biobank, you should register with the [Directory](https://directory.bbmri-eric.eu), a BBMRI project that catalogs biobanks.
-
-To do this, contact the BBMRI national node for the country where your biobank is based, see [the list of nodes](http://www.bbmri-eric.eu/national-nodes/).
-
-Once you have registered, **you should choose one of your sample collections as a default collection for your biobank**. This is the collection that will be automatically used to label any samples that have not been assigned a collection ID in your ETL process. Make a note of this ID, you will need it later on in the installation process.
-
 ## Deployment
 
 ### Site name
@@ -255,9 +247,15 @@ All of the Bridgehead's outgoing connections are secured by transport encryption
 
 Your Bridgehead's actual data is not stored in the above directories, but in named docker volumes, see `docker volume ls` and `docker volume inspect <volume_name>`.
 
-### Directory sync
+### BBMRI-ERIC Directory
 
-This is an optional feature for bbmri projects. It keeps the [BBMRI Directory](https://directory.bbmri-eric.eu/) up to date with your local data eg. number of samples. It also updates the local FHIR store with the latest contact details etc. from the Directory.  You must explicitly set your country specific directory url, username and password to enable this feature.
+If you run a biobank, you should register with the [Directory](https://directory.bbmri-eric.eu), a BBMRI-ERIC project that catalogs biobanks.
+
+To do this, contact the BBMRI-ERIC national node for the country where your biobank is based, see [the list of nodes](http://www.bbmri-eric.eu/national-nodes/).
+
+Once you have registered, **you should choose one of your sample collections as a default collection for your biobank**. This is the collection that will be automatically used to label any samples that have not been assigned a collection ID in your ETL process. Make a note of this ID, you will need it later on in the installation process.
+
+The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory url, username and password to enable this feature.
 
 Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 
@@ -274,7 +272,7 @@ You must contact the Directory for your national node to find the URL, and to re
 
 Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention.
 
-Once you edited the gitlab config. The bridgehead will autoupdate the config with the values and will sync the data.
+Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.
 
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 

From 0a12720e4cdfee34133eee9e0c993ccf878e5fd8 Mon Sep 17 00:00:00 2001
From: Torben Brenner <t.brenner@dkfz-heidelberg.de>
Date: Tue, 25 Jul 2023 13:27:21 +0200
Subject: [PATCH 213/213] fix: ensure id-management redirects with ssl

---
 ccp/modules/id-management-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index be1375e..f7a48fd 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -5,6 +5,7 @@ services:
     container_name: bridgehead-id-manager
     environment:
       TOMCAT_REVERSEPROXY_FQDN: ${HOST}
+      TOMCAT_REVERSEPROXY_SSL: "true"
       MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
       MAGICPL_ALLOWED_ORIGINS: https://${HOST}
       MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}