mirror of https://github.com/samply/bridgehead.git
Adapt to changes in main
This commit is contained in:
commit
cfb1bed7b4
@ -4,3 +4,6 @@ site-config/*
## Ignore site configuration
|
## Ignore site configuration
|
||||||
*/docker-compose.override.yml
|
*/docker-compose.override.yml
|
||||||
|
|
||||||
|
## MAC OS
|
||||||
|
.DS_Store
|
||||||
|
|
|
@ -64,7 +64,7 @@ Additionally, your site might use its own proxy. You should discuss this with yo
|
||||||
|
|
||||||
Note that git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators.
|
Note that git and Docker may also need to be configured to use this proxy. This is a job for your systems administrators.
|
||||||
|
|
||||||
If there is a site firewall, this needs to be configured so that git and Docker can reach the outside world. Another job for the systems administrators.
|
If there is a site firewall, this needs to be configured so that outgoing calls to the following URLs are allowed: *.dkfz.de, github.com, docker.io, *.docker.io, *.samply.de.
|
||||||
|
|
||||||
Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
|
Note for Ubuntu: Please note that the uncomplicated firewall (ufw) is known to conflict with Docker [here](https://github.com/chaifeng/ufw-docker).
|
||||||
|
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
function dirSetup() {
|
|
||||||
if [ -n "$DS_DIRECTORY_USER_NAME" ]; then
|
|
||||||
log INFO "Directory sync setup detected -- will start directory sync service."
|
|
||||||
OVERRIDE+=" -f ./$PROJECT/directory-sync-compose.yml"
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,5 +1,7 @@
|
||||||
version: "3.7"
|
version: "3.7"
|
||||||
|
|
||||||
|
# This includes only the shared persistence for BBMRI-ERIC and GBN. Federation components are included as modules, see vars.
|
||||||
|
|
||||||
services:
|
services:
|
||||||
blaze:
|
blaze:
|
||||||
image: docker.verbis.dkfz.de/cache/samply/blaze:latest
|
image: docker.verbis.dkfz.de/cache/samply/blaze:latest
|
||||||
|
@ -19,42 +21,10 @@ services:
|
||||||
- "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
|
- "traefik.http.routers.blaze_ccp.middlewares=ccp_b_strip,auth"
|
||||||
- "traefik.http.routers.blaze_ccp.tls=true"
|
- "traefik.http.routers.blaze_ccp.tls=true"
|
||||||
|
|
||||||
focus:
|
|
||||||
image: docker.verbis.dkfz.de/cache/samply/focus:main
|
|
||||||
container_name: bridgehead-focus
|
|
||||||
environment:
|
|
||||||
API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
|
|
||||||
BEAM_APP_ID_LONG: focus.${PROXY_ID}
|
|
||||||
PROXY_ID: ${PROXY_ID}
|
|
||||||
BLAZE_URL: "http://bridgehead-bbmri-blaze:8080/fhir/"
|
|
||||||
BEAM_PROXY_URL: http://beam-proxy:8081
|
|
||||||
RETRY_COUNT: ${FOCUS_RETRY_COUNT}
|
|
||||||
depends_on:
|
|
||||||
- "beam-proxy"
|
|
||||||
- "blaze"
|
|
||||||
|
|
||||||
beam-proxy:
|
|
||||||
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
|
|
||||||
container_name: bridgehead-beam-proxy
|
|
||||||
environment:
|
|
||||||
BROKER_URL: ${BROKER_URL}
|
|
||||||
PROXY_ID: ${PROXY_ID}
|
|
||||||
APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
|
|
||||||
PRIVKEY_FILE: /run/secrets/proxy.pem
|
|
||||||
ALL_PROXY: http://forward_proxy:3128
|
|
||||||
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
|
|
||||||
ROOTCERT_FILE: /conf/root.crt.pem
|
|
||||||
secrets:
|
|
||||||
- proxy.pem
|
|
||||||
depends_on:
|
|
||||||
- "forward_proxy"
|
|
||||||
volumes:
|
|
||||||
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
|
|
||||||
- /srv/docker/bridgehead/bbmri/root.crt.pem:/conf/root.crt.pem:ro
|
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
blaze-data:
|
blaze-data:
|
||||||
|
|
||||||
|
# used in modules *-locator.yml
|
||||||
secrets:
|
secrets:
|
||||||
proxy.pem:
|
proxy.pem:
|
||||||
file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
|
file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
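Review bot: The comment added above `secrets:` says the `proxy.pem` secret is `used in modules *-locator.yml`, but the module files this commit adds that actually consume it are `eric-compose.yml` and `gbn-compose.yml`; no `*-locator.yml` is visible anywhere in the commit, so the pointer sends the reader to the wrong place. Suggest `# used by the beam-proxy services in modules/eric-compose.yml and modules/gbn-compose.yml`. Note also that there is a single `proxy.pem` secret pointing at `/etc/bridgehead/pki/${SITE_ID}.priv.pem`, so when ERIC and GBN are both enabled the two federation proxies share one private key; if that is intended it is worth stating in the same comment, because it is not obvious from either module file.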
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ -n "${DS_DIRECTORY_USER_NAME}" ]; then
|
||||||
|
log INFO "Directory sync setup detected -- will start directory sync service."
|
||||||
|
OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml"
|
||||||
|
fi
|
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
if [ -n "${ENABLE_DNPM}" ]; then
|
if [ -n "${ENABLE_DNPM}" ]; then
|
||||||
log DEBUG "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
|
log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
|
||||||
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
|
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
|
||||||
|
|
||||||
# Set variables required for Beam-Connect
|
# Set variables required for Beam-Connect
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
version: "3.7"
|
||||||
|
|
||||||
|
services:
|
||||||
|
focus-eric:
|
||||||
|
image: docker.verbis.dkfz.de/cache/samply/focus:main
|
||||||
|
container_name: bridgehead-focus-eric
|
||||||
|
environment:
|
||||||
|
API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
|
||||||
|
BEAM_APP_ID_LONG: focus.${ERIC_PROXY_ID}
|
||||||
|
PROXY_ID: ${ERIC_PROXY_ID}
|
||||||
|
BLAZE_URL: "http://blaze:8080/fhir/"
|
||||||
|
BEAM_PROXY_URL: http://beam-proxy-eric:8081
|
||||||
|
RETRY_COUNT: ${FOCUS_RETRY_COUNT}
|
||||||
|
depends_on:
|
||||||
|
- "beam-proxy-eric"
|
||||||
|
- "blaze"
|
||||||
|
|
||||||
|
beam-proxy-eric:
|
||||||
|
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
|
||||||
|
container_name: bridgehead-beam-proxy-eric
|
||||||
|
environment:
|
||||||
|
BROKER_URL: ${ERIC_BROKER_URL}
|
||||||
|
PROXY_ID: ${ERIC_PROXY_ID}
|
||||||
|
APP_focus_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
|
||||||
|
PRIVKEY_FILE: /run/secrets/proxy.pem
|
||||||
|
ALL_PROXY: http://forward_proxy:3128
|
||||||
|
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
|
||||||
|
ROOTCERT_FILE: /conf/root.crt.pem
|
||||||
|
secrets:
|
||||||
|
- proxy.pem
|
||||||
|
depends_on:
|
||||||
|
- "forward_proxy"
|
||||||
|
volumes:
|
||||||
|
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
|
||||||
|
- /srv/docker/bridgehead/bbmri/modules/eric.root.crt.pem:/conf/root.crt.pem:ro
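Review bot: Both images in this new file are pulled by floating branch tags — `samply/focus:main` and `samply/beam-proxy:develop` — so what a site actually runs changes on every image pull without any commit to this repository, and `develop` in particular names a pre-release branch for the component that holds the site's private key. The same two tags are used in the new `gbn-compose.yml`. Consider pinning to a release tag, or to a digest such as `image: docker.verbis.dkfz.de/cache/samply/beam-proxy@sha256:<DIGEST-PLACEHOLDER>`, and bumping it deliberately; at minimum a comment on the `image:` line saying why the proxy tracks `develop` would tell the next reader this is a conscious choice rather than an oversight.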
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ "${ENABLE_ERIC}" == "true" ]; then
|
||||||
|
log INFO "BBMRI-ERIC setup detected -- will start services for BBMRI-ERIC."
|
||||||
|
OVERRIDE+=" -f ./$PROJECT/modules/eric-compose.yml"
|
||||||
|
|
||||||
|
# Set required variables
|
||||||
|
ERIC_BROKER_ID=broker.bbmri.samply.de
|
||||||
|
ERIC_BROKER_URL=https://${ERIC_BROKER_ID}
|
||||||
|
ERIC_PROXY_ID=${SITE_ID}.${ERIC_BROKER_ID}
|
||||||
|
ERIC_FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
||||||
|
ERIC_SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
|
||||||
|
fi
|
|
@ -0,0 +1,36 @@
|
||||||
|
version: "3.7"
|
||||||
|
|
||||||
|
services:
|
||||||
|
focus-gbn:
|
||||||
|
image: docker.verbis.dkfz.de/cache/samply/focus:main
|
||||||
|
container_name: bridgehead-focus-gbn
|
||||||
|
environment:
|
||||||
|
API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
|
||||||
|
BEAM_APP_ID_LONG: focus.${GBN_PROXY_ID}
|
||||||
|
PROXY_ID: ${GBN_PROXY_ID}
|
||||||
|
BLAZE_URL: "http://blaze:8080/fhir/"
|
||||||
|
BEAM_PROXY_URL: http://beam-proxy-gbn:8081
|
||||||
|
RETRY_COUNT: ${FOCUS_RETRY_COUNT}
|
||||||
|
depends_on:
|
||||||
|
- "beam-proxy-gbn"
|
||||||
|
- "blaze"
|
||||||
|
|
||||||
|
beam-proxy-gbn:
|
||||||
|
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
|
||||||
|
container_name: bridgehead-beam-proxy-gbn
|
||||||
|
environment:
|
||||||
|
BROKER_URL: ${GBN_BROKER_URL}
|
||||||
|
PROXY_ID: ${GBN_PROXY_ID}
|
||||||
|
APP_focus_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
|
||||||
|
PRIVKEY_FILE: /run/secrets/proxy.pem
|
||||||
|
ALL_PROXY: http://forward_proxy:3128
|
||||||
|
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
|
||||||
|
ROOTCERT_FILE: /conf/root.crt.pem
|
||||||
|
secrets:
|
||||||
|
- proxy.pem
|
||||||
|
depends_on:
|
||||||
|
- "forward_proxy"
|
||||||
|
volumes:
|
||||||
|
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
|
||||||
|
- /srv/docker/bridgehead/bbmri/modules/gbn.root.crt.pem:/conf/root.crt.pem:ro
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ "${ENABLE_GBN}" == "true" ]; then
|
||||||
|
log INFO "GBN setup detected -- will start services for German Biobank Node."
|
||||||
|
OVERRIDE+=" -f ./$PROJECT/modules/gbn-compose.yml"
|
||||||
|
|
||||||
|
# Set required variables
|
||||||
|
GBN_BROKER_ID='#TODO#'
|
||||||
|
GBN_BROKER_URL=https://${GBN_BROKER_ID}
|
||||||
|
GBN_PROXY_ID=${SITE_ID}.${GBN_BROKER_ID}
|
||||||
|
GBN_FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
||||||
|
GBN_SUPPORT_EMAIL=todo@verbis.dkfz.de
|
||||||
|
fi
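Review bot: With `ENABLE_GBN=true` the placeholder values are used as-is: `GBN_BROKER_ID='#TODO#'` yields `GBN_BROKER_URL=https://#TODO#` and `GBN_PROXY_ID=${SITE_ID}.#TODO#`, which then flow into `do_enroll_inner` and into the beam-proxy environment in `gbn-compose.yml`, and `GBN_SUPPORT_EMAIL=todo@verbis.dkfz.de` would be submitted as the admin address. The one-line `#TODO#` file in the following hunk (presumably the `gbn.root.crt.pem` that `gbn-compose.yml` mounts as `/conf/root.crt.pem`) is in the same state. Until the real broker exists, fail loudly rather than enrolling against a placeholder: `if [ "$GBN_BROKER_ID" == '#TODO#' ]; then log ERROR "GBN broker is not configured yet -- set ENABLE_GBN=false"; exit 1; fi` directly after the assignment. `ENABLE_GBN` defaults to `false` in `bbmri/vars`, so only sites that opt in are affected, but those sites get no hint of why enrollment fails.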
|
|
@ -0,0 +1 @@
|
||||||
|
#TODO#
|
36
bbmri/vars
36
bbmri/vars
|
@ -1,9 +1,10 @@
|
||||||
BROKER_ID=broker.bbmri.samply.de
|
# Makes sense for all European Biobanks
|
||||||
BROKER_URL=https://${BROKER_ID}
|
: ${ENABLE_ERIC:=true}
|
||||||
PROXY_ID=${SITE_ID}.${BROKER_ID}
|
|
||||||
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
# Makes only sense for German Biobanks
|
||||||
|
: ${ENABLE_GBN:=false}
|
||||||
|
|
||||||
FOCUS_RETRY_COUNT=32
|
FOCUS_RETRY_COUNT=32
|
||||||
SUPPORT_EMAIL=bridgehead@helpdesk.bbmri-eric.eu
|
|
||||||
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
|
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
|
||||||
|
|
||||||
for module in $PROJECT/modules/*.sh
|
for module in $PROJECT/modules/*.sh
|
||||||
|
@ -12,6 +13,25 @@ do
|
||||||
source $module
|
source $module
|
||||||
done
|
done
|
||||||
|
|
||||||
# This will load directory-sync setup.
|
SUPPORT_EMAIL=$ERIC_SUPPORT_EMAIL
|
||||||
source $PROJECT/directory-sync.sh
|
BROKER_URL_FOR_PREREQ=$ERIC_BROKER_URL
|
||||||
dirSetup
|
|
||||||
|
if [ -n "$GBN_SUPPORT_EMAIL" ]; then
|
||||||
|
SUPPORT_EMAIL=$GBN_SUPPORT_EMAIL
|
||||||
|
fi
|
||||||
|
|
||||||
|
function do_enroll {
|
||||||
|
COUNT=0
|
||||||
|
if [ "$ENABLE_ERIC" == "true" ]; then
|
||||||
|
do_enroll_inner $ERIC_PROXY_ID $ERIC_SUPPORT_EMAIL
|
||||||
|
COUNT=$((COUNT+1))
|
||||||
|
fi
|
||||||
|
if [ "$ENABLE_GBN" == "true" ]; then
|
||||||
|
do_enroll_inner $GBN_PROXY_ID $GBN_SUPPORT_EMAIL
|
||||||
|
COUNT=$((COUNT+1))
|
||||||
|
fi
|
||||||
|
if [ $COUNT -ge 2 ]; then
|
||||||
|
echo
|
||||||
|
echo "You just received $COUNT certificate signing requests (CSR). Please send $COUNT e-mails, with 1 CSR each, to the respective e-mail address."
|
||||||
|
fi
|
||||||
|
}
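Review bot: `SUPPORT_EMAIL=$ERIC_SUPPORT_EMAIL` and `BROKER_URL_FOR_PREREQ=$ERIC_BROKER_URL` are assigned unconditionally, so a site running with `ENABLE_ERIC=false` (GBN only) performs the new prerequisites network check against an empty URL and, unless the `GBN_SUPPORT_EMAIL` branch below overrides it, enrolls with an empty support address. Guard both on `if [ "$ENABLE_ERIC" == "true" ]; then` and fall back to the `GBN_*` values otherwise. In `do_enroll`, both `do_enroll_inner` calls write to the same `$PRIVATEKEYFILENAME` (`/etc/bridgehead/pki/${SITE_ID}.priv.pem`); depending on whether beam-enroll regenerates an existing key — not visible here — the second CSR either invalidates the first or both brokers end up certifying the same private key, and a comment stating which outcome is intended would save the next reader the same investigation. This `do_enroll` also redefines the `do_enroll` that the same commit adds to `lib/functions.sh`, which only works if `vars` is sourced after `functions.sh`; a one-line `# overrides do_enroll from lib/functions.sh: enroll once per enabled federation` makes that ordering dependency visible.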
|
27
bridgehead
27
bridgehead
|
@ -73,7 +73,6 @@ case "$ACTION" in
|
||||||
hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
|
hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
|
||||||
checkRequirements
|
checkRequirements
|
||||||
hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
|
hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
|
||||||
export LDM_LOGIN=$(getLdmPassword)
|
|
||||||
exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
|
exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
|
@ -103,25 +102,17 @@ case "$ACTION" in
|
||||||
uninstall)
|
uninstall)
|
||||||
exec ./lib/uninstall-bridgehead.sh $PROJECT
|
exec ./lib/uninstall-bridgehead.sh $PROJECT
|
||||||
;;
|
;;
|
||||||
|
adduser)
|
||||||
|
loadVars
|
||||||
|
log "INFO" "Adding encrypted credentials in /etc/bridgehead/$PROJECT.local.conf"
|
||||||
|
read -p "Please choose the component (LDM_AUTH|NNGM_AUTH) you want to add a user to : " COMPONENT
|
||||||
|
read -p "Please enter a username: " USER
|
||||||
|
read -s -p "Please enter a password (will not be echoed): "$'\n' PASSWORD
|
||||||
|
add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT
|
||||||
|
;;
|
||||||
enroll)
|
enroll)
|
||||||
loadVars
|
loadVars
|
||||||
|
do_enroll $PROXY_ID
|
||||||
MANUAL_PROXY_ID="${3:-$PROXY_ID}"
|
|
||||||
if [ -z "$MANUAL_PROXY_ID" ]; then
|
|
||||||
log ERROR "No Proxy ID set"
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
log INFO "Enrolling Beam Proxy Id $MANUAL_PROXY_ID"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$SUPPORT_EMAIL" ]; then
|
|
||||||
EMAIL_PARAM=""
|
|
||||||
else
|
|
||||||
EMAIL_PARAM="--admin-email $SUPPORT_EMAIL"
|
|
||||||
fi
|
|
||||||
|
|
||||||
docker run --rm -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $EMAIL_PARAM
|
|
||||||
chmod 600 $PRIVATEKEYFILENAME
|
|
||||||
;;
|
;;
|
||||||
preRun | preUpdate)
|
preRun | preUpdate)
|
||||||
fixPermissions
|
fixPermissions
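Review bot: In the new `adduser)` branch the interactively read values are passed unquoted — `add_basic_auth_user $USER $PASSWORD $COMPONENT $PROJECT` — so a password containing a space or a glob character is word-split or expanded before it reaches `htpasswd`, and `COMPONENT` is never checked against the two names the prompt offers even though it becomes the `$NAME` key and the `sed` pattern inside `add_basic_auth_user`. Suggest `case "$COMPONENT" in LDM_AUTH|NNGM_AUTH) ;; *) log ERROR "Unknown component: $COMPONENT"; exit 1;; esac` after the first `read`, and `add_basic_auth_user "$USER" "$PASSWORD" "$COMPONENT" "$PROJECT"` for the call. Reading into `USER` also clobbers the shell's login-name variable; a name such as `AUTH_USER` avoids the surprise. The `case "$ACTION"` statement enclosing this branch starts and ends outside the hunk.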
|
||||||
|
|
|
@ -7,7 +7,6 @@ services:
|
||||||
environment:
|
environment:
|
||||||
BASE_URL: "http://bridgehead-ccp-blaze:8080"
|
BASE_URL: "http://bridgehead-ccp-blaze:8080"
|
||||||
JAVA_TOOL_OPTIONS: "-Xmx4g"
|
JAVA_TOOL_OPTIONS: "-Xmx4g"
|
||||||
LOG_LEVEL: "debug"
|
|
||||||
ENFORCE_REFERENTIAL_INTEGRITY: "false"
|
ENFORCE_REFERENTIAL_INTEGRITY: "false"
|
||||||
volumes:
|
volumes:
|
||||||
- "blaze-data:/app/data"
|
- "blaze-data:/app/data"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
if [ -n "${ENABLE_DNPM}" ]; then
|
if [ -n "${ENABLE_DNPM}" ]; then
|
||||||
log DEBUG "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
|
log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
|
||||||
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
|
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
|
||||||
|
|
||||||
# Set variables required for Beam-Connect
|
# Set variables required for Beam-Connect
|
||||||
|
|
|
@ -5,6 +5,7 @@ services:
|
||||||
container_name: bridgehead-id-manager
|
container_name: bridgehead-id-manager
|
||||||
environment:
|
environment:
|
||||||
TOMCAT_REVERSEPROXY_FQDN: ${HOST}
|
TOMCAT_REVERSEPROXY_FQDN: ${HOST}
|
||||||
|
TOMCAT_REVERSEPROXY_SSL: "true"
|
||||||
MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
|
MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
|
||||||
MAGICPL_ALLOWED_ORIGINS: https://${HOST}
|
MAGICPL_ALLOWED_ORIGINS: https://${HOST}
|
||||||
MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
|
MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
function mtbaSetup() {
|
||||||
|
# TODO: Check if ID-Management Module is activated!
|
||||||
|
if [ -n "$ENABLE_MTBA" ];then
|
||||||
|
log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
|
||||||
|
if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
|
||||||
|
log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
|
||||||
|
exit 1;
|
||||||
|
fi
|
||||||
|
OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
|
||||||
|
fi
|
||||||
|
}
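Review bot: `if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then` is a double negative; `if [ -z "$IDMANAGER_UPLOAD_APIKEY" ]; then` says the same thing directly, and `if [ -n "$ENABLE_MTBA" ];then` / `exit 1;` would be tidier as `]; then` / `exit 1`. The body is carried over unchanged from the removed `ccp/nngm-setup.sh`, which makes this a good moment to resolve the `# TODO: Check if ID-Management Module is activated!` comment — the check below already does exactly that via `IDMANAGER_UPLOAD_APIKEY`, so the comment now describes done work. A short note that `exit 1` inside this sourced function terminates the calling `bridgehead` script would also help, since that appears intended but is easy to miss in a module file.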
|
|
@ -18,7 +18,12 @@ services:
|
||||||
- "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
|
- "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
|
||||||
- "traefik.http.services.connector.loadbalancer.server.port=8080"
|
- "traefik.http.services.connector.loadbalancer.server.port=8080"
|
||||||
- "traefik.http.routers.connector.tls=true"
|
- "traefik.http.routers.connector.tls=true"
|
||||||
- "traefik.http.routers.connector.middlewares=connector_strip,auth"
|
- "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm"
|
||||||
volumes:
|
volumes:
|
||||||
- nngm-rest:/var/log
|
- nngm-rest:/var/log
|
||||||
|
|
||||||
|
traefik:
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}"
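Review bot: The new `auth-nngm` middleware is built from `${NNGM_AUTH}`, but according to the `lib/setup-bridgehead.sh` hunk that variable is only generated at install time when `NNGM_CTS_APIKEY` is already set (or migrated from `LDM_PASSWORD` by `update-bridgehead`), so a site that enables nNGM after installation renders a basicauth middleware with an empty users list; how traefik handles an empty `basicauth.users` is not visible here, so whether that fails closed is inferred. A cheap guard in `nngmSetup` (`ccp/modules/nngm-setup.sh`) would be `if [ -z "$NNGM_AUTH" ]; then log ERROR "nNGM is configured but NNGM_AUTH is empty -- run: bridgehead adduser ccp"; exit 1; fi`. A comment on the label line naming where `NNGM_AUTH` comes from would also spare the next reader the search.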
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
function nngmSetup() {
|
||||||
|
if [ -n "$NNGM_CTS_APIKEY" ]; then
|
||||||
|
log INFO "nNGM setup detected -- will start nNGM Connector."
|
||||||
|
OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml"
|
||||||
|
fi
|
||||||
|
}
|
|
@ -1,24 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
##nNGM vars:
|
|
||||||
#NNGM_MAGICPL_APIKEY
|
|
||||||
#NNGM_CTS_APIKEY
|
|
||||||
#NNGM_CRYPTKEY
|
|
||||||
|
|
||||||
function nngmSetup() {
|
|
||||||
if [ -n "$NNGM_CTS_APIKEY" ]; then
|
|
||||||
log INFO "nNGM setup detected -- will start nNGM Connector."
|
|
||||||
OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
function mtbaSetup() {
|
|
||||||
# TODO: Check if ID-Management Module is activated!
|
|
||||||
if [ -n "$ENABLE_MTBA" ];then
|
|
||||||
log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
|
|
||||||
if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
|
|
||||||
log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
|
|
||||||
exit 1;
|
|
||||||
fi
|
|
||||||
OVERRIDE+=" -f ./$PROJECT/mtba-compose.yml"
|
|
||||||
fi
|
|
||||||
}
|
|
|
@ -1,20 +1,20 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIDNTCCAh2gAwIBAgIUMeGRSrNPhRdQ1tU7uK5+lUa4f38wDQYJKoZIhvcNAQEL
|
MIIDNTCCAh2gAwIBAgIUN7yzueIZzwpe8PaPEIMY8zoH+eMwDQYJKoZIhvcNAQEL
|
||||||
BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIwOTI5MTQxMjU1WhcNMzIw
|
BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjMwNTIzMTAxNzIzWhcNMzMw
|
||||||
OTI2MTQxMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
|
NTIwMTAxNzUzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
|
||||||
AQEBBQADggEPADCCAQoCggEBAMYyroOUeb27mYzClOrjCmgIceLalsFA0aVCh5mZ
|
AQEBBQADggEPADCCAQoCggEBAN5JAj+HydSGaxvA0AOcrXVTZ9FfsH0cMVBlQb72
|
||||||
KtP8+1U3oq/7exP30gXiJojxW7xoerfyQY9s0Sz5YYbxYbuskFOYEtyAILB/pxgd
|
bGZgrRvkqtB011TNXZfsHl7rPxCY61DcsDJfFq3+8VHT+S9HE0qV1bEwP+oA3xc4
|
||||||
+k+J3tlZKolpfmo7WT5tZiHxH/zjrtAYGnuB2xPHRMCWh/tHYrELgXQuilNol24y
|
Opq77av77cNNOqDC7h+jyPhHcUaE33iddmrH9Zn2ofWTSkKHHu3PAe5udCrc2QnD
|
||||||
GBa1plTlARy0aKEDUHp87WLhD2qH7B8sFlLgo0+gunE1UtR2HMSPF45w3VXszyG6
|
4PLRF6gqiEY1mcGknJrXj1ff/X0nRY/m6cnHNXz0Cvh8oPOtbdfGgfZjID2/fJNP
|
||||||
fJNrAj0yPnKy3Dm1BMO3jDO2e0A9lCQ71a4j4TeKePfCk1xCArSu6PpiwiacKplF
|
fNoNKqN+5oJAZ+ZZ9id9rBvKj1ivW3F2EoGjZF268SgZzc5QrM/D1OpSBQf5SF/V
|
||||||
c6CRR6KrWVm2g+8Y2hFcOBG/Py2xusm3PWbpylGq6vtFRkkCAwEAAaN7MHkwDgYD
|
qUPcQTgt9ry3YR+SZYazLkfKMEOWEa0WsqJVgXdQ6FyergcCAwEAAaN7MHkwDgYD
|
||||||
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEFxD6BQwQO5
|
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEa70kcseqU5
|
||||||
xsJ+3cvZypsnh6dDMB8GA1UdIwQYMBaAFEFxD6BQwQO5xsJ+3cvZypsnh6dDMBYG
|
bHx2zSt4bG21HokhMB8GA1UdIwQYMBaAFEa70kcseqU5bHx2zSt4bG21HokhMBYG
|
||||||
A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQB5zTeIhV/3
|
A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCGmE7NXW4T
|
||||||
3Am6O144EFtnIeaZ2w0D6aEHqHAZp50vJv3+uQfOliCOzgw7VDxI4Zz2JALjlR/i
|
6J4mV3b132cGEMD7grx5JeiXK5EHMlswUS+Odz0NcBNzhUHdG4WVMbrilHbI5Ua+
|
||||||
uOYHsu3YIRMIOmPOjqrdDJa6auB0ufL4oUPfCRln7Fh0f3JVlz3BUoHsSDt949p4
|
6jdKx5WwnqzjQvElP0MCw6sH/35gbokWgk1provOP99WOFRsQs+9Sm8M2XtMf9HZ
|
||||||
g0nnsciL2JHuzlqjn7Jyt3L7dAHrlFKulCcuidG5D3cqXrRCbF83f+k3TC/HRiNd
|
m3wABwU/O+dhZZ1OT1PjSZD0OKWKqH/KvlsoF5R6P888KpeYFiIWiUNS5z21Jm8A
|
||||||
25oMi7I4MP/SOCdfQGUGIsHIf/0hSm3pNjDOrC/XuI/8gh2f5io+Y8V+hMwMBcm4
|
ZcllJjiRJ60EmDwSUOQVJJSMOvtr6xTZDZLtAKSN8zN08lsNGzyrFwqjDwU0WTqp
|
||||||
JbH8bdyBB+EIhsNbTwf2MWntD5bmg47sf7hh23aNvKXI67Li1pTI2t1CqiGnFR0U
|
scMXEGBsWQjlvxqDnXyljepR0oqRIjOvgrWaIgbxcnu98tK/OdBGwlAPKNUW7Crr
|
||||||
fCEpeaEAHs0k
|
vO+eHxl9iqd4
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
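Review bot: This replaces the broker root CA that `beam-proxy` trusts through `ROOTCERT_FILE` (the file is presumably `ccp/root.crt.pem`, going by the hunk order), alongside the switch of `BROKER_ID` from `broker.dev.ccp-it.dktk.dkfz.de` to `broker.ccp-it.dktk.dkfz.de` in `ccp/vars`, yet the commit message (`Adapt to changes in main`) does not mention a trust-anchor rotation. A site administrator currently has no way to verify the new certificate other than trusting this repository; please record the CA subject, validity period and SHA-256 fingerprint (`<FINGERPRINT-PLACEHOLDER>`) in the commit message or README so it can be checked out-of-band, and state explicitly that the old dev-broker CA is no longer trusted. The `eric.root.crt.pem` and `gbn.root.crt.pem` files referenced by the new bbmri module compose files deserve the same record.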
|
14
ccp/vars
14
ccp/vars
|
@ -1,4 +1,4 @@
|
||||||
BROKER_ID=broker.dev.ccp-it.dktk.dkfz.de
|
BROKER_ID=broker.ccp-it.dktk.dkfz.de
|
||||||
BROKER_URL=https://${BROKER_ID}
|
BROKER_URL=https://${BROKER_ID}
|
||||||
PROXY_ID=${SITE_ID}.${BROKER_ID}
|
PROXY_ID=${SITE_ID}.${BROKER_ID}
|
||||||
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
|
||||||
|
@ -6,17 +6,15 @@ FOCUS_RETRY_COUNT=32
|
||||||
SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
|
SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
|
||||||
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
|
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
|
||||||
|
|
||||||
# This will load id-management setup. Effective only if id-management configuration is defined.
|
BROKER_URL_FOR_PREREQ=$BROKER_URL
|
||||||
source $PROJECT/modules/id-management-setup.sh
|
|
||||||
idManagementSetup
|
|
||||||
# This will load nngm setup. Effective only if nngm configuration is defined.
|
|
||||||
source $PROJECT/nngm-setup.sh
|
|
||||||
nngmSetup
|
|
||||||
|
|
||||||
mtbaSetup
|
|
||||||
|
|
||||||
for module in $PROJECT/modules/*.sh
|
for module in $PROJECT/modules/*.sh
|
||||||
do
|
do
|
||||||
log DEBUG "sourcing $module"
|
log DEBUG "sourcing $module"
|
||||||
source $module
|
source $module
|
||||||
done
|
done
|
||||||
|
|
||||||
|
idManagementSetup
|
||||||
|
nngmSetup
|
||||||
|
mtbaSetup
|
|
@ -9,14 +9,6 @@ detectCompose() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
getLdmPassword() {
|
|
||||||
if [ -n "$LDM_PASSWORD" ]; then
|
|
||||||
docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $PROJECT $LDM_PASSWORD | tr -d '\n' | tr -d '\r'
|
|
||||||
else
|
|
||||||
echo -n ""
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
exitIfNotRoot() {
|
exitIfNotRoot() {
|
||||||
if [ "$EUID" -ne 0 ]; then
|
if [ "$EUID" -ne 0 ]; then
|
||||||
log "ERROR" "Please run as root"
|
log "ERROR" "Please run as root"
|
||||||
|
@ -34,7 +26,7 @@ checkOwner(){
|
||||||
}
|
}
|
||||||
|
|
||||||
printUsage() {
|
printUsage() {
|
||||||
echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|enroll PROJECTNAME"
|
echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
|
||||||
echo "PROJECTNAME should be one of ccp|bbmri"
|
echo "PROJECTNAME should be one of ccp|bbmri"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -180,6 +172,43 @@ function bk_is_running {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
##Setting Network properties
|
function do_enroll_inner {
|
||||||
# currently not needed
|
PARAMS=""
|
||||||
#export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
|
|
||||||
|
MANUAL_PROXY_ID="${1:-$PROXY_ID}"
|
||||||
|
if [ -z "$MANUAL_PROXY_ID" ]; then
|
||||||
|
log ERROR "No Proxy ID set"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
log INFO "Enrolling Beam Proxy Id $MANUAL_PROXY_ID"
|
||||||
|
fi
|
||||||
|
|
||||||
|
SUPPORT_EMAIL="${2:-$SUPPORT_EMAIL}"
|
||||||
|
if [ -n "$SUPPORT_EMAIL" ]; then
|
||||||
|
PARAMS+="--admin-email $SUPPORT_EMAIL"
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $MANUAL_PROXY_ID $PARAMS
|
||||||
|
chmod 600 $PRIVATEKEYFILENAME
|
||||||
|
}
|
||||||
|
|
||||||
|
function do_enroll {
|
||||||
|
do_enroll_inner $@
|
||||||
|
}
|
||||||
|
|
||||||
|
add_basic_auth_user() {
|
||||||
|
USER="${1}"
|
||||||
|
PASSWORD="${2}"
|
||||||
|
NAME="${3}"
|
||||||
|
PROJECT="${4}"
|
||||||
|
FILE="/etc/bridgehead/${PROJECT}.local.conf"
|
||||||
|
ENCRY_CREDENTIALS="$(docker run --rm docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -nb $USER $PASSWORD | tr -d '\n' | tr -d '\r')"
|
||||||
|
if [ -f $FILE ] && grep -R -q "$NAME=" $FILE # if a specific basic auth user already exists:
|
||||||
|
then
|
||||||
|
sed -i "/$NAME/ s|='|='$ENCRY_CREDENTIALS,|" $FILE
|
||||||
|
else
|
||||||
|
echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> $FILE;
|
||||||
|
fi
|
||||||
|
log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
|
||||||
|
sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
|
||||||
|
}
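Review bot: `add_basic_auth_user` assigns its arguments to the globals `USER` and `PROJECT` (`USER="${1}"`, `PROJECT="${4}"`), so a call from `adduser` silently rewrites the caller's `PROJECT`, and the password is handed to `htpasswd -nb` on the `docker run` command line, where it is visible in the host process list, before being appended in clear text to `$FILE` by the final `sed`. Make the four assignments `local`, quote every expansion, feed the password to htpasswd through stdin with `-ni`, and anchor the existence check (`grep -q "^$NAME="`) so a `NAME` that is a prefix of another key does not match; the clear-text `# Password:` line should at least be opt-in rather than the default, since `/etc/bridgehead/${PROJECT}.local.conf` otherwise accumulates every credential ever added. `do_enroll_inner` has the same global-clobbering pattern with `SUPPORT_EMAIL="${2:-$SUPPORT_EMAIL}"`, and `do_enroll` should forward `"$@"` rather than `$@`.
```shell
add_basic_auth_user() {
  local USER="${1}" PASSWORD="${2}" NAME="${3}" PROJECT="${4}"
  local FILE="/etc/bridgehead/${PROJECT}.local.conf"
  # password goes in via stdin (-i) so it never appears in the container's argv
  local ENCRY_CREDENTIALS
  ENCRY_CREDENTIALS="$(printf '%s\n' "$PASSWORD" | docker run --rm -i docker.verbis.dkfz.de/cache/httpd:alpine htpasswd -ni "$USER" | tr -d '\n' | tr -d '\r')"
  # anchored: only a line that defines exactly this key counts as "already exists"
  if [ -f "$FILE" ] && grep -q "^$NAME=" "$FILE"; then
    sed -i "/^$NAME=/ s|='|='$ENCRY_CREDENTIALS,|" "$FILE"
  else
    echo -e "\n## Basic Authentication Credentials for:\n$NAME='$ENCRY_CREDENTIALS'" >> "$FILE"
  fi
  # … unchanged: clear-text credential note (consider making it opt-in) …
}
```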
|
|
@ -29,12 +29,16 @@ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
|
# TODO: Determine whether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
|
||||||
if [ -z "$LDM_PASSWORD" ]; then
|
if [ -z "$LDM_AUTH" ]; then
|
||||||
log "INFO" "Now generating a password for the local data management. Please save the password for your ETL process!"
|
log "INFO" "Now generating basic auth for the local data management (see adduser in bridgehead for more information). "
|
||||||
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
|
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
|
||||||
|
add_basic_auth_user $PROJECT $generated_passwd "LDM_AUTH" $PROJECT
|
||||||
|
fi
|
||||||
|
|
||||||
log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd"
|
if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
|
||||||
echo -e "## Local Data Management Basic Authentication\n# User: $PROJECT\nLDM_PASSWORD=$generated_passwd" >> /etc/bridgehead/${PROJECT}.local.conf;
|
log "INFO" "Now generating basic auth for nNGM upload API (see adduser in bridgehead for more information). "
|
||||||
|
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
|
||||||
|
add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
log "INFO" "Registering system units for bridgehead and bridgehead-update"
|
log "INFO" "Registering system units for bridgehead and bridgehead-update"
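Review bot: The removed `log "INFO" "Your generated credentials are: ..."` line was the only place the administrator was shown the generated LDM password; the new flow relies on `add_basic_auth_user` writing a clear-text `# Password:` comment into `/etc/bridgehead/${PROJECT}.local.conf`, and the new log message does not say so. Suggest `log "INFO" "Now generating basic auth for the local data management; the generated password is recorded in /etc/bridgehead/$PROJECT.local.conf (see bridgehead adduser)."`. Style: `if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]` reads better as `if [ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then`, and both calls should quote `"$generated_passwd"` even though the generated value is currently hex-only.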
|
||||||
|
|
|
@ -71,8 +71,12 @@ if [ -d /etc/bridgehead ]; then
|
||||||
fi
|
fi
|
||||||
elif [[ "$DEV_MODE" == "NODEV" ]]; then
|
elif [[ "$DEV_MODE" == "NODEV" ]]; then
|
||||||
log "INFO" "Now cloning your site configuration repository for you."
|
log "INFO" "Now cloning your site configuration repository for you."
|
||||||
read -p "Please enter your site: " site
|
if [ -z "$site" ]; then
|
||||||
read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
|
read -p "Please enter your site: " site
|
||||||
|
fi
|
||||||
|
if [ -z "$access_token" ]; then
|
||||||
|
read -s -p "Please enter the bridgehead's access token for your site configuration repository (will not be echoed): " access_token
|
||||||
|
fi
|
||||||
site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git"
|
site_configuration_repository_url="https://bytoken:${access_token}@${site_configuration_repository_middle}$(echo $site | tr '[:upper:]' '[:lower:]').git"
|
||||||
git clone $site_configuration_repository_url /etc/bridgehead
|
git clone $site_configuration_repository_url /etc/bridgehead
|
||||||
if [ $? -gt 0 ]; then
|
if [ $? -gt 0 ]; then
|
||||||
|
|
|
@ -62,6 +62,34 @@ if [ -e /etc/bridgehead/vault.conf ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
|
||||||
|
|
||||||
|
source /etc/bridgehead/${PROJECT}.conf
|
||||||
|
source ${PROJECT}/vars
|
||||||
|
|
||||||
|
set +e
|
||||||
|
SERVERTIME="$(https_proxy=$HTTPS_PROXY_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
|
||||||
|
RET=$?
|
||||||
|
set -e
|
||||||
|
if [ $RET -ne 0 ]; then
|
||||||
|
log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
|
||||||
|
log WARN "Unable to check clock skew due to previous error."
|
||||||
|
else
|
||||||
|
log INFO "Checking clock skew ..."
|
||||||
|
|
||||||
|
SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
|
||||||
|
MYTIME=$(date +%s)
|
||||||
|
SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
|
||||||
|
SKEW=$(echo $SKEW | awk -F- '{print $NF}')
|
||||||
|
SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
|
||||||
|
if [ $SKEW -ge 300 ]; then
|
||||||
|
report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
|
||||||
|
exit 1
|
||||||
|
elif [ $SKEW -ge 60 ]; then
|
||||||
|
log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
checkPrivKey() {
|
checkPrivKey() {
|
||||||
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
|
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
|
||||||
log INFO "Success - private key found."
|
log INFO "Success - private key found."
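Review bot: `RET=$?` after the `SERVERTIME=...` assignment captures the exit status of the last command in the pipeline (`sed`), not of `curl`, and nothing here enables `pipefail`, so an unreachable broker leaves `RET=0` with an empty `SERVERTIME`; the `else` branch then feeds the empty string to `date --date=`, which does not yield the broker's time, so the skew check is meaningless at best and a `[ -ge ]` test error at worst. Test the value rather than the status: `if [ $RET -ne 0 ] || [ -z "$SERVERTIME" ]; then`. The absolute-value trick `SKEW=$(echo $SKEW | awk -F- '{print $NF}')` can be `SKEW=${SKEW#-}`, and the error text `This will cause Samply.Beam's certificate will fail` needs rewording, e.g. `This will cause Samply.Beam's certificate validation to fail`.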
|
||||||
|
@ -69,8 +97,6 @@ checkPrivKey() {
|
||||||
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions."
|
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
log INFO "Success - all prerequisites are met!"
|
|
||||||
hc_send log "Success - all prerequisites are met!"
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -80,4 +106,7 @@ else
|
||||||
checkPrivKey || exit 1
|
checkPrivKey || exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
log INFO "Success - all prerequisites are met!"
|
||||||
|
hc_send log "Success - all prerequisites are met!"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
@ -139,6 +139,15 @@ else
|
||||||
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
|
log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#TODO: the following block can be deleted after successful update at all sites
|
||||||
|
if [ ! -z "$LDM_PASSWORD" ]; then
|
||||||
|
FILE="/etc/bridgehead/$PROJECT.local.conf"
|
||||||
|
log "INFO" "Migrating LDM_PASSWORD to encrypted credentials in $FILE"
|
||||||
|
add_basic_auth_user $PROJECT $LDM_PASSWORD "LDM_AUTH" $PROJECT
|
||||||
|
add_basic_auth_user $PROJECT $LDM_PASSWORD "NNGM_AUTH" $PROJECT
|
||||||
|
sed -i "/LDM_PASSWORD/{d;}" $FILE
|
||||||
|
fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
# TODO: Print last commit explicit
|
# TODO: Print last commit explicit
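Review bot: The migration block creates `NNGM_AUTH` from the old `LDM_PASSWORD` unconditionally, so every site — including those without nNGM — gets an nNGM basic-auth user that shares credentials with the local data management, and the two services can no longer be given distinct passwords without manual cleanup. Limit the second call to sites where nNGM is configured and no `NNGM_AUTH` exists yet: `if [ -n "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then add_basic_auth_user "nngm" "$LDM_PASSWORD" "NNGM_AUTH" "$PROJECT"; fi`, which also matches the `nngm` user name chosen in `lib/setup-bridgehead.sh` instead of `$PROJECT`. `sed -i "/LDM_PASSWORD/{d;}" $FILE` only edits `$PROJECT.local.conf`; if `LDM_PASSWORD` is also defined in another sourced file it stays set and this block, with its appended credentials, repeats on every update run — worth guarding on `[ -z "$LDM_AUTH" ]` as well.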
|
||||||
|
|
|
@ -21,7 +21,7 @@ services:
|
||||||
- "traefik.http.routers.dashboard.service=api@internal"
|
- "traefik.http.routers.dashboard.service=api@internal"
|
||||||
- "traefik.http.routers.dashboard.tls=true"
|
- "traefik.http.routers.dashboard.tls=true"
|
||||||
- "traefik.http.routers.dashboard.middlewares=auth"
|
- "traefik.http.routers.dashboard.middlewares=auth"
|
||||||
- "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
|
- "traefik.http.middlewares.auth.basicauth.users=${LDM_AUTH}"
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
|
@ -37,6 +37,9 @@ services:
|
||||||
HTTPS_PROXY: ${HTTPS_PROXY_URL}
|
HTTPS_PROXY: ${HTTPS_PROXY_URL}
|
||||||
USERNAME: ${HTTPS_PROXY_USERNAME}
|
USERNAME: ${HTTPS_PROXY_USERNAME}
|
||||||
PASSWORD: ${HTTPS_PROXY_PASSWORD}
|
PASSWORD: ${HTTPS_PROXY_PASSWORD}
|
||||||
|
tmpfs:
|
||||||
|
- /var/log/squid
|
||||||
|
- /var/spool/squid
|
||||||
volumes:
|
volumes:
|
||||||
- /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
|
- /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
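Review bot: Mounting `/var/log/squid` as `tmpfs` means the forward proxy's access log (assuming squid writes it there, which this file does not show) disappears whenever the container restarts or the host reboots, so there is no proxy log to consult when investigating an unexpected outbound connection. If the intent is only to keep writes off the image layer, a named volume preserves the logs while still not touching the container filesystem; if the logs are deliberately discarded, a comment such as `# tmpfs: squid logs and cache are ephemeral by design` documents the choice. The `tmpfs` entries also carry no size limit, so a busy proxy's cache and logs grow host memory unbounded; the long volume syntax (`type: tmpfs` with a `size` option) can cap them.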