Changed: image used for cbioportal and teiler backend

- used image for cbioportal in cbioportal-compose to the Harbor image

- Ran tests to make sure cbioportal and cbioportal API work in Teiler backend.

.github/CODEOWNERS

@@ -1 +0,0 @@
-*  @samply/bridgehead-developers

.github/scripts/rename_inactive_branches.py

@@ -1,39 +0,0 @@
-import os
-import requests
-from datetime import datetime, timedelta
-
-# Configuration
-GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
-REPO = 'samply/bridgehead'
-HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'}
-API_URL = f'https://api.github.com/repos/{REPO}/branches'
-INACTIVE_DAYS = 365
-CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS)
-
-# Fetch all branches
-def get_branches():
-    response = requests.get(API_URL, headers=HEADERS)
-    response.raise_for_status()
-    return response.json() if response.status_code == 200 else []
-
-# Rename inactive branches
-def rename_branch(old_name, new_name):
-    rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename'
-    response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS)
-    response.raise_for_status()
-    print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}")
-
-# Check if the branch is inactive
-def is_inactive(commit_url):
-    last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date']
-    return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE
-
-# Rename inactive branches
-def main():
-    for branch in get_branches():
-        if is_inactive(branch['commit']['url']):
-            #rename_branch(branch['name'], f"archived/{branch['name']}")
-            print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'")
-
-if __name__ == "__main__":
-    main()

.github/workflows/rename-inactive-branches.yml

@@ -1,27 +0,0 @@
-name: Cleanup - Rename Inactive Branches
-
-on:
-  schedule:
-    - cron: '0 0 * * 0'  # Runs every Sunday at midnight
-
-jobs:
-  archive-stale-branches:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v2
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-
-      - name: Install Libraries
-        run: pip install requests
-
-      - name: Run Script to Rename Inactive Branches
-        run: |
-          python .github/scripts/rename_inactive_branches.py
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -22,13 +22,11 @@ This repository is the starting point for any information and tools you will nee
     - [TLS terminating proxies](#tls-terminating-proxies)
     - [File structure](#file-structure)
     - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
-    - [Directory sync tool](#directory-sync-tool)
     - [Loading data](#loading-data)
 4. [Things you should know](#things-you-should-know)
     - [Auto-Updates](#auto-updates)
     - [Auto-Backups](#auto-backups)
     - [Non-Linux OS](#non-linux-os)
-    - [FAQ](#faq)
 5. [Troubleshooting](#troubleshooting)
     - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
     - [Monitoring](#monitoring)
@@ -36,7 +34,7 @@ This repository is the starting point for any information and tools you will nee
 
 ## Requirements
 
-The data protection officer at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts:
+The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts:
 
 - [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/)
 
@@ -48,8 +46,6 @@ Hardware requirements strongly depend on the specific use-cases of your network
 - 32 GB RAM
 - 160GB Hard Drive, SSD recommended
 
-We recommend using a dedicated VM for the Bridgehead, with no other applications running on it. While the Bridgehead can, in principle, run on a shared VM, you might run into surprising problems such as resource conflicts (e.g., two apps using tcp port 443).
-
 ### Software
 
 You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release.
@@ -78,7 +74,7 @@ The following URLs need to be accessible (prefix with `https://`):
   * git.verbis.dkfz.de
 * To fetch docker images
   * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
     * hub.docker.com
     * registry-1.docker.io
     * production.cloudflare.docker.com
@@ -156,7 +152,7 @@ Pay special attention to:
 Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
-sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
 ```
 
 Then, run the installation script:
@@ -204,7 +200,7 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 After starting the Bridgehead, you can watch the initialization process with the following command:
 
 ```shell
-/srv/docker/bridgehead/bridgehead logs <project> -f
+journalctl -u bridgehead@bbmri -f
 ```
 
 if this exits with something similar to the following:
@@ -224,9 +220,8 @@ docker ps
 There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
 
 ```shell
-/srv/docker/bridgehead/bridgehead logs <Project> -f
+journalctl -u bridgehead@bbmri -f
 ```
-This translates to a journalctl command so all the regular journalctl flags can be used.
 
 Once the Bridgehead has passed these checks, take a look at the landing page:
 
@@ -240,7 +235,7 @@ You can either do this in a browser or with curl. If you visit the URL in the br
 curl -k https://localhost
 ```
 
-Should the landing page not show anything, you can inspect the logs of the containers to determine what is going wrong. To do this you can use `./bridgehead docker-logs <Project> -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work.
+If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong.
 
 If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead.
 
@@ -256,8 +251,6 @@ sh bridgehead uninstall
 
 ## Site-specific configuration
 
-[How to Change Config Access Token](docs/update-access-token.md)
-
 ### HTTPS Access
 
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
@@ -303,38 +296,26 @@ Once you have added your biobank to the Directory you got persistent identifier
 
 ### Directory sync tool
 
-The Bridgehead's **Directory Sync** is an optional feature that keeps the BBMRI-ERIC Directory up to date with your local data, e.g. number of samples. Conversely, it can also update the local FHIR store with the latest contact details etc. from the  BBMRI-ERIC Directory.
+The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature.
 
-You should talk with your local data protection group regarding the information that is published by Directory sync.
+Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 
-To enable it, you will need to explicitly set the username and password variables for BBMRI-ERIC Directory login in the configuration file of your GitLab repository (e.g. ```bbmri.conf```). Here is an example minimal config:
+To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:
 
 ```
+DS_DIRECTORY_URL=https://directory.bbmri-eric.eu
 DS_DIRECTORY_USER_NAME=your_directory_username
-DS_DIRECTORY_USER_PASS=your_directory_password
+DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887
+DS_TIMER_CRON="0 22 * * *"
 ```
-Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
+You must contact the Directory team for your national node to find the URL, and to register as a user.
 
-The following environment variables can be used from within your config file to control the behavior of Directory sync:
+Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention.
 
-| Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
-|:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
-| DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
-| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
-| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
-| DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
-| DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
-| DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
-| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
-| DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
-| DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
-
-Once you have finished editing the config, the Bridgehead will autoupdate the config with the values and will sync data at regular intervals, using the time specified in DS_TIMER_CRON.
+Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.
 
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 
-More details of Directory sync can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
-
 ### Loading data
 
 The data accessed by the federated search is held in the Bridgehead in a FHIR store (we use Blaze).
@@ -354,24 +335,6 @@ The storage space on your hard drive will depend on the number of FHIR resources
 
 For more information on Blaze performance, please refer to [import performance](https://github.com/samply/blaze/blob/master/docs/performance/import.md).
 
-### Clearing data
-
-The Bridgehead's FHIR store, Blaze, saves its data in a Docker volume. This means that the data will persist even if you stop the Bridgehead. You can clear existing data from the FHIR store by deleting the relevant Docker volume.
-
-First, stop the Bridgehead:
-```shell
-sudo systemctl stop bridgehead@<PROJECT>.service
-```
-Now remove the volume:
-```shell
-docker volume rm <PROJECT>_blaze-data
-```
-Finally, restart the Bridgehead:
-```shell
-sudo systemctl start bridgehead@<PROJECT>.service
-```
-You will need to do this for example if you are using a VM as a test environment and you subsequently want to use the same VM for production.
-
 #### ETL for BBMRI and GBA
 
 Normally, you will need to build your own ETL to feed the Bridgehead. However, there is one case where a short cut might be available:
@@ -418,54 +381,6 @@ We have tested the installation procedure with an Ubuntu 22.04 guest system runn
 
 Installation under WSL ought to work, but we have not tested this.
 
-### FAQ
-
-**Q: How is the security of GitHub pulls, volumes/containers, and image signing ensured?**
-
-A: Changes to Git branches that could be delivered to sites (main and develop) must be accepted via a pull request with at least two positive reviews.
-Containers/images are not built manually, but rather automatically through a CI/CD pipeline, so that an image can be rolled back to a defined code version at any time without changes.
-**Note:** If firewall access for (outgoing) connections to GitHub and/or Docker Hub is problematic at the site, mirrors for both services are available, operated by the DKFZ.
-
-**Q: How is authentication between users and components regulated?**
-
-A: When setting up a Bridgehead, a private key and a so-called Certificate Sign Request (CSR) are generated locally. This CSR is manually signed by the broker operator, which allows the Bridgehead access to the network infrastructure.
-All communication runs via Samply.Beam and is therefore end-to-end encrypted, but also signed. This allows the integrity and authenticity of the sender to be technically verified (which happens automatically both in the broker and at the recipients).
-The connection to the broker is additionally secured using traditional TLS (transport encryption over https).
-
-**Q: Are there any statistics on incoming traffic from the Bridgehead (what goes in and what goes out)?**
-
-A: Incoming and outgoing traffic can only enter/leave the Bridgehead via a forward or reverse proxy, respectively. These components log all connections.
-Statistical analysis is not currently being conducted, but is on the roadmap for some projects. We are also working on a dashboard for all tasks/responses delivered via Samply.Beam.
-
-**Q: How is container access controlled, and what permission level is used?**
-
-A: Currently, it is not possible to run the Bridgehead "out-of-the-box" as a rootless Docker Compose stack. The main reason is the operation of the reverse proxy (Traefik), which binds to the privileged ports 80 (HTTP) and 443 (HTTPS).
-Otherwise, there are no known technical obstacles, although we don't have concrete experience implementing this.
-At the file system level, a "bridgehead" user is created during installation, which manages the configuration and Bridgehead folders.
-
-**Q: Is a cloud installation (not a company-owned one, but an external service provider) possible?**
-
-A: Technically, yes. This is primarily a data protection issue between the participant and their cloud provider.
-The Bridgehead contains a data storage system that, during use, contains sensitive patient and sample data.
-There are cloud providers with whom appropriately worded contracts can be concluded to make this possible.
-Of course, the details must be discussed with the responsible data protection officer.
-
-**Q: What needs to be considered regarding the Docker distribution/registry, and how is it used here?**
-
-A: The Bridgehead images are located both in Docker Hub and mirrored in a registry operated by the DKFZ.
-The latter is used by default, avoiding potential issues with Docker Hub URL activation or rate limits.
-When using automatic updates (highly recommended), an daily check is performed for:
-- site configuration updates
-- Bridgehead software updates
-- container image updates
-
-If updates are found, they are downloaded and applied.
-See the first question for the control mechanism.
-
-**Q: Is data only transferred one-way (Bridgehead/FHIR Store → Central/Locator), or is two-way access necessary?**
-
-A: By using Samply.Beam, only one outgoing connection to the broker is required at the network level (i.e., Bridgehead → Broker).
-
 ## Troubleshooting
 
 ### Docker Daemon Proxy Configuration

bbmri/docker-compose.yml

@@ -4,14 +4,12 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      LOG_LEVEL: "debug"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"

bbmri/modules/directory-sync-compose.yml

@@ -4,15 +4,7 @@ services:
   directory_sync_service:
     image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
     environment:
-      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
+      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
       DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
-      DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
-      DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
-      DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
-      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
-      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
-      DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
-      DS_IMPORT_BIOBANKS: ${DS_IMPORT_BIOBANKS:-true}
-      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
-    depends_on:
-      - "blaze"
+      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
+      DS_TIMER_CRON: ${DS_TIMER_CRON}

bbmri/modules/dnpm-compose.yml

@@ -0,0 +1,53 @@
+version: "3.7"
+
+services:
+  dnpm-beam-proxy:
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    container_name: bridgehead-dnpm-beam-proxy
+    environment:
+      BROKER_URL: ${DNPM_BROKER_URL}
+      PROXY_ID: ${DNPM_PROXY_ID}
+      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
+
+  dnpm-beam-connect:
+    depends_on: [ dnpm-beam-proxy ]
+    image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
+    container_name: bridgehead-dnpm-beam-connect
+    environment:
+      PROXY_URL: http://dnpm-beam-proxy:8081
+      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
+      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
+      DISCOVERY_URL: "./conf/central_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      HTTP_PROXY: http://forward_proxy:3128
+      HTTPS_PROXY: http://forward_proxy:3128
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
+      RUST_LOG: ${RUST_LOG:-info}
+      NO_AUTH: "true"
+    extra_host:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
+      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
+      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
+      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
+      - "traefik.http.routers.dnpm-connect.tls=true"
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

bbmri/modules/dnpm-node-compose.yml

@@ -0,0 +1,33 @@
+version: "3.7"
+
+services:
+  dnpm-backend:
+    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    container_name: bridgehead-dnpm-backend
+    environment:
+      - ZPM_SITE=${ZPM_SITE}
+    volumes:
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - ${DNPM_DATA_DIR}:/bwhc_data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.tls=true"
+
+  dnpm-frontend:
+    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    container_name: bridgehead-dnpm-frontend
+    links:
+      - dnpm-backend
+    environment:
+      - NUXT_HOST=0.0.0.0
+      - NUXT_PORT=8080
+      - BACKEND_PROTOCOL=https
+      - BACKEND_HOSTNAME=$HOST
+      - BACKEND_PORT=443
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.bwhc-frontend.tls=true"

bbmri/modules/dnpm-node-setup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM_NODE}" ]; then
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
+
+	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	if [ -z "${ZPM_SITE+x}" ]; then
+		log ERROR "Mandatory variable ZPM_SITE not defined!"
+		exit 1
+	fi
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+		exit 1
+	fi
+			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+				echo "Override of landing page url already in place"
+			else
+				echo "Adding override of landing page url"
+				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+				else
+					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+				fi
+			fi
+fi

bbmri/modules/dnpm-setup.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM}" ]; then
+	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
+
+	# Set variables required for Beam-Connect
+	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
+	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
+fi

bbmri/modules/eric-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   focus-eric:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
     container_name: bridgehead-focus-eric
     environment:
       API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
@@ -16,7 +16,7 @@ services:
       - "blaze"
 
   beam-proxy-eric:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy-eric
     environment:
       BROKER_URL: ${ERIC_BROKER_URL}

bbmri/modules/eric-setup.sh

@@ -10,10 +10,6 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
-		"acceptance")
-			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
-			export ERIC_ROOT_CERT=eric.acc
-			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test

bbmri/modules/eric.acc.root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
-OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
-ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
-c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
-fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
-9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
-DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
-1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
-FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
-1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
-Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
-gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
-ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
-8riQJIhY4huX
------END CERTIFICATE-----

bbmri/modules/exporter-compose.yml

@@ -1,67 +0,0 @@
-version: "3.7"
-
-services:
-  exporter:
-    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
-    container_name: bridgehead-bbmri-exporter
-    environment:
-      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
-      CROSS_ORIGINS: "https://${HOST}"
-      EXPORTER_DB_USER: "exporter"
-      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
-      HTTP_RELATIVE_PATH: "/bbmri-exporter"
-      SITE: "${SITE_ID}"
-      HTTP_SERVLET_REQUEST_SCHEME: "https"
-      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.exporter_bbmri.rule=PathPrefix(`/bbmri-exporter`)"
-      - "traefik.http.services.exporter_bbmri.loadbalancer.server.port=8092"
-      - "traefik.http.routers.exporter_bbmri.tls=true"
-      - "traefik.http.middlewares.exporter_bbmri_strip.stripprefix.prefixes=/bbmri-exporter"
-      - "traefik.http.routers.exporter_bbmri.middlewares=exporter_bbmri_strip"
-    volumes:
-      - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output"
-
-  exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
-    container_name: bridgehead-bbmri-exporter-db
-    environment:
-      POSTGRES_USER: "exporter"
-      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      POSTGRES_DB: "exporter"
-    volumes:
-      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
-      - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data"
-
-  reporter:
-    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
-    container_name: bridgehead-bbmri-reporter
-    environment:
-      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
-      CROSS_ORIGINS: "https://${HOST}"
-      HTTP_RELATIVE_PATH: "/bbmri-reporter"
-      SITE: "${SITE_ID}"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
-      EXPORTER_URL: "http://exporter:8092"
-      LOG_FHIR_VALIDATION: "false"
-      HTTP_SERVLET_REQUEST_SCHEME: "https"
-
-    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
-    # However, in the first executions in the bbmri sites, this volume seems to be very important. A report is
-    # a process that can take several hours, because it depends on the exporter.
-    # There is a risk that the bridgehead restarts, losing the already created export.
-
-    volumes:
-      - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.reporter_bbmri.rule=PathPrefix(`/bbmri-reporter`)"
-      - "traefik.http.services.reporter_bbmri.loadbalancer.server.port=8095"
-      - "traefik.http.routers.reporter_bbmri.tls=true"
-      - "traefik.http.middlewares.reporter_bbmri_strip.stripprefix.prefixes=/bbmri-reporter"
-      - "traefik.http.routers.reporter_bbmri.middlewares=reporter_bbmri_strip"

bbmri/modules/exporter-setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_EXPORTER" == true ]; then
-  log INFO "Exporter setup detected -- will start Exporter service."
-  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
-fi

bbmri/modules/exporter.md

@@ -1,15 +0,0 @@
-# Exporter and Reporter
-
-
-## Exporter
-The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
-It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
-
-## Exporter-DB
-It is a database to save queries for its execution in the exporter. 
-The exporter manages also the different executions of the same query in through the database.
-
-## Reporter
-This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
-It is compatible with different template engines as Groovy, Thymeleaf,...
-It is perfect to generate a document as our traditional CCP quality report.

bbmri/modules/gbn-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   focus-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
     container_name: bridgehead-focus-gbn
     environment:
       API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
@@ -16,7 +16,7 @@ services:
       - "blaze"
 
   beam-proxy-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy-gbn
     environment:
       BROKER_URL: ${GBN_BROKER_URL}

bbmri/modules/teiler-compose.yml

@@ -1,73 +0,0 @@
-version: "3.7"
-
-services:
-
-  teiler-orchestrator:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
-    container_name: bridgehead-teiler-orchestrator
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_orchestrator_bbmri.rule=PathPrefix(`/bbmri-teiler`)"
-      - "traefik.http.services.teiler_orchestrator_bbmri.loadbalancer.server.port=9000"
-      - "traefik.http.routers.teiler_orchestrator_bbmri.tls=true"
-      - "traefik.http.middlewares.teiler_orchestrator_bbmri_strip.stripprefix.prefixes=/bbmri-teiler"
-      - "traefik.http.routers.teiler_orchestrator_bbmri.middlewares=teiler_orchestrator_bbmri_strip"
-    environment:
-      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
-      HTTP_RELATIVE_PATH: "/bbmri-teiler"
-
-  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
-    container_name: bridgehead-teiler-dashboard
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_dashboard_bbmri.rule=PathPrefix(`/bbmri-teiler-dashboard`)"
-      - "traefik.http.services.teiler_dashboard_bbmri.loadbalancer.server.port=80"
-      - "traefik.http.routers.teiler_dashboard_bbmri.tls=true"
-      - "traefik.http.middlewares.teiler_dashboard_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-dashboard"
-      - "traefik.http.routers.teiler_dashboard_bbmri.middlewares=teiler_dashboard_bbmri_strip"
-    environment:
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
-      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
-      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
-      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
-      TEILER_PROJECT: "${PROJECT}"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
-      REPORTER_DEFAULT_TEMPLATE_ID: "bbmri-qb"
-      EXPORTER_DEFAULT_TEMPLATE_ID: "bbmri"
-
-
-  teiler-backend:
-    image: docker.verbis.dkfz.de/ccp/bbmri-teiler-backend:latest
-    container_name: bridgehead-teiler-backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_backend_bbmri.rule=PathPrefix(`/bbmri-teiler-backend`)"
-      - "traefik.http.services.teiler_backend_bbmri.loadbalancer.server.port=8085"
-      - "traefik.http.routers.teiler_backend_bbmri.tls=true"
-      - "traefik.http.middlewares.teiler_backend_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-backend"
-      - "traefik.http.routers.teiler_backend_bbmri.middlewares=teiler_backend_bbmri_strip"
-    environment:
-      LOG_LEVEL: "INFO"
-      APPLICATION_PORT: "8085"
-      APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
-      TEILER_DASHBOARD_DE_URL: "https://${HOST}/bbmri-teiler-dashboard/de"
-      TEILER_DASHBOARD_EN_URL: "https://${HOST}/bbmri-teiler-dashboard/en"
-      HTTP_PROXY: "http://forward_proxy:3128"
-      ENABLE_MTBA: "${ENABLE_MTBA}"
-      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active

bbmri/modules/teiler-setup.sh

@@ -1,9 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_TEILER" == true ];then
-  log INFO "Teiler setup detected -- will start Teiler services."
-  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
-  TEILER_DEFAULT_LANGUAGE=EN
-  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
-  # add_public_oidc_redirect_url "/ccp-teiler/*"
-fi

bbmri/modules/teiler.md

@@ -1,19 +0,0 @@
-# Teiler
-This module orchestrates the different microfrontends of the bridgehead as a single page application.  
-
-## Teiler Orchestrator
-Single SPA component that consists on the root HTML site of the single page application and a javascript code that
-gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
-resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
-
-The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
-This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
-There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
-
-## Teiler Dashboard
-It consists on the main dashboard and a set of embedded services.
-### Login
-user and password in ccp.local.conf
-
-## Teiler Backend
-In this component, the microfrontends are configured.

bbmri/vars

@@ -1,19 +1,11 @@
-BROKER_ID=broker-test.bbmri-test.samply.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-echo $PRIVATEKEYFILENAME
-
 # Makes sense for all European Biobanks
 : ${ENABLE_ERIC:=true}
 
 # Makes only sense for German Biobanks
 : ${ENABLE_GBN:=false}
 
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-
-POSTGRES_TAG=15.6-alpine
+FOCUS_RETRY_COUNT=32
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
 for module in $PROJECT/modules/*.sh
 do

bridgehead

@@ -32,18 +32,6 @@ case "$PROJECT" in
 	bbmri)
 		#nothing extra to do
 		;;
-	cce)
-		#nothing extra to do
-		;;
-	itcc)
-		#nothing extra to do
-		;;
-	kr)
-		#nothing extra to do
-		;;
-	dhki)
-		#nothing extra to do
-		;;
 	minimal)
 		#nothing extra to do
 		;;
@@ -53,47 +41,17 @@ case "$PROJECT" in
 		;;
 esac
 
-# Loads config variables and runs the projects setup script
+# TODO: Please add proper documentation for variable priorities (1. secrets, 2. vars, 3. PROJECT.local.conf, 4. PROJECT.conf, 5. ???
 loadVars() {
+	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
-	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
-	# Source the project specific local config file if present
-	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
-	# Set execution environment on main default to prod else test
-	if [[ -z "${ENVIRONMENT+x}" ]]; then
-		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
-			ENVIRONMENT="production"
-		else
-			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
-		fi
-	fi
-	# Source the versions of the images components 
-	case "$ENVIRONMENT" in
-		"production")
-			source ./versions/prod
-			;;
-		"test")
-			source ./versions/test
-			;;
-		"acceptance")
-			source ./versions/acceptance
-			;;
-		*)
-			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
-			source ./versions/prod
-			;;
-	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
-	optimizeBlazeMemoryUsage
-	# Run project specific setup if it exists
-	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
-	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 
@@ -109,6 +67,22 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
+
+	# Set some project-independent default values
+	: ${ENVIRONMENT:=production}
+
+	case "$ENVIRONMENT" in
+		"production")
+			export FOCUS_TAG=main
+			;;
+		"test")
+			export FOCUS_TAG=develop
+			;;
+		*)
+			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			export FOCUS_TAG=main
+			;;
+	esac
 }
 
 case "$ACTION" in
@@ -116,14 +90,12 @@ case "$ACTION" in
 		loadVars
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
-		sync_secrets
+        sync_secrets
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
-		# Kill stale secret-sync instances if present
-		docker kill $(docker ps -q --filter ancestor=docker.verbis.dkfz.de/cache/samply/secret-sync-local) 2>/dev/null || true
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
@@ -132,16 +104,6 @@ case "$ACTION" in
 		bk_is_running
 		exit $?
 		;;
-	logs)
-		loadVars
-		shift 2
-		exec journalctl -u bridgehead@$PROJECT -u bridgehead-update@$PROJECT -a $@
-		;;
-	docker-logs)
-		loadVars
-		shift 2
-		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@
-		;;
 	update)
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT

cce/docker-compose.yml

@@ -1,68 +0,0 @@
-version: "3.7"
-
-services:
-  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-cce-blaze
-    environment:
-      BASE_URL: "http://bridgehead-cce-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_cce.rule=PathPrefix(`/cce-localdatamanagement`)"
-      - "traefik.http.middlewares.cce_b_strip.stripprefix.prefixes=/cce-localdatamanagement"
-      - "traefik.http.services.blaze_cce.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_cce.middlewares=cce_b_strip,auth"
-      - "traefik.http.routers.blaze_cce.tls=true"
-
-  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-cce-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    volumes:
-      - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
-    container_name: bridgehead-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/cce/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

cce/modules/lens-compose.yml

@@ -1,33 +0,0 @@
-version: "3.7"
-services:
-  landing:
-    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-
-  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
-    environment:
-      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
-      BEAM_PROXY_ID: ${SITE_ID}
-      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "focus"
-      PROJECT_METADATA: "cce_supervisors"
-    depends_on:
-      - "beam-proxy"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
-      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

cce/modules/lens-setup.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_LENS" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
-fi

cce/queries_to_cache.conf

@@ -1,2 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==

cce/root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
-MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
-TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
-OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
-XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
-pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
-K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
-poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
-AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
-fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
-3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
-n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
-7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
-Rtup0MTxSJtN
------END CERTIFICATE-----

cce/vars

@@ -1,14 +0,0 @@
-BROKER_ID=test-no-real-data.broker.samply.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-
-for module in $PROJECT/modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done

ccp/docker-compose.yml

@@ -2,14 +2,11 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"
@@ -22,7 +19,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
+    image: docker.verbis.dkfz.de/cache/samply/focus:main
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -32,16 +29,12 @@ services:
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
       EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    volumes:
-      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
     depends_on:
       - "beam-proxy"
       - "blaze"
 
   beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}
@@ -59,6 +52,13 @@ services:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
 
+  traefik:
+    labels:
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
+
+
 volumes:
   blaze-data:
 

ccp/modules/adt2fhir-rest-compose.yml

@@ -0,0 +1,18 @@
+version: "3.7"
+
+services:
+  adt2fhir-rest:
+    container_name: bridgehead-adt2fhir-rest
+    image: docker.verbis.dkfz.de/ccp/adt2fhir-rest:main
+    environment:
+      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
+      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      SALT: ${LOCAL_SALT}
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.adt2fhir-rest.rule=PathPrefix(`/adt2fhir-rest`)"
+      - "traefik.http.middlewares.adt2fhir-rest_strip.stripprefix.prefixes=/adt2fhir-rest"
+      - "traefik.http.services.adt2fhir-rest.loadbalancer.server.port=8080"
+      - "traefik.http.routers.adt2fhir-rest.tls=true"
+      - "traefik.http.routers.adt2fhir-rest.middlewares=adt2fhir-rest_strip,auth"

ccp/modules/adt2fhir-rest-setup.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+function adt2fhirRestSetup() {
+  if [ -n "$ENABLE_ADT2FHIR_REST" ]; then
+    log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API."
+    if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then
+      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
+      exit 1;
+    fi
+    OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml"
+    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  fi
+}

ccp/modules/blaze-secondary-compose.yml

@@ -1,32 +0,0 @@
-version: "3.7"
-
-services:
-  blaze-secondary:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-ccp-blaze-secondary
-    environment:
-      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-secondary-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze-secondary_ccp.rule=PathPrefix(`/ccp-localdatamanagement-secondary`)"
-      - "traefik.http.middlewares.ccp_b-secondary_strip.stripprefix.prefixes=/ccp-localdatamanagement-secondary"
-      - "traefik.http.services.blaze-secondary_ccp.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze-secondary_ccp.middlewares=ccp_b-secondary_strip,auth"
-      - "traefik.http.routers.blaze-secondary_ccp.tls=true"
-
-  obds2fhir-rest:
-    environment:
-      STORE_PATH: ${STORE_PATH:-http://blaze:8080/fhir}
-
-  exporter:
-    environment:
-      BLAZE_HOST: "blaze-secondary"
-
-volumes:
-  blaze-secondary-data:

ccp/modules/blaze-secondary-setup.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-function blazeSecondarySetup() {
-  if [ -n "$ENABLE_SECONDARY_BLAZE" ]; then
-    log INFO "Secondary Blaze setup detected -- will start second blaze."
-    OVERRIDE+=" -f ./$PROJECT/modules/blaze-secondary-compose.yml"
-    #make oBDS2FHIR ignore ID-Management and replace target Blaze
-    PATIENTLIST_URL=" "
-    STORE_PATH="http://blaze-secondary:8080/fhir"
-  fi
-}

ccp/modules/cbioportal-compose.yml

@@ -0,0 +1,53 @@
+version: '3.7'
+
+services:
+  cbioportal:
+    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal:latest
+    image: dktk-cbioportal
+    container_name: bridgehead-cbioportal
+    environment:
+      DB_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
+      HTTP_RELATIVE_PATH: "/cbioportal"
+      UPLOAD_HTTP_RELATIVE_PATH: "/cbioportal-upload"
+    depends_on:
+      - cbioportal-database
+      - cbioportal-session
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.cbioportal.rule=PathPrefix(`/cbioportal`)"
+      - "traefik.http.routers.cbioportal.service=cbioportal"
+      - "traefik.http.services.cbioportal.loadbalancer.server.port=8080"
+      - "traefik.http.routers.cbioportal.tls=true"
+      - "traefik.http.routers.cbioportal-upload.rule=PathPrefix(`/cbioportal-upload`)"    
+      - "traefik.http.routers.cbioportal-upload.service=cbioportal-upload"
+      - "traefik.http.routers.cbioportal-upload.tls=true"
+      - "traefik.http.services.cbioportal-upload.loadbalancer.server.port=8001"
+      
+
+  cbioportal-database:
+    image: docker.verbis.dkfz.de/ccp/dktk-cbioportal-database:latest
+    container_name: bridgehead-cbioportal-database
+    environment:
+      MYSQL_DATABASE: cbioportal
+      MYSQL_USER: cbio_user
+      MYSQL_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
+      MYSQL_ROOT_PASSWORD: ${CBIOPORTAL_DB_ROOT_PASSWORD}
+    volumes:
+      - /var/cache/bridgehead/ccp/cbioportal_db_data:/var/lib/mysql
+
+  cbioportal-session:
+    image: cbioportal/session-service:0.6.1
+    container_name: bridgehead-cbioportal-session
+    environment:
+      SERVER_PORT: 5000
+      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
+    depends_on:
+      - cbioportal-session-database
+
+  cbioportal-session-database:
+    image: mongo:4.2
+    container_name: bridgehead-cbioportal-session-database
+    environment:
+      MONGO_INITDB_DATABASE: session_service
+    volumes:
+      - /var/cache/bridgehead/ccp/cbioportal_session_db_data:/data/db

ccp/modules/cbioportal-setup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+ if [ "$ENABLE_CBIOPORTAL" == true ]; then
+  log INFO "cBioPortal setup detected -- will start cBioPortal service."
+  OVERRIDE+=" -f ./$PROJECT/modules/cbioportal-compose.yml"
+  CBIOPORTAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  CBIOPORTAL_DB_ROOT_PASSWORD="$(echo \"This is a salt string to generate one consistent root password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" 
+ fi

ccp/modules/cbioportal.md

@@ -0,0 +1,10 @@
+# CBioPortal Data uploader
+
+
+## Usage
+
+We have integrated an API that allows you to upload data directly to cbioportal without the need to have cbioportal installed in your system.
+
+## Tech stack
+
+We used Flask to add this feature

ccp/modules/datashield-compose.yml

@@ -22,7 +22,7 @@ services:
 
   opal:
     container_name: bridgehead-opal
-    image: docker.verbis.dkfz.de/ccp/dktk-opal:test
+    image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.opal_ccp.rule=PathPrefix(`/opal`)"
@@ -44,10 +44,11 @@ services:
       APP_CONTEXT_PATH: "/opal"
       OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
       OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
       TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
       EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
       BEAM_APP_ID: token-manager.${PROXY_ID}
@@ -61,7 +62,7 @@ services:
 
   opal-db:
     container_name: bridgehead-opal-db
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
     environment:
       POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
       POSTGRES_USER: "opal"
@@ -97,10 +98,6 @@ services:
       - rstudio
   
   traefik:
-    labels:
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
     networks:
       - default
       - rstudio
@@ -114,15 +111,15 @@ services:
       APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
       APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
 
-  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
-  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
-  oauth2-proxy:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
-    container_name: bridgehead-oauth2proxy
+  # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
+  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/):
+  # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
+  oauth2_proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy
+    container_name: bridgehead_oauth2_proxy
     command: >-
-      --allowed-group=DataSHIELD
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
+      --allowed-group=/DataSHIELD
+      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
       --auth-logging=true
       --whitelist-domain=${HOST}
       --http-address="0.0.0.0:4180"
@@ -137,10 +134,10 @@ services:
       #OIDC settings
       --provider="keycloak-oidc"
       --provider-display-name="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
+      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
       --client-secret="${OIDC_CLIENT_SECRET}"
       --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_URL}"
+      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
       --scope="openid email profile"
       --code-challenge-method="S256"
       --skip-provider-button=true
@@ -150,15 +147,9 @@ services:
       --pass-access-token=false
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
       - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
       - "traefik.http.routers.oauth2_proxy.tls=true"
-    environment:
-      http_proxy: "http://forward_proxy:3128"
-      https_proxy: "http://forward_proxy:3128"
-    depends_on:
-      forward_proxy:
-        condition: service_healthy
 
 secrets:
   opal-cert.pem:

ccp/modules/datashield-mappings.json

@@ -9,7 +9,5 @@
     "frankfurt",
     "essen",
     "dktk-datashield-test",
-    "dktk-test",
-    "mannheim",
-    "central-ds-orchestrator"
+    "dktk-test"
 ]

ccp/modules/datashield-setup.sh

@@ -1,14 +1,6 @@
 #!/bin/bash -e
 
 if [ "$ENABLE_DATASHIELD" == true ]; then
-  # HACK: This only works because exporter-setup.sh and teiler-setup.sh are sourced after datashield-setup.sh
-  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
-    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
-  fi
-  OAUTH2_CALLBACK=/oauth2/callback
-  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
-  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
-
   log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
   OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
   EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
@@ -20,25 +12,22 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
   TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
   if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
     mkdir -p /tmp/bridgehead/
+    chown -R bridgehead:docker /tmp/bridgehead/
     openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
+    chmod g+r /tmp/bridgehead/opal-key.pem
   fi
   mkdir -p /tmp/bridgehead/opal-map
-  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
-  echo "$sites" | docker_jq -n --args '{"sites": input | map({
+  jq -n '{"sites": input | map({
     "name": .,
     "id": .,
     "virtualhost": "\(.):443",
     "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' $sites >/tmp/bridgehead/opal-map/central.json
-  echo "$sites" | docker_jq -n --args '[{
+  })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
+  jq -n '[{
     "external": "'"$SITE_ID"':443",
     "internal": "opal:8443",
-    "allowed": input | map("\(.).'"$BROKER_ID"'")
-  }]' >/tmp/bridgehead/opal-map/local.json
-  if [ "$USER" == "root" ]; then
-    chown -R bridgehead:docker /tmp/bridgehead
-    chmod g+wr /tmp/bridgehead/opal-map/*
-    chmod g+r /tmp/bridgehead/opal-key.pem
-  fi
+    "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
+  }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
+  chown -R bridgehead:docker /tmp/bridgehead/
   add_private_oidc_redirect_url "/opal/*"
 fi

ccp/modules/datashield.md

@@ -1,5 +1,5 @@
 # DataSHIELD
-This module constitutes the infrastructure to run DataSHIELD within the bridgehead. 
+This module constitutes the infrastructure to run DataSHIELD within the bridghead. 
 For more information about DataSHIELD, please visit https://www.datashield.org/
 
 ## R-Studio

ccp/modules/dnpm-compose.yml

@@ -13,19 +13,17 @@ services:
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
       APP_ID: dnpm-connect.${PROXY_ID}
       DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: "http://forward_proxy:3128"
       HTTPS_PROXY: "http://forward_proxy:3128"
-      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
+      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
-      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
     extra_hosts:
       - "host.docker.internal:host-gateway"
     volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
@@ -33,7 +31,3 @@ services:
       - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
-
-  dnpm-echo:
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
-    container_name: bridgehead-dnpm-echo

ccp/modules/dnpm-node-compose.yml

@@ -1,99 +1,33 @@
 version: "3.7"
 
 services:
-  dnpm-mysql:
-    image: mysql:9
-    healthcheck:
-      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
-      interval: 3s
-      timeout: 5s
-      retries: 5
-    environment:
-      MYSQL_ROOT_HOST: "%"
-      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
-    volumes:
-      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
-
-  dnpm-authup:
-    image: authup/authup:latest
-    container_name: bridgehead-dnpm-authup
-    volumes:
-      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
-    depends_on:
-      dnpm-mysql:
-        condition: service_healthy
-    command: server/core start
-    environment:
-      - PUBLIC_URL=https://${HOST}/auth/
-      - AUTHORIZE_REDIRECT_URL=https://${HOST}
-      - ROBOT_ADMIN_ENABLED=true
-      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
-      - ROBOT_ADMIN_SECRET_RESET=true
-      - DB_TYPE=mysql
-      - DB_HOST=dnpm-mysql
-      - DB_USERNAME=root
-      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
-      - DB_DATABASE=auth
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
-      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
-      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
-      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-auth.tls=true"
-
-  dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:latest
-    container_name: bridgehead-dnpm-portal
-    environment:
-      - NUXT_API_URL=http://dnpm-backend:9000/
-      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
-      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
-      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
-      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
-      - "traefik.http.routers.dnpm-frontend.tls=true"
-
   dnpm-backend:
+    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
     container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:latest
     environment:
-      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
-      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
-      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
-      - HATEOAS_HOST=https://${HOST}
-      - CONNECTOR_TYPE=broker
-      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
+      - ZPM_SITE=${ZPM_SITE}
     volumes:
-      - /etc/bridgehead/dnpm/config:/dnpm_config
-      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
-    depends_on:
-      dnpm-authup:
-        condition: service_healthy
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - ${DNPM_DATA_DIR}:/bwhc_data
     labels:
       - "traefik.enable=true"
-      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
-      # expose everything
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
-      - "traefik.http.routers.dnpm-backend.tls=true"
-      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
-      # except ETL
-      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
-      - "traefik.http.routers.dnpm-backend-etl.tls=true"
-      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
-      # this needs an ETL processor with support for basic auth
-      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
-      # except peer-to-peer
-      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
-      - "traefik.http.routers.dnpm-backend-peer.tls=true"
-      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
-      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
-      # this effectively denies all requests
-      # this is okay, because requests from peers don't go through Traefik
-      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.tls=true"
 
-  landing:
+  dnpm-frontend:
+    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    container_name: bridgehead-dnpm-frontend
+    links:
+      - dnpm-backend
+    environment:
+      - NUXT_HOST=0.0.0.0
+      - NUXT_PORT=8080
+      - BACKEND_PROTOCOL=https
+      - BACKEND_HOSTNAME=$HOST
+      - BACKEND_PORT=443
     labels:
-      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.bwhc-frontend.tls=true"

ccp/modules/dnpm-node-setup.sh

@@ -1,16 +1,27 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected -- will start DNPM:DIP node."
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
-    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
-    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
-    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+		exit 1
+	fi
+			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+				echo "Override of landing page url already in place"
+			else
+				echo "Adding override of landing page url"
+				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+				else
+					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+				fi
+			fi
 fi

ccp/modules/dnpm-setup.sh

@@ -6,10 +6,4 @@ if [ -n "${ENABLE_DNPM}" ]; then
 
 	# Set variables required for Beam-Connect
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
-	if [ -n "${DNPM_NO_PROXY}" ]; then
-		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
-	else
-		DNPM_ADDITIONAL_NO_PROXY=""
-	fi
 fi

ccp/modules/exporter-compose.yml

@@ -27,7 +27,7 @@ services:
       - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
 
   exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
     container_name: bridgehead-ccp-exporter-db
     environment:
       POSTGRES_USER: "exporter"
@@ -65,8 +65,3 @@ services:
       - "traefik.http.routers.reporter_ccp.tls=true"
       - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
       - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
-
-  focus:
-    environment:
-      EXPORTER_URL: "http://exporter:8092"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"

ccp/modules/exporter-setup.sh

@@ -3,6 +3,6 @@
 if [ "$ENABLE_EXPORTER" == true ]; then
   log INFO "Exporter setup detected -- will start Exporter service."
   OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi

ccp/modules/fhir2sql-compose.yml

@@ -1,29 +0,0 @@
-version: "3.7"
-
-services:
-  fhir2sql:
-    depends_on:
-      - "dashboard-db"
-      - "blaze"
-    image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
-    container_name: bridgehead-ccp-dashboard-fhir2sql
-    environment:
-      BLAZE_BASE_URL: "http://bridgehead-ccp-blaze:8080"
-      PG_HOST: "dashboard-db"
-      PG_USERNAME: "dashboard"
-      PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
-      PG_DBNAME: "dashboard"
-
-  dashboard-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
-    container_name: bridgehead-ccp-dashboard-db
-    environment:
-      POSTGRES_USER: "dashboard"
-      POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
-      POSTGRES_DB: "dashboard"
-    volumes:
-      - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
-
-  focus:
-    environment:
-      POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"

ccp/modules/fhir2sql-setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_FHIR2SQL" == true ]; then
-  log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
-  OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
-  DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
-  FOCUS_ENDPOINT_TYPE="blaze-and-sql"
-fi

ccp/modules/fhir2sql.md

@@ -1,36 +0,0 @@
-# fhir2sql
-fhir2sql connects to Blaze, retrieves data, and syncs it with a PostgreSQL database. The application is designed to run continuously, syncing data at regular intervals.
-The Dashboard module is a optional component of the Bridgehead CCP setup. When enabled, it starts two Docker services: **fhir2sql** and **dashboard-db**. Data held in PostgreSQL is only stored temporarily and Blaze is considered to be the 'leading system' or 'source of truth'.
-
-## Services
-### fhir2sql
-* Image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
-* Container name: bridgehead-ccp-dashboard-fhir2sql
-* Depends on: dashboard-db
-* Environment variables:
-  - BLAZE_BASE_URL: The base URL of the Blaze FHIR server (set to http://blaze:8080/fhir/)
-  - PG_HOST: The hostname of the PostgreSQL database (set to dashboard-db)
-  - PG_USERNAME: The username for the PostgreSQL database (set to dashboard)
-  - PG_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
-  - PG_DBNAME: The name of the PostgreSQL database (set to dashboard)
-
-### dashboard-db
-
-* Image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
-* Container name: bridgehead-ccp-dashboard-db
-* Environment variables:
-  - POSTGRES_USER: The username for the PostgreSQL database (set to dashboard)
-  - POSTGRES_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
-  - POSTGRES_DB: The name of the PostgreSQL database (set to dashboard)
-* Volumes:
-  - /var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data
-
-The volume used by dashboard-db can be removed safely and should be restored to a working order by re-importing data from Blaze.
-
-### Environment Variables
-* DASHBOARD_DB_PASSWORD: A generated password for the PostgreSQL database, created using a salt string and the SHA1 hash function.
-* POSTGRES_TAG: The tag of the PostgreSQL image to use (not set in this module, but required by the dashboard-db service).
-
-
-### Setup
-To enable the Dashboard module, set the ENABLE_FHIR2SQL environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above.

ccp/modules/id-management-compose.yml

@@ -14,30 +14,21 @@ services:
       MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
       MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
       MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
+      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
     depends_on:
       - patientlist
-      - traefik-forward-auth
     labels:
       - "traefik.enable=true"
-      # Router with Authentication
       - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
+      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
       - "traefik.http.routers.id-manager.tls=true"
-      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
-      - "traefik.http.routers.id-manager.service=id-manager-service"
-      # Router without Authentication
-      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
-      - "traefik.http.routers.id-manager-compatibility.tls=true"
-      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
-      # Definition of Service
-      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
-      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
 
   patientlist:
     image: docker.verbis.dkfz.de/bridgehead/mainzelliste
     container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
-      - TOMCAT_REVERSEPROXY_SSL=true
       - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
@@ -53,7 +44,7 @@ services:
       - patientlist-db
 
   patientlist-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.6-alpine
     container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"
@@ -64,49 +55,5 @@ services:
       # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
       - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
 
-  traefik-forward-auth:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
-    environment:
-      - http_proxy=http://forward_proxy:3128
-      - https_proxy=http://forward_proxy:3128
-      - OAUTH2_PROXY_PROVIDER=oidc
-      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
-      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
-      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
-      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
-      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
-      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
-      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
-      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
-      - OAUTH2_PROXY_REVERSE_PROXY=true
-      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
-      - OAUTH2_PROXY_UPSTREAMS=static://202
-      - OAUTH2_PROXY_EMAIL_DOMAINS=*
-      - OAUTH2_PROXY_SCOPE=openid profile email
-      # Pass Authorization Header and some user information to backend services
-      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
-      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
-      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
-      - OAUTH2_PROXY_COOKIE_REFRESH=60s
-      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
-      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
-      - "traefik.http.routers.traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-idm`)"
-      - "traefik.http.routers.traefik-forward-auth.tls=true"
-      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180"
-      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization"
-    depends_on:
-      forward_proxy:
-        condition: service_healthy
-
-  ccp-patient-project-identificator:
-    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
-    container_name: bridgehead-ccp-patient-project-identificator
-    environment:
-      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
-
 volumes:
   patientlist-db-data:

ccp/modules/id-management-setup.sh

@@ -3,7 +3,7 @@
 function idManagementSetup() {
 	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
-		OVERRIDE+=" -f ./ccp/modules/id-management-compose.yml"
+		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 
 		# Auto Generate local Passwords
 		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

ccp/modules/login-compose.yml

@@ -0,0 +1,47 @@
+version: "3.7"
+
+services:
+
+  login-db:
+    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    container_name: bridgehead-login-db
+    environment:
+      POSTGRES_USER: "keycloak"
+      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
+      POSTGRES_DB: "keycloak"
+    tmpfs:
+      - /var/lib/postgresql/data
+# Consider removing this comment once we have collected experience in production.
+#    volumes:
+#      - "bridgehead-login-db:/var/lib/postgresql/data"
+
+  login:
+    image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest
+    container_name: bridgehead-login
+    environment:
+      KEYCLOAK_ADMIN: "admin"
+      KEYCLOAK_ADMIN_PASSWORD: "${LDM_AUTH}"
+      TEILER_ADMIN: "${PROJECT}"
+      TEILER_ADMIN_PASSWORD: "${LDM_AUTH}"
+      TEILER_ADMIN_FIRST_NAME: "${OPERATOR_FIRST_NAME}"
+      TEILER_ADMIN_LAST_NAME: "${OPERATOR_LAST_NAME}"
+      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
+      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
+      KC_HOSTNAME_URL: "https://${HOST}/login"
+      KC_HOSTNAME_STRICT: "false"
+      KC_PROXY_ADDRESS_FORWARDING: "true"
+      TEILER_ORCHESTRATOR_EXTERN_URL: "https://${HOST}/ccp-teiler"
+    command:
+      - start-dev --import-realm --proxy edge --http-relative-path=/login
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.login.rule=PathPrefix(`/login`)"
+      - "traefik.http.services.login.loadbalancer.server.port=8080"
+      - "traefik.http.routers.login.tls=true"
+    depends_on:
+      - login-db
+
+# Consider removing this comment once we have collected experience in production.
+#volumes:
+#  bridgehead-login-db:
+#    name: "bridgehead-login-db"

ccp/modules/login-setup.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+if [ "$ENABLE_LOGIN" == true ]; then
+  log INFO "Login setup detected -- will start Login services."
+  OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml"
+  KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")"
+fi

ccp/modules/login.md

@@ -0,0 +1,13 @@
+# Login
+The login component is a local Keycloak instance. In the future will be replaced by the central keycloak instance
+or maybe can be used to add local identity providers to the bridgehead or just to simplify the configuration of
+the central keycloak instance for the integration of every new bridgehead.
+The basic configuration of our Keycloak instance is contained in a small json file.
+
+### Teiler User
+Currently, the local keycloak is used by the teiler. There is a basic admin user in the basic configuration of keycloak.
+The user can be configured with the environment variables TEILER_ADMIN_XXX.
+
+## Login-DB
+Keycloak requires a local database for its configuration. However, as we use an initial json configuration file, if no
+local identity provider is configured nor any local user, theoretically we don't need a volume for the login.

ccp/modules/mtba-compose.yml

@@ -2,6 +2,7 @@ version: "3.7"
 
 services:
   mtba:
+    #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
     image: docker.verbis.dkfz.de/cache/samply/mtba:develop
     container_name: bridgehead-mtba
     environment:
@@ -20,10 +21,11 @@ services:
       FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
       CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
       HTTP_RELATIVE_PATH: "/mtba"
-      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
-      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_URL: "${OIDC_URL}"
+      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      KEYCLOAK_URL: "${KEYCLOAK_URL}"
 
     labels:
       - "traefik.enable=true"

ccp/modules/mtba-setup.sh

@@ -5,6 +5,7 @@ function mtbaSetup() {
     log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
     if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
       log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
+      exit 1;
     fi
     OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
     add_private_oidc_redirect_url "/mtba/*"

ccp/modules/nngm-compose.yml

@@ -12,6 +12,7 @@ services:
       CTS_API_KEY: ${NNGM_CTS_APIKEY}
       CRYPT_KEY: ${NNGM_CRYPTKEY}
       #CTS_MAGICPL_SITE: ${SITE_ID}TODO
+    restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"

ccp/modules/obds2fhir-rest-compose.yml

@@ -1,19 +0,0 @@
-version: "3.7"
-
-services:
-  obds2fhir-rest:
-    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
-    environment:
-      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
-      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      SALT: ${LOCAL_SALT}
-      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
-      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
-      - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
-      - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
-      - "traefik.http.routers.obds2fhir-rest.tls=true"
-      - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"

ccp/modules/obds2fhir-rest-setup.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-function obds2fhirRestSetup() {
-  if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
-    log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
-    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
-      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
-      PATIENTLIST_URL=" "
-    fi
-    OVERRIDE+=" -f ./ccp/modules/obds2fhir-rest-compose.yml"
-    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  fi
-}

ccp/modules/teiler-compose.yml

@@ -15,12 +15,11 @@ services:
     environment:
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
       TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE_LOWER_CASE}"
       HTTP_RELATIVE_PATH: "/ccp-teiler"
 
   teiler-dashboard:
-    #image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
-    image: samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
@@ -30,27 +29,29 @@ services:
       - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
       - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
     environment:
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
+      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
+      KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
       TEILER_PROJECT: "${PROJECT}"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
+      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
+      TEILER_USER: "${KEYCLOAK_USER_GROUP}"
+      TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 
 
   teiler-backend:
-    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
+    # image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
+    image: dktk-teiler-backend
     container_name: bridgehead-teiler-backend
     labels:
       - "traefik.enable=true"
@@ -63,12 +64,19 @@ services:
       LOG_LEVEL: "INFO"
       APPLICATION_PORT: "8085"
       APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
+      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
       TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
       TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
+      CENTRAX_URL: "${CENTRAXX_URL}"
       HTTP_PROXY: "http://forward_proxy:3128"
       ENABLE_MTBA: "${ENABLE_MTBA}"
       ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
+    secrets:
+      - ccp.conf
+
+secrets:
+  ccp.conf:
+    file: /etc/bridgehead/ccp.conf

ccp/modules/teiler-setup.sh

@@ -3,7 +3,5 @@
 if [ "$ENABLE_TEILER" == true ];then
   log INFO "Teiler setup detected -- will start Teiler services."
   OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
-  TEILER_DEFAULT_LANGUAGE=DE
-  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
   add_public_oidc_redirect_url "/ccp-teiler/*"
 fi

ccp/queries_to_cache.conf

@@ -1,3 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfUkVQTEFDRV9TUEVDSU1FTl9TVFJBVElGSUVSaWYgSW5Jbml0aWFsUG9wdWxhdGlvbiB0aGVuIFtTcGVjaW1lbl0gZWxzZSB7fSBhcyBMaXN0PFNwZWNpbWVuPgpES1RLX1NUUkFUX1BST0NFRFVSRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX01FRElDQVRJT05fU1RSQVRJRklFUgoKICBES1RLX1JFUExBQ0VfSElTVE9MT0dZX1NUUkFUSUZJRVIKIGlmIGhpc3RvLmNvZGUuY29kaW5nLndoZXJlKGNvZGUgPSAnNTk4NDctNCcpLmNvZGUuZmlyc3QoKSBpcyBudWxsIHRoZW4gMCBlbHNlIDEKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1JFUExBQ0VfU1BFQ0lNRU5fU1RSQVRJRklFUmlmIEluSW5pdGlhbFBvcHVsYXRpb24gdGhlbiBbU3BlY2ltZW5dIGVsc2Uge30gYXMgTGlzdDxTcGVjaW1lbj4KREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19SRVBMQUNFX0hJU1RPTE9HWV9TVFJBVElGSUVSCiBpZiBoaXN0by5jb2RlLmNvZGluZy53aGVyZShjb2RlID0gJzU5ODQ3LTQnKS5jb2RlLmZpcnN0KCkgaXMgbnVsbCB0aGVuIDAgZWxzZSAxCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzYxJyBmcm9tIGljZDEwXSkgYW5kIAooKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NTAwLzMnKSk=
-ORGANOID_DASHBOARD_PUBLIC

ccp/vars

@@ -2,20 +2,30 @@ BROKER_ID=broker.ccp-it.dktk.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
+FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
 BROKER_URL_FOR_PREREQ=$BROKER_URL
+DEFAULT_LANGUAGE=DE
+DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
+ENABLE_EXPORTER=true
+ENABLE_TEILER=true
+#ENABLE_DATASHIELD=true
 
-OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
-OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
-OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"
-OIDC_GROUP_CLAIM="groups"
+KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
+KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
+# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
+KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
+KEYCLOAK_URL="https://login.verbis.dkfz.de"
+KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
+KEYCLOAK_GROUP_CLAIM="groups"
+OAUTH2_CALLBACK=/oauth2/callback
+OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 
-POSTGRES_TAG=15.6-alpine
+add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
 
 for module in $PROJECT/modules/*.sh
 do
@@ -25,13 +35,4 @@ done
 
 idManagementSetup
 mtbaSetup
-obds2fhirRestSetup
-blazeSecondarySetup
-
-for module in modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done
-
-transfairSetup
+adt2fhirRestSetup

dhki/docker-compose.yml

@@ -1,66 +0,0 @@
-version: "3.7"
-
-services:
-  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-dhki-blaze
-    environment:
-      BASE_URL: "http://bridgehead-dhki-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_dhki.rule=PathPrefix(`/dhki-localdatamanagement`)"
-      - "traefik.http.middlewares.dhki_b_strip.stripprefix.prefixes=/dhki-localdatamanagement"
-      - "traefik.http.services.blaze_dhki.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_dhki.middlewares=dhki_b_strip,auth"
-      - "traefik.http.routers.blaze_dhki.tls=true"
-
-  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-dhki-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-    volumes:
-      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
-    container_name: bridgehead-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/dhki/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

dhki/queries_to_cache.conf

@@ -1,2 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREhLSV9TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfRU5DT1VOVEVSX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpESEtJX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCgpESEtJX1NUUkFUX0VOQ09VTlRFUl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKChleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzM0LjknIGZyb20gaWNkMTBdKSBvcgooZXhpc3RzIFtDb25kaXRpb246IENvZGUgJ0MzNC44JyBmcm9tIGljZDEwXSkgb3IKKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDMzQuMCcgZnJvbSBpY2QxMF0pIG9yCihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzM0LjInIGZyb20gaWNkMTBdKSBvcgooZXhpc3RzIFtDb25kaXRpb246IENvZGUgJ0MzNC4xJyBmcm9tIGljZDEwXSkgb3IKKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDMzQuMycgZnJvbSBpY2QxMF0pKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQxLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDMvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0Ny8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MjUwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgyNTEvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODI1Mi8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MjUzLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgyNTUvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODI2MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MzEwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgzMzMvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODQ3MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0OTAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODU1MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MDUyLzMnKSkp

dhki/root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUSWUPebUMNfJvPKMjdgX+WiH+OXgwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTA1MDg1NTM4WhcNMzQw
-MTAyMDg1NjA4WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL/nvo9Bn1/6Z/K4BKoLM6/mVziM4cmXTVx4npVz
-pnptwPPFU4rz47akRZ6ZMD5MO0bsyvaxG1nwVrW3aAGC42JIGTdZHKwMKrd35sxw
-k3YlGJagGUs+bKHUCL55OcSmyDWlh/UhA8+eeJWjOt9u0nYXv+vi+N4JSHA0oC9D
-bTF1v+7blrTQagf7PTPSF3pe22iXOjJYdOkZMWoMoNAjn6F958fkLNLY3csOZwvP
-/3eyNNawyAEPWeIm33Zk630NS8YHggz6WCqwXvuaKb6910mRP8jgauaYsqgsOyDt
-pbWuvk//aZWdGeN9RNsAA8eGppygiwm/m9eRC6I0shDwv6ECAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFn/dbW1J3ry
-7TBzbKo3H4vJr2MiMB8GA1UdIwQYMBaAFFn/dbW1J3ry7TBzbKo3H4vJr2MiMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCa2V8B8aad
-XNDS1EUIi9oMdvGvkolcdFwx9fI++qu9xSIaZs5GETHck3oYKZF0CFP5ESnKDn5w
-enWgm5M0y+hVZppzB163WmET1efBXwrdyn8j4336NjX352h63JGWCaI2CfZ1qG1p
-kf5W9CVXllSFaJe5r994ovgyHvK2ucWwe8l8iMJbQhH79oKi/9uJMCD6aUXnpg1K
-nPHW1lsVx6foqYWijdBdtFU2i7LSH2OYo0nb1PgRnY/SABV63JHfJnqW9dZy4f7G
-rpsvvrmFrKmEnCZH0n6qveY3Z5bMD94Yx0ebkCTYEqAw3pV65gwxrzBTpEg6dgF0
-eG0eKFUS0REJ
------END CERTIFICATE-----

dhki/vars

@@ -1,28 +0,0 @@
-BROKER_ID=broker.hector.dkfz.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-
-POSTGRES_TAG=15.6-alpine
-
-for module in ccp/modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done
-
-idManagementSetup
-obds2fhirRestSetup
-
-for module in modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done
-
-transfairSetup

docs/update-access-token.md

@@ -1,42 +0,0 @@
-## How to Change Config Access Token
-
-### 1. Generate a New Access Token
-
-1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).  
-2. Navigate to the configuration repository for your site.  
-3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.  
-   - **If expired**, create a new Access Token.  
-4. Configure the new Access Token with the following settings:  
-   - **Expiration date**: One year from today, minus one day.  
-   - **Role**: Developer.  
-   - **Scope**: Only `read_repository`.  
-5. Save the newly generated Access Token in a secure location.  
-
----
-
-### 2. Replace the Old Access Token
-
-1. Navigate to `/etc/bridgehead` in your system.  
-2. Run the following command to retrieve the current Git remote URL:  
-   ```bash
-   git remote get-url origin
-   ```
-   Example output:  
-   ```
-   https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
-   ```
-3. Replace `<old_access_token>` with your new Access Token in the URL.  
-4. Set the updated URL using the following command:  
-   ```bash
-   git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
-   
-   ```
-
-5. Start the Bridgehead update service by running:  
-   ```bash
-   systemctl start bridgehead-update@<project>
-   ```
-6. View the output to ensure the update process is successful:  
-   ```bash
-   journalctl -u bridgehead-update@<project> -f
-   ```

itcc/docker-compose.yml

@@ -1,68 +0,0 @@
-version: "3.7"
-
-services:
-  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-itcc-blaze
-    environment:
-      BASE_URL: "http://bridgehead-itcc-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)"
-      - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
-      - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
-      - "traefik.http.routers.blaze_itcc.tls=true"
-
-  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-itcc-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    volumes:
-      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
-    container_name: bridgehead-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

itcc/modules/lens-compose.yml

@@ -1,33 +0,0 @@
-version: "3.7"
-services:
-  landing:
-    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-
-  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
-    environment:
-      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
-      BEAM_PROXY_ID: ${SITE_ID}
-      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "focus"
-      PROJECT_METADATA: "dktk_supervisors"
-    depends_on:
-      - "beam-proxy"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
-      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

itcc/modules/lens-setup.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_LENS" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
-fi

itcc/queries_to_cache.conf

@@ -1,2 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp

itcc/root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
-MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
-TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
-OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
-XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
-pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
-K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
-poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
-AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
-fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
-3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
-n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
-7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
-Rtup0MTxSJtN
------END CERTIFICATE-----

itcc/vars

@@ -1,14 +0,0 @@
-BROKER_ID=test-no-real-data.broker.samply.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-
-for module in $PROJECT/modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done

kr/docker-compose.yml

@@ -1,67 +0,0 @@
-version: "3.7"
-
-services:
-  landing:
-    deploy:
-      replicas: 0 #deactivate landing page
-
-  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-kr-blaze
-    environment:
-      BASE_URL: "http://bridgehead-kr-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_kr.rule=PathPrefix(`/kr-localdatamanagement`)"
-      - "traefik.http.middlewares.kr_b_strip.stripprefix.prefixes=/kr-localdatamanagement"
-      - "traefik.http.services.blaze_kr.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_kr.middlewares=kr_b_strip,auth"
-      - "traefik.http.routers.blaze_kr.tls=true"
-
-  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-kr-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
-    container_name: bridgehead-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

kr/modules/export-and-qb.curl-templates

@@ -1,6 +0,0 @@
-# Full Excel Export
-curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
---header 'x-api-key: ${EXPORT_API_KEY}'
-
-# QB
-curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'

kr/modules/exporter-compose.yml

@@ -1,67 +0,0 @@
-version: "3.7"
-
-services:
-  exporter:
-    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
-    container_name: bridgehead-ccp-exporter
-    environment:
-      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
-      CROSS_ORIGINS: "https://${HOST}"
-      EXPORTER_DB_USER: "exporter"
-      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
-      HTTP_RELATIVE_PATH: "/ccp-exporter"
-      SITE: "${SITE_ID}"
-      HTTP_SERVLET_REQUEST_SCHEME: "https"
-      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
-      - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
-      - "traefik.http.routers.exporter_ccp.tls=true"
-      - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
-      - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
-    volumes:
-      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
-
-  exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
-    container_name: bridgehead-ccp-exporter-db
-    environment:
-      POSTGRES_USER: "exporter"
-      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      POSTGRES_DB: "exporter"
-    volumes:
-      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
-      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
-
-  reporter:
-    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
-    container_name: bridgehead-ccp-reporter
-    environment:
-      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
-      CROSS_ORIGINS: "https://${HOST}"
-      HTTP_RELATIVE_PATH: "/ccp-reporter"
-      SITE: "${SITE_ID}"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
-      EXPORTER_URL: "http://exporter:8092"
-      LOG_FHIR_VALIDATION: "false"
-      HTTP_SERVLET_REQUEST_SCHEME: "https"
-
-    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
-    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
-    # a process that can take several hours, because it depends on the exporter.
-    # There is a risk that the bridgehead restarts, losing the already created export.
-
-    volumes:
-      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
-      - "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
-      - "traefik.http.routers.reporter_ccp.tls=true"
-      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
-      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"

kr/modules/exporter-setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_EXPORTER" == true ]; then
-  log INFO "Exporter setup detected -- will start Exporter service."
-  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
-fi

kr/modules/exporter.md

@@ -1,15 +0,0 @@
-# Exporter and Reporter
-
-
-## Exporter
-The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
-It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
-
-## Exporter-DB
-It is a database to save queries for its execution in the exporter. 
-The exporter manages also the different executions of the same query in through the database.
-
-## Reporter
-This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
-It is compatible with different template engines as Groovy, Thymeleaf,...
-It is perfect to generate a document as our traditional CCP quality report.

kr/modules/lens-compose.yml

@@ -1,35 +0,0 @@
-version: "3.7"
-services:
-  landing:
-    deploy:
-      replicas: 1 #reactivate if lens is in use
-    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
-
-  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
-    environment:
-      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
-      BEAM_PROXY_ID: ${SITE_ID}
-      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "focus"
-      PROJECT_METADATA: "kr_supervisors"
-    depends_on:
-      - "beam-proxy"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
-      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

kr/modules/lens-setup.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_LENS" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
-fi

kr/modules/obds2fhir-rest-compose.yml

@@ -1,19 +0,0 @@
-version: "3.7"
-
-services:
-  obds2fhir-rest:
-    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
-    environment:
-      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
-      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      SALT: ${LOCAL_SALT}
-      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
-      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
-      - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
-      - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
-      - "traefik.http.routers.obds2fhir-rest.tls=true"
-      - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"

kr/modules/obds2fhir-rest-setup.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-function obds2fhirRestSetup() {
-  if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
-    log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
-    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
-      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
-      PATIENTLIST_URL=" "
-    fi
-    OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml"
-    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  fi
-}

kr/modules/teiler-compose.yml

@@ -1,79 +0,0 @@
-version: "3.7"
-
-services:
-
-  teiler-orchestrator:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
-    container_name: bridgehead-teiler-orchestrator
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)"
-      - "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000"
-      - "traefik.http.routers.teiler_orchestrator_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
-      - "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
-    environment:
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
-      HTTP_RELATIVE_PATH: "/ccp-teiler"
-
-  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
-    container_name: bridgehead-teiler-dashboard
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)"
-      - "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80"
-      - "traefik.http.routers.teiler_dashboard_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
-      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
-    environment:
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
-      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
-      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
-      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
-      TEILER_PROJECT: "${PROJECT}"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
-      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
-      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
-
-
-  teiler-backend:
-    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
-    container_name: bridgehead-teiler-backend
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)"
-      - "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085"
-      - "traefik.http.routers.teiler_backend_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
-      - "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
-    environment:
-      LOG_LEVEL: "INFO"
-      APPLICATION_PORT: "8085"
-      APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
-      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
-      HTTP_PROXY: "http://forward_proxy:3128"
-      ENABLE_MTBA: "${ENABLE_MTBA}"
-      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-    secrets:
-      - ccp.conf
-
-secrets:
-  ccp.conf:
-    file: /etc/bridgehead/ccp.conf

kr/modules/teiler-setup.sh

@@ -1,9 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_TEILER" == true ];then
-  log INFO "Teiler setup detected -- will start Teiler services."
-  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
-  TEILER_DEFAULT_LANGUAGE=DE
-  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
-  add_public_oidc_redirect_url "/ccp-teiler/*"
-fi

kr/modules/teiler.md

@@ -1,19 +0,0 @@
-# Teiler
-This module orchestrates the different microfrontends of the bridgehead as a single page application.  
-
-## Teiler Orchestrator
-Single SPA component that consists on the root HTML site of the single page application and a javascript code that
-gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
-resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
-
-The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
-This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
-There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
-
-## Teiler Dashboard
-It consists on the main dashboard and a set of embedded services.
-### Login
-user and password in ccp.local.conf
-
-## Teiler Backend
-In this component, the microfrontends are configured.

kr/root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
-MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
-TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
-OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
-XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
-pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
-K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
-poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
-AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
-fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
-3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
-n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
-7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
-Rtup0MTxSJtN
------END CERTIFICATE-----

kr/vars

@@ -1,16 +0,0 @@
-BROKER_ID=test-no-real-data.broker.samply.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-
-for module in $PROJECT/modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done
-
-obds2fhirRestSetup

lib/functions.sh

@@ -53,8 +53,8 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
+	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
 checkRequirements() {
@@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 
 	for VAR in $@; do
-		if [ -z "${!VAR}" ]; then
+	if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done
@@ -155,30 +155,6 @@ setHostname() {
 	fi
 }
 
-# This function optimizes the usage of memory through blaze, according to the official performance tuning guide:
-#   https://github.com/samply/blaze/blob/master/docs/tuning-guide.md
-# Short summary of the adjustments made:
-# - set blaze memory cap to a quarter of the system memory
-# - set db block cache size to a quarter of the system memory
-# - limit resource count allowed in blaze to 1,25M per 4GB available system memory
-optimizeBlazeMemoryUsage() {
-	if [ -z "$BLAZE_MEMORY_CAP" ]; then
-	   system_memory_in_mb=$(LC_ALL=C free -m | grep 'Mem:' | awk '{print $2}');
-	   export BLAZE_MEMORY_CAP=$(($system_memory_in_mb/4));
-	fi
-	if [ -z "$BLAZE_RESOURCE_CACHE_CAP" ]; then
-		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
-		if [ $available_system_memory_chunks -eq 0 ]; then
-			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
-			export BLAZE_RESOURCE_CACHE_CAP=128000;
-			export BLAZE_CQL_CACHE_CAP=32;
-		else
-			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
-			export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));
-		fi
-	fi
-}
-
 # Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
 # Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
 createEncryptedPostgresBackup(){
@@ -291,7 +267,7 @@ function sync_secrets() {
     if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
         secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
     fi
-    if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then
+    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
         if [[ $secret_sync_args == "" ]]; then
             secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
         else 
@@ -301,109 +277,27 @@ function sync_secrets() {
     if [[ $secret_sync_args == "" ]]; then
         return
     fi
-
-    if [ "$PROJECT" == "bbmri" ]; then
-        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
-        proxy_id=$ERIC_PROXY_ID
-        broker_url=$ERIC_BROKER_URL
-        broker_id=$ERIC_BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
-    else
-        proxy_id=$PROXY_ID
-        broker_url=$BROKER_URL
-        broker_id=$BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
-    fi
-
-    mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
+    mkdir -p /var/cache/bridgehead/secrets/
     touch /var/cache/bridgehead/secrets/oidc
-    echo $PRIVATEKEYFILENAME
+    chown -R bridgehead:docker /var/cache/bridgehead/secrets
+    # The oidc provider will need to be switched based on the project at some point I guess
     docker run --rm \
         -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
         -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
+        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
         -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
         -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e NO_PROXY=localhost,127.0.0.1 \
-        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$proxy_id \
-        -e BROKER_URL=$broker_url \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
+        -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+        -e PROXY_ID=$PROXY_ID \
+        -e BROKER_URL=$BROKER_URL \
+        -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
         -e SECRET_DEFINITIONS=$secret_sync_args \
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
-
     set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/oidc
+    source /var/cache/bridgehead/secrets/*
     set +a # Export variables in the regular way
 }
 
-function secret_sync_gitlab_token() {
-    # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
-    local gitlab
-    case "$(git -C /etc/bridgehead remote get-url origin)" in
-        *git.verbis.dkfz.de*) gitlab=verbis;;
-        *gitlab.bbmri-eric.eu*) gitlab=bbmri;;
-        *)
-            log "WARN" "Not running Secret Sync because the git repository /etc/bridgehead has unknown origin"
-            return
-            ;;
-    esac
-
-    if [ "$PROJECT" == "bbmri" ]; then
-        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
-        proxy_id=$ERIC_PROXY_ID
-        broker_url=$ERIC_BROKER_URL
-        broker_id=$ERIC_BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
-    else
-        proxy_id=$PROXY_ID
-        broker_url=$BROKER_URL
-        broker_id=$BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
-    fi
-
-    # Create a temporary directory for Secret Sync that is valid per boot
-    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
-    mkdir -p $secret_sync_tempdir
-
-    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
-    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
-    # The git credential helper reads the token from the file during git pull.
-    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
-    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
-    docker run --rm \
-        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
-        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-        -v $secret_sync_tempdir:/secret-sync/ \
-        -e CACHE_PATH=/secret-sync/gitlab-token \
-        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e NO_PROXY=localhost,127.0.0.1 \
-        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$proxy_id \
-        -e BROKER_URL=$broker_url \
-        -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
-        -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
-        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
-    if [ $? -eq 0 ]; then
-        log "INFO" "Secret Sync was successful"
-        # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
-        CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
-        git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
-        # Set the git credential helper
-        git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
-    else
-        log "WARN" "Secret Sync failed"
-        # Remove the git credential helper
-        git -C /etc/bridgehead config --unset credential.helper
-    fi
-
-    # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
-    # Let's remove it to avoid confusion. This line can be removed at some point the future when we
-    # believe that it was removed on all/most production servers.
-    git -C /srv/docker/bridgehead config --unset credential.helper
-}
-
 capitalize_first_letter() {
     input="$1"
     capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
@@ -440,7 +334,7 @@ generate_password(){
   local random_special=${special:$n:1}
 
   local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  local main_password=$(echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
+  local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
 
   echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
 }
@@ -449,9 +343,5 @@ generate_password(){
 generate_simple_password(){
   local seed_text="$1"
   local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
-}
-
-docker_jq() {
-    docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
+  echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
 }

lib/gitlab-token-helper.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-[ "$1" = "get" ] || exit
-
-source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
-
-# Any non-empty username works, only the token matters
-cat << EOF
-username=bk
-password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
-EOF

lib/gitpassword.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+if [ "$1" != "get" ]; then
+	echo "Usage: $0 get"
+	exit 1
+fi
+
+baseDir() {
+	# see https://stackoverflow.com/questions/59895
+	SOURCE=${BASH_SOURCE[0]}
+	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+		SOURCE=$(readlink "$SOURCE")
+		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+        done
+        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+        echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source lib/functions.sh
+
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
+
+PARAMS="$(cat)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+
+fetchVarsFromVault GIT_PASSWORD
+
+if [ -z "${GIT_PASSWORD}" ]; then
+	fail_and_report 1 "gitpassword.sh failed: Git password not found."
+fi
+
+cat <<EOF
+protocol=https
+host=$GITHOST
+username=bk-${SITE_ID}
+password=${GIT_PASSWORD}
+EOF

lib/install-bridgehead.sh

@@ -41,14 +41,6 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
   add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 
-if [ -z "$TRANSFAIR_AUTH" ]; then
-  if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
-    log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
-    generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
-    add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
-  fi
-fi
-
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \

lib/prepare-system.sh

@@ -52,21 +52,6 @@ case "$PROJECT" in
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;
-	cce)
-		site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/"
-		;;
-	itcc)
-		site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
-        ;;
-    dhki)
-        site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
-		;;
-	kr)
-		site_configuration_repository_middle="git.verbis.dkfz.de/krebsregister-sites/"
-		;;
-	dhki)
-		site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
-		;;
 	minimal)
 		site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
 		;;
@@ -104,9 +89,6 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then
 fi
 
 chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
-mkdir -p /tmp/bridgehead /var/cache/bridgehead
-chown -R bridgehead:docker /tmp/bridgehead /var/cache/bridgehead
-chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead
 
 log INFO "System preparation is completed and configuration is present."
 

lib/prerequisites.sh

@@ -3,16 +3,14 @@
 source lib/functions.sh
 
 detectCompose
-CONFIG_DIR="/etc/bridgehead/"
-COMPONENT_DIR="/srv/docker/bridgehead/"
 
 if ! id "bridgehead" &>/dev/null; then
   log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
   exit 1
 fi
 
-checkOwner "${CONFIG_DIR}" bridgehead || exit 1
-checkOwner "${COMPONENT_DIR}" bridgehead || exit 1
+checkOwner /srv/docker/bridgehead bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
@@ -34,31 +32,31 @@ fi
 log INFO "Checking configuration ..."
 
 ## Download submodule
-if [ ! -d "${CONFIG_DIR}" ]; then
-  fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme."
+if [ ! -d "/etc/bridgehead/" ]; then
+  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
 fi
 
 # TODO: Check all required variables here in a generic loop
 
 #check if project env is present
-if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then
-   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf."
+if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
 fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then
+if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
   log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then
+if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
-if [ -e "${CONFIG_DIR}"vault.conf ]; then
+if [ -e /etc/bridgehead/vault.conf ]; then
   if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
   fi
@@ -66,54 +64,48 @@ fi
 
 log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 
-source "${CONFIG_DIR}${PROJECT}".conf
+source /etc/bridgehead/${PROJECT}.conf
 source ${PROJECT}/vars
 
-if [ "${PROJECT}" != "minimal" ]; then
-  set +e
-  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
-  RET=$?
-  set -e
-  if [ $RET -ne 0 ]; then
-	  log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
-  	log WARN "Unable to check clock skew due to previous error."
-  else
-	  log INFO "Checking clock skew ..."
+set +e
+SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+RET=$?
+set -e
+if [ $RET -ne 0 ]; then
+	log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+	log WARN "Unable to check clock skew due to previous error."
+else
+	log INFO "Checking clock skew ..."
 
-    SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
-	  MYTIME=$(date +%s)
-	  SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
-	  SKEW=$(echo $SKEW | awk -F- '{print $NF}')
-	  SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
-	  if [ $SKEW -ge 300 ]; then
-		  report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
-		  exit 1
-	  elif [ $SKEW -ge 60 ]; then
-		  log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
-	  fi
-  fi
+	SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+	MYTIME=$(date +%s)
+	SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+	SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+	SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+	if [ $SKEW -ge 300 ]; then
+		report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+		exit 1
+	elif [ $SKEW -ge 60 ]; then
+		log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+	fi
 fi
+
 checkPrivKey() {
-  if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then
+  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
     log INFO "Success - private key found."
   else
-    log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
     return 1
   fi
   return 0
 }
 
-if [[ "$@" =~ "noprivkey" ||  "${PROJECT}" != "minimal" ]]; then
+if [[ "$@" =~ "noprivkey" ]]; then
   log INFO "Skipping check for private key for now."
 else
   checkPrivKey || exit 1
 fi
 
-for dir in  "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
-  log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
-  hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
-done
-
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

lib/systemd/bridgehead-update@.timer

@@ -1,9 +1,8 @@
 [Unit]
-Description=Daily Updates at 6am of Bridgehead (%i)
+Description=Hourly Updates of Bridgehead (%i)
 
 [Timer]
-OnCalendar=*-*-* 06:00:00
-Persistent=true
+OnCalendar=*-*-* *:00:00
 
 [Install]
 WantedBy=basic.target

lib/update-bridgehead.sh

@@ -19,7 +19,7 @@ fi
 
 hc_send log "Checking for bridgehead updates ..."
 
-CONFFILE=/etc/bridgehead/$PROJECT.conf
+CONFFILE=/etc/bridgehead/$1.conf
 
 if [ ! -e $CONFFILE ]; then
   fail_and_report 1 "Configuration file $CONFFILE not found."
@@ -33,7 +33,7 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-secret_sync_gitlab_token
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
 CHANGES=""
 
@@ -45,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
+  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
+    log "INFO" "Configuring repo to use bridgehead git credential helper."
+    git -C $DIR config credential.helper "$CREDHELPER"
+  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"
@@ -54,8 +58,7 @@ for DIR in /etc/bridgehead $(pwd); do
     OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
   fi
   if [ $? -ne 0 ]; then
-    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
-    report_error log "Unable to update git $DIR: $OUT_SAN"
+    report_error log "Unable to update git $DIR: $OUT"
   fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
@@ -83,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

minimal/docker-compose.yml

@@ -10,13 +10,13 @@ services:
       - --providers.docker=true
       - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
-      - --api.dashboard=false
+      - --api.dashboard=true
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"
@@ -42,9 +42,6 @@ services:
       - /var/spool/squid
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
-    healthcheck:
-      # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
-      test: ["CMD", "sleep", "1"]
 
   landing:
     container_name: bridgehead-landingpage
@@ -58,4 +55,5 @@ services:
       HOST: ${HOST}
       PROJECT: ${PROJECT}
       SITE_NAME: ${SITE_NAME}
-      ENVIRONMENT: ${ENVIRONMENT}
+
+

minimal/modules/dnpm-central-targets.json

@@ -1,142 +0,0 @@
-{
-    "sites": [
-        {
-            "id": "UKFR",
-            "name": "Freiburg",
-            "virtualhost": "ukfr.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKHD",
-            "name": "Heidelberg",
-            "virtualhost": "ukhd.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKT",
-            "name": "Tübingen",
-            "virtualhost": "ukt.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKU",
-            "name": "Ulm",
-            "virtualhost": "uku.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UM",
-            "name": "Mainz",
-            "virtualhost": "um.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKMR",
-            "name": "Marburg",
-            "virtualhost": "ukmr.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKE",
-            "name": "Hamburg",
-            "virtualhost": "uke.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKA",
-            "name": "Aachen",
-            "virtualhost": "uka.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "Charite",
-            "name": "Berlin",
-            "virtualhost": "charite.dnpm.de",
-            "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "MRI",
-            "name": "Muenchen-tum",
-            "virtualhost": "mri.dnpm.de",
-            "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "KUM",
-            "name": "Muenchen-lmu",
-            "virtualhost": "kum.dnpm.de",
-            "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "MHH",
-            "name": "Hannover",
-            "virtualhost": "mhh.dnpm.de",
-            "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKDD",
-            "name": "dresden-dnpm",
-            "virtualhost": "ukdd.dnpm.de",
-            "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKB",
-            "name": "Bonn",
-            "virtualhost": "ukb.dnpm.de",
-            "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKD",
-            "name": "Duesseldorf",
-            "virtualhost": "ukd.dnpm.de",
-            "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKK",
-            "name": "Koeln",
-            "virtualhost": "ukk.dnpm.de",
-            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UME",
-            "name": "Essen",
-            "virtualhost": "ume.dnpm.de",
-            "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKM",
-            "name": "Muenster",
-            "virtualhost": "ukm.dnpm.de",
-            "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKF",
-            "name": "Frankfurt",
-            "virtualhost": "ukf.dnpm.de",
-            "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UMG",
-            "name": "Goettingen",
-            "virtualhost": "umg.dnpm.de",
-            "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKW",
-            "name": "Würzburg",
-            "virtualhost": "ukw.dnpm.de",
-            "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "UKSH",
-            "name": "Schleswig-Holstein",
-            "virtualhost": "uksh.dnpm.de",
-            "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
-        },
-        {
-            "id": "TKT",
-            "name": "Test",
-            "virtualhost": "tkt.dnpm.de",
-            "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
-        }
-    ]
-}

minimal/modules/dnpm-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   dnpm-beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
     container_name: bridgehead-dnpm-beam-proxy
     environment:
       BROKER_URL: ${DNPM_BROKER_URL}
@@ -29,19 +29,17 @@ services:
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
       APP_ID: dnpm-connect.${DNPM_PROXY_ID}
       DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
-      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
     extra_hosts:
       - "host.docker.internal:host-gateway"
     volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
@@ -50,10 +48,6 @@ services:
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
 
-  dnpm-echo:
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
-    container_name: bridgehead-dnpm-echo
-
 secrets:
   proxy.pem:
     file: /etc/bridgehead/pki/${SITE_ID}.priv.pem