fix landingpage

Dont test clock skew and priv key for minimal bridgeheads

README.md

@@ -22,6 +22,7 @@ This repository is the starting point for any information and tools you will nee
     - [TLS terminating proxies](#tls-terminating-proxies)
     - [File structure](#file-structure)
     - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
+    - [Loading data](#loading-data)
 4. [Things you should know](#things-you-should-know)
     - [Auto-Updates](#auto-updates)
     - [Auto-Backups](#auto-backups)
@@ -33,6 +34,10 @@ This repository is the starting point for any information and tools you will nee
 
 ## Requirements
 
+The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts:
+
+- [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/)
+
 ### Hardware
 
 Hardware requirements strongly depend on the specific use-cases of your network as well as on the data it is going to serve. Most use-cases are well-served with the following configuration:
@@ -118,7 +123,7 @@ Mention:
 We will set the repository up for you. We will then send you:
 
 - A Repository Short Name (RSN). Beware: this is distinct from your site name.
-- Repository URL containing the acces token eg. https://BH_Dummy:dummy_token@git.verbis.dkfz.de/bbmri-bridgehead-configs/dummy.git
+- Repository URL containing the acces token eg. https://BH_Dummy:dummy_token@git.verbis.dkfz.de/<project>-bridgehead-configs/dummy.git
 
 During the installation, your Bridgehead will download your site's configuration from GitLab and you can review the details provided to us by email.
 
@@ -311,6 +316,32 @@ Once you edited the gitlab config, the bridgehead will autoupdate the config wit
 
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 
+### Loading data
+
+The data accessed by the federated search is held in the Bridgehead in a FHIR store (we use Blaze).
+
+You can load data into this store by using its FHIR API:
+
+```
+https://<Name of your server>/bbmri-localdatamanagement/fhir
+```
+The name of your server will generally be the full name of the VM that the Bridgehead runs on. You can alternatively supply an IP address.
+
+The FHIR API uses basic auth. You can find the credentials in `/etc/bridgehead/<project>.local.conf`.
+
+Note that if you don't have a DNS certificate for the Bridgehead, you will need to allow an insecure connection. E.g. with curl, use the `-k` flag.
+
+The storage space on your hard drive will depend on the number of FHIR resources that you intend to generate. This will be the sum of the number of patients/subjects, the number of samples, the number of conditions/diseases and the number of observations. As a general rule of thumb, you can assume that each resource will consume about 2 kilobytes of disk space.
+
+For more information on Blaze performance, please refer to [import performance](https://github.com/samply/blaze/blob/master/docs/performance/import.md).
+
+#### ETL for BBMRI and GBA
+
+Normally, you will need to build your own ETL to feed the Bridgehead. However, there is one case where a short cut might be available:
+- If you are using CentraXX as a BIMS and you have a FHIR-Export License, then you can employ standard mapping scripts that access the CentraXX-internal data structures and map the data onto the BBMRI FHIR profile. It may be necessary to adjust a few parameters, but this is nonetheless significantly easier than writing your own ETL.
+
+You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile).
+
 ## Things you should know
 
 ### Auto-Updates

bbmri/modules/dnpm-compose.yml

@@ -1,51 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
-    container_name: bridgehead-dnpm-beam-proxy
-    environment:
-      BROKER_URL: ${DNPM_BROKER_URL}
-      PROXY_ID: ${DNPM_PROXY_ID}
-      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root-new.crt.pem:/conf/root.crt.pem:ro
-
-  dnpm-beam-connect:
-    depends_on: [ dnpm-beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
-    container_name: bridgehead-dnpm-beam-connect
-    environment:
-      PROXY_URL: http://dnpm-beam-proxy:8081
-      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
-      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend
-      RUST_LOG: ${RUST_LOG:-info}
-      NO_AUTH: "true"
-    volumes:
-      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
-      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
-      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
-      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
-      - "traefik.http.routers.dnpm-connect.tls=true"
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

bbmri/modules/dnpm-setup.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
-
-	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
-	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
-	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
-fi

bbmri/modules/eric-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   focus-eric:
-    image: docker.verbis.dkfz.de/cache/samply/focus:main
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
     container_name: bridgehead-focus-eric
     environment:
       API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
@@ -32,5 +32,5 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/bbmri/modules/eric.root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
 

bbmri/modules/eric-setup.sh

@@ -4,8 +4,23 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 	log INFO "BBMRI-ERIC setup detected -- will start services for BBMRI-ERIC."
 	OVERRIDE+=" -f ./$PROJECT/modules/eric-compose.yml"
 
-	# Set required variables
-	ERIC_BROKER_ID=broker.bbmri.samply.de
+	# The environment needs to be defined in /etc/bridgehead
+	case "$ENVIRONMENT" in
+		"production")
+			export ERIC_BROKER_ID=broker.bbmri.samply.de
+			export ERIC_ROOT_CERT=eric
+			;;
+		"test")
+			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
+			export ERIC_ROOT_CERT=eric.test
+			;;
+		*)
+			report_error 6 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			export ERIC_BROKER_ID=broker.bbmri.samply.de
+			export ERIC_ROOT_CERT=eric
+			;;
+	esac
+
 	ERIC_BROKER_URL=https://${ERIC_BROKER_ID}
 	ERIC_PROXY_ID=${SITE_ID}.${ERIC_BROKER_ID}
 	ERIC_FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"

bbmri/modules/eric.test.root.crt.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUJ0g7k2vrdAwNTU38S1/mU8NO26MwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjMwNzEwMTIyMzQxWhcNMzMw
+NzA3MTIyNDExWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALMvc/fApbsAl+/NXDszNgffNR5llAb9CfxzdnRn
+ryoBqZdPevBYZZfKBARRKjFbXRDdPWbE7erDeo1LiCM6PObXCuT9wmGWJtvfkmqW
+3Z/a75e4r360kceMEGVn4kWpi9dz8s7+oXVZURjW2r13h6pq6xQNZDNlXmpR8wHG
+58TSrQC4n1vzdSwMWdptgOA8Sw8adR7ZJI1yNZpmynB2QolKKNESI7FcSKC/+b+H
+LoPkseAwQG9yJo23qEw1GZS67B47iKIqX2wp9VLQobHw7ncrhKXQLSWq973k/Swp
+7lBdfOsTouf72flLiF1HbdOLcFDmWgIbf5scj2HaQe8b/UcCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHYxBJiJZieW
+e6G1vwn6Q36/crgNMB8GA1UdIwQYMBaAFHYxBJiJZieWe6G1vwn6Q36/crgNMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCN6WVNYpWJ
+6Z1Ee+otLZYMXhjyR6NUQ5s0aHiug97gB8mTiNlgXiiTgipCbofEmENgh1inYrPC
+WfdXxqOaekSXCQW6nSO1KtBzEYtkN5LrN1cjKqt51P2DbkllinK37wwCS2Kfup1+
+yjhTRxrehSIfsMVK6bTUeSoc8etkgwErZpORhlpqZKWhmOwcMpgsYJJOLhUetqc1
+UNe/254bc0vqHEPT6VI/86c7qAmk1xR0RUfrnKAEqZtUeuoj2fe1L/6yOB16fxt5
+3V3oim7EO6eZCTjDo9fU5DaFiqSMe7WVdr03Na0cWet60XKRH/xaiC6gMWdHWcbh
+vZdXnV1qjlM2
+-----END CERTIFICATE-----

bbmri/modules/gbn-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   focus-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/focus:main
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
     container_name: bridgehead-focus-gbn
     environment:
       API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
@@ -32,5 +32,5 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/bbmri/modules/gbn.root.crt.pem:/conf/root.crt.pem:ro
+      - /srv/docker/bridgehead/bbmri/modules/${GBN_ROOT_CERT}.root.crt.pem:/conf/root.crt.pem:ro
 

bbmri/modules/gbn-setup.sh

@@ -4,8 +4,23 @@ if [ "${ENABLE_GBN}" == "true" ]; then
 	log INFO "GBN setup detected -- will start services for German Biobank Node."
 	OVERRIDE+=" -f ./$PROJECT/modules/gbn-compose.yml"
 
-	# Set required variables
-	GBN_BROKER_ID=broker.bbmri.de
+	# The environment needs to be defined in /etc/bridgehead
+	case "$ENVIRONMENT" in
+		"production")
+			export GBN_BROKER_ID=broker.bbmri.de
+			export GBN_ROOT_CERT=gbn
+			;;
+		"test")
+			export GBN_BROKER_ID=broker.test.bbmri.de
+			export GBN_ROOT_CERT=gbn.test
+			;;
+		*)
+			report_error 6 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			export GBN_BROKER_ID=broker.bbmri.de
+			export GBN_ROOT_CERT=gbn
+			;;
+	esac
+	
 	GBN_BROKER_URL=https://${GBN_BROKER_ID}
 	GBN_PROXY_ID=${SITE_ID}.${GBN_BROKER_ID}
 	GBN_FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"

bbmri/modules/gbn.test.root.crt.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUQJjusHYR89Xas+kRbg41aHZxfmcwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjMwODIxMDk1MDI1WhcNMzMw
+ODE4MDk1MDU1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMP0jt2tSk23Bu+QeogqlFwjbMnqwRcWGKAOF4ch
+aOK2B5u/BnpqIZDZbhfSIJTv8DPe3+nA2VqRfSiW3HbV0auqxx1ii2ZmHYbvO2P/
+Jj6hyIiYYGqCMRVXk7iB+DfMysQEaSJO/7lJSprlVQCl0u7MAQ4q/szVNwcCm2Xi
+iE00Wlota2xTYjnJHYjeaLZL4kQsjqW2aCWHG4q77Z4NXT+lXN9XXedgoXLhuwWl
+UyHhXPjyCVu1iFzsXwSTodPAETGoInRYMqMA7PrbHZu1b2Jz0BwCQ+bark1td+Mf
+l3uP0QduhZnH6zGO0KyUFRzeiesgabv5bgUeSSsIOVjnLJUCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFME99nPh1Vuo
+7eRaymL2Ps7qGxIdMB8GA1UdIwQYMBaAFME99nPh1Vuo7eRaymL2Ps7qGxIdMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQB0WG0xT00R
+5CA0tVHaNo8bQuAXytu566TspKc5vVd3r6mglj/MiSSQG2MVz+GUU6LnnApgln1P
+pvZuyaldB0QdTTLeJVMr/eFtZonlxqcxkj+VW2Y7mRHT7Xx9GQvzKYvSK5m/+xzH
+pAQl8AirgkoZ5b+ltlzM0pDAH204xj3/skmGqM/o0FKzRtpetHYkZPiquHCmO2Cp
+nTMkv7c2qu5t2Dm5q0Tmb7ZRoA1yIYhDn/UfhTAVWQnoMfXK8oB9nkRRb7pAfOXo
+W1K4A+oWqKrJwfIH/Ycnw7hu8hPuGOyIN/PLnLpJp9M2I67vywp5lIvFib4UukyJ
+wJw6/iTienIA
+-----END CERTIFICATE-----

bridgehead

@@ -66,6 +66,22 @@ loadVars() {
 	detectCompose
 	setHostname
 	setupProxy
+
+	# Set some project-independent default values
+	: ${ENVIRONMENT:=production}
+
+	case "$ENVIRONMENT" in
+		"production")
+			export FOCUS_TAG=main
+			;;
+		"test")
+			export FOCUS_TAG=develop
+			;;
+		*)
+			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			export FOCUS_TAG=main
+			;;
+	esac
 }
 
 case "$ACTION" in
@@ -86,6 +102,11 @@ case "$ACTION" in
 		bk_is_running
 		exit $?
 		;;
+	logs)
+		loadVars
+		shift 2
+		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@
+		;;
 	update)
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT

ccp/docker-compose.yml

@@ -19,7 +19,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:main
+    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.0
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -28,7 +28,7 @@ services:
       BLAZE_URL: "http://bridgehead-ccp-blaze:8080/fhir/"
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      OBFUSCATE: "no"
+      EPSILON: 0.28
     depends_on:
       - "beam-proxy"
       - "blaze"

ccp/modules/dnpm-compose.yml

@@ -16,10 +16,14 @@ services:
       LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: "http://forward_proxy:3128"
       HTTPS_PROXY: "http://forward_proxy:3128"
-      NO_PROXY: beam-proxy,dnpm-backend
+      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
       - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
@@ -29,3 +33,7 @@ services:
       - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
+
+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo

ccp/modules/dnpm-node-compose.yml

@@ -0,0 +1,34 @@
+version: "3.7"
+
+services:
+  dnpm-backend:
+    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    container_name: bridgehead-dnpm-backend
+    environment:
+      - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+    volumes:
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - ${DNPM_DATA_DIR}:/bwhc_data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.tls=true"
+
+  dnpm-frontend:
+    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    container_name: bridgehead-dnpm-frontend
+    links:
+      - dnpm-backend
+    environment:
+      - NUXT_HOST=0.0.0.0
+      - NUXT_PORT=8080
+      - BACKEND_PROTOCOL=https
+      - BACKEND_HOSTNAME=$HOST
+      - BACKEND_PORT=443
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.bwhc-frontend.tls=true"

ccp/modules/dnpm-node-setup.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM_NODE}" ]; then
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
+
+	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	if [ -z "${ZPM_SITE+x}" ]; then
+		log ERROR "Mandatory variable ZPM_SITE not defined!"
+		exit 1
+	fi
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+		exit 1
+	fi
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
+	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+		echo "Override of landing page url already in place"
+	else
+		echo "Adding override of landing page url"
+		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		else
+			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		fi
+	fi
+fi

ccp/modules/dnpm-setup.sh

@@ -5,6 +5,11 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi

ccp/modules/id-management-compose.yml

@@ -43,7 +43,7 @@ services:
       - patientlist-db
 
   patientlist-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:15.6-alpine
     container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"

ccp/modules/mtba-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   mtba:
-    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+    image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0
     container_name: bridgehead-mtba
     environment:
       BLAZE_STORE_URL: http://blaze:8080

ccp/root-new.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUN7yzueIZzwpe8PaPEIMY8zoH+eMwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjMwNTIzMTAxNzIzWhcNMzMw
-NTIwMTAxNzUzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAN5JAj+HydSGaxvA0AOcrXVTZ9FfsH0cMVBlQb72
-bGZgrRvkqtB011TNXZfsHl7rPxCY61DcsDJfFq3+8VHT+S9HE0qV1bEwP+oA3xc4
-Opq77av77cNNOqDC7h+jyPhHcUaE33iddmrH9Zn2ofWTSkKHHu3PAe5udCrc2QnD
-4PLRF6gqiEY1mcGknJrXj1ff/X0nRY/m6cnHNXz0Cvh8oPOtbdfGgfZjID2/fJNP
-fNoNKqN+5oJAZ+ZZ9id9rBvKj1ivW3F2EoGjZF268SgZzc5QrM/D1OpSBQf5SF/V
-qUPcQTgt9ry3YR+SZYazLkfKMEOWEa0WsqJVgXdQ6FyergcCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEa70kcseqU5
-bHx2zSt4bG21HokhMB8GA1UdIwQYMBaAFEa70kcseqU5bHx2zSt4bG21HokhMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCGmE7NXW4T
-6J4mV3b132cGEMD7grx5JeiXK5EHMlswUS+Odz0NcBNzhUHdG4WVMbrilHbI5Ua+
-6jdKx5WwnqzjQvElP0MCw6sH/35gbokWgk1provOP99WOFRsQs+9Sm8M2XtMf9HZ
-m3wABwU/O+dhZZ1OT1PjSZD0OKWKqH/KvlsoF5R6P888KpeYFiIWiUNS5z21Jm8A
-ZcllJjiRJ60EmDwSUOQVJJSMOvtr6xTZDZLtAKSN8zN08lsNGzyrFwqjDwU0WTqp
-scMXEGBsWQjlvxqDnXyljepR0oqRIjOvgrWaIgbxcnu98tK/OdBGwlAPKNUW7Crr
-vO+eHxl9iqd4
------END CERTIFICATE-----

lib/functions.sh

@@ -53,7 +53,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 

lib/prerequisites.sh

@@ -67,29 +67,30 @@ log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 source /etc/bridgehead/${PROJECT}.conf
 source ${PROJECT}/vars
 
-set +e
-SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
-RET=$?
-set -e
-if [ $RET -ne 0 ]; then
-	log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
-	log WARN "Unable to check clock skew due to previous error."
-else
-	log INFO "Checking clock skew ..."
+if [ "${PROJECT}" != "minimal" ]; then
+  set +e
+  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+  RET=$?
+  set -e
+  if [ $RET -ne 0 ]; then
+	  log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+  	log WARN "Unable to check clock skew due to previous error."
+  else
+	  log INFO "Checking clock skew ..."
 
-	SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
-	MYTIME=$(date +%s)
-	SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
-	SKEW=$(echo $SKEW | awk -F- '{print $NF}')
-	SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
-	if [ $SKEW -ge 300 ]; then
-		report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
-		exit 1
-	elif [ $SKEW -ge 60 ]; then
-		log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
-	fi
+    SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+	  MYTIME=$(date +%s)
+	  SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+	  SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+	  SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+	  if [ $SKEW -ge 300 ]; then
+		  report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+		  exit 1
+	  elif [ $SKEW -ge 60 ]; then
+		  log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+	  fi
+  fi
 fi
-
 checkPrivKey() {
   if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
     log INFO "Success - private key found."
@@ -100,7 +101,7 @@ checkPrivKey() {
   return 0
 }
 
-if [[ "$@" =~ "noprivkey" ]]; then
+if [[ "$@" =~ "noprivkey" ||  "${PROJECT}" != "minimal" ]]; then
   log INFO "Skipping check for private key for now."
 else
   checkPrivKey || exit 1

lib/update-bridgehead.sh

@@ -86,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

minimal/docker-compose.yml

@@ -55,5 +55,6 @@ services:
       HOST: ${HOST}
       PROJECT: ${PROJECT}
       SITE_NAME: ${SITE_NAME}
+      ENVIRONMENT: "production"
 
 

minimal/modules/dnpm-compose.yml

@@ -18,7 +18,7 @@ services:
       - "forward_proxy"
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root-new.crt.pem:/conf/root.crt.pem:ro
+      - /etc/bridgehead/dnpm/aachen.crt.pem:/conf/root.crt.pem:ro
 
   dnpm-beam-connect:
     depends_on: [ dnpm-beam-proxy ]
@@ -32,10 +32,14 @@ services:
       LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
       - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
@@ -46,6 +50,10 @@ services:
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
 
+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo
+
 secrets:
   proxy.pem:
     file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

minimal/modules/dnpm-node-compose.yml

@@ -0,0 +1,34 @@
+version: "3.7"
+
+services:
+  dnpm-backend:
+    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    container_name: bridgehead-dnpm-backend
+    environment:
+      - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+    volumes:
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - ${DNPM_DATA_DIR}:/bwhc_data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.tls=true"
+
+  dnpm-frontend:
+    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    container_name: bridgehead-dnpm-frontend
+    links:
+      - dnpm-backend
+    environment:
+      - NUXT_HOST=0.0.0.0
+      - NUXT_PORT=8080
+      - BACKEND_PROTOCOL=https
+      - BACKEND_HOSTNAME=$HOST
+      - BACKEND_PORT=443
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.bwhc-frontend.tls=true"

minimal/modules/dnpm-node-setup.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_DNPM_NODE}" ]; then
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
+
+	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
+	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+	if [ -z "${ZPM_SITE+x}" ]; then
+		log ERROR "Mandatory variable ZPM_SITE not defined!"
+		exit 1
+	fi
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+		exit 1
+	fi
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
+	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+		echo "Override of landing page url already in place"
+	else
+		echo "Adding override of landing page url"
+		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		else
+			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		fi
+	fi
+fi

minimal/modules/dnpm-setup.sh

@@ -5,9 +5,18 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 
 	# Set variables required for Beam-Connect
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
+	DNPM_BROKER_ID="dnpm-aachen-broker.samply.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
+	if [ -z ${BROKER_URL_FOR_PREREQ+x} ]; then
+		BROKER_URL_FOR_PREREQ=$DNPM_BROKER_URL
+		log DEBUG "No Broker for clock check set; using $DNPM_BROKER_URL"
+	fi
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi

minimal/modules/nngm-compose.yml

@@ -0,0 +1,29 @@
+version: "3.7"
+volumes:
+  nngm-rest:
+
+services:
+  connector:
+    container_name: bridgehead-connector
+    image: docker.verbis.dkfz.de/ccp/nngm-rest:main
+    environment:
+      CTS_MAGICPL_API_KEY: ${NNGM_MAGICPL_APIKEY}
+      CTS_API_KEY: ${NNGM_CTS_APIKEY}
+      CRYPT_KEY: ${NNGM_CRYPTKEY}
+      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
+      - "traefik.http.middlewares.connector_strip.stripprefix.prefixes=/nngm-connector"
+      - "traefik.http.services.connector.loadbalancer.server.port=8080"
+      - "traefik.http.routers.connector.tls=true"
+      - "traefik.http.routers.connector.middlewares=connector_strip,auth-nngm"
+    volumes:
+      - nngm-rest:/var/log
+
+  traefik:
+    labels:
+      - "traefik.http.middlewares.auth-nngm.basicauth.users=${NNGM_AUTH}"
+
+

minimal/modules/nngm-setup.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "$NNGM_CTS_APIKEY" ]; then
+  log INFO "nNGM setup detected -- will start nNGM Connector."
+  OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml"
+fi