Merge pull request #287 from tm16-medma/patch-1

Update ovis-compose.yml

README.md

@@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
   * git.verbis.dkfz.de
 * To fetch docker images
   * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
     * hub.docker.com
     * registry-1.docker.io
     * production.cloudflare.docker.com
@@ -154,7 +154,7 @@ Pay special attention to:
 Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
-sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
 ```
 
 Then, run the installation script:

bridgehead

@@ -53,17 +53,44 @@ case "$PROJECT" in
 		;;
 esac
 
+# Loads config variables and runs the projects setup script
 loadVars() {
-	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
+	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+	# Source the project specific local config file if present
+	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
+	# Set execution environment on main default to prod else test
+	if [[ -z "${ENVIRONMENT+x}" ]]; then
+		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
+			ENVIRONMENT="production"
+		else
+			ENVIRONMENT="test"
+		fi
+	fi
+	# Source the versions of the images components 
+	case "$ENVIRONMENT" in
+		"production")
+			source ./versions/prod
+			;;
+		"test")
+			source ./versions/test
+			;;
+		*)
+			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			source ./versions/prod
+			;;
+	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
+	# Run project specific setup if it exists
+	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
+	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 
@@ -79,26 +106,6 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
-
-	# Set some project-independent default values
-	: ${ENVIRONMENT:=production}
-	export ENVIRONMENT
-
-	case "$ENVIRONMENT" in
-		"production")
-			export FOCUS_TAG=main
-			export BEAM_TAG=main
-			;;
-		"test")
-			export FOCUS_TAG=develop
-			export BEAM_TAG=develop
-			;;
-		*)
-			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
-			export FOCUS_TAG=main
-			export BEAM_TAG=main
-			;;
-	esac
 }
 
 case "$ACTION" in

ccp/modules/dnpm-compose.yml

@@ -13,7 +13,7 @@ services:
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
       APP_ID: dnpm-connect.${PROXY_ID}
       DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
       HTTP_PROXY: "http://forward_proxy:3128"
       HTTPS_PROXY: "http://forward_proxy:3128"
       NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@@ -25,7 +25,7 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"

ccp/modules/dnpm-node-compose.yml

@@ -1,34 +1,99 @@
 version: "3.7"
 
 services:
-  dnpm-backend:
+  dnpm-mysql:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    image: mysql:9
-    container_name: bridgehead-dnpm-backend
+    healthcheck:
+      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
+      interval: 3s
+      timeout: 5s
+      retries: 5
     environment:
-      - ZPM_SITE=${ZPM_SITE}
+      MYSQL_ROOT_HOST: "%"
-      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
     volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
-      - ${DNPM_DATA_DIR}:/bwhc_data
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.bwhc-backend.tls=true"
 
-  dnpm-frontend:
+  dnpm-authup:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    image: authup/authup:latest
-    container_name: bridgehead-dnpm-frontend
+    container_name: bridgehead-dnpm-authup
-    links:
+    volumes:
-      - dnpm-backend
+      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
+    depends_on:
+      dnpm-mysql:
+        condition: service_healthy
+    command: server/core start
     environment:
-      - NUXT_HOST=0.0.0.0
+      - PUBLIC_URL=https://${HOST}/auth/
-      - NUXT_PORT=8080
+      - AUTHORIZE_REDIRECT_URL=https://${HOST}
-      - BACKEND_PROTOCOL=https
+      - ROBOT_ADMIN_ENABLED=true
-      - BACKEND_HOSTNAME=$HOST
+      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
-      - BACKEND_PORT=443
+      - ROBOT_ADMIN_SECRET_RESET=true
+      - DB_TYPE=mysql
+      - DB_HOST=dnpm-mysql
+      - DB_USERNAME=root
+      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
+      - DB_DATABASE=auth
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
-      - "traefik.http.routers.bwhc-frontend.tls=true"
+      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
+      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-auth.tls=true"
+
+  dnpm-portal:
+    image: ghcr.io/dnpm-dip/portal:latest
+    container_name: bridgehead-dnpm-portal
+    environment:
+      - NUXT_API_URL=http://dnpm-backend:9000/
+      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
+      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
+      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-frontend.tls=true"
+
+  dnpm-backend:
+    container_name: bridgehead-dnpm-backend
+    image: ghcr.io/dnpm-dip/backend:latest
+    environment:
+      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
+      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - HATEOAS_HOST=https://${HOST}
+      - CONNECTOR_TYPE=broker
+      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
+    volumes:
+      - /etc/bridgehead/dnpm/config:/dnpm_config
+      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+    depends_on:
+      dnpm-authup:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
+
+  landing:
+    labels:
+      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"

ccp/modules/dnpm-node-setup.sh

@@ -1,28 +1,16 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	log INFO "DNPM setup detected -- will start DNPM:DIP node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
-		exit 1
+    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
-	fi
+    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
-	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
-	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-		echo "Override of landing page url already in place"
-	else
-		echo "Adding override of landing page url"
-		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-		else
-			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-		fi
-	fi
 fi

ccp/modules/ovis-compose.yml

@@ -0,0 +1,112 @@
+version: '3.7'
+
+services:
+
+  ovis-traefik-forward-auth:
+      image: quay.io/oauth2-proxy/oauth2-proxy:latest
+      environment:
+        - http_proxy=${http_proxy:-http://forward_proxy:3128}
+        - https_proxy=${https_proxy:-http://forward_proxy:3128}
+        - OAUTH2_PROXY_PROVIDER=oidc
+        - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+        - OAUTH2_PROXY_OIDC_ISSUER_URL=${OAUTH_ISSUER_URL}
+        - OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID}
+        - OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
+        - OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET}
+        - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST:-localhost}
+        - OAUTH2_PROXY_COOKIE_REFRESH=4m
+        - OAUTH2_PROXY_COOKIE_EXPIRE=24h
+        - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+        - OAUTH2_PROXY_REVERSE_PROXY=true
+        - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST:-localhost}
+        - OAUTH2_PROXY_UPSTREAMS=static://202
+        - OAUTH2_PROXY_EMAIL_DOMAINS=*
+        #- OAUTH2_PROXY_ALLOWED_GROUPS=app-ovis
+        #- OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
+        - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+        # For some reason, login.verbis.dkfz.de does not have a "groups" scope but this comes automatically through a
+        # scope called microprofile-jwt. Remove the following line once we have a "groups" scope.
+        - OAUTH2_PROXY_SCOPE=openid profile email
+        # Pass Authorization Header and some user information to spot
+        - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+        - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.address=http://ovis-traefik-forward-auth:4180"
+        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email"
+        - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
+        - "traefik.http.routers.oauth2.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/oauth2-ovis/`)"
+        - "traefik.http.routers.oauth2.tls=true"
+
+  fhir-transformer:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-fhir-transformer:latest
+    restart: on-failure
+    environment:
+      - FHIR_SERVER_URL=${FHIR_SERVER_URL:-http://bridgehead-ccp-blaze:8080/fhir}
+      - FHIR_USERNAME=${FHIR_USERNAME}
+      - FHIR_PASSWORD=${FHIR_PASSWORD}
+    volumes:
+      - /var/cache/bridgehead/ccp/ovis/shared_data:/app/output
+
+  mongo:
+    image: mongo:${MONGO_VER:-latest}
+    restart: always
+    command: mongod
+      - /var/cache/bridgehead/ccp/ovis/mongo/init/init.js:/docker-entrypoint-initdb.d/init.js
+
+  backend:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-backend:latest
+    restart: always
+    user: root
+    working_dir: /app
+    environment:
+      - APOLLO_PORT=${APOLLO_PORT:-4001}
+      - CREDOS_PORT=${CREDOS_PORT:-4000}
+      - MONGO_VER=latest
+      - CORS_ORIGIN=*
+      - DB=${DB:-onc_test}
+      - ADRESS=${ADRESS:-mongodb://mongo:27017}
+    depends_on:
+      - mongo
+      - fhir-transformer
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:${APOLLO_PORT:-4001}/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
+    entrypoint: >
+      sh -c "
+        # First run the initialization process
+        while [ ! -f /shared/omock.json ]; do
+          echo 'Waiting for omock.json...'
+          sleep 5
+        done;
+        mkdir -p ./prep &&
+        cp /shared/omock.json ./prep/omock.json &&
+        node ./mgDB/prep/preprocessor.mjs &&
+        echo 'Processing complete' &&
+        exec node --watch index.js"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ovis-backend.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/graphql`)"
+      - "traefik.http.routers.ovis-backend.tls=true"
+      - "traefik.http.services.ovis-backend.loadbalancer.server.port=${APOLLO_PORT:-4001}"
+    volumes:
+      - /var/cache/bridgehead/ccp/ovis/shared_data:/shared
+
+  frontend:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-frontend:latest
+    restart: always
+    environment:
+      - PUBLIC_GRAPHQL_URL=https://${HOST:-localhost}/graphql
+    depends_on:
+      backend:
+        condition: service_healthy
+    working_dir: /app
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ovis-frontend.tls=true"
+      - "traefik.http.routers.ovis-frontend.rule=Host(`${HOST:-localhost}`)"
+      - "traefik.http.routers.ovis-frontend.middlewares=traefik-forward-auth"
+      - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173"

ccp/modules/ovis-setup.sh

@@ -0,0 +1,108 @@
+#!/bin/bash -e
+
+if [ -n "$ENABLE_OVIS" ];then
+    # Setup MongoDB initialization directory if it doesn't exist
+    mkdir -p "/var/cache/bridgehead/ccp/ovis/mongo/init"
+    
+    # Generate MongoDB initialization script directly
+    cat > "/var/cache/bridgehead/ccp/ovis/mongo/init/init.js" << 'EOF'
+db = db.getSiblingDB("test_credos");
+db.createCollection("user");
+db.user.insertMany([{
+    "_id": "OVIS-Root",
+    "createdAt": new Date(),
+    "createdBy": "system",
+    "role": "super-admin",
+    "status": "active",
+    "pseudonymization": false,
+    "darkMode": false,
+    "colorTheme": "CCCMunich",
+    "language":  "de",
+}]);
+
+db = db.getSiblingDB("onc_test");
+db.createCollection("user");
+db.user.insertMany([{
+    "_id": "OVIS-Root",
+    "createdAt": new Date(),
+    "createdBy": "system",
+    "role": "super-admin",
+    "status": "active",
+    "pseudonymization": false,
+    "darkMode": false,
+    "colorTheme": "CCCMunich",
+    "language":  "de",
+}]);
+
+db.ops.insertMany([
+    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an Nervensystem und endokrinen Organen "},
+    {"OPSC_4":"1-44","OPS_Gruppen_Text":"Biopsie ohne Inzision an den Verdauungsorganen"},
+    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an anderen Organen und Geweben"},
+    {"OPSC_4":"1-50","OPS_Gruppen_Text":"Biopsie an Haut, Mamma, Knochen und Muskeln durch Inzision"},
+    {"OPSC_4":"1-51","OPS_Gruppen_Text":"Biopsie an Nervengewebe, Hypophyse, Corpus pineale durch Inzision und Trepanation von Schädelknochen "},
+    {"OPSC_4":"1-55","OPS_Gruppen_Text":"Biopsie an anderen Verdauungsorganen, Zwerchfell und (Retro-)Peritoneum durch Inzision "},
+    {"OPSC_4":"1-56","OPS_Gruppen_Text":"Biopsie an Harnwegen und männlichen Geschlechtsorgannen durch Inzision"},
+    {"OPSC_4":"1-58","OPS_Gruppen_Text":"Biopsie an anderen Organen durch Inzision "},
+    {"OPSC_4":"1-63","OPS_Gruppen_Text":"Diagnostische Endoskopie des oberen Verdauungstraktes"},
+    {"OPSC_4":"1-65","OPS_Gruppen_Text":"Diagnostische Endoskopie des unteren Verdauungstraktes"},
+    {"OPSC_4":"1-69","OPS_Gruppen_Text":"Diagnostische Endoskopie durch Inzision und intraoperativ "},
+    {"OPSC_4":"5-01","OPS_Gruppen_Text":"Inzision (Trepanation) und Exzision an Schädel, Gehirn und Hirnhäuten"},
+    {"OPSC_4":"5-02","OPS_Gruppen_Text":"Andere Operationen  an Schädel, Gehirn und Hirnhäuten"},
+    {"OPSC_4":"5-03","OPS_Gruppen_Text":"Operationen an Rückenmark, Rückenmarkhäuten und Spinalkanal"},
+    {"OPSC_4":"5-05","OPS_Gruppen_Text":"Andere Operationen an Nerven und Nervenganglien "},
+    {"OPSC_4":"5-06","OPS_Gruppen_Text":"Operationen an Schilddrüse und Nebenschilddrüse "},
+    {"OPSC_4":"5-07","OPS_Gruppen_Text":"Operationen an anderen endokrinen Drüsen "},
+    {"OPSC_4":"5-20","OPS_Gruppen_Text":"Andere Operationen an Mittel- und Innenohr "},
+    {"OPSC_4":"5-25","OPS_Gruppen_Text":"Operationen an der Zunge "},
+    {"OPSC_4":"5-31","OPS_Gruppen_Text":"Andere Larynxoperationen und Operationen an der Trachea "},
+    {"OPSC_4":"5-32","OPS_Gruppen_Text":"Exzision und Resektion an Lunge und Bronchus "},
+    {"OPSC_4":"5-33","OPS_Gruppen_Text":"Andere Operationen an Lunge und Bronchus"},
+    {"OPSC_4":"5-34","OPS_Gruppen_Text":"Operationen an Brustwand, Pleura, Mediastinum und Zwerchfell "},
+    {"OPSC_4":"5-37","OPS_Gruppen_Text":"Rhythmuschirurgie und andere Operationen an Herz und Perikard"},
+    {"OPSC_4":"5-38","OPS_Gruppen_Text":"Inzision, Exzision und Verschluß von Blutgefäßen "},
+    {"OPSC_4":"5-39","OPS_Gruppen_Text":"Andere Operationen an Blutgefäßen "},
+    {"OPSC_4":"5-40","OPS_Gruppen_Text":"Operationen am Lymphgewebe "},
+    {"OPSC_4":"5-41","OPS_Gruppen_Text":"Operationen an Milz und Knochenmark "},
+    {"OPSC_4":"5-42","OPS_Gruppen_Text":"Operationen am Ösophagus "},
+    {"OPSC_4":"5-43","OPS_Gruppen_Text":"Inzision, Exzision und Resektion am Magen "},
+    {"OPSC_4":"5-44","OPS_Gruppen_Text":"Erweiterte Magenresektion und andere Operationen am Magen "},
+    {"OPSC_4":"5-45","OPS_Gruppen_Text":"Inzision, Exzision, Resektion und Anastomose an Dünn- und Dickdarm "},
+    {"OPSC_4":"5-46","OPS_Gruppen_Text":"Andere Operationen an Dünn- und Dickdarm "},
+    {"OPSC_4":"5-47","OPS_Gruppen_Text":"Operationen an der Appendix "},
+    {"OPSC_4":"5-48","OPS_Gruppen_Text":"Operationen am Rektum "},
+    {"OPSC_4":"5-49","OPS_Gruppen_Text":"Operationen am Anus "},
+    {"OPSC_4":"5-50","OPS_Gruppen_Text":"Operationen an der Leber "},
+    {"OPSC_4":"5-51","OPS_Gruppen_Text":"Operationen an Gallenblase und Gallenwegen "},
+    {"OPSC_4":"5-52","OPS_Gruppen_Text":"Operationen am Pankreas "},
+    {"OPSC_4":"5-53","OPS_Gruppen_Text":"Verschluß abdominaler Hernien "},
+    {"OPSC_4":"5-54","OPS_Gruppen_Text":"Andere Operationen in der Bauchregion "},
+    {"OPSC_4":"5-55","OPS_Gruppen_Text":"Operationen an der Niere "},
+    {"OPSC_4":"5-56","OPS_Gruppen_Text":"Operationen am Ureter "},
+    {"OPSC_4":"5-57","OPS_Gruppen_Text":"Operationen an der Harnblase "},
+    {"OPSC_4":"5-59","OPS_Gruppen_Text":"Andere Operationen an den Harnorganen "},
+    {"OPSC_4":"5-60","OPS_Gruppen_Text":"Operationen an Prostata und Vesiculae seminales "},
+    {"OPSC_4":"5-61","OPS_Gruppen_Text":"Operationen an Skrotum und Tunica vaginalis testis"},
+    {"OPSC_4":"5-62","OPS_Gruppen_Text":"Operationen am Hoden "},
+    {"OPSC_4":"5-65","OPS_Gruppen_Text":"Operationen am Ovar "},
+    {"OPSC_4":"5-68","OPS_Gruppen_Text":"Inzision, Exzision und Exstirpation des Uterus "},
+    {"OPSC_4":"5-70","OPS_Gruppen_Text":"Operationen an Vagina und Douglasraum "},
+    {"OPSC_4":"5-71","OPS_Gruppen_Text":"Operationen an der Vulva "},
+    {"OPSC_4":"5-85","OPS_Gruppen_Text":"Operationen an Muskeln, Sehnen, Faszien und Schleimbeuteln"},
+    {"OPSC_4":"5-87","OPS_Gruppen_Text":"Exzision und Resektion der Mamma "},
+    {"OPSC_4":"5-89","OPS_Gruppen_Text":"Operationen an Haut und Unterhaut "},
+    {"OPSC_4":"5-90","OPS_Gruppen_Text":"Operative Wiederherstellung und Rekonstruktion von Haut und Unterhaut"},
+    {"OPSC_4":"5-91","OPS_Gruppen_Text":"Andere Operationen an Haut und Unterhaut "},
+    {"OPSC_4":"5-93","OPS_Gruppen_Text":"Angaben zum Transplantat und zu verwendeten Materialien"},
+    {"OPSC_4":"5-98","OPS_Gruppen_Text":"Spezielle Operationstechniken und Operationen bei speziellen Versorgungssituationen "},
+    {"OPSC_4":"8-13","OPS_Gruppen_Text":"Manipulation am Harntrakt"},
+    {"OPSC_4":"8-14","OPS_Gruppen_Text":"Therapeutische Kathedirisierung, Aspiration, Punktion und Spülung "},
+    {"OPSC_4":"8-15","OPS_Gruppen_Text":"Therapeutische Aspiration und Entleerung durch Punktion "},
+    {"OPSC_4":"8-17","OPS_Gruppen_Text":"Spülung (Lavage) "},
+    {"OPSC_4":"8-19","OPS_Gruppen_Text":"Verbände "},
+    {"OPSC_4":"8-77","OPS_Gruppen_Text":"Maßnahmen im Rahmen der Reanimation "},
+    {"OPSC_4":"8-92","OPS_Gruppen_Text":"Neurologisches Monitoring "},
+])
+EOF
+    
+    OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
+fi

dhki/vars

@@ -18,3 +18,11 @@ done
 
 idManagementSetup
 obds2fhirRestSetup
+
+for module in modules/*.sh
+do
+    log DEBUG "sourcing $module"
+    source $module
+done
+
+transfairSetup

lib/functions.sh

@@ -318,7 +318,7 @@ function sync_secrets() {
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 
     set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/*
+    source /var/cache/bridgehead/secrets/oidc
     set +a # Export variables in the regular way
 }
 

lib/gitlab-token-helper.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[ "$1" = "get" ] || exit
+
+source /var/cache/bridgehead/secrets/gitlab_token
+
+# Any non-empty username works, only the token matters
+cat << EOF
+username=bk
+password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
+EOF

lib/gitpassword.sh

@@ -1,41 +0,0 @@
-#!/bin/bash
-
-if [ "$1" != "get" ]; then
-	echo "Usage: $0 get"
-	exit 1
-fi
-
-baseDir() {
-	# see https://stackoverflow.com/questions/59895
-	SOURCE=${BASH_SOURCE[0]}
-	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
-		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
-		SOURCE=$(readlink "$SOURCE")
-		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
-        done
-        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
-        echo $DIR
-}
-
-BASE=$(baseDir)
-cd $BASE
-
-source lib/functions.sh
-
-assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
-
-PARAMS="$(cat)"
-GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-
-fetchVarsFromVault GIT_PASSWORD
-
-if [ -z "${GIT_PASSWORD}" ]; then
-	fail_and_report 1 "gitpassword.sh failed: Git password not found."
-fi
-
-cat <<EOF
-protocol=https
-host=$GITHOST
-username=bk-${SITE_ID}
-password=${GIT_PASSWORD}
-EOF

lib/update-bridgehead.sh

@@ -19,7 +19,7 @@ fi
 
 hc_send log "Checking for bridgehead updates ..."
 
-CONFFILE=/etc/bridgehead/$1.conf
+CONFFILE=/etc/bridgehead/$PROJECT.conf
 
 if [ ! -e $CONFFILE ]; then
   fail_and_report 1 "Configuration file $CONFFILE not found."
@@ -33,7 +33,43 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+# If it is missing or expired, Secret Sync will create a new token and write it to the file.
+# The git credential helper reads the token from the file during git pull.
+mkdir -p /var/cache/bridgehead/secrets
+touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
+log "INFO" "Running Secret Sync for the GitLab token"
+docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
+docker run --rm \
+  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
+  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+  -e NO_PROXY=localhost,127.0.0.1 \
+  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+  -e PROXY_ID=$PROXY_ID \
+  -e BROKER_URL=$BROKER_URL \
+  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
+  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+if [ $? -eq 0 ]; then
+  log "INFO" "Secret Sync was successful"
+  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
+  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+  # Set the git credential helper
+  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
+else
+  log "WARN" "Secret Sync failed"
+  # Remove the git credential helper
+  git -C /etc/bridgehead config --unset credential.helper
+fi
+
+# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
+# Let's remove it to avoid confusion. This line can be removed at some point the future when we
+# believe that it was removed on all/most production servers.
+git -C /srv/docker/bridgehead config --unset credential.helper
 
 CHANGES=""
 
@@ -45,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
-  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
-    log "INFO" "Configuring repo to use bridgehead git credential helper."
-    git -C $DIR config credential.helper "$CREDHELPER"
-  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"

minimal/docker-compose.yml

@@ -16,7 +16,7 @@ services:
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"

minimal/modules/dnpm-central-targets.json

@@ -0,0 +1,142 @@
+{
+    "sites": [
+        {
+            "id": "UKFR",
+            "name": "Freiburg",
+            "virtualhost": "ukfr.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKHD",
+            "name": "Heidelberg",
+            "virtualhost": "ukhd.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKT",
+            "name": "Tübingen",
+            "virtualhost": "ukt.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKU",
+            "name": "Ulm",
+            "virtualhost": "uku.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UM",
+            "name": "Mainz",
+            "virtualhost": "um.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKMR",
+            "name": "Marburg",
+            "virtualhost": "ukmr.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKE",
+            "name": "Hamburg",
+            "virtualhost": "uke.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKA",
+            "name": "Aachen",
+            "virtualhost": "uka.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "Charite",
+            "name": "Berlin",
+            "virtualhost": "charite.dnpm.de",
+            "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "MRI",
+            "name": "Muenchen-tum",
+            "virtualhost": "mri.dnpm.de",
+            "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "KUM",
+            "name": "Muenchen-lmu",
+            "virtualhost": "kum.dnpm.de",
+            "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "MHH",
+            "name": "Hannover",
+            "virtualhost": "mhh.dnpm.de",
+            "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKDD",
+            "name": "dresden-dnpm",
+            "virtualhost": "ukdd.dnpm.de",
+            "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKB",
+            "name": "Bonn",
+            "virtualhost": "ukb.dnpm.de",
+            "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKD",
+            "name": "Duesseldorf",
+            "virtualhost": "ukd.dnpm.de",
+            "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKK",
+            "name": "Koeln",
+            "virtualhost": "ukk.dnpm.de",
+            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UME",
+            "name": "Essen",
+            "virtualhost": "ume.dnpm.de",
+            "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKM",
+            "name": "Muenster",
+            "virtualhost": "ukm.dnpm.de",
+            "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKF",
+            "name": "Frankfurt",
+            "virtualhost": "ukf.dnpm.de",
+            "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UMG",
+            "name": "Goettingen",
+            "virtualhost": "umg.dnpm.de",
+            "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKW",
+            "name": "Würzburg",
+            "virtualhost": "ukw.dnpm.de",
+            "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "UKSH",
+            "name": "Schleswig-Holstein",
+            "virtualhost": "uksh.dnpm.de",
+            "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
+        },
+        {
+            "id": "TKT",
+            "name": "Test",
+            "virtualhost": "tkt.dnpm.de",
+            "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
+        }
+    ]
+}

minimal/modules/dnpm-compose.yml

@@ -29,7 +29,7 @@ services:
       PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
       APP_ID: dnpm-connect.${DNPM_PROXY_ID}
       DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
       NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@@ -41,7 +41,7 @@ services:
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"

minimal/modules/dnpm-node-compose.yml

@@ -1,34 +1,99 @@
 version: "3.7"
 
 services:
-  dnpm-backend:
+  dnpm-mysql:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    image: mysql:9
-    container_name: bridgehead-dnpm-backend
+    healthcheck:
+      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
+      interval: 3s
+      timeout: 5s
+      retries: 5
     environment:
-      - ZPM_SITE=${ZPM_SITE}
+      MYSQL_ROOT_HOST: "%"
-      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
     volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
-      - ${DNPM_DATA_DIR}:/bwhc_data
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.bwhc-backend.tls=true"
 
-  dnpm-frontend:
+  dnpm-authup:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    image: authup/authup:latest
-    container_name: bridgehead-dnpm-frontend
+    container_name: bridgehead-dnpm-authup
-    links:
+    volumes:
-      - dnpm-backend
+      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
+    depends_on:
+      dnpm-mysql:
+        condition: service_healthy
+    command: server/core start
     environment:
-      - NUXT_HOST=0.0.0.0
+      - PUBLIC_URL=https://${HOST}/auth/
-      - NUXT_PORT=8080
+      - AUTHORIZE_REDIRECT_URL=https://${HOST}
-      - BACKEND_PROTOCOL=https
+      - ROBOT_ADMIN_ENABLED=true
-      - BACKEND_HOSTNAME=$HOST
+      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
-      - BACKEND_PORT=443
+      - ROBOT_ADMIN_SECRET_RESET=true
+      - DB_TYPE=mysql
+      - DB_HOST=dnpm-mysql
+      - DB_USERNAME=root
+      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
+      - DB_DATABASE=auth
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth/"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
-      - "traefik.http.routers.bwhc-frontend.tls=true"
+      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
+      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-auth.tls=true"
+
+  dnpm-portal:
+    image: ghcr.io/dnpm-dip/portal:latest
+    container_name: bridgehead-dnpm-portal
+    environment:
+      - NUXT_API_URL=http://dnpm-backend:9000/
+      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
+      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
+      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
+      - "traefik.http.routers.dnpm-frontend.tls=true"
+
+  dnpm-backend:
+    container_name: bridgehead-dnpm-backend
+    image: ghcr.io/dnpm-dip/backend:latest
+    environment:
+      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
+      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - HATEOAS_HOST=https://${HOST}
+      - CONNECTOR_TYPE=broker
+      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
+    volumes:
+      - /etc/bridgehead/dnpm/config:/dnpm_config
+      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+    depends_on:
+      dnpm-authup:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      # expose everything
+      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.dnpm-backend.tls=true"
+      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
+      # except ETL
+      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-etl.tls=true"
+      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
+      # this needs an ETL processor with support for basic auth
+      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
+      # except peer-to-peer
+      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
+      - "traefik.http.routers.dnpm-backend-peer.tls=true"
+      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
+      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
+      # this effectively denies all requests
+      # this is okay, because requests from peers don't go through Traefik
+      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
+
+  landing:
+    labels:
+      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"

minimal/modules/dnpm-node-setup.sh

@@ -1,28 +1,16 @@
 #!/bin/bash
 
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	log INFO "DNPM setup detected -- will start DNPM:DIP node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
-		exit 1
+    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
-	fi
+    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
-	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
-	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-		echo "Override of landing page url already in place"
-	else
-		echo "Adding override of landing page url"
-		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-		else
-			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-		fi
-	fi
 fi

modules/transfair-compose.yml

@@ -0,0 +1,51 @@
+
+services:
+  transfair:
+    image: docker.verbis.dkfz.de/cache/samply/transfair:latest
+    container_name: bridgehead-transfair
+    environment:
+      # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
+      - INSTITUTE_TTP_URL
+      - INSTITUTE_TTP_API_KEY
+      - PROJECT_ID_SYSTEM
+      - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
+      - FHIR_INPUT_URL=${FHIR_INPUT_URL}
+      - FHIR_OUTPUT_URL=${FHIR_OUTPUT_URL:-http://blaze:8080}
+      - FHIR_REQUEST_CREDENTIALS=${FHIR_REQUEST_CREDENTIALS}
+      - FHIR_INPUT_CREDENTIALS=${FHIR_INPUT_CREDENTIALS}
+      - FHIR_OUTPUT_CREDENTIALS=${FHIR_OUTPUT_CREDENTIALS}
+      - EXCHANGE_ID_SYSTEM=${EXCHANGE_ID_SYSTEM:-SESSION_ID}
+      - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
+      - RUST_LOG=${RUST_LOG:-info}
+    volumes:
+      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
+
+  transfair-input-blaze:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+    container_name: bridgehead-transfair-input-blaze
+    environment:
+      BASE_URL: "http://bridgehead-transfair-input-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1024m"
+      DB_BLOCK_CACHE_SIZE: 1024
+      CQL_EXPR_CACHE_SIZE: 8
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "transfair-input-blaze-data:/app/data"
+    profiles: ["transfair-input-blaze"]
+
+  transfair-request-blaze:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+    container_name: bridgehead-transfair-requests-blaze
+    environment:
+      BASE_URL: "http://bridgehead-transfair-requests-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx1024m"
+      DB_BLOCK_CACHE_SIZE: 1024
+      CQL_EXPR_CACHE_SIZE: 8
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "transfair-request-blaze-data:/app/data"
+    profiles: ["transfair-request-blaze"]
+
+volumes:
+  transfair-input-blaze-data:
+  transfair-request-blaze-data:

modules/transfair-setup.sh

@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+function transfairSetup() {
+    if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
+        echo "Starting transfair."
+	    OVERRIDE+=" -f ./modules/transfair-compose.yml"
+	    if [ -n "$FHIR_INPUT_URL" ]; then
+		    log INFO "TransFAIR input fhir store set to external $FHIR_INPUT_URL"
+	    else
+		    log INFO "TransFAIR input fhir store not set writing to internal blaze"
+		    FHIR_INPUT_URL="http://transfair-input-blaze:8080"
+		    OVERRIDE+=" --profile transfair-input-blaze"
+	    fi
+	    if [ -n "$FHIR_REQUEST_URL" ]; then
+		    log INFO "TransFAIR request fhir store set to external $FHIR_REQUEST_URL"
+	    else
+		    log INFO "TransFAIR request fhir store not set writing to internal blaze"
+		    FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
+		    OVERRIDE+=" --profile transfair-request-blaze"
+	    fi
+    fi
+}

versions/prod

@@ -0,0 +1,2 @@
+FOCUS_TAG=main
+BEAM_TAG=main

versions/test

@@ -0,0 +1,2 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop