feature: add github action for automated pull request for the pilot branch, after pull requests on main

Merge pull request #205 from samply/fix/login-confusion-with-datashield
fix: specify host for id-management login
2025-06-16 23:00:15 +02:00 · 2024-08-27 14:41:06 +02:00 · 2024-08-20 08:22:24 +02:00 · 2024-08-19 17:09:10 +02:00 · 2024-08-19 15:53:54 +02:00 · 2024-08-19 14:43:21 +02:00
54 changed files with 455 additions and 449 deletions
--- a/.github/workflows/auto-pr.yml
+++ b/.github/workflows/auto-pr.yml
@ -0,0 +1,21 @@
+name: Automatically generate Pull Requests for feature/pilot-projects
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+jobs:
+  create_pr:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Create Pull Request to feature/pilot-projects branch
+        run: gh pr create -B feature/pilot-projects -H main --title 'Create Pull Request to feature/pilot-projects branch' --body 'Created by Github action'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/README.md
+++ b/README.md
@ -200,7 +200,7 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 After starting the Bridgehead, you can watch the initialization process with the following command:

 ```shell
-journalctl -u bridgehead@bbmri -f
+/srv/docker/bridgehead/bridgehead logs <project> -f
 ```

 if this exits with something similar to the following:
@ -220,8 +220,9 @@ docker ps
 There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:

 ```shell
-journalctl -u bridgehead@bbmri -f
+/srv/docker/bridgehead/bridgehead logs <Project> -f
 ```
+This translates to a journalctl command so all the regular journalctl flags can be used.

 Once the Bridgehead has passed these checks, take a look at the landing page:

@ -235,7 +236,7 @@ You can either do this in a browser or with curl. If you visit the URL in the br
 curl -k https://localhost
 ```

-If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong.
+Should the landing page not show anything, you can inspect the logs of the containers to determine what is going wrong. To do this you can use `./bridgehead docker-logs <Project> -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work.

 If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead.

@ -298,19 +299,19 @@ Once you have added your biobank to the Directory you got persistent identifier

 The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature.

+You should talk with your local data protection group regarding the information that is published by Directory sync.
+
 Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).

 To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:

 ```
-DS_DIRECTORY_URL=https://directory.bbmri-eric.eu
 DS_DIRECTORY_USER_NAME=your_directory_username
-DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887
-DS_TIMER_CRON="0 22 * * *"
+DS_DIRECTORY_USER_PASS=your_directory_password
 ```
-You must contact the Directory team for your national node to find the URL, and to register as a user.
+Please contact your National Node to obtain this information.

-Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention.
+Optionally, you **may** change when you want Directory sync to run by specifying a [cron](https://crontab.guru) expression, e.g. `DS_TIMER_CRON="0 22 * * *"` for 10 pm every evening.

 Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.

--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@ -4,12 +4,13 @@ version: "3.7"

 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-bbmri-blaze
    environment:
      BASE_URL: "http://bridgehead-bbmri-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
-      LOG_LEVEL: "debug"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@ -4,7 +4,13 @@ services:
  directory_sync_service:
    image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
    environment:
-      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
+      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
-      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_TIMER_CRON: ${DS_TIMER_CRON}
+      DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
+      DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
+      DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
+      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
+      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
+      DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
+    depends_on:
+      - "blaze"
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@ -1,53 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
-    container_name: bridgehead-dnpm-beam-proxy
-    environment:
-      BROKER_URL: ${DNPM_BROKER_URL}
-      PROXY_ID: ${DNPM_PROXY_ID}
-      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
-
-  dnpm-beam-connect:
-    depends_on: [ dnpm-beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
-    container_name: bridgehead-dnpm-beam-connect
-    environment:
-      PROXY_URL: http://dnpm-beam-proxy:8081
-      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
-      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
-      RUST_LOG: ${RUST_LOG:-info}
-      NO_AUTH: "true"
-    extra_host:
-      - "host.docker.internal:host-gateway"
-    volumes:
-      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
-      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
-      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
-      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
-      - "traefik.http.routers.dnpm-connect.tls=true"
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/bbmri/modules/dnpm-node-compose.yml
+++ b/bbmri/modules/dnpm-node-compose.yml
@ -1,33 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-backend:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
-    container_name: bridgehead-dnpm-backend
-    environment:
-      - ZPM_SITE=${ZPM_SITE}
-    volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
-      - ${DNPM_DATA_DIR}:/bwhc_data
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.bwhc-backend.tls=true"
-
-  dnpm-frontend:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
-    container_name: bridgehead-dnpm-frontend
-    links:
-      - dnpm-backend
-    environment:
-      - NUXT_HOST=0.0.0.0
-      - NUXT_PORT=8080
-      - BACKEND_PROTOCOL=https
-      - BACKEND_HOSTNAME=$HOST
-      - BACKEND_PORT=443
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
-      - "traefik.http.routers.bwhc-frontend.tls=true"
--- a/bbmri/modules/dnpm-node-setup.sh
+++ b/bbmri/modules/dnpm-node-setup.sh
@ -1,27 +0,0 @@
-#!/bin/bash
-
-if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
-
-	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-	if [ -z "${ZPM_SITE+x}" ]; then
-		log ERROR "Mandatory variable ZPM_SITE not defined!"
-		exit 1
-	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
-		exit 1
-	fi
-			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-				echo "Override of landing page url already in place"
-			else
-				echo "Adding override of landing page url"
-				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-				else
-					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-				fi
-			fi
-fi
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@ -1,12 +0,0 @@
-#!/bin/bash
-
-if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
-
-	# Set variables required for Beam-Connect
-	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
-	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
-	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
-fi
--- a/bbmri/vars
+++ b/bbmri/vars
@ -4,7 +4,7 @@
 # Makes only sense for German Biobanks
 : ${ENABLE_GBN:=false}

-FOCUS_RETRY_COUNT=32
+FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

 for module in $PROJECT/modules/*.sh
--- a/15
+++ b/15
@ -41,7 +41,6 @@ case "$PROJECT" in
 		;;
 esac

-# TODO: Please add proper documentation for variable priorities (1. secrets, 2. vars, 3. PROJECT.local.conf, 4. PROJECT.conf, 5. ???
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
@ -52,6 +51,7 @@ loadVars() {
 	fi
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
+	optimizeBlazeMemoryUsage
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a

@ -70,6 +70,7 @@ loadVars() {

 	# Set some project-independent default values
 	: ${ENVIRONMENT:=production}
+	export ENVIRONMENT

 	case "$ENVIRONMENT" in
 		"production")
@ -96,6 +97,8 @@ case "$ACTION" in
 		;;
 	stop)
 		loadVars
+		# Kill stale secret-sync instances if present
+		docker kill $(docker ps -q --filter ancestor=docker.verbis.dkfz.de/cache/samply/secret-sync-local) 2>/dev/null || true
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
@ -104,6 +107,16 @@ case "$ACTION" in
 		bk_is_running
 		exit $?
 		;;
+	logs)
+		loadVars
+		shift 2
+		exec journalctl -u bridgehead@$PROJECT -u bridgehead-update@$PROJECT -a $@
+		;;
+	docker-logs)
+		loadVars
+		shift 2
+		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@
+		;;
 	update)
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -2,11 +2,13 @@ version: "3.7"

 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-ccp-blaze
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
@ -19,7 +21,7 @@ services:
      - "traefik.http.routers.blaze_ccp.tls=true"

  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:main
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@ -29,6 +31,9 @@ services:
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
+      QUERIES_TO_CACHE: '/queries_to_cache.conf'
+    volumes:
+      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
    depends_on:
      - "beam-proxy"
      - "blaze"
@ -52,12 +57,6 @@ services:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro

-  traefik:
-    labels:
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
-

 volumes:
  blaze-data:
--- a/ccp/modules/adt2fhir-rest-compose.yml
+++ b/ccp/modules/adt2fhir-rest-compose.yml
@ -1,18 +0,0 @@
-version: "3.7"
-
-services:
-  adt2fhir-rest:
-    container_name: bridgehead-adt2fhir-rest
-    image: docker.verbis.dkfz.de/ccp/adt2fhir-rest:main
-    environment:
-      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
-      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      SALT: ${LOCAL_SALT}
-    restart: always
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.adt2fhir-rest.rule=PathPrefix(`/adt2fhir-rest`)"
-      - "traefik.http.middlewares.adt2fhir-rest_strip.stripprefix.prefixes=/adt2fhir-rest"
-      - "traefik.http.services.adt2fhir-rest.loadbalancer.server.port=8080"
-      - "traefik.http.routers.adt2fhir-rest.tls=true"
-      - "traefik.http.routers.adt2fhir-rest.middlewares=adt2fhir-rest_strip,auth"
--- a/ccp/modules/adt2fhir-rest-setup.sh
+++ b/ccp/modules/adt2fhir-rest-setup.sh
@ -1,13 +0,0 @@
-#!/bin/bash
-
-function adt2fhirRestSetup() {
-  if [ -n "$ENABLE_ADT2FHIR_REST" ]; then
-    log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API."
-    if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then
-      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
-      exit 1;
-    fi
-    OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml"
-    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  fi
-}
--- a/ccp/modules/blaze-secondary-compose.yml
+++ b/ccp/modules/blaze-secondary-compose.yml
@ -0,0 +1,32 @@
+version: "3.7"
+
+services:
+  blaze-secondary:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+    container_name: bridgehead-ccp-blaze-secondary
+    environment:
+      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-secondary-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.blaze-secondary_ccp.rule=PathPrefix(`/ccp-localdatamanagement-secondary`)"
+      - "traefik.http.middlewares.ccp_b-secondary_strip.stripprefix.prefixes=/ccp-localdatamanagement-secondary"
+      - "traefik.http.services.blaze-secondary_ccp.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze-secondary_ccp.middlewares=ccp_b-secondary_strip,auth"
+      - "traefik.http.routers.blaze-secondary_ccp.tls=true"
+
+  obds2fhir-rest:
+    environment:
+      STORE_PATH: ${STORE_PATH:-http://blaze:8080/fhir}
+
+  exporter:
+    environment:
+      BLAZE_HOST: "blaze-secondary"
+
+volumes:
+  blaze-secondary-data:
--- a/ccp/modules/blaze-secondary-setup.sh
+++ b/ccp/modules/blaze-secondary-setup.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+
+function blazeSecondarySetup() {
+  if [ -n "$ENABLE_SECONDARY_BLAZE" ]; then
+    log INFO "Secondary Blaze setup detected -- will start second blaze."
+    OVERRIDE+=" -f ./$PROJECT/modules/blaze-secondary-compose.yml"
+    #make oBDS2FHIR ignore ID-Management and replace target Blaze
+    PATIENTLIST_URL=" "
+    STORE_PATH="http://blaze-secondary:8080/fhir"
+  fi
+}
--- a/ccp/modules/cbioportal-compose.yml
+++ b/ccp/modules/cbioportal-compose.yml
@ -1,53 +0,0 @@
-version: '3.7'
-
-services:
-  cbioportal:
-    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal:latest
-    image: dktk-cbioportal
-    container_name: bridgehead-cbioportal
-    environment:
-      DB_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      HTTP_RELATIVE_PATH: "/cbioportal"
-      UPLOAD_HTTP_RELATIVE_PATH: "/cbioportal-upload"
-    depends_on:
-      - cbioportal-database
-      - cbioportal-session
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.cbioportal.rule=PathPrefix(`/cbioportal`)"
-      - "traefik.http.routers.cbioportal.service=cbioportal"
-      - "traefik.http.services.cbioportal.loadbalancer.server.port=8080"
-      - "traefik.http.routers.cbioportal.tls=true"
-      - "traefik.http.routers.cbioportal-upload.rule=PathPrefix(`/cbioportal-upload`)"    
-      - "traefik.http.routers.cbioportal-upload.service=cbioportal-upload"
-      - "traefik.http.routers.cbioportal-upload.tls=true"
-      - "traefik.http.services.cbioportal-upload.loadbalancer.server.port=8001"
-      
-
-  cbioportal-database:
-    image: docker.verbis.dkfz.de/ccp/dktk-cbioportal-database:latest
-    container_name: bridgehead-cbioportal-database
-    environment:
-      MYSQL_DATABASE: cbioportal
-      MYSQL_USER: cbio_user
-      MYSQL_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      MYSQL_ROOT_PASSWORD: ${CBIOPORTAL_DB_ROOT_PASSWORD}
-    volumes:
-      - /var/cache/bridgehead/ccp/cbioportal_db_data:/var/lib/mysql
-
-  cbioportal-session:
-    image: cbioportal/session-service:0.6.1
-    container_name: bridgehead-cbioportal-session
-    environment:
-      SERVER_PORT: 5000
-      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
-    depends_on:
-      - cbioportal-session-database
-
-  cbioportal-session-database:
-    image: mongo:4.2
-    container_name: bridgehead-cbioportal-session-database
-    environment:
-      MONGO_INITDB_DATABASE: session_service
-    volumes:
-      - /var/cache/bridgehead/ccp/cbioportal_session_db_data:/data/db
--- a/ccp/modules/cbioportal-setup.sh
+++ b/ccp/modules/cbioportal-setup.sh
@ -1,8 +0,0 @@
-#!/bin/bash -e
-
- if [ "$ENABLE_CBIOPORTAL" == true ]; then
-  log INFO "cBioPortal setup detected -- will start cBioPortal service."
-  OVERRIDE+=" -f ./$PROJECT/modules/cbioportal-compose.yml"
-  CBIOPORTAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  CBIOPORTAL_DB_ROOT_PASSWORD="$(echo \"This is a salt string to generate one consistent root password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" 
- fi
--- a/ccp/modules/cbioportal.md
+++ b/ccp/modules/cbioportal.md
@ -1,10 +0,0 @@
-# CBioPortal Data uploader
-
-
-## Usage
-
-We have integrated an API that allows you to upload data directly to cbioportal without the need to have cbioportal installed in your system.
-
-## Tech stack
-
-We used Flask to add this feature
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -44,11 +44,11 @@ services:
      APP_CONTEXT_PATH: "/opal"
      OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
      OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
-      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+      OIDC_URL: "${OIDC_URL}"
+      OIDC_REALM: "${OIDC_REALM}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
      TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
      EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
      BEAM_APP_ID: token-manager.${PROXY_ID}
@ -62,7 +62,7 @@ services:

  opal-db:
    container_name: bridgehead-opal-db
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    environment:
      POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
      POSTGRES_USER: "opal"
@ -98,6 +98,10 @@ services:
      - rstudio

  traefik:
+    labels:
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
    networks:
      - default
      - rstudio
@ -111,15 +115,15 @@ services:
      APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
      APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}

-  # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/):
-  # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
-  oauth2_proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy
-    container_name: bridgehead_oauth2_proxy
+  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
+  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
+  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
+  oauth2-proxy:
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
+    container_name: bridgehead-oauth2proxy
    command: >-
-      --allowed-group=/DataSHIELD
-      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
+      --allowed-group=DataSHIELD
+      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
      --auth-logging=true
      --whitelist-domain=${HOST}
      --http-address="0.0.0.0:4180"
@ -134,10 +138,10 @@ services:
      #OIDC settings
      --provider="keycloak-oidc"
      --provider-display-name="VerbIS Login"
-      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
      --client-secret="${OIDC_CLIENT_SECRET}"
      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
+      --oidc-issuer-url="${OIDC_ISSUER_URL}"
      --scope="openid email profile"
      --code-challenge-method="S256"
      --skip-provider-button=true
@ -147,9 +151,15 @@ services:
      --pass-access-token=false
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
+      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)"
      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
      - "traefik.http.routers.oauth2_proxy.tls=true"
+    environment:
+      http_proxy: "http://forward_proxy:3128"
+      https_proxy: "http://forward_proxy:3128"
+    depends_on:
+      forward_proxy:
+        condition: service_healthy

 secrets:
  opal-cert.pem:
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@ -1,6 +1,14 @@
 #!/bin/bash -e

 if [ "$ENABLE_DATASHIELD" == true ]; then
+  # HACK: This only works because exporter-setup.sh and teiler-setup.sh are sourced after datashield-setup.sh
+  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
+    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
+  fi
+  OAUTH2_CALLBACK=/oauth2/callback
+  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
+  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
+
  log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
  OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
  EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
@ -12,22 +20,25 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
  TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
  if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
    mkdir -p /tmp/bridgehead/
-    chown -R bridgehead:docker /tmp/bridgehead/
    openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
-    chmod g+r /tmp/bridgehead/opal-key.pem
  fi
  mkdir -p /tmp/bridgehead/opal-map
-  jq -n '{"sites": input | map({
+  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
+  echo "$sites" | docker_jq -n --args '{"sites": input | map({
    "name": .,
    "id": .,
    "virtualhost": "\(.):443",
    "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
-  jq -n '[{
+  })}' $sites >/tmp/bridgehead/opal-map/central.json
+  echo "$sites" | docker_jq -n --args '[{
    "external": "'"$SITE_ID"':443",
    "internal": "opal:8443",
    "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
-  }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
-  chown -R bridgehead:docker /tmp/bridgehead/
+  }]' >/tmp/bridgehead/opal-map/local.json
+  if [ "$USER" == "root" ]; then
+    chown -R bridgehead:docker /tmp/bridgehead
+    chmod g+wr /tmp/bridgehead/opal-map/*
+    chmod g+r /tmp/bridgehead/opal-key.pem
+  fi
  add_private_oidc_redirect_url "/opal/*"
 fi
--- a/ccp/modules/datashield-mappings.json
+++ b/ccp/modules/datashield-mappings.json
@ -9,5 +9,6 @@
    "frankfurt",
    "essen",
    "dktk-datashield-test",
-    "dktk-test"
+    "dktk-test",
+    "mannheim"
 ]
--- a/ccp/modules/datashield.md
+++ b/ccp/modules/datashield.md
@ -1,5 +1,5 @@
 # DataSHIELD
-This module constitutes the infrastructure to run DataSHIELD within the bridghead. 
+This module constitutes the infrastructure to run DataSHIELD within the bridgehead. 
 For more information about DataSHIELD, please visit https://www.datashield.org/

 ## R-Studio
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@ -16,12 +16,14 @@ services:
      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: "http://forward_proxy:3128"
      HTTPS_PROXY: "http://forward_proxy:3128"
-      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal
+      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
      RUST_LOG: ${RUST_LOG:-info}
      NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
@ -31,3 +33,7 @@ services:
      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
      - "traefik.http.routers.dnpm-connect.tls=true"
+
+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@ -6,6 +6,7 @@ services:
    container_name: bridgehead-dnpm-backend
    environment:
      - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
    volumes:
      - /etc/bridgehead/dnpm:/bwhc_config:ro
      - ${DNPM_DATA_DIR}:/bwhc_data
--- a/ccp/modules/dnpm-node-setup.sh
+++ b/ccp/modules/dnpm-node-setup.sh
@ -14,6 +14,7 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
 		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
 		exit 1
 	fi
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@ -6,4 +6,10 @@ if [ -n "${ENABLE_DNPM}" ]; then

 	# Set variables required for Beam-Connect
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@ -27,7 +27,7 @@ services:
      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"

  exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-ccp-exporter-db
    environment:
      POSTGRES_USER: "exporter"
--- a/ccp/modules/exporter-setup.sh
+++ b/ccp/modules/exporter-setup.sh
@ -3,6 +3,6 @@
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/ccp/modules/fhir2sql-compose.yml
+++ b/ccp/modules/fhir2sql-compose.yml
@ -0,0 +1,25 @@
+version: "3.7"
+
+services:
+  fhir2sql:
+    depends_on:
+      - "dashboard-db"
+      - "blaze"
+    image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
+    container_name: bridgehead-ccp-dashboard-fhir2sql
+    environment:
+      BLAZE_BASE_URL: "http://bridgehead-ccp-blaze:8080"
+      PG_HOST: "dashboard-db"
+      PG_USERNAME: "dashboard"
+      PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
+      PG_DBNAME: "dashboard"
+
+  dashboard-db:
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    container_name: bridgehead-ccp-dashboard-db
+    environment:
+      POSTGRES_USER: "dashboard"
+      POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
+      POSTGRES_DB: "dashboard"
+    volumes:
+      - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
--- a/ccp/modules/fhir2sql-setup.sh
+++ b/ccp/modules/fhir2sql-setup.sh
@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+if [ "$ENABLE_FHIR2SQL" == true ]; then
+  log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
+  OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
+  DASHBOARD_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Dashboard database. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+fi
--- a/ccp/modules/fhir2sql.md
+++ b/ccp/modules/fhir2sql.md
@ -0,0 +1,36 @@
+# fhir2sql
+fhir2sql connects to Blaze, retrieves data, and syncs it with a PostgreSQL database. The application is designed to run continuously, syncing data at regular intervals.
+The Dashboard module is a optional component of the Bridgehead CCP setup. When enabled, it starts two Docker services: **fhir2sql** and **dashboard-db**. Data held in PostgreSQL is only stored temporarily and Blaze is considered to be the 'leading system' or 'source of truth'.
+
+## Services
+### fhir2sql
+* Image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
+* Container name: bridgehead-ccp-dashboard-fhir2sql
+* Depends on: dashboard-db
+* Environment variables:
+  - BLAZE_BASE_URL: The base URL of the Blaze FHIR server (set to http://blaze:8080/fhir/)
+  - PG_HOST: The hostname of the PostgreSQL database (set to dashboard-db)
+  - PG_USERNAME: The username for the PostgreSQL database (set to dashboard)
+  - PG_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
+  - PG_DBNAME: The name of the PostgreSQL database (set to dashboard)
+
+### dashboard-db
+
+* Image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+* Container name: bridgehead-ccp-dashboard-db
+* Environment variables:
+  - POSTGRES_USER: The username for the PostgreSQL database (set to dashboard)
+  - POSTGRES_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
+  - POSTGRES_DB: The name of the PostgreSQL database (set to dashboard)
+* Volumes:
+  - /var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data
+
+The volume used by dashboard-db can be removed safely and should be restored to a working order by re-importing data from Blaze.
+
+### Environment Variables
+* DASHBOARD_DB_PASSWORD: A generated password for the PostgreSQL database, created using a salt string and the SHA1 hash function.
+* POSTGRES_TAG: The tag of the PostgreSQL image to use (not set in this module, but required by the dashboard-db service).
+
+
+### Setup
+To enable the Dashboard module, set the ENABLE_FHIR2SQL environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above.
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@ -14,21 +14,22 @@ services:
      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
-      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
-      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
    depends_on:
      - patientlist
+      - traefik-forward-auth
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
      - "traefik.http.routers.id-manager.tls=true"
+      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"

  patientlist:
    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
    container_name: bridgehead-patientlist
    environment:
      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+      - TOMCAT_REVERSEPROXY_SSL=true
      - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
@ -44,7 +45,7 @@ services:
      - patientlist-db

  patientlist-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.6-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-patientlist-db
    environment:
      POSTGRES_USER: "mainzelliste"
@ -55,5 +56,41 @@ services:
      # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"

+  traefik-forward-auth:
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
+    environment:
+      - http_proxy=http://forward_proxy:3128
+      - https_proxy=http://forward_proxy:3128
+      - OAUTH2_PROXY_PROVIDER=oidc
+      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
+      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
+      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
+      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+      - OAUTH2_PROXY_REVERSE_PROXY=true
+      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_UPSTREAMS=static://202
+      - OAUTH2_PROXY_EMAIL_DOMAINS=*
+      - OAUTH2_PROXY_SCOPE=openid profile email
+      # Pass Authorization Header and some user information to backend services
+      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
+      - OAUTH2_PROXY_COOKIE_REFRESH=60s
+      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
+      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
+      - "traefik.http.routers.traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-idm`)"
+      - "traefik.http.routers.traefik-forward-auth.tls=true"
+      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180"
+      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization"
+    depends_on:
+      forward_proxy:
+        condition: service_healthy
+
 volumes:
  patientlist-db-data:
--- a/ccp/modules/login-compose.yml
+++ b/ccp/modules/login-compose.yml
@ -1,47 +0,0 @@
-version: "3.7"
-
-services:
-
-  login-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
-    container_name: bridgehead-login-db
-    environment:
-      POSTGRES_USER: "keycloak"
-      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
-      POSTGRES_DB: "keycloak"
-    tmpfs:
-      - /var/lib/postgresql/data
-# Consider removing this comment once we have collected experience in production.
-#    volumes:
-#      - "bridgehead-login-db:/var/lib/postgresql/data"
-
-  login:
-    image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest
-    container_name: bridgehead-login
-    environment:
-      KEYCLOAK_ADMIN: "admin"
-      KEYCLOAK_ADMIN_PASSWORD: "${LDM_AUTH}"
-      TEILER_ADMIN: "${PROJECT}"
-      TEILER_ADMIN_PASSWORD: "${LDM_AUTH}"
-      TEILER_ADMIN_FIRST_NAME: "${OPERATOR_FIRST_NAME}"
-      TEILER_ADMIN_LAST_NAME: "${OPERATOR_LAST_NAME}"
-      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
-      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
-      KC_HOSTNAME_URL: "https://${HOST}/login"
-      KC_HOSTNAME_STRICT: "false"
-      KC_PROXY_ADDRESS_FORWARDING: "true"
-      TEILER_ORCHESTRATOR_EXTERN_URL: "https://${HOST}/ccp-teiler"
-    command:
-      - start-dev --import-realm --proxy edge --http-relative-path=/login
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.login.rule=PathPrefix(`/login`)"
-      - "traefik.http.services.login.loadbalancer.server.port=8080"
-      - "traefik.http.routers.login.tls=true"
-    depends_on:
-      - login-db
-
-# Consider removing this comment once we have collected experience in production.
-#volumes:
-#  bridgehead-login-db:
-#    name: "bridgehead-login-db"
--- a/ccp/modules/login-setup.sh
+++ b/ccp/modules/login-setup.sh
@ -1,7 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_LOGIN" == true ]; then
-  log INFO "Login setup detected -- will start Login services."
-  OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml"
-  KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")"
-fi
--- a/ccp/modules/login.md
+++ b/ccp/modules/login.md
@ -1,13 +0,0 @@
-# Login
-The login component is a local Keycloak instance. In the future will be replaced by the central keycloak instance
-or maybe can be used to add local identity providers to the bridgehead or just to simplify the configuration of
-the central keycloak instance for the integration of every new bridgehead.
-The basic configuration of our Keycloak instance is contained in a small json file.
-
-### Teiler User
-Currently, the local keycloak is used by the teiler. There is a basic admin user in the basic configuration of keycloak.
-The user can be configured with the environment variables TEILER_ADMIN_XXX.
-
-## Login-DB
-Keycloak requires a local database for its configuration. However, as we use an initial json configuration file, if no
-local identity provider is configured nor any local user, theoretically we don't need a volume for the login.
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@ -2,7 +2,6 @@ version: "3.7"

 services:
  mtba:
-    #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
    container_name: bridgehead-mtba
    environment:
@ -21,11 +20,11 @@ services:
      FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
      CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
      HTTP_RELATIVE_PATH: "/mtba"
-      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
-      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_REALM: "${OIDC_REALM}"
+      OIDC_URL: "${OIDC_URL}"

    labels:
      - "traefik.enable=true"
--- a/ccp/modules/mtba-setup.sh
+++ b/ccp/modules/mtba-setup.sh
@ -5,7 +5,6 @@ function mtbaSetup() {
    log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
-      exit 1;
    fi
    OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
    add_private_oidc_redirect_url "/mtba/*"
--- a/ccp/modules/obds2fhir-rest-compose.yml
+++ b/ccp/modules/obds2fhir-rest-compose.yml
@ -0,0 +1,20 @@
+version: "3.7"
+
+services:
+  obds2fhir-rest:
+    container_name: bridgehead-obds2fhir-rest
+    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
+    environment:
+      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
+      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
+      SALT: ${LOCAL_SALT}
+      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
+      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
+      - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
+      - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
+      - "traefik.http.routers.obds2fhir-rest.tls=true"
+      - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"
--- a/ccp/modules/obds2fhir-rest-setup.sh
+++ b/ccp/modules/obds2fhir-rest-setup.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+function obds2fhirRestSetup() {
+  if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
+    log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
+    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
+      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
+      PATIENTLIST_URL=" "
+    fi
+    OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml"
+    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  fi
+}
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@ -15,11 +15,11 @@ services:
    environment:
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE_LOWER_CASE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/ccp-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
@ -29,12 +29,12 @@ services:
      - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
    environment:
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
-      KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
+      OIDC_URL: "${OIDC_URL}"
+      OIDC_REALM: "${OIDC_REALM}"
+      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
+      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@ -43,15 +43,14 @@ services:
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${KEYCLOAK_USER_GROUP}"
-      TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
+      TEILER_USER: "${OIDC_USER_GROUP}"
+      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"


  teiler-backend:
-    # image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
-    image: dktk-teiler-backend
+    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
@ -64,7 +63,7 @@ services:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
--- a/ccp/modules/teiler-setup.sh
+++ b/ccp/modules/teiler-setup.sh
@ -3,5 +3,7 @@
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
+  TEILER_DEFAULT_LANGUAGE=DE
+  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
  add_public_oidc_redirect_url "/ccp-teiler/*"
 fi
--- a/ccp/modules/teiler-ui-compose.yml
+++ b/ccp/modules/teiler-ui-compose.yml
--- a/ccp/queries_to_cache.conf
+++ b/ccp/queries_to_cache.conf
@ -0,0 +1,2 @@
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19TVFJBVF9ISVNUT0xPR1lfU1RSQVRJRklFUgpES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KdHJ1ZQ==
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCgogIERLVEtfU1RSQVRfSElTVE9MT0dZX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQgCigoZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDcvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg1MDAvMycpKQ==
--- a/ccp/vars
+++ b/ccp/vars
@ -2,30 +2,23 @@ BROKER_ID=broker.ccp-it.dktk.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=32
+FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem

 BROKER_URL_FOR_PREREQ=$BROKER_URL
-DEFAULT_LANGUAGE=DE
-DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
-ENABLE_EXPORTER=true
-ENABLE_TEILER=true
-#ENABLE_DATASHIELD=true

-KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
-KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
-# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
-KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
-KEYCLOAK_URL="https://login.verbis.dkfz.de"
-KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
-KEYCLOAK_GROUP_CLAIM="groups"
-OAUTH2_CALLBACK=/oauth2/callback
-OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
+OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
+OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
+# Use "test-realm-01" for testing
+OIDC_REALM="${OIDC_REALM:-master}"
+OIDC_URL="https://login.verbis.dkfz.de"
+OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
+OIDC_GROUP_CLAIM="groups"

-add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
+POSTGRES_TAG=15.6-alpine

 for module in $PROJECT/modules/*.sh
 do
@ -35,4 +28,5 @@ done

 idManagementSetup
 mtbaSetup
-adt2fhirRestSetup
+obds2fhirRestSetup
+blazeSecondarySetup
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -53,7 +53,7 @@ checkOwner(){
 }

 printUsage() {
-	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri"
 }

@ -155,6 +155,28 @@ setHostname() {
 	fi
 }

+# This function optimizes the usage of memory through blaze, according to the official performance tuning guide:
+#   https://github.com/samply/blaze/blob/master/docs/tuning-guide.md
+# Short summary of the adjustments made:
+# - set blaze memory cap to a quarter of the system memory
+# - set db block cache size to a quarter of the system memory
+# - limit resource count allowed in blaze to 1,25M per 4GB available system memory
+optimizeBlazeMemoryUsage() {
+	if [ -z "$BLAZE_MEMORY_CAP" ]; then
+	   system_memory_in_mb=$(LC_ALL=C free -m | grep 'Mem:' | awk '{print $2}');
+	   export BLAZE_MEMORY_CAP=$(($system_memory_in_mb/4));
+	fi
+	if [ -z "$BLAZE_RESOURCE_CACHE_CAP" ]; then
+		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
+		if [ $available_system_memory_chunks -eq 0 ]; then
+			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
+			export BLAZE_RESOURCE_CACHE_CAP=128000;
+		else
+			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
+		fi
+	fi
+}
+
 # Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
 # Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
 createEncryptedPostgresBackup(){
@ -267,7 +289,7 @@ function sync_secrets() {
    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
        secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
    fi
-    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
+    if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then
        if [[ $secret_sync_args == "" ]]; then
            secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
        else
@ -277,22 +299,22 @@ function sync_secrets() {
    if [[ $secret_sync_args == "" ]]; then
        return
    fi
-    mkdir -p /var/cache/bridgehead/secrets/
+    mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
    touch /var/cache/bridgehead/secrets/oidc
-    chown -R bridgehead:docker /var/cache/bridgehead/secrets
-    # The oidc provider will need to be switched based on the project at some point I guess
    docker run --rm \
        -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+        -e NO_PROXY=localhost,127.0.0.1 \
+        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$PROXY_ID \
        -e BROKER_URL=$BROKER_URL \
        -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+
    set -a # Export variables as environment variables
    source /var/cache/bridgehead/secrets/*
    set +a # Export variables in the regular way
@ -334,7 +356,7 @@ generate_password(){
  local random_special=${special:$n:1}

  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
+  local main_password=$(echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')

  echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
 }
@ -343,5 +365,9 @@ generate_password(){
 generate_simple_password(){
  local seed_text="$1"
  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
+  echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
+}
+
+docker_jq() {
+    docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
 }
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@ -89,6 +89,9 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then
 fi

 chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+mkdir -p /tmp/bridgehead /var/cache/bridgehead
+chown -R bridgehead:docker /tmp/bridgehead /var/cache/bridgehead
+chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead

 log INFO "System preparation is completed and configuration is present."

--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@ -67,6 +67,7 @@ log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 source /etc/bridgehead/${PROJECT}.conf
 source ${PROJECT}/vars

+if [ "${PROJECT}" != "minimal" ]; then
  set +e
  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
  RET=$?
@ -89,7 +90,7 @@ else
 		  log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
 	  fi
  fi
-
+fi
 checkPrivKey() {
  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
    log INFO "Success - private key found."
@ -100,7 +101,7 @@ checkPrivKey() {
  return 0
 }

-if [[ "$@" =~ "noprivkey" ]]; then
+if [[ "$@" =~ "noprivkey" ||  "${PROJECT}" != "minimal" ]]; then
  log INFO "Skipping check for private key for now."
 else
  checkPrivKey || exit 1
--- a/lib/systemd/bridgehead-update@.timer
+++ b/lib/systemd/bridgehead-update@.timer
@ -1,8 +1,9 @@
 [Unit]
-Description=Hourly Updates of Bridgehead (%i)
+Description=Daily Updates at 6am of Bridgehead (%i)

 [Timer]
-OnCalendar=*-*-* *:00:00
+OnCalendar=*-*-* 06:00:00
+Persistent=true

 [Install]
 WantedBy=basic.target
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -86,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
  log "INFO" "Checking for Updates of Image: $IMAGE"
  if docker pull $IMAGE | grep "Downloaded newer image"; then
    CHANGE="Image $IMAGE updated."
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@ -42,6 +42,9 @@ services:
      - /var/spool/squid
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+    healthcheck:
+      # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
+      test: ["CMD", "sleep", "1"]

  landing:
    container_name: bridgehead-landingpage
@ -55,5 +58,4 @@ services:
      HOST: ${HOST}
      PROJECT: ${PROJECT}
      SITE_NAME: ${SITE_NAME}
-
-
+      ENVIRONMENT: ${ENVIRONMENT}
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@ -32,12 +32,14 @@ services:
      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: http://forward_proxy:3128
      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
      RUST_LOG: ${RUST_LOG:-info}
      NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
@ -48,6 +50,10 @@ services:
      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
      - "traefik.http.routers.dnpm-connect.tls=true"

+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo
+
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@ -6,6 +6,7 @@ services:
    container_name: bridgehead-dnpm-backend
    environment:
      - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
    volumes:
      - /etc/bridgehead/dnpm:/bwhc_config:ro
      - ${DNPM_DATA_DIR}:/bwhc_data
--- a/minimal/modules/dnpm-node-setup.sh
+++ b/minimal/modules/dnpm-node-setup.sh
@ -14,6 +14,7 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
 		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
 		exit 1
 	fi
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
--- a/minimal/modules/dnpm-setup.sh
+++ b/minimal/modules/dnpm-setup.sh
@ -13,4 +13,10 @@ if [ -n "${ENABLE_DNPM}" ]; then
 		log DEBUG "No Broker for clock check set; using $DNPM_BROKER_URL"
 	fi
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi