fix: Disable landing page for now

Ensure Mainzelliste returns SSL in Responses

bbmri/docker-compose.yml

@@ -8,8 +8,9 @@ services:
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      LOG_LEVEL: "debug"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"

bbmri/modules/dnpm-compose.yml

@@ -1,53 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
-    container_name: bridgehead-dnpm-beam-proxy
-    environment:
-      BROKER_URL: ${DNPM_BROKER_URL}
-      PROXY_ID: ${DNPM_PROXY_ID}
-      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
-
-  dnpm-beam-connect:
-    depends_on: [ dnpm-beam-proxy ]
-    image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
-    container_name: bridgehead-dnpm-beam-connect
-    environment:
-      PROXY_URL: http://dnpm-beam-proxy:8081
-      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
-      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
-      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
-      HTTP_PROXY: http://forward_proxy:3128
-      HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
-      RUST_LOG: ${RUST_LOG:-info}
-      NO_AUTH: "true"
-    extra_host:
-      - "host.docker.internal:host-gateway"
-    volumes:
-      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
-      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
-      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
-      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
-      - "traefik.http.routers.dnpm-connect.tls=true"
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

bbmri/modules/dnpm-node-compose.yml

@@ -1,33 +0,0 @@
-version: "3.7"
-
-services:
-  dnpm-backend:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
-    container_name: bridgehead-dnpm-backend
-    environment:
-      - ZPM_SITE=${ZPM_SITE}
-    volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
-      - ${DNPM_DATA_DIR}:/bwhc_data
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.bwhc-backend.tls=true"
-
-  dnpm-frontend:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
-    container_name: bridgehead-dnpm-frontend
-    links:
-      - dnpm-backend
-    environment:
-      - NUXT_HOST=0.0.0.0
-      - NUXT_PORT=8080
-      - BACKEND_PROTOCOL=https
-      - BACKEND_HOSTNAME=$HOST
-      - BACKEND_PORT=443
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
-      - "traefik.http.routers.bwhc-frontend.tls=true"

bbmri/modules/dnpm-node-setup.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
-
-	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
-	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-	if [ -z "${ZPM_SITE+x}" ]; then
-		log ERROR "Mandatory variable ZPM_SITE not defined!"
-		exit 1
-	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
-		exit 1
-	fi
-			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-				echo "Override of landing page url already in place"
-			else
-				echo "Adding override of landing page url"
-				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-				else
-					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-				fi
-			fi
-fi

bbmri/modules/dnpm-setup.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-if [ -n "${ENABLE_DNPM}" ]; then
-	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
-	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
-
-	# Set variables required for Beam-Connect
-	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
-	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
-	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
-fi

bridgehead

@@ -28,6 +28,9 @@ fi
 case "$PROJECT" in
 	ccp)
 		#nothing extra to do
+        ;;
+	leme)
+		#nothing extra to do
 		;;
 	bbmri)
 		#nothing extra to do
@@ -41,7 +44,6 @@ case "$PROJECT" in
 		;;
 esac
 
-# TODO: Please add proper documentation for variable priorities (1. secrets, 2. vars, 3. PROJECT.local.conf, 4. PROJECT.conf, 5. ???
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
@@ -52,6 +54,7 @@ loadVars() {
 	fi
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
+	optimizeBlazeMemoryUsage
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 
@@ -90,12 +93,14 @@ case "$ACTION" in
 		loadVars
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
-        sync_secrets
+		sync_secrets
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
+		# Kill stale secret-sync instances if present
+		docker kill $(docker ps -q --filter ancestor=docker.verbis.dkfz.de/cache/samply/secret-sync-local) 2>/dev/null || true
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
@@ -104,6 +109,11 @@ case "$ACTION" in
 		bk_is_running
 		exit $?
 		;;
+	logs)
+		loadVars
+		shift 2
+		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@
+		;;
 	update)
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT

ccp/docker-compose.yml

@@ -6,7 +6,9 @@ services:
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx4g"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"
@@ -19,7 +21,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:main
+    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.4
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -52,12 +54,6 @@ services:
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
 
-  traefik:
-    labels:
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
-
 
 volumes:
   blaze-data:

ccp/modules/cbioportal-compose.yml

@@ -1,53 +0,0 @@
-version: '3.7'
-
-services:
-  cbioportal:
-    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal:latest
-    image: dktk-cbioportal
-    container_name: bridgehead-cbioportal
-    environment:
-      DB_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      HTTP_RELATIVE_PATH: "/cbioportal"
-      UPLOAD_HTTP_RELATIVE_PATH: "/cbioportal-upload"
-    depends_on:
-      - cbioportal-database
-      - cbioportal-session
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.cbioportal.rule=PathPrefix(`/cbioportal`)"
-      - "traefik.http.routers.cbioportal.service=cbioportal"
-      - "traefik.http.services.cbioportal.loadbalancer.server.port=8080"
-      - "traefik.http.routers.cbioportal.tls=true"
-      - "traefik.http.routers.cbioportal-upload.rule=PathPrefix(`/cbioportal-upload`)"    
-      - "traefik.http.routers.cbioportal-upload.service=cbioportal-upload"
-      - "traefik.http.routers.cbioportal-upload.tls=true"
-      - "traefik.http.services.cbioportal-upload.loadbalancer.server.port=8001"
-      
-
-  cbioportal-database:
-    image: docker.verbis.dkfz.de/ccp/dktk-cbioportal-database:latest
-    container_name: bridgehead-cbioportal-database
-    environment:
-      MYSQL_DATABASE: cbioportal
-      MYSQL_USER: cbio_user
-      MYSQL_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      MYSQL_ROOT_PASSWORD: ${CBIOPORTAL_DB_ROOT_PASSWORD}
-    volumes:
-      - /var/cache/bridgehead/ccp/cbioportal_db_data:/var/lib/mysql
-
-  cbioportal-session:
-    image: cbioportal/session-service:0.6.1
-    container_name: bridgehead-cbioportal-session
-    environment:
-      SERVER_PORT: 5000
-      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
-    depends_on:
-      - cbioportal-session-database
-
-  cbioportal-session-database:
-    image: mongo:4.2
-    container_name: bridgehead-cbioportal-session-database
-    environment:
-      MONGO_INITDB_DATABASE: session_service
-    volumes:
-      - /var/cache/bridgehead/ccp/cbioportal_session_db_data:/data/db

ccp/modules/cbioportal-setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash -e
-
- if [ "$ENABLE_CBIOPORTAL" == true ]; then
-  log INFO "cBioPortal setup detected -- will start cBioPortal service."
-  OVERRIDE+=" -f ./$PROJECT/modules/cbioportal-compose.yml"
-  CBIOPORTAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  CBIOPORTAL_DB_ROOT_PASSWORD="$(echo \"This is a salt string to generate one consistent root password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" 
- fi

ccp/modules/cbioportal.md

@@ -1,10 +0,0 @@
-# CBioPortal Data uploader
-
-
-## Usage
-
-We have integrated an API that allows you to upload data directly to cbioportal without the need to have cbioportal installed in your system.
-
-## Tech stack
-
-We used Flask to add this feature

ccp/modules/datashield-compose.yml

@@ -44,11 +44,11 @@ services:
       APP_CONTEXT_PATH: "/opal"
       OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
       OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_URL: "${OIDC_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      OIDC_REALM: "${OIDC_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
       TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
       EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
       BEAM_APP_ID: token-manager.${PROXY_ID}
@@ -62,7 +62,7 @@ services:
 
   opal-db:
     container_name: bridgehead-opal-db
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
     environment:
       POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
       POSTGRES_USER: "opal"
@@ -96,8 +96,12 @@ services:
     networks:
       - default
       - rstudio
-  
+
   traefik:
+    labels:
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
+      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
     networks:
       - default
       - rstudio
@@ -111,15 +115,15 @@ services:
       APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
       APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
 
-  # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
+  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/):
+  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
-  # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
+  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
-  oauth2_proxy:
+  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
-    container_name: bridgehead_oauth2_proxy
+    container_name: bridgehead-oauth2proxy
     command: >-
-      --allowed-group=/DataSHIELD
+      --allowed-group=DataSHIELD
-      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
+      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
       --auth-logging=true
       --whitelist-domain=${HOST}
       --http-address="0.0.0.0:4180"
@@ -134,10 +138,10 @@ services:
       #OIDC settings
       --provider="keycloak-oidc"
       --provider-display-name="VerbIS Login"
-      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
       --client-secret="${OIDC_CLIENT_SECRET}"
       --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
+      --oidc-issuer-url="${OIDC_ISSUER_URL}"
       --scope="openid email profile"
       --code-challenge-method="S256"
       --skip-provider-button=true
@@ -150,6 +154,12 @@ services:
       - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
       - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
       - "traefik.http.routers.oauth2_proxy.tls=true"
+    environment:
+      http_proxy: "http://forward_proxy:3128"
+      https_proxy: "http://forward_proxy:3128"
+    depends_on:
+      forward_proxy:
+        condition: service_healthy
 
 secrets:
   opal-cert.pem:

ccp/modules/datashield-setup.sh

@@ -1,6 +1,14 @@
 #!/bin/bash -e
 
 if [ "$ENABLE_DATASHIELD" == true ]; then
+  # HACK: This only works because exporter-setup.sh and teiler-setup.sh are sourced after datashield-setup.sh
+  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
+    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
+  fi
+  OAUTH2_CALLBACK=/oauth2/callback
+  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
+  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
+
   log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
   OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
   EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
@@ -12,22 +20,25 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
   TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
   if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
     mkdir -p /tmp/bridgehead/
-    chown -R bridgehead:docker /tmp/bridgehead/
     openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
-    chmod g+r /tmp/bridgehead/opal-key.pem
   fi
   mkdir -p /tmp/bridgehead/opal-map
-  jq -n '{"sites": input | map({
+  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
+  echo "$sites" | docker_jq -n --args '{"sites": input | map({
     "name": .,
     "id": .,
     "virtualhost": "\(.):443",
     "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
+  })}' $sites >/tmp/bridgehead/opal-map/central.json
-  jq -n '[{
+  echo "$sites" | docker_jq -n --args '[{
     "external": "'"$SITE_ID"':443",
     "internal": "opal:8443",
     "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
-  }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
+  }]' >/tmp/bridgehead/opal-map/local.json
-  chown -R bridgehead:docker /tmp/bridgehead/
+  if [ "$USER" == "root" ]; then
+    chown -R bridgehead:docker /tmp/bridgehead
+    chmod g+wr /tmp/bridgehead/opal-map/*
+    chmod g+r /tmp/bridgehead/opal-key.pem
+  fi
   add_private_oidc_redirect_url "/opal/*"
 fi

ccp/modules/datashield-sites.json

@@ -9,5 +9,6 @@
     "frankfurt",
     "essen",
     "dktk-datashield-test",
-    "dktk-test"
+    "dktk-test",
+    "mannheim"
 ]

ccp/modules/dnpm-compose.yml

@@ -16,12 +16,14 @@ services:
       LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: "http://forward_proxy:3128"
       HTTPS_PROXY: "http://forward_proxy:3128"
-      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal
+      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
     extra_hosts:
       - "host.docker.internal:host-gateway"
     volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
       - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
@@ -31,3 +33,7 @@ services:
       - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
+
+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo

ccp/modules/dnpm-node-compose.yml

@@ -6,6 +6,7 @@ services:
     container_name: bridgehead-dnpm-backend
     environment:
       - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
     volumes:
       - /etc/bridgehead/dnpm:/bwhc_config:ro
       - ${DNPM_DATA_DIR}:/bwhc_data

ccp/modules/dnpm-node-setup.sh

@@ -14,14 +14,15 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
 		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
 		exit 1
 	fi
-			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
-				echo "Override of landing page url already in place"
+	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-			else
+		echo "Override of landing page url already in place"
-				echo "Adding override of landing page url"
+	else
-				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+		echo "Adding override of landing page url"
-					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-				else
+			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		else
-				fi
+			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-			fi
+		fi
+	fi
 fi

ccp/modules/dnpm-setup.sh

@@ -6,4 +6,10 @@ if [ -n "${ENABLE_DNPM}" ]; then
 
 	# Set variables required for Beam-Connect
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi

ccp/modules/exporter-compose.yml

@@ -27,7 +27,7 @@ services:
       - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
 
   exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
     container_name: bridgehead-ccp-exporter-db
     environment:
       POSTGRES_USER: "exporter"

ccp/modules/exporter-setup.sh

@@ -3,6 +3,6 @@
 if [ "$ENABLE_EXPORTER" == true ]; then
   log INFO "Exporter setup detected -- will start Exporter service."
   OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi

ccp/modules/id-management-compose.yml

@@ -29,6 +29,7 @@ services:
     container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+      - TOMCAT_REVERSEPROXY_SSL=true
       - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
@@ -44,7 +45,7 @@ services:
       - patientlist-db
 
   patientlist-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.6-alpine
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
     container_name: bridgehead-patientlist-db
     environment:
       POSTGRES_USER: "mainzelliste"

ccp/modules/login-compose.yml

@@ -1,47 +0,0 @@
-version: "3.7"
-
-services:
-
-  login-db:
-    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
-    container_name: bridgehead-login-db
-    environment:
-      POSTGRES_USER: "keycloak"
-      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
-      POSTGRES_DB: "keycloak"
-    tmpfs:
-      - /var/lib/postgresql/data
-# Consider removing this comment once we have collected experience in production.
-#    volumes:
-#      - "bridgehead-login-db:/var/lib/postgresql/data"
-
-  login:
-    image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest
-    container_name: bridgehead-login
-    environment:
-      KEYCLOAK_ADMIN: "admin"
-      KEYCLOAK_ADMIN_PASSWORD: "${LDM_AUTH}"
-      TEILER_ADMIN: "${PROJECT}"
-      TEILER_ADMIN_PASSWORD: "${LDM_AUTH}"
-      TEILER_ADMIN_FIRST_NAME: "${OPERATOR_FIRST_NAME}"
-      TEILER_ADMIN_LAST_NAME: "${OPERATOR_LAST_NAME}"
-      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
-      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
-      KC_HOSTNAME_URL: "https://${HOST}/login"
-      KC_HOSTNAME_STRICT: "false"
-      KC_PROXY_ADDRESS_FORWARDING: "true"
-      TEILER_ORCHESTRATOR_EXTERN_URL: "https://${HOST}/ccp-teiler"
-    command:
-      - start-dev --import-realm --proxy edge --http-relative-path=/login
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.login.rule=PathPrefix(`/login`)"
-      - "traefik.http.services.login.loadbalancer.server.port=8080"
-      - "traefik.http.routers.login.tls=true"
-    depends_on:
-      - login-db
-
-# Consider removing this comment once we have collected experience in production.
-#volumes:
-#  bridgehead-login-db:
-#    name: "bridgehead-login-db"

ccp/modules/login-setup.sh

@@ -1,7 +0,0 @@
-#!/bin/bash -e
-
-if [ "$ENABLE_LOGIN" == true ]; then
-  log INFO "Login setup detected -- will start Login services."
-  OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml"
-  KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")"
-fi

ccp/modules/login.md

@@ -1,13 +0,0 @@
-# Login
-The login component is a local Keycloak instance. In the future will be replaced by the central keycloak instance
-or maybe can be used to add local identity providers to the bridgehead or just to simplify the configuration of
-the central keycloak instance for the integration of every new bridgehead.
-The basic configuration of our Keycloak instance is contained in a small json file.
-
-### Teiler User
-Currently, the local keycloak is used by the teiler. There is a basic admin user in the basic configuration of keycloak.
-The user can be configured with the environment variables TEILER_ADMIN_XXX.
-
-## Login-DB
-Keycloak requires a local database for its configuration. However, as we use an initial json configuration file, if no
-local identity provider is configured nor any local user, theoretically we don't need a volume for the login.

ccp/modules/mtba-compose.yml

@@ -2,7 +2,6 @@ version: "3.7"
 
 services:
   mtba:
-    #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
     image: docker.verbis.dkfz.de/cache/samply/mtba:develop
     container_name: bridgehead-mtba
     environment:
@@ -21,11 +20,11 @@ services:
       FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
       CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
       HTTP_RELATIVE_PATH: "/mtba"
-      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      OIDC_REALM: "${OIDC_REALM}"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_URL: "${OIDC_URL}"
 
     labels:
       - "traefik.enable=true"

ccp/modules/teiler-compose.yml

@@ -15,11 +15,11 @@ services:
     environment:
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
       TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE_LOWER_CASE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
       HTTP_RELATIVE_PATH: "/ccp-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
@@ -29,12 +29,12 @@ services:
       - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
       - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
     environment:
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_URL: "${OIDC_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      OIDC_REALM: "${OIDC_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
+      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
+      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -43,15 +43,14 @@ services:
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
       TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${KEYCLOAK_USER_GROUP}"
+      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
+      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 
 
   teiler-backend:
-    # image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
+    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
-    image: dktk-teiler-backend
     container_name: bridgehead-teiler-backend
     labels:
       - "traefik.enable=true"
@@ -64,7 +63,7 @@ services:
       LOG_LEVEL: "INFO"
       APPLICATION_PORT: "8085"
       APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"

ccp/modules/teiler-setup.sh

@@ -3,5 +3,7 @@
 if [ "$ENABLE_TEILER" == true ];then
   log INFO "Teiler setup detected -- will start Teiler services."
   OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
+  TEILER_DEFAULT_LANGUAGE=DE
+  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
   add_public_oidc_redirect_url "/ccp-teiler/*"
 fi

ccp/vars

@@ -7,25 +7,18 @@ SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
 BROKER_URL_FOR_PREREQ=$BROKER_URL
-DEFAULT_LANGUAGE=DE
-DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
-ENABLE_EXPORTER=true
-ENABLE_TEILER=true
-#ENABLE_DATASHIELD=true
 
-KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
+OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
-KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
+OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
-# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
+# Use "test-realm-01" for testing
-KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
+OIDC_REALM="${OIDC_REALM:-master}"
-KEYCLOAK_URL="https://login.verbis.dkfz.de"
+OIDC_URL="https://login.verbis.dkfz.de"
-KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
+OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
-KEYCLOAK_GROUP_CLAIM="groups"
+OIDC_GROUP_CLAIM="groups"
-OAUTH2_CALLBACK=/oauth2/callback
-OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 
-add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
+POSTGRES_TAG=15.6-alpine
 
 for module in $PROJECT/modules/*.sh
 do

leme/docker-compose.yml

@@ -0,0 +1,62 @@
+
+services:
+  blaze:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
+    container_name: bridgehead-leme-blaze
+    environment:
+      BASE_URL: "http://bridgehead-leme-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.blaze_leme.rule=PathPrefix(`/leme-localdatamanagement`)"
+      - "traefik.http.middlewares.leme_b_strip.stripprefix.prefixes=/leme-localdatamanagement"
+      - "traefik.http.services.blaze_leme.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze_leme.middlewares=leme_b_strip,auth"
+      - "traefik.http.routers.blaze_leme.tls=true"
+
+  focus:
+    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.4
+    container_name: bridgehead-focus
+    environment:
+      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID}
+      PROXY_ID: ${PROXY_ID}
+      BLAZE_URL: "http://bridgehead-leme-blaze:8080/fhir/"
+      BEAM_PROXY_URL: http://beam-proxy:8081
+      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
+      EPSILON: 0.28
+    depends_on:
+      - "beam-proxy"
+      - "blaze"
+
+  beam-proxy:
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/leme/root.crt.pem:/conf/root.crt.pem:ro
+
+
+volumes:
+  blaze-data:
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

leme/root.crt.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUHtDdZ+L/Z1YmwlrHJRelJFLAGh0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwNTEzMTExMTQyWhcNMzQw
+NTExMTExMjExWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMLGngURLDDleDC/jGUSU12z9nfJBFrHItWQkcQk
+uZPOhCB55mD18aMtLmpXcHQ4MZdDOCHjA7n3gZa04PvueuLht57z3Uyk+M9C1Oor
+9KpnJWLogWtVJ9iaLrIGGS+lwttpglISg+7nZIszrCVaq2/mLe/Il47D7EifmA8L
+T+/gNd470tvAWaFn3pmeNJ2CHZ0ld+6CSOweerfPHq44DrZeCO8nRl/+v/JTizLg
+Fxjr2N38TohL4S8/QLIWtyQLZJbshuWAMwd7WtMXWqGPrIIDC8NiIQW8Yb1zjdoD
+/Ghmw6yfr+/m02GpJTe4rVhYJT9WYZS6wUbRlK1WTuy8T2ECAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMdNeYJQr5e5
+Cmh3NzSg/6eQF0IxMB8GA1UdIwQYMBaAFMdNeYJQr5e5Cmh3NzSg/6eQF0IxMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBl3iQUJYKz
+E82f1SMyd9EHx4xs5fwVAKpndDkPBo4QbRHCeSfEnkxJHtluaDXJF0MaWMbvNps1
+99afOVjZCDa5UQUqneyBTbY1tHr3gyYV/doe4FIHA799D2dKlyxu6sPNzRZJGppT
+gaueKzc3jKINER1LcdOaPmSogNGNezCwOsAkmwuPQMrzMT8JPlLEGh0vfG4B994w
+ECxyC3PicjXvq5UOCwYiGSwawqTznLUb3FO6SFYS1mNv2inVaNfLzkuCkdIyyqeU
+dc/h6tuDSC+CKAy+/qoDNzG9KD+mI8kVyhhIrQ++vQ9bbRtWr5aQzaq+fyDJNXx3
+IQvYUuSR8Nab
+-----END CERTIFICATE-----

leme/vars

@@ -0,0 +1,14 @@
+BROKER_ID=broker-test.health-innovation-lab.eu
+BROKER_URL=http://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=32
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+BROKER_URL_FOR_PREREQ=$BROKER_URL
+
+# for module in $PROJECT/modules/*.sh
+# do
+#     log DEBUG "sourcing $module"
+#     source $module
+# done

lib/functions.sh

@@ -53,7 +53,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 
@@ -155,6 +155,28 @@ setHostname() {
 	fi
 }
 
+# This function optimizes the usage of memory through blaze, according to the official performance tuning guide:
+#   https://github.com/samply/blaze/blob/master/docs/tuning-guide.md
+# Short summary of the adjustments made:
+# - set blaze memory cap to a quarter of the system memory
+# - set db block cache size to a quarter of the system memory
+# - limit resource count allowed in blaze to 1,25M per 4GB available system memory
+optimizeBlazeMemoryUsage() {
+	if [ -z "$BLAZE_MEMORY_CAP" ]; then
+	   system_memory_in_mb=$(LC_ALL=C free -m | grep 'Mem:' | awk '{print $2}');
+	   export BLAZE_MEMORY_CAP=$(($system_memory_in_mb/4));
+	fi
+	if [ -z "$BLAZE_RESOURCE_CACHE_CAP" ]; then
+		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
+		if [ $available_system_memory_chunks -eq 0 ]; then
+			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
+			export BLAZE_RESOURCE_CACHE_CAP=128000;
+		else
+			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
+		fi
+	fi
+}
+
 # Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
 # Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
 createEncryptedPostgresBackup(){
@@ -267,32 +289,32 @@ function sync_secrets() {
     if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
         secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
     fi
-    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
+    if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then
         if [[ $secret_sync_args == "" ]]; then
             secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
-        else 
+        else
             secret_sync_args+="${delimiter}OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
         fi
     fi
     if [[ $secret_sync_args == "" ]]; then
         return
     fi
-    mkdir -p /var/cache/bridgehead/secrets/
+    mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
     touch /var/cache/bridgehead/secrets/oidc
-    chown -R bridgehead:docker /var/cache/bridgehead/secrets
-    # The oidc provider will need to be switched based on the project at some point I guess
     docker run --rm \
         -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
         -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
         -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
         -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
         -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+        -e NO_PROXY=localhost,127.0.0.1 \
+        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
         -e PROXY_ID=$PROXY_ID \
         -e BROKER_URL=$BROKER_URL \
         -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
         -e SECRET_DEFINITIONS=$secret_sync_args \
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+
     set -a # Export variables as environment variables
     source /var/cache/bridgehead/secrets/*
     set +a # Export variables in the regular way
@@ -334,7 +356,7 @@ generate_password(){
   local random_special=${special:$n:1}
 
   local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
+  local main_password=$(echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
 
   echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
 }
@@ -343,5 +365,9 @@ generate_password(){
 generate_simple_password(){
   local seed_text="$1"
   local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
+  echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
+}
+
+docker_jq() {
+    docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
 }

lib/prepare-system.sh

@@ -49,6 +49,9 @@ case "$PROJECT" in
 	ccp)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
 		;;
+    leme)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
+		;;
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;
@@ -89,6 +92,9 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then
 fi
 
 chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
+mkdir -p /tmp/bridgehead /var/cache/bridgehead
+chown -R bridgehead:docker /tmp/bridgehead /var/cache/bridgehead
+chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead
 
 log INFO "System preparation is completed and configuration is present."
 

lib/prerequisites.sh

@@ -67,29 +67,30 @@ log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 source /etc/bridgehead/${PROJECT}.conf
 source ${PROJECT}/vars
 
-set +e
+if [ "${PROJECT}" != "minimal" ]; then
-SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+  set +e
-RET=$?
+  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
-set -e
+  RET=$?
-if [ $RET -ne 0 ]; then
+  set -e
-	log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+  if [ $RET -ne 0 ]; then
-	log WARN "Unable to check clock skew due to previous error."
+	  log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
-else
+  	log WARN "Unable to check clock skew due to previous error."
-	log INFO "Checking clock skew ..."
+  else
+	  log INFO "Checking clock skew ..."
 
-	SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+    SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
-	MYTIME=$(date +%s)
+	  MYTIME=$(date +%s)
-	SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+	  SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
-	SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+	  SKEW=$(echo $SKEW | awk -F- '{print $NF}')
-	SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+	  SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
-	if [ $SKEW -ge 300 ]; then
+	  if [ $SKEW -ge 300 ]; then
-		report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+		  report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
-		exit 1
+		  exit 1
-	elif [ $SKEW -ge 60 ]; then
+	  elif [ $SKEW -ge 60 ]; then
-		log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+		  log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
-	fi
+	  fi
+  fi
 fi
-
 checkPrivKey() {
   if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
     log INFO "Success - private key found."
@@ -100,7 +101,7 @@ checkPrivKey() {
   return 0
 }
 
-if [[ "$@" =~ "noprivkey" ]]; then
+if [[ "$@" =~ "noprivkey" ||  "${PROJECT}" != "minimal" ]]; then
   log INFO "Skipping check for private key for now."
 else
   checkPrivKey || exit 1

lib/update-bridgehead.sh

@@ -86,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."

minimal/docker-compose.yml

@@ -42,18 +42,19 @@ services:
       - /var/spool/squid
     volumes:
       - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+    healthcheck:
+      # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
+      test: ["CMD", "sleep", "1"]
 
-  landing:
+  # landing:
-    container_name: bridgehead-landingpage
+  #   container_name: bridgehead-landingpage
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:main
+  #   image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:main
-    labels:
+  #   labels:
-      - "traefik.enable=true"
+  #     - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+  #     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
+  #     - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
+  #     - "traefik.http.routers.landing.tls=true"
-    environment:
+  #   environment:
-      HOST: ${HOST}
+  #     HOST: ${HOST}
-      PROJECT: ${PROJECT}
+  #     PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
+  #     SITE_NAME: ${SITE_NAME}
-
-

minimal/modules/dnpm-compose.yml

@@ -32,12 +32,14 @@ services:
       LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
       HTTP_PROXY: http://forward_proxy:3128
       HTTPS_PROXY: http://forward_proxy:3128
-      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
+      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
       RUST_LOG: ${RUST_LOG:-info}
       NO_AUTH: "true"
+      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
     extra_hosts:
       - "host.docker.internal:host-gateway"
     volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
       - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
       - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
     labels:
@@ -48,6 +50,10 @@ services:
       - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
       - "traefik.http.routers.dnpm-connect.tls=true"
 
+  dnpm-echo:
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
+    container_name: bridgehead-dnpm-echo
+
 secrets:
   proxy.pem:
     file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

minimal/modules/dnpm-node-compose.yml

@@ -6,6 +6,7 @@ services:
     container_name: bridgehead-dnpm-backend
     environment:
       - ZPM_SITE=${ZPM_SITE}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
     volumes:
       - /etc/bridgehead/dnpm:/bwhc_config:ro
       - ${DNPM_DATA_DIR}:/bwhc_data

minimal/modules/dnpm-node-setup.sh

@@ -14,14 +14,15 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
 		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
 		exit 1
 	fi
-			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
+	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
-				echo "Override of landing page url already in place"
+	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
-			else
+		echo "Override of landing page url already in place"
-				echo "Adding override of landing page url"
+	else
-				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
+		echo "Adding override of landing page url"
-					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
-				else
+			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
+		else
-				fi
+			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
-			fi
+		fi
+	fi
 fi

minimal/modules/dnpm-setup.sh

@@ -13,4 +13,10 @@ if [ -n "${ENABLE_DNPM}" ]; then
 		log DEBUG "No Broker for clock check set; using $DNPM_BROKER_URL"
 	fi
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
+	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
+	if [ -n "${DNPM_NO_PROXY}" ]; then
+		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
+	else
+		DNPM_ADDITIONAL_NO_PROXY=""
+	fi
 fi