Changed: image used for cbioportal and teiler backend

Changed:
- used image for cbioportal in cbioportal-compose to the Harbor image - Ran tests to make sure cbioportal and cbioportal API work in Teiler backend.
2025-06-16 21:50:14 +02:00 · 2024-02-13 15:12:46 +01:00 · 2024-02-13 15:12:46 +01:00 · 2024-02-13 15:12:46 +01:00 · 2024-02-13 15:12:46 +01:00 · 2024-02-13 15:12:46 +01:00
113 changed files with 633 additions and 2561 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1 +0,0 @@
 *  @samply/bridgehead-developers
--- a/.github/scripts/rename_inactive_branches.py
+++ b/.github/scripts/rename_inactive_branches.py
@ -1,39 +0,0 @@
 import os
 import requests
 from datetime import datetime, timedelta
 # Configuration
 GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
 REPO = 'samply/bridgehead'
 HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'}
 API_URL = f'https://api.github.com/repos/{REPO}/branches'
 INACTIVE_DAYS = 365
 CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS)
 # Fetch all branches
 def get_branches():
    response = requests.get(API_URL, headers=HEADERS)
    response.raise_for_status()
    return response.json() if response.status_code == 200 else []
 # Rename inactive branches
 def rename_branch(old_name, new_name):
    rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename'
    response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS)
    response.raise_for_status()
    print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}")
 # Check if the branch is inactive
 def is_inactive(commit_url):
    last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date']
    return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE
 # Rename inactive branches
 def main():
    for branch in get_branches():
        if is_inactive(branch['commit']['url']):
            #rename_branch(branch['name'], f"archived/{branch['name']}")
            print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'")
 if __name__ == "__main__":
    main()
--- a/.github/workflows/rename-inactive-branches.yml
+++ b/.github/workflows/rename-inactive-branches.yml
@ -1,27 +0,0 @@
 name: Cleanup - Rename Inactive Branches
 on:
  schedule:
    - cron: '0 0 * * 0'  # Runs every Sunday at midnight
 jobs:
  archive-stale-branches:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install Libraries
        run: pip install requests
      - name: Run Script to Rename Inactive Branches
        run: |
          python .github/scripts/rename_inactive_branches.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/README.md
+++ b/README.md
@ -22,16 +22,11 @@ This repository is the starting point for any information and tools you will nee
    - [TLS terminating proxies](#tls-terminating-proxies)
    - [File structure](#file-structure)
    - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
    - [Directory sync tool](#directory-sync-tool)
    - [Loading data](#loading-data)
    - [Teiler (Frontend)](#teiler-frontend)
    - [Data Exporter Service](#data-exporter-service)
      - [Data Quality Report](#data-quality-report)
 4. [Things you should know](#things-you-should-know)
    - [Auto-Updates](#auto-updates)
    - [Auto-Backups](#auto-backups)
    - [Non-Linux OS](#non-linux-os)
    - [FAQ](#faq)
 5. [Troubleshooting](#troubleshooting)
    - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
    - [Monitoring](#monitoring)
@ -39,7 +34,7 @@ This repository is the starting point for any information and tools you will nee
 ## Requirements
-The data protection officer at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts:
+The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts:
 - [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/)
@ -51,8 +46,6 @@ Hardware requirements strongly depend on the specific use-cases of your network
 - 32 GB RAM
 - 160GB Hard Drive, SSD recommended
 We recommend using a dedicated VM for the Bridgehead, with no other applications running on it. While the Bridgehead can, in principle, run on a shared VM, you might run into surprising problems such as resource conflicts (e.g., two apps using tcp port 443).
 ### Software
 You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release.
@ -81,7 +74,7 @@ The following URLs need to be accessible (prefix with `https://`):
  * git.verbis.dkfz.de
 * To fetch docker images
  * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
    * hub.docker.com
    * registry-1.docker.io
    * production.cloudflare.docker.com
@ -159,7 +152,7 @@ Pay special attention to:
 Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
-sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
 ```
 Then, run the installation script:
@ -207,7 +200,7 @@ sudo systemctl [enable|disable] bridgehead@<PROJECT>.service
 After starting the Bridgehead, you can watch the initialization process with the following command:
 ```shell
-/srv/docker/bridgehead/bridgehead logs <project> -f
+journalctl -u bridgehead@bbmri -f
 ```
 if this exits with something similar to the following:
@ -227,9 +220,8 @@ docker ps
 There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run:
 ```shell
-/srv/docker/bridgehead/bridgehead logs <Project> -f
+journalctl -u bridgehead@bbmri -f
 ```
 This translates to a journalctl command so all the regular journalctl flags can be used.
 Once the Bridgehead has passed these checks, take a look at the landing page:
@ -243,7 +235,7 @@ You can either do this in a browser or with curl. If you visit the URL in the br
 curl -k https://localhost
 ```
-Should the landing page not show anything, you can inspect the logs of the containers to determine what is going wrong. To do this you can use `./bridgehead docker-logs <Project> -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work.
+If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong.
 If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead.
@ -259,8 +251,6 @@ sh bridgehead uninstall
 ## Site-specific configuration
 [How to Change Config Access Token](docs/update-access-token.md)
 ### HTTPS Access
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
@ -306,38 +296,26 @@ Once you have added your biobank to the Directory you got persistent identifier
 ### Directory sync tool
-The Bridgehead's **Directory Sync** is an optional feature that keeps the BBMRI-ERIC Directory up to date with your local data, e.g. number of samples. Conversely, it can also update the local FHIR store with the latest contact details etc. from the  BBMRI-ERIC Directory.
+The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature.
-You should talk with your local data protection group regarding the information that is published by Directory sync.
+Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
-To enable it, you will need to explicitly set the username and password variables for BBMRI-ERIC Directory login in the configuration file of your GitLab repository (e.g. ```bbmri.conf```). Here is an example minimal config:
+To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:
 ```
 DS_DIRECTORY_URL=https://directory.bbmri-eric.eu
 DS_DIRECTORY_USER_NAME=your_directory_username
-DS_DIRECTORY_USER_PASS=your_directory_password
+DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887
 DS_TIMER_CRON="0 22 * * *"
 ```
-Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
+You must contact the Directory team for your national node to find the URL, and to register as a user.
-The following environment variables can be used from within your config file to control the behavior of Directory sync:
+Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention.
-| Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
+Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.
 |:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
 | DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
 | DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
 | DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
 | DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
 | DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
 | DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
 | DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
 | DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
 | DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
 Once you have finished editing the config, the Bridgehead will autoupdate the config with the values and will sync data at regular intervals, using the time specified in DS_TIMER_CRON.
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 More details of Directory sync can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 ### Loading data
 The data accessed by the federated search is held in the Bridgehead in a FHIR store (we use Blaze).
@ -357,24 +335,6 @@ The storage space on your hard drive will depend on the number of FHIR resources
 For more information on Blaze performance, please refer to [import performance](https://github.com/samply/blaze/blob/master/docs/performance/import.md).
 ### Clearing data
 The Bridgehead's FHIR store, Blaze, saves its data in a Docker volume. This means that the data will persist even if you stop the Bridgehead. You can clear existing data from the FHIR store by deleting the relevant Docker volume.
 First, stop the Bridgehead:
 ```shell
 sudo systemctl stop bridgehead@<PROJECT>.service
 ```
 Now remove the volume:
 ```shell
 docker volume rm <PROJECT>_blaze-data
 ```
 Finally, restart the Bridgehead:
 ```shell
 sudo systemctl start bridgehead@<PROJECT>.service
 ```
 You will need to do this for example if you are using a VM as a test environment and you subsequently want to use the same VM for production.
 #### ETL for BBMRI and GBA
 Normally, you will need to build your own ETL to feed the Bridgehead. However, there is one case where a short cut might be available:
@ -382,39 +342,6 @@ Normally, you will need to build your own ETL to feed the Bridgehead. However, t
 You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile).
 ### Teiler (Frontend)
 Teiler is the web-based frontend of the Bridgehead, providing access to its various internal, and external services and components.   
 To learn how to integrate your custom module into Teiler, please refer to https://github.com/samply/teiler-dashboard.
 - To activate Teiler, set the following environment variable in your `<PROJECT>.conf` file:  
 ```bash
 ENABLE_TEILER=true
 ```
 [For further information](ccp/modules/teiler.md)  
 ### Data Exporter Service
 The Exporter is a dedicated service for extracting and exporting Bridgehead data in (tabular) formats such as Excel, CSV, Opal, JSON, XML, ...  
 - To enable the Exporter service, set the following environment variable in your `<PROJECT>.conf` file:  
 ```bash
 ENABLE_EXPORTER=true
 ```
 #### Data Quality Report
 To assess the quality and plausibility of your imported data, the Reporter component is pre-configured to generate Excel reports with data quality metrics and statistical analyses. Reporter is part of the Exporter and can be enabled by setting the same environment variable in your `<PROJECT>.conf` file:
 ```bash
 ENABLE_EXPORTER=true
 ```
 For convenience, it's recommended to enable the Teiler web frontend alongside the Exporter to access export and quality control features via a web interface: set the following environment varibles in your `<PROJECT>.conf` file:
 ```bash
 ENABLE_TEILER=true
 ENABLE_EXPORTER=true
 ```
 [For further information](ccp/modules/exporter.md)  
 ## Things you should know
 ### Auto-Updates
@ -454,54 +381,6 @@ We have tested the installation procedure with an Ubuntu 22.04 guest system runn
 Installation under WSL ought to work, but we have not tested this.
 ### FAQ
 **Q: How is the security of GitHub pulls, volumes/containers, and image signing ensured?**
 A: Changes to Git branches that could be delivered to sites (main and develop) must be accepted via a pull request with at least two positive reviews.
 Containers/images are not built manually, but rather automatically through a CI/CD pipeline, so that an image can be rolled back to a defined code version at any time without changes.
 **Note:** If firewall access for (outgoing) connections to GitHub and/or Docker Hub is problematic at the site, mirrors for both services are available, operated by the DKFZ.
 **Q: How is authentication between users and components regulated?**
 A: When setting up a Bridgehead, a private key and a so-called Certificate Sign Request (CSR) are generated locally. This CSR is manually signed by the broker operator, which allows the Bridgehead access to the network infrastructure.
 All communication runs via Samply.Beam and is therefore end-to-end encrypted, but also signed. This allows the integrity and authenticity of the sender to be technically verified (which happens automatically both in the broker and at the recipients).
 The connection to the broker is additionally secured using traditional TLS (transport encryption over https).
 **Q: Are there any statistics on incoming traffic from the Bridgehead (what goes in and what goes out)?**
 A: Incoming and outgoing traffic can only enter/leave the Bridgehead via a forward or reverse proxy, respectively. These components log all connections.
 Statistical analysis is not currently being conducted, but is on the roadmap for some projects. We are also working on a dashboard for all tasks/responses delivered via Samply.Beam.
 **Q: How is container access controlled, and what permission level is used?**
 A: Currently, it is not possible to run the Bridgehead "out-of-the-box" as a rootless Docker Compose stack. The main reason is the operation of the reverse proxy (Traefik), which binds to the privileged ports 80 (HTTP) and 443 (HTTPS).
 Otherwise, there are no known technical obstacles, although we don't have concrete experience implementing this.
 At the file system level, a "bridgehead" user is created during installation, which manages the configuration and Bridgehead folders.
 **Q: Is a cloud installation (not a company-owned one, but an external service provider) possible?**
 A: Technically, yes. This is primarily a data protection issue between the participant and their cloud provider.
 The Bridgehead contains a data storage system that, during use, contains sensitive patient and sample data.
 There are cloud providers with whom appropriately worded contracts can be concluded to make this possible.
 Of course, the details must be discussed with the responsible data protection officer.
 **Q: What needs to be considered regarding the Docker distribution/registry, and how is it used here?**
 A: The Bridgehead images are located both in Docker Hub and mirrored in a registry operated by the DKFZ.
 The latter is used by default, avoiding potential issues with Docker Hub URL activation or rate limits.
 When using automatic updates (highly recommended), an daily check is performed for:
 - site configuration updates
 - Bridgehead software updates
 - container image updates
 If updates are found, they are downloaded and applied.
 See the first question for the control mechanism.
 **Q: Is data only transferred one-way (Bridgehead/FHIR Store → Central/Locator), or is two-way access necessary?**
 A: By using Samply.Beam, only one outgoing connection to the broker is required at the network level (i.e., Bridgehead → Broker).
 ## Troubleshooting
 ### Docker Daemon Proxy Configuration
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@ -4,14 +4,12 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
    container_name: bridgehead-bbmri-blaze
    environment:
      BASE_URL: "http://bridgehead-bbmri-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      LOG_LEVEL: "debug"
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@ -4,15 +4,7 @@ services:
  directory_sync_service:
    image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
    environment:
-      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
+      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
-      DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
+      DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE}
-      DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
+      DS_TIMER_CRON: ${DS_TIMER_CRON}
      DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
      DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
      DS_IMPORT_BIOBANKS: ${DS_IMPORT_BIOBANKS:-true}
      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
    depends_on:
      - "blaze"
--- a/bbmri/modules/dnpm-compose.yml
+++ b/bbmri/modules/dnpm-compose.yml
@ -0,0 +1,53 @@
 version: "3.7"
 services:
  dnpm-beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-dnpm-beam-proxy
    environment:
      BROKER_URL: ${DNPM_BROKER_URL}
      PROXY_ID: ${DNPM_PROXY_ID}
      APP_dnpm-connect_KEY: ${DNPM_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
  dnpm-beam-connect:
    depends_on: [ dnpm-beam-proxy ]
    image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
    container_name: bridgehead-dnpm-beam-connect
    environment:
      PROXY_URL: http://dnpm-beam-proxy:8081
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: http://forward_proxy:3128
      HTTPS_PROXY: http://forward_proxy:3128
      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal
      RUST_LOG: ${RUST_LOG:-info}
      NO_AUTH: "true"
    extra_host:
      - "host.docker.internal:host-gateway"
    volumes:
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
      - "traefik.http.middlewares.dnpm-connect-strip.stripprefix.prefixes=/dnpm-connect"
      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
      - "traefik.http.routers.dnpm-connect.tls=true"
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/bbmri/modules/dnpm-node-compose.yml
+++ b/bbmri/modules/dnpm-node-compose.yml
@ -0,0 +1,33 @@
 version: "3.7"
 services:
  dnpm-backend:
    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
    container_name: bridgehead-dnpm-backend
    environment:
      - ZPM_SITE=${ZPM_SITE}
    volumes:
      - /etc/bridgehead/dnpm:/bwhc_config:ro
      - ${DNPM_DATA_DIR}:/bwhc_data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
      - "traefik.http.routers.bwhc-backend.tls=true"
  dnpm-frontend:
    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
    container_name: bridgehead-dnpm-frontend
    links:
      - dnpm-backend
    environment:
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=8080
      - BACKEND_PROTOCOL=https
      - BACKEND_HOSTNAME=$HOST
      - BACKEND_PORT=443
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
      - "traefik.http.routers.bwhc-frontend.tls=true"
--- a/bbmri/modules/dnpm-node-setup.sh
+++ b/bbmri/modules/dnpm-node-setup.sh
@ -0,0 +1,27 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
 	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
 	if [ -z "${DNPM_DATA_DIR+x}" ]; then
 		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
 		exit 1
 	fi
 			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 				echo "Override of landing page url already in place"
 			else
 				echo "Adding override of landing page url"
 				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 				else
 					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 				fi
 			fi
 fi
--- a/bbmri/modules/dnpm-setup.sh
+++ b/bbmri/modules/dnpm-setup.sh
@ -0,0 +1,12 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM}" ]; then
 	log INFO "DNPM setup detected (Beam.Connect) -- will start Beam and Beam.Connect for DNPM."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
 	# Set variables required for Beam-Connect
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 	DNPM_BROKER_ID="broker.ccp-it.dktk.dkfz.de"
 	DNPM_BROKER_URL="https://${DNPM_BROKER_ID}"
 	DNPM_PROXY_ID="${SITE_ID}.${DNPM_BROKER_ID}"
 fi
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-eric:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus-eric
    environment:
      API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
@ -16,7 +16,7 @@ services:
      - "blaze"
  beam-proxy-eric:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy-eric
    environment:
      BROKER_URL: ${ERIC_BROKER_URL}
--- a/bbmri/modules/eric-setup.sh
+++ b/bbmri/modules/eric-setup.sh
@ -10,10 +10,6 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
 		"acceptance")
 			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
 			export ERIC_ROOT_CERT=eric.acc
 			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test
--- a/bbmri/modules/eric.acc.root.crt.pem
+++ b/bbmri/modules/eric.acc.root.crt.pem
@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUFzdpDi1OLdXyogtCsktHFhCILtMwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUwNjEwMTQzNjE1WhcNMzUw
 NjA4MTQzNjQ1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBALpJCWE9Qe19R9DqotdkPV6jfiuJSKI3UYkCWdWG
 nRfkKB6OaY5t3JCHDqaEME9FwSd2nFXhTp5F6snG/K7g8MCLIEzGzuSnrdjGqINq
 zXLfgqnxvQpPR4ARLNNgnKxZaq7m4Q3T/l+QAshK6CnCUWFQ6q5x3g/pZHFP2USd
 /G2FtDHX6YK4bHbbnigIPG6PdY2RYy60i30XGdIPBNf82XGkAtPUBz731gHOV5Vg
 d+jfAqTwZAhYC2CcNmswFw1H9GrvTI/9KZWKcZNUIqemc0A/FyEyONUM18/vjQ7D
 lUwOcQsgAg44QTOUPgqXv3sJPQM5EnGuv3yYV9u6Y2i78M8CAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPrDeNWgtEyZ
 VM0yeoRZdK2QGjyvMB8GA1UdIwQYMBaAFPrDeNWgtEyZVM0yeoRZdK2QGjyvMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQAD2S0kqL18
 laewh+qnyZ0WMq12mLV/Rwll6ZuShCx2uAu3UZuIGWk3l7gG5zlws+i+zbaNcn4o
 HsS3WG9kiNLOMKp8LXGkjErl6RaQr+kb8qgYFTPjOr6v0OdVn6ve9RDNYB5Hd+zE
 9jAWmS8PfS2AldE4VAd0C4pWTAinhnKGrKdn1YAX5x+LMq1y0lc1Pd4CDgsjD6SS
 3td7JtenXqCX0mN0XSeck7vvFGa6QpcQoVcN9tRENctHZTwyeGA21IkXylpFPUkE
 LT60k48fNC8TZkBlfvtVGRebpm5krXIKEaVy5LniEpSuOR4hTqsgoQDntBjW4zHA
 GeWQ1wQNTEBX
 -----END CERTIFICATE-----
--- a/bbmri/modules/exporter-compose.yml
+++ b/bbmri/modules/exporter-compose.yml
@ -1,86 +0,0 @@
 version: "3.7"
 services:
  exporter:
    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
    container_name: bridgehead-bbmri-exporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      CROSS_ORIGINS: "https://${HOST}"
      EXPORTER_DB_USER: "exporter"
      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
      HTTP_RELATIVE_PATH: "/bbmri-exporter"
      SITE: "${SITE_ID}"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.exporter_bbmri.rule=PathPrefix(`/bbmri-exporter`)"
      - "traefik.http.services.exporter_bbmri.loadbalancer.server.port=8092"
      - "traefik.http.routers.exporter_bbmri.tls=true"
      - "traefik.http.middlewares.exporter_bbmri_strip.stripprefix.prefixes=/bbmri-exporter"
      - "traefik.http.routers.exporter_bbmri.middlewares=exporter_bbmri_strip"
      # Main router
      - "traefik.http.routers.exporter_bbmri.priority=20"
      # API router
      - "traefik.http.routers.exporter_bbmri_api.middlewares=exporter_bbmri_strip,exporter_auth"
      - "traefik.http.routers.exporter_bbmri_api.rule=PathRegexp(`/bbmri-exporter/.+`)"
      - "traefik.http.routers.exporter_bbmri_api.tls=true"
      - "traefik.http.routers.exporter_bbmri_api.priority=25"
      # Shared middlewares
      - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"
    volumes:
      - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output"
  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-bbmri-exporter-db
    environment:
      POSTGRES_USER: "exporter"
      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
      - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data"
  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
    container_name: bridgehead-bbmri-reporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      CROSS_ORIGINS: "https://${HOST}"
      HTTP_RELATIVE_PATH: "/bbmri-reporter"
      SITE: "${SITE_ID}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      EXPORTER_URL: "http://exporter:8092"
      LOG_FHIR_VALIDATION: "false"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
    # However, in the first executions in the bbmri sites, this volume seems to be very important. A report is
    # a process that can take several hours, because it depends on the exporter.
    # There is a risk that the bridgehead restarts, losing the already created export.
    volumes:
      - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_bbmri.rule=PathPrefix(`/bbmri-reporter`)"
      - "traefik.http.services.reporter_bbmri.loadbalancer.server.port=8095"
      - "traefik.http.routers.reporter_bbmri.tls=true"
      - "traefik.http.middlewares.reporter_bbmri_strip.stripprefix.prefixes=/bbmri-reporter"
      - "traefik.http.routers.reporter_bbmri.middlewares=reporter_bbmri_strip"
      - "traefik.http.routers.reporter_bbmri.priority=20"
      - "traefik.http.routers.reporter_bbmri_api.middlewares=reporter_bbmri_strip,exporter_auth"
      - "traefik.http.routers.reporter_bbmri_api.rule=PathRegexp(`/bbmri-reporter/.+`)"
      - "traefik.http.routers.reporter_bbmri_api.tls=true"
      - "traefik.http.routers.reporter_bbmri_api.priority=25"
--- a/bbmri/modules/exporter-setup.sh
+++ b/bbmri/modules/exporter-setup.sh
@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/bbmri/modules/exporter.md
+++ b/bbmri/modules/exporter.md
@ -1,15 +0,0 @@
 # Exporter and Reporter
 ## Exporter
 The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
 It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
 ## Exporter-DB
 It is a database to save queries for its execution in the exporter. 
 The exporter manages also the different executions of the same query in through the database.
 ## Reporter
 This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
 It is compatible with different template engines as Groovy, Thymeleaf,...
 It is perfect to generate a document as our traditional CCP quality report.
--- a/bbmri/modules/gbn-compose.yml
+++ b/bbmri/modules/gbn-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus-gbn
    environment:
      API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
@ -16,7 +16,7 @@ services:
      - "blaze"
  beam-proxy-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy-gbn
    environment:
      BROKER_URL: ${GBN_BROKER_URL}
--- a/bbmri/modules/teiler-compose.yml
+++ b/bbmri/modules/teiler-compose.yml
@ -1,70 +0,0 @@
 version: "3.7"
 services:
  teiler-orchestrator:
    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
    container_name: bridgehead-teiler-orchestrator
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_orchestrator_bbmri.rule=PathPrefix(`/bbmri-teiler`)"
      - "traefik.http.services.teiler_orchestrator_bbmri.loadbalancer.server.port=9000"
      - "traefik.http.routers.teiler_orchestrator_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_orchestrator_bbmri_strip.stripprefix.prefixes=/bbmri-teiler"
      - "traefik.http.routers.teiler_orchestrator_bbmri.middlewares=teiler_orchestrator_bbmri_strip"
    environment:
      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/bbmri-teiler"
  teiler-dashboard:
    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_dashboard_bbmri.rule=PathPrefix(`/bbmri-teiler-dashboard`)"
      - "traefik.http.services.teiler_dashboard_bbmri.loadbalancer.server.port=80"
      - "traefik.http.routers.teiler_dashboard_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_dashboard_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_bbmri.middlewares=teiler_dashboard_bbmri_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "bbmri-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "bbmri"
  teiler-backend:
    image: docker.verbis.dkfz.de/ccp/bbmri-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_backend_bbmri.rule=PathPrefix(`/bbmri-teiler-backend`)"
      - "traefik.http.services.teiler_backend_bbmri.loadbalancer.server.port=8085"
      - "traefik.http.routers.teiler_backend_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_backend_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-backend"
      - "traefik.http.routers.teiler_backend_bbmri.middlewares=teiler_backend_bbmri_strip"
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/bbmri-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/bbmri-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
--- a/bbmri/modules/teiler-setup.sh
+++ b/bbmri/modules/teiler-setup.sh
@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=EN
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
 fi
--- a/bbmri/modules/teiler.md
+++ b/bbmri/modules/teiler.md
@ -1,19 +0,0 @@
 # Teiler
 This module orchestrates the different microfrontends of the bridgehead as a single page application.  
 ## Teiler Orchestrator
 Single SPA component that consists on the root HTML site of the single page application and a javascript code that
 gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
 resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
 The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
 This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
 There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
 ## Teiler Dashboard
 It consists on the main dashboard and a set of embedded services.
 ### Login
 user and password in ccp.local.conf
 ## Teiler Backend
 In this component, the microfrontends are configured.
--- a/bbmri/vars
+++ b/bbmri/vars
@ -1,16 +1,11 @@
 BROKER_ID=broker-test.bbmri-test.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 # Makes sense for all European Biobanks
 : ${ENABLE_ERIC:=true}
 # Makes only sense for German Biobanks
 : ${ENABLE_GBN:=false}
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
+FOCUS_RETRY_COUNT=32
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 for module in $PROJECT/modules/*.sh
 do
--- a/76
+++ b/76
@ -32,18 +32,6 @@ case "$PROJECT" in
 	bbmri)
 		#nothing extra to do
 		;;
 	cce)
 		#nothing extra to do
 		;;
 	itcc)
 		#nothing extra to do
 		;;
 	kr)
 		#nothing extra to do
 		;;
 	dhki)
 		#nothing extra to do
 		;;
 	minimal)
 		#nothing extra to do
 		;;
@ -53,47 +41,17 @@ case "$PROJECT" in
 		;;
 esac
-# Loads config variables and runs the projects setup script
+# TODO: Please add proper documentation for variable priorities (1. secrets, 2. vars, 3. PROJECT.local.conf, 4. PROJECT.conf, 5. ???
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
 	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
 	# Source the project specific local config file if present
 	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
 	# Set execution environment on main default to prod else test
 	if [[ -z "${ENVIRONMENT+x}" ]]; then
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
 			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 		fi
 	fi
 	# Source the versions of the images components 
 	case "$ENVIRONMENT" in
 		"production")
 			source ./versions/prod
 			;;
 		"test")
 			source ./versions/test
 			;;
 		"acceptance")
 			source ./versions/acceptance
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
 			;;
 	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
 	# Run project specific setup if it exists
 	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
 	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
@ -109,6 +67,22 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
 	# Set some project-independent default values
 	: ${ENVIRONMENT:=production}
 	case "$ENVIRONMENT" in
 		"production")
 			export FOCUS_TAG=main
 			;;
 		"test")
 			export FOCUS_TAG=develop
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			export FOCUS_TAG=main
 			;;
 	esac
 }
 case "$ACTION" in
@ -116,14 +90,12 @@ case "$ACTION" in
 		loadVars
 		hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
 		checkRequirements
-		sync_secrets
+        sync_secrets
 		hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
 		;;
 	stop)
 		loadVars
 		# Kill stale secret-sync instances if present
 		docker kill $(docker ps -q --filter ancestor=docker.verbis.dkfz.de/cache/samply/secret-sync-local) 2>/dev/null || true
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
@ -132,16 +104,6 @@ case "$ACTION" in
 		bk_is_running
 		exit $?
 		;;
 	logs)
 		loadVars
 		shift 2
 		exec journalctl -u bridgehead@$PROJECT -u bridgehead-update@$PROJECT -a $@
 		;;
 	docker-logs)
 		loadVars
 		shift 2
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@
 		;;
 	update)
 		loadVars
 		exec ./lib/update-bridgehead.sh $PROJECT
--- a/cce/docker-compose.yml
+++ b/cce/docker-compose.yml
@ -1,68 +0,0 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-cce-blaze
    environment:
      BASE_URL: "http://bridgehead-cce-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_cce.rule=PathPrefix(`/cce-localdatamanagement`)"
      - "traefik.http.middlewares.cce_b_strip.stripprefix.prefixes=/cce-localdatamanagement"
      - "traefik.http.services.blaze_cce.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_cce.middlewares=cce_b_strip,auth"
      - "traefik.http.routers.blaze_cce.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-cce-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/cce/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/cce/modules/lens-compose.yml
+++ b/cce/modules/lens-compose.yml
@ -1,33 +0,0 @@
 version: "3.7"
 services:
  landing:
    container_name: lens_federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
      - "traefik.http.services.landing.loadbalancer.server.port=80"
      - "traefik.http.routers.landing.tls=true"
  spot:
    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
      BEAM_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
      BEAM_APP_ID: "focus"
      PROJECT_METADATA: "cce_supervisors"
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
--- a/cce/modules/lens-setup.sh
+++ b/cce/modules/lens-setup.sh
@ -1,5 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_LENS" ];then
  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
 fi
--- a/cce/queries_to_cache.conf
+++ b/cce/queries_to_cache.conf
@ -1,2 +0,0 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==
--- a/cce/root.crt.pem
+++ b/cce/root.crt.pem
@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
 MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
 TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
 OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
 XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
 pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
 K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
 poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
 AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
 fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
 3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
 n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
 7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
 Rtup0MTxSJtN
 -----END CERTIFICATE-----
--- a/cce/vars
+++ b/cce/vars
@ -1,14 +0,0 @@
 BROKER_ID=test-no-real-data.broker.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -2,14 +2,11 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
    container_name: bridgehead-ccp-blaze
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      JAVA_TOOL_OPTIONS: "-Xmx4g"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
@ -22,7 +19,7 @@ services:
      - "traefik.http.routers.blaze_ccp.tls=true"
  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
+    image: docker.verbis.dkfz.de/cache/samply/focus:main
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@ -32,16 +29,12 @@ services:
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
@ -59,6 +52,13 @@ services:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
  traefik:
    labels:
      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
 volumes:
  blaze-data:
--- a/ccp/modules/adt2fhir-rest-compose.yml
+++ b/ccp/modules/adt2fhir-rest-compose.yml
@ -0,0 +1,18 @@
 version: "3.7"
 services:
  adt2fhir-rest:
    container_name: bridgehead-adt2fhir-rest
    image: docker.verbis.dkfz.de/ccp/adt2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SALT: ${LOCAL_SALT}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adt2fhir-rest.rule=PathPrefix(`/adt2fhir-rest`)"
      - "traefik.http.middlewares.adt2fhir-rest_strip.stripprefix.prefixes=/adt2fhir-rest"
      - "traefik.http.services.adt2fhir-rest.loadbalancer.server.port=8080"
      - "traefik.http.routers.adt2fhir-rest.tls=true"
      - "traefik.http.routers.adt2fhir-rest.middlewares=adt2fhir-rest_strip,auth"
--- a/ccp/modules/adt2fhir-rest-setup.sh
+++ b/ccp/modules/adt2fhir-rest-setup.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 function adt2fhirRestSetup() {
  if [ -n "$ENABLE_ADT2FHIR_REST" ]; then
    log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API."
    if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then
      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
      exit 1;
    fi
    OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml"
    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  fi
 }
--- a/ccp/modules/blaze-secondary-compose.yml
+++ b/ccp/modules/blaze-secondary-compose.yml
@ -1,32 +0,0 @@
 version: "3.7"
 services:
  blaze-secondary:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-ccp-blaze-secondary
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-secondary-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze-secondary_ccp.rule=PathPrefix(`/ccp-localdatamanagement-secondary`)"
      - "traefik.http.middlewares.ccp_b-secondary_strip.stripprefix.prefixes=/ccp-localdatamanagement-secondary"
      - "traefik.http.services.blaze-secondary_ccp.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze-secondary_ccp.middlewares=ccp_b-secondary_strip,auth"
      - "traefik.http.routers.blaze-secondary_ccp.tls=true"
  obds2fhir-rest:
    environment:
      STORE_PATH: ${STORE_PATH:-http://blaze:8080/fhir}
  exporter:
    environment:
      BLAZE_HOST: "blaze-secondary"
 volumes:
  blaze-secondary-data:
--- a/ccp/modules/blaze-secondary-setup.sh
+++ b/ccp/modules/blaze-secondary-setup.sh
@ -1,11 +0,0 @@
 #!/bin/bash
 function blazeSecondarySetup() {
  if [ -n "$ENABLE_SECONDARY_BLAZE" ]; then
    log INFO "Secondary Blaze setup detected -- will start second blaze."
    OVERRIDE+=" -f ./$PROJECT/modules/blaze-secondary-compose.yml"
    #make oBDS2FHIR ignore ID-Management and replace target Blaze
    PATIENTLIST_URL=" "
    STORE_PATH="http://blaze-secondary:8080/fhir"
  fi
 }
--- a/ccp/modules/cbioportal-compose.yml
+++ b/ccp/modules/cbioportal-compose.yml
@ -0,0 +1,53 @@
 version: '3.7'
 services:
  cbioportal:
    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal:latest
    image: dktk-cbioportal
    container_name: bridgehead-cbioportal
    environment:
      DB_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
      HTTP_RELATIVE_PATH: "/cbioportal"
      UPLOAD_HTTP_RELATIVE_PATH: "/cbioportal-upload"
    depends_on:
      - cbioportal-database
      - cbioportal-session
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.cbioportal.rule=PathPrefix(`/cbioportal`)"
      - "traefik.http.routers.cbioportal.service=cbioportal"
      - "traefik.http.services.cbioportal.loadbalancer.server.port=8080"
      - "traefik.http.routers.cbioportal.tls=true"
      - "traefik.http.routers.cbioportal-upload.rule=PathPrefix(`/cbioportal-upload`)"    
      - "traefik.http.routers.cbioportal-upload.service=cbioportal-upload"
      - "traefik.http.routers.cbioportal-upload.tls=true"
      - "traefik.http.services.cbioportal-upload.loadbalancer.server.port=8001"
  cbioportal-database:
    image: docker.verbis.dkfz.de/ccp/dktk-cbioportal-database:latest
    container_name: bridgehead-cbioportal-database
    environment:
      MYSQL_DATABASE: cbioportal
      MYSQL_USER: cbio_user
      MYSQL_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
      MYSQL_ROOT_PASSWORD: ${CBIOPORTAL_DB_ROOT_PASSWORD}
    volumes:
      - /var/cache/bridgehead/ccp/cbioportal_db_data:/var/lib/mysql
  cbioportal-session:
    image: cbioportal/session-service:0.6.1
    container_name: bridgehead-cbioportal-session
    environment:
      SERVER_PORT: 5000
      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
    depends_on:
      - cbioportal-session-database
  cbioportal-session-database:
    image: mongo:4.2
    container_name: bridgehead-cbioportal-session-database
    environment:
      MONGO_INITDB_DATABASE: session_service
    volumes:
      - /var/cache/bridgehead/ccp/cbioportal_session_db_data:/data/db
--- a/ccp/modules/cbioportal-setup.sh
+++ b/ccp/modules/cbioportal-setup.sh
@ -0,0 +1,8 @@
 #!/bin/bash -e
 if [ "$ENABLE_CBIOPORTAL" == true ]; then
  log INFO "cBioPortal setup detected -- will start cBioPortal service."
  OVERRIDE+=" -f ./$PROJECT/modules/cbioportal-compose.yml"
  CBIOPORTAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  CBIOPORTAL_DB_ROOT_PASSWORD="$(echo \"This is a salt string to generate one consistent root password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" 
 fi
--- a/ccp/modules/cbioportal.md
+++ b/ccp/modules/cbioportal.md
@ -0,0 +1,10 @@
 # CBioPortal Data uploader
 ## Usage
 We have integrated an API that allows you to upload data directly to cbioportal without the need to have cbioportal installed in your system.
 ## Tech stack
 We used Flask to add this feature
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -44,10 +44,11 @@ services:
      APP_CONTEXT_PATH: "/opal"
      OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
      OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      OIDC_URL: "${OIDC_URL}"
+      KEYCLOAK_URL: "${KEYCLOAK_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
-      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
      TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
      EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
      BEAM_APP_ID: token-manager.${PROXY_ID}
@ -61,7 +62,7 @@ services:
  opal-db:
    container_name: bridgehead-opal-db
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
    environment:
      POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
      POSTGRES_USER: "opal"
@ -95,12 +96,8 @@ services:
    networks:
      - default
      - rstudio
-
+  
  traefik:
    labels:
      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
    networks:
      - default
      - rstudio
@ -114,15 +111,15 @@ services:
      APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
      APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
-  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
+  # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
+  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/):
-  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
+  # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
-  oauth2-proxy:
+  oauth2_proxy:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
+    image: quay.io/oauth2-proxy/oauth2-proxy
-    container_name: bridgehead-oauth2proxy
+    container_name: bridgehead_oauth2_proxy
    command: >-
-      --allowed-group=DataSHIELD
+      --allowed-group=/DataSHIELD
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
+      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
      --auth-logging=true
      --whitelist-domain=${HOST}
      --http-address="0.0.0.0:4180"
@ -137,10 +134,10 @@ services:
      #OIDC settings
      --provider="keycloak-oidc"
      --provider-display-name="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
+      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
      --client-secret="${OIDC_CLIENT_SECRET}"
      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_URL}"
+      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
      --scope="openid email profile"
      --code-challenge-method="S256"
      --skip-provider-button=true
@ -150,15 +147,9 @@ services:
      --pass-access-token=false
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
      - "traefik.http.routers.oauth2_proxy.tls=true"
    environment:
      http_proxy: "http://forward_proxy:3128"
      https_proxy: "http://forward_proxy:3128"
    depends_on:
      forward_proxy:
        condition: service_healthy
 secrets:
  opal-cert.pem:
--- a/ccp/modules/datashield-mappings.json
+++ b/ccp/modules/datashield-mappings.json
@ -9,7 +9,5 @@
    "frankfurt",
    "essen",
    "dktk-datashield-test",
-    "dktk-test",
+    "dktk-test"
    "mannheim",
    "central-ds-orchestrator"
 ]
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@ -1,14 +1,6 @@
 #!/bin/bash -e
 if [ "$ENABLE_DATASHIELD" == true ]; then
  # HACK: This only works because exporter-setup.sh and teiler-setup.sh are sourced after datashield-setup.sh
  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
  fi
  OAUTH2_CALLBACK=/oauth2/callback
  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
  log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
  OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
  EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
@ -20,25 +12,22 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
  TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
  if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
    mkdir -p /tmp/bridgehead/
    chown -R bridgehead:docker /tmp/bridgehead/
    openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
    chmod g+r /tmp/bridgehead/opal-key.pem
  fi
  mkdir -p /tmp/bridgehead/opal-map
-  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
+  jq -n '{"sites": input | map({
  echo "$sites" | docker_jq -n --args '{"sites": input | map({
    "name": .,
    "id": .,
    "virtualhost": "\(.):443",
    "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' $sites >/tmp/bridgehead/opal-map/central.json
+  })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
-  echo "$sites" | docker_jq -n --args '[{
+  jq -n '[{
    "external": "'"$SITE_ID"':443",
    "internal": "opal:8443",
-    "allowed": input | map("\(.).'"$BROKER_ID"'")
+    "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
-  }]' >/tmp/bridgehead/opal-map/local.json
+  }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
-  if [ "$USER" == "root" ]; then
+  chown -R bridgehead:docker /tmp/bridgehead/
    chown -R bridgehead:docker /tmp/bridgehead
    chmod g+wr /tmp/bridgehead/opal-map/*
    chmod g+r /tmp/bridgehead/opal-key.pem
  fi
  add_private_oidc_redirect_url "/opal/*"
 fi
--- a/ccp/modules/datashield.md
+++ b/ccp/modules/datashield.md
@ -1,5 +1,5 @@
 # DataSHIELD
-This module constitutes the infrastructure to run DataSHIELD within the bridgehead. 
+This module constitutes the infrastructure to run DataSHIELD within the bridghead. 
 For more information about DataSHIELD, please visit https://www.datashield.org/
 ## R-Studio
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@ -13,19 +13,17 @@ services:
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: "http://forward_proxy:3128"
      HTTPS_PROXY: "http://forward_proxy:3128"
-      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
+      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal
      RUST_LOG: ${RUST_LOG:-info}
      NO_AUTH: "true"
      TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
@ -33,7 +31,3 @@ services:
      - "traefik.http.routers.dnpm-connect.middlewares=dnpm-connect-strip"
      - "traefik.http.services.dnpm-connect.loadbalancer.server.port=8062"
      - "traefik.http.routers.dnpm-connect.tls=true"
  dnpm-echo:
    image: docker.verbis.dkfz.de/cache/samply/bridgehead-echo:latest
    container_name: bridgehead-dnpm-echo
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@ -1,99 +1,33 @@
 version: "3.7"
 services:
  dnpm-mysql:
    image: mysql:9
    healthcheck:
      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
      interval: 3s
      timeout: 5s
      retries: 5
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
  dnpm-authup:
    image: authup/authup:latest
    container_name: bridgehead-dnpm-authup
    volumes:
      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
    depends_on:
      dnpm-mysql:
        condition: service_healthy
    command: server/core start
    environment:
      - PUBLIC_URL=https://${HOST}/auth/
      - AUTHORIZE_REDIRECT_URL=https://${HOST}
      - ROBOT_ADMIN_ENABLED=true
      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
      - ROBOT_ADMIN_SECRET_RESET=true
      - DB_TYPE=mysql
      - DB_HOST=dnpm-mysql
      - DB_USERNAME=root
      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
      - DB_DATABASE=auth
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-auth.tls=true"
  dnpm-portal:
    image: ghcr.io/dnpm-dip/portal:latest
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-frontend.tls=true"
  dnpm-backend:
    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
    container_name: bridgehead-dnpm-backend
    image: ghcr.io/dnpm-dip/backend:latest
    environment:
-      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
+      - ZPM_SITE=${ZPM_SITE}
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
-      - /etc/bridgehead/dnpm/config:/dnpm_config
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
-      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+      - ${DNPM_DATA_DIR}:/bwhc_data
    depends_on:
      dnpm-authup:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      # expose everything
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.bwhc-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
      # except ETL
      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-etl.tls=true"
      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
      # this needs an ETL processor with support for basic auth
      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
      # except peer-to-peer
      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-peer.tls=true"
      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
      # this effectively denies all requests
      # this is okay, because requests from peers don't go through Traefik
      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
-  landing:
+  dnpm-frontend:
    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
    container_name: bridgehead-dnpm-frontend
    links:
      - dnpm-backend
    environment:
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=8080
      - BACKEND_PROTOCOL=https
      - BACKEND_HOSTNAME=$HOST
      - BACKEND_PORT=443
    labels:
-      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
+      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
      - "traefik.http.routers.bwhc-frontend.tls=true"
--- a/ccp/modules/dnpm-node-setup.sh
+++ b/ccp/modules/dnpm-node-setup.sh
@ -1,16 +1,27 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected -- will start DNPM:DIP node."
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
-    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
-    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
+		exit 1
-    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
+	fi
 			if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 				echo "Override of landing page url already in place"
 			else
 				echo "Adding override of landing page url"
 				if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 					echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 				else
 					echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 				fi
 			fi
 fi
--- a/ccp/modules/dnpm-setup.sh
+++ b/ccp/modules/dnpm-setup.sh
@ -6,10 +6,4 @@ if [ -n "${ENABLE_DNPM}" ]; then
 	# Set variables required for Beam-Connect
 	DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 	# If the DNPM_NO_PROXY variable is set, prefix it with a comma (as it gets added to a comma separated list)
 	if [ -n "${DNPM_NO_PROXY}" ]; then
 		DNPM_ADDITIONAL_NO_PROXY=",${DNPM_NO_PROXY}"
 	else
 		DNPM_ADDITIONAL_NO_PROXY=""
 	fi
 fi
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@ -27,7 +27,7 @@ services:
      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
  exporter-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
    container_name: bridgehead-ccp-exporter-db
    environment:
      POSTGRES_USER: "exporter"
@ -65,8 +65,3 @@ services:
      - "traefik.http.routers.reporter_ccp.tls=true"
      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
  focus:
    environment:
      EXPORTER_URL: "http://exporter:8092"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
--- a/ccp/modules/exporter-setup.sh
+++ b/ccp/modules/exporter-setup.sh
@ -3,6 +3,6 @@
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/ccp/modules/fhir2sql-compose.yml
+++ b/ccp/modules/fhir2sql-compose.yml
@ -1,29 +0,0 @@
 version: "3.7"
 services:
  fhir2sql:
    depends_on:
      - "dashboard-db"
      - "blaze"
    image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
    container_name: bridgehead-ccp-dashboard-fhir2sql
    environment:
      BLAZE_BASE_URL: "http://bridgehead-ccp-blaze:8080"
      PG_HOST: "dashboard-db"
      PG_USERNAME: "dashboard"
      PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
      PG_DBNAME: "dashboard"
  dashboard-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-ccp-dashboard-db
    environment:
      POSTGRES_USER: "dashboard"
      POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh
      POSTGRES_DB: "dashboard"
    volumes:
      - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
  focus:
    environment:
      POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"
--- a/ccp/modules/fhir2sql-setup.sh
+++ b/ccp/modules/fhir2sql-setup.sh
@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_FHIR2SQL" == true ]; then
  log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
  OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
  DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
  FOCUS_ENDPOINT_TYPE="blaze-and-sql"
 fi
--- a/ccp/modules/fhir2sql.md
+++ b/ccp/modules/fhir2sql.md
@ -1,36 +0,0 @@
 # fhir2sql
 fhir2sql connects to Blaze, retrieves data, and syncs it with a PostgreSQL database. The application is designed to run continuously, syncing data at regular intervals.
 The Dashboard module is a optional component of the Bridgehead CCP setup. When enabled, it starts two Docker services: **fhir2sql** and **dashboard-db**. Data held in PostgreSQL is only stored temporarily and Blaze is considered to be the 'leading system' or 'source of truth'.
 ## Services
 ### fhir2sql
 * Image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest
 * Container name: bridgehead-ccp-dashboard-fhir2sql
 * Depends on: dashboard-db
 * Environment variables:
  - BLAZE_BASE_URL: The base URL of the Blaze FHIR server (set to http://blaze:8080/fhir/)
  - PG_HOST: The hostname of the PostgreSQL database (set to dashboard-db)
  - PG_USERNAME: The username for the PostgreSQL database (set to dashboard)
  - PG_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
  - PG_DBNAME: The name of the PostgreSQL database (set to dashboard)
 ### dashboard-db
 * Image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
 * Container name: bridgehead-ccp-dashboard-db
 * Environment variables:
  - POSTGRES_USER: The username for the PostgreSQL database (set to dashboard)
  - POSTGRES_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD)
  - POSTGRES_DB: The name of the PostgreSQL database (set to dashboard)
 * Volumes:
  - /var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data
 The volume used by dashboard-db can be removed safely and should be restored to a working order by re-importing data from Blaze.
 ### Environment Variables
 * DASHBOARD_DB_PASSWORD: A generated password for the PostgreSQL database, created using a salt string and the SHA1 hash function.
 * POSTGRES_TAG: The tag of the PostgreSQL image to use (not set in this module, but required by the dashboard-db service).
 ### Setup
 To enable the Dashboard module, set the ENABLE_FHIR2SQL environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above.
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@ -14,30 +14,21 @@ services:
      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
    depends_on:
      - patientlist
      - traefik-forward-auth
    labels:
      - "traefik.enable=true"
      # Router with Authentication
      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
      - "traefik.http.routers.id-manager.tls=true"
      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
      - "traefik.http.routers.id-manager.service=id-manager-service"
      # Router without Authentication
      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
      - "traefik.http.routers.id-manager-compatibility.tls=true"
      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
      # Definition of Service
      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
  patientlist:
    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
    container_name: bridgehead-patientlist
    environment:
      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
      - TOMCAT_REVERSEPROXY_SSL=true
      - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
@ -53,7 +44,7 @@ services:
      - patientlist-db
  patientlist-db:
-    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    image: docker.verbis.dkfz.de/cache/postgres:15.6-alpine
    container_name: bridgehead-patientlist-db
    environment:
      POSTGRES_USER: "mainzelliste"
@ -64,49 +55,5 @@ services:
      # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
  traefik-forward-auth:
    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
    environment:
      - http_proxy=http://forward_proxy:3128
      - https_proxy=http://forward_proxy:3128
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
      - OAUTH2_PROXY_UPSTREAMS=static://202
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_SCOPE=openid profile email
      # Pass Authorization Header and some user information to backend services
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
      - OAUTH2_PROXY_COOKIE_REFRESH=60s
      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-idm`)"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180"
      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization"
    depends_on:
      forward_proxy:
        condition: service_healthy
  ccp-patient-project-identificator:
    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
    container_name: bridgehead-ccp-patient-project-identificator
    environment:
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
 volumes:
  patientlist-db-data:
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@ -3,7 +3,7 @@
 function idManagementSetup() {
 	if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
 		log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
-		OVERRIDE+=" -f ./ccp/modules/id-management-compose.yml"
+		OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
 		# Auto Generate local Passwords
 		PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
--- a/ccp/modules/login-compose.yml
+++ b/ccp/modules/login-compose.yml
@ -0,0 +1,47 @@
 version: "3.7"
 services:
  login-db:
    image: docker.verbis.dkfz.de/cache/postgres:15.4-alpine
    container_name: bridgehead-login-db
    environment:
      POSTGRES_USER: "keycloak"
      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
      POSTGRES_DB: "keycloak"
    tmpfs:
      - /var/lib/postgresql/data
 # Consider removing this comment once we have collected experience in production.
 #    volumes:
 #      - "bridgehead-login-db:/var/lib/postgresql/data"
  login:
    image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest
    container_name: bridgehead-login
    environment:
      KEYCLOAK_ADMIN: "admin"
      KEYCLOAK_ADMIN_PASSWORD: "${LDM_AUTH}"
      TEILER_ADMIN: "${PROJECT}"
      TEILER_ADMIN_PASSWORD: "${LDM_AUTH}"
      TEILER_ADMIN_FIRST_NAME: "${OPERATOR_FIRST_NAME}"
      TEILER_ADMIN_LAST_NAME: "${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh
      KC_HOSTNAME_URL: "https://${HOST}/login"
      KC_HOSTNAME_STRICT: "false"
      KC_PROXY_ADDRESS_FORWARDING: "true"
      TEILER_ORCHESTRATOR_EXTERN_URL: "https://${HOST}/ccp-teiler"
    command:
      - start-dev --import-realm --proxy edge --http-relative-path=/login
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.login.rule=PathPrefix(`/login`)"
      - "traefik.http.services.login.loadbalancer.server.port=8080"
      - "traefik.http.routers.login.tls=true"
    depends_on:
      - login-db
 # Consider removing this comment once we have collected experience in production.
 #volumes:
 #  bridgehead-login-db:
 #    name: "bridgehead-login-db"
--- a/ccp/modules/login-setup.sh
+++ b/ccp/modules/login-setup.sh
@ -0,0 +1,7 @@
 #!/bin/bash -e
 if [ "$ENABLE_LOGIN" == true ]; then
  log INFO "Login setup detected -- will start Login services."
  OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml"
  KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")"
 fi
--- a/ccp/modules/login.md
+++ b/ccp/modules/login.md
@ -0,0 +1,13 @@
 # Login
 The login component is a local Keycloak instance. In the future will be replaced by the central keycloak instance
 or maybe can be used to add local identity providers to the bridgehead or just to simplify the configuration of
 the central keycloak instance for the integration of every new bridgehead.
 The basic configuration of our Keycloak instance is contained in a small json file.
 ### Teiler User
 Currently, the local keycloak is used by the teiler. There is a basic admin user in the basic configuration of keycloak.
 The user can be configured with the environment variables TEILER_ADMIN_XXX.
 ## Login-DB
 Keycloak requires a local database for its configuration. However, as we use an initial json configuration file, if no
 local identity provider is configured nor any local user, theoretically we don't need a volume for the login.
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@ -2,6 +2,7 @@ version: "3.7"
 services:
  mtba:
    #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
    container_name: bridgehead-mtba
    environment:
@ -20,10 +21,11 @@ services:
      FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
      CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
      HTTP_RELATIVE_PATH: "/mtba"
-      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
-      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_URL: "${OIDC_URL}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
      KEYCLOAK_URL: "${KEYCLOAK_URL}"
    labels:
      - "traefik.enable=true"
--- a/ccp/modules/mtba-setup.sh
+++ b/ccp/modules/mtba-setup.sh
@ -5,6 +5,7 @@ function mtbaSetup() {
    log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
      exit 1;
    fi
    OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
    add_private_oidc_redirect_url "/mtba/*"
--- a/ccp/modules/nngm-compose.yml
+++ b/ccp/modules/nngm-compose.yml
@ -12,6 +12,7 @@ services:
      CTS_API_KEY: ${NNGM_CTS_APIKEY}
      CRYPT_KEY: ${NNGM_CRYPTKEY}
      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
--- a/ccp/modules/obds2fhir-rest-compose.yml
+++ b/ccp/modules/obds2fhir-rest-compose.yml
@ -1,19 +0,0 @@
 version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
      - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
      - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
      - "traefik.http.routers.obds2fhir-rest.tls=true"
      - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"
--- a/ccp/modules/obds2fhir-rest-setup.sh
+++ b/ccp/modules/obds2fhir-rest-setup.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 function obds2fhirRestSetup() {
  if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
    log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
      PATIENTLIST_URL=" "
    fi
    OVERRIDE+=" -f ./ccp/modules/obds2fhir-rest-compose.yml"
    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  fi
 }
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@ -15,11 +15,11 @@ services:
    environment:
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/ccp-teiler"
  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
@ -29,27 +29,29 @@ services:
      - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
    environment:
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
+      KEYCLOAK_URL: "${KEYCLOAK_URL}"
-      OIDC_URL: "${OIDC_URL}"
+      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
+      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
+      KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
+      TEILER_USER: "${KEYCLOAK_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
+      TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
  teiler-backend:
-    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
+    # image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
    image: dktk-teiler-backend
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
@ -62,12 +64,19 @@ services:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
-      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
+      DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
      CENTRAX_URL: "${CENTRAXX_URL}"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
+    secrets:
      - ccp.conf
 secrets:
  ccp.conf:
    file: /etc/bridgehead/ccp.conf
--- a/ccp/modules/teiler-setup.sh
+++ b/ccp/modules/teiler-setup.sh
@ -3,7 +3,5 @@
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=DE
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
  add_public_oidc_redirect_url "/ccp-teiler/*"
 fi
--- a/ccp/modules/teiler-ui-compose.yml
+++ b/ccp/modules/teiler-ui-compose.yml
--- a/ccp/modules/teiler.md
+++ b/ccp/modules/teiler.md
@ -1,180 +1,19 @@
 # Teiler
-
+This module orchestrates the different microfrontends of the bridgehead as a single page application.  
 **Teiler** is the central frontend of the **bridgehead system**. It brings together multiple independent tools—each built as a **microfrontend**—into a single, unified web application.
 Users interact with Teiler as one coherent interface, but behind the scenes, it dynamically integrates and displays self-contained modules developed with different technologies (**Angular**, **Vue**, **React**, etc.). This modular approach makes Teiler highly flexible, allowing teams to develop, deploy, and maintain features independently.
 Teiler ensures:
 * **A consistent look and feel** across tools.
 * **Smooth navigation** between components.
 * **Seamless user authentication** across the entire interface.
 Each independent tool integrated into Teiler is called a **bridgehead app**. A bridgehead app can be:
 - A fully standalone microfrontend with its own frontend and backend services.
 - An embedded service inside the Teiler Dashboard.
 - An external link to another service, possibly hosted on a central server or elsewhere in the federated research network.
 The modularity of Teiler enables it to adapt easily to the evolving needs of the research federated network by simply adding, updating, or removing bridgehead apps.
 Below is a breakdown of Teiler's internal components that make this orchestration possible.
 - [Teiler Orchestrator](#teiler-orchestrator)  
 - [Teiler Dashboard](#teiler-dashboard)  
 - [Teiler Backend](#teiler-backend)
 ---
 ## Teiler Orchestrator
 Single SPA component that consists on the root HTML site of the single page application and a javascript code that
 gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
 resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
-The **Teiler Orchestrator** is the entry point of the **Single Page Application (SPA)**. It consists of:
+The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
-
+This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
- An **HTML root page**.
+There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
 - A **JavaScript layer** that:
  - **Retrieves microfrontend configurations** from the backend.
  - **Registers and manages** the microfrontends using [**Single-SPA**](https://single-spa.js.org/), the framework Teiler uses to create and coordinate its microfrontend environment.
 Using this information, the orchestrator dynamically **loads the correct microfrontend** for a given route and manages its **lifecycle** (*init*, *mount*, *unmount*) in real time.
 **Microfrontends** run in their own containers and can be implemented with any major frontend framework. To be compatible with Teiler, they must integrate with **Single-SPA**.
 To encourage developers to create their own microfrontends and integrate them into Teiler, we provide **starter templates** for **Angular**, **Vue**, and **React**. Developing a new microfrontend is straightforward:
 1. Use one of the templates.
 2. Extend it with your own functionality.
 3. Add its configuration in the **Teiler Backend**.
 This modular approach accelerates development and fosters collaboration.
 **GitHub repository:** [https://github.com/samply/teiler-orchestrator](https://github.com/samply/teiler-orchestrator)
 ---
 ## Teiler Dashboard
-
+It consists on the main dashboard and a set of embedded services.
-The **Teiler Dashboard** is the unified interface users interact with after logging in. It provides:
+### Login
-
+user and password in ccp.local.conf
 - A **single point of access** where various bridgehead apps are embedded as microfrontends.
 - **Central navigation** and **session management** for a smooth user experience.
 ### Authentication and Authorization
 Teiler uses **OpenID Connect (OIDC)** for user authentication, accessible via the **top navigation bar**.
 We consider three possible **application roles**:
 | Role   | Description                                               |
 |--------|-----------------------------------------------------------|
 | Public | Accessible by any user without the need to log in         |
 | User   | Normal users working with various bridgehead applications |
 | Admin  | Bridgehead system administrators                           |
 It is possible to **deactivate OIDC authentication** entirely. In such cases, **all apps must have at least the public role** to allow access. While this may be suitable for development or testing, we **strongly encourage** at least some external authentication mechanism or network-level access control to secure the bridgehead environment.
 Alternatively, basic authentication can be enforced through the existing **Traefik infrastructure** integrated with the bridgehead.
 **GitHub repository:** [https://github.com/samply/teiler-dashboard](https://github.com/samply/teiler-dashboard)
 ---
 ## Teiler Backend
-
+In this component, the microfrontends are configured.
 The **Teiler Backend** serves as the central configuration hub for all microfrontends and bridgehead apps. It defines:
 - Which bridgehead apps are available.
 - Their loading URLs and routes.
 - Optional metadata such as display names, icons, roles, and activation status.
 It enables the orchestrator to remain **generic and flexible**, adapting dynamically to whatever apps are defined in the backend configuration.
 ### Assets Directory
 There is an **assets** directory where you can save images and other static files to be accessible to your microfrontends. This helps configure and customize apps more easily and quickly.
 Assets can be referenced via:
 ```
 <Teiler Backend URL>/assets/<filename>
 ```
 ### App Configuration via Environment Variables
 Apps are configured using environment variables with the following structure:
 ```
 TEILER_APP<Number>_<suffix>
 Optional: TEILER_APP<Number>_<LanguageCode>_<suffix>
 ```
 - The **number** is just for grouping variables for a single app and has no intrinsic meaning.
 - The **app** is the unit within Teiler, shown as a box in the dashboard.
 - Apps can be:
  - Embedded apps inside the Teiler Dashboard (there is a helper Python script for generating embedded apps: [create-embedded-app.py](https://github.com/samply/teiler-dashboard/blob/main/create-embedded-app.py))
  - External links (e.g., central services outside the local bridgehead instance)
 - An app's frontend (microfrontend or embedded app) can either contain the entire functionality or serve as a frontend communicating with other backend microservices in the bridgehead.
 Currently supported languages in the main projects DKTK and BBMRI are **English (EN)** and **German (DE)**, but the system can be extended to other languages.
 The Teiler Dashboard requests variables from the backend for each app and passes the desired language code. If a language-specific variable is unavailable, the default language value is returned.
 ### App Availability Monitoring
 The Teiler Backend regularly **pings apps** to check availability and displays status messages such as:
 - "Frontend not available"
 - "Backend not available"
 - "Frontend and Backend not available"
 ### Accepted TEILER_APP Variable Suffixes
 | Suffix           | Description                                                                                                   |
 |------------------|---------------------------------------------------------------------------------------------------------------|
 | NAME             | Identifier of the app (no spaces). For embedded apps, must match the identifier defined in Teiler Dashboard.  |
 | TITLE            | Display title shown to users.                                                                                  |
 | DESCRIPTION      | Brief description of the app.                                                                                   |
 | BACKENDURL       | URL of the backend microservice (if applicable).                                                              |
 | BACKENDCHECKURL  | URL that the backend pings to verify backend availability. Defaults to BACKENDURL if not specified.             |
 | SOURCEURL        | URL of the microfrontend or external link (not used for embedded apps).                                        |
 | SOURCECHECKURL   | URL to ping to check microfrontend or external link availability. Defaults to SOURCEURL if not specified.       |
 | ROLES            | Comma-separated roles allowed: `TEILER_PUBLIC`, `TEILER_USER`, `TEILER_ADMIN`.                                 |
 | ISACTIVATED      | `true` or `false`. Used to temporarily deactivate an app without deleting its config.                           |
 | ICONCLASS        | Bootstrap icon class to display in app box (e.g., `"bi bi-search"`).                                           |
 | ICONSOURCEURL    | URL to an image icon. Prefer using local assets instead of external URLs.                                       |
 | ORDER            | Relative display order of the app in the dashboard.                                                            |
 | ISEXTERNALLINK   | `true` or `false`. Indicates if the app is an external link outside the local bridgehead.                       |
 | ISLOCAL          | `true` or `false`. Indicates if the app runs locally within the bridgehead site or on a central server.         |
 *Note:* Embedded apps often have many of these variables preconfigured and may not require manual specification. See the [Teiler Dashboard documentation](https://github.com/samply/teiler-dashboard) for details.
 ### Additional Teiler Backend Variables for Dashboard Configuration
 | Variable Prefix                    | Description                                                                                                  |
 |------------------------------------|--------------------------------------------------------------------------------------------------------------|
 | TEILER_DASHBOARD_                  | General configuration of the dashboard.                                                                     |
 | TEILER_DASHBOARD_&lt;LangCode&gt;_ | Language-specific configuration overrides.                                                                   |
 Important suffixes include:
 | Suffix           | Description                                                      |
 |------------------|------------------------------------------------------------------|
 | WELCOME_TITLE    | Title shown on the initial screen before login.                  |
 | WELCOME_TEXT     | Welcome message or instructions before login.                    |
 | FURTHER_INFO     | Additional informational text or links.                          |
 | BACKGROUND_IMAGE_URL | URL to a background image (SVG recommended for scalability).  |
 | LOGO_URL         | URL to the project or bridgehead logo.                           |
 | LOGO_HEIGHT      | Height of the displayed logo.                                    |
 | LOGO_TEXT        | Title text of the bridgehead (e.g., "DKTK Bridgehead").          |
 | COLOR_PALETTE    | JSON link to color palettes for text, lines, icons, and background (especially for SVGs).                   |
 | COLOR_PROFILE    | Selected color profile from the palette.                         |
 | FONT             | Font family for the dashboard text.                             |
 ---
 **GitHub repository:** [https://github.com/samply/teiler-backend](https://github.com/samply/teiler-backend)
 ---
 If you want to create your own bridgehead app and integrate it into Teiler, start by selecting a template or building a microfrontend compatible with **Single-SPA**. Then add your app’s configuration in the Teiler Backend as described above.
 This flexible, modular design enables easy expansion
--- a/ccp/queries_to_cache.conf
+++ b/ccp/queries_to_cache.conf
@ -1,3 +0,0 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfUkVQTEFDRV9TUEVDSU1FTl9TVFJBVElGSUVSaWYgSW5Jbml0aWFsUG9wdWxhdGlvbiB0aGVuIFtTcGVjaW1lbl0gZWxzZSB7fSBhcyBMaXN0PFNwZWNpbWVuPgpES1RLX1NUUkFUX1BST0NFRFVSRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX01FRElDQVRJT05fU1RSQVRJRklFUgoKICBES1RLX1JFUExBQ0VfSElTVE9MT0dZX1NUUkFUSUZJRVIKIGlmIGhpc3RvLmNvZGUuY29kaW5nLndoZXJlKGNvZGUgPSAnNTk4NDctNCcpLmNvZGUuZmlyc3QoKSBpcyBudWxsIHRoZW4gMCBlbHNlIDEKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1JFUExBQ0VfU1BFQ0lNRU5fU1RSQVRJRklFUmlmIEluSW5pdGlhbFBvcHVsYXRpb24gdGhlbiBbU3BlY2ltZW5dIGVsc2Uge30gYXMgTGlzdDxTcGVjaW1lbj4KREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19SRVBMQUNFX0hJU1RPTE9HWV9TVFJBVElGSUVSCiBpZiBoaXN0by5jb2RlLmNvZGluZy53aGVyZShjb2RlID0gJzU5ODQ3LTQnKS5jb2RlLmZpcnN0KCkgaXMgbnVsbCB0aGVuIDAgZWxzZSAxCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzYxJyBmcm9tIGljZDEwXSkgYW5kIAooKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NTAwLzMnKSk=
 ORGANOID_DASHBOARD_PUBLIC
--- a/ccp/vars
+++ b/ccp/vars
@ -2,18 +2,30 @@ BROKER_ID=broker.ccp-it.dktk.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
+FOCUS_RETRY_COUNT=32
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
-OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
+KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
-OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
+KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
-OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"
+# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
-OIDC_GROUP_CLAIM="groups"
+KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
 KEYCLOAK_URL="https://login.verbis.dkfz.de"
 KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
 KEYCLOAK_GROUP_CLAIM="groups"
 OAUTH2_CALLBACK=/oauth2/callback
 OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
 for module in $PROJECT/modules/*.sh
 do
@ -23,13 +35,4 @@ done
 idManagementSetup
 mtbaSetup
-obds2fhirRestSetup
+adt2fhirRestSetup
 blazeSecondarySetup
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 transfairSetup
--- a/dhki/docker-compose.yml
+++ b/dhki/docker-compose.yml
@ -1,66 +0,0 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-dhki-blaze
    environment:
      BASE_URL: "http://bridgehead-dhki-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_dhki.rule=PathPrefix(`/dhki-localdatamanagement`)"
      - "traefik.http.middlewares.dhki_b_strip.stripprefix.prefixes=/dhki-localdatamanagement"
      - "traefik.http.services.blaze_dhki.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_dhki.middlewares=dhki_b_strip,auth"
      - "traefik.http.routers.blaze_dhki.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-dhki-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
    volumes:
      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/dhki/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/dhki/queries_to_cache.conf
+++ b/dhki/queries_to_cache.conf
@ -1,2 +0,0 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREhLSV9TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfRU5DT1VOVEVSX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpESEtJX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRIS0lfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCgpESEtJX1NUUkFUX0VOQ09VTlRFUl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKChleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzM0LjknIGZyb20gaWNkMTBdKSBvcgooZXhpc3RzIFtDb25kaXRpb246IENvZGUgJ0MzNC44JyBmcm9tIGljZDEwXSkgb3IKKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDMzQuMCcgZnJvbSBpY2QxMF0pIG9yCihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzM0LjInIGZyb20gaWNkMTBdKSBvcgooZXhpc3RzIFtDb25kaXRpb246IENvZGUgJ0MzNC4xJyBmcm9tIGljZDEwXSkgb3IKKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDMzQuMycgZnJvbSBpY2QxMF0pKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQxLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDMvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0Ny8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MjUwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgyNTEvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODI1Mi8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MjUzLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgyNTUvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODI2MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MzEwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgzMzMvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODQ3MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0OTAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODU1MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MDUyLzMnKSkp
--- a/dhki/root.crt.pem
+++ b/dhki/root.crt.pem
@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUSWUPebUMNfJvPKMjdgX+WiH+OXgwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTA1MDg1NTM4WhcNMzQw
 MTAyMDg1NjA4WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAL/nvo9Bn1/6Z/K4BKoLM6/mVziM4cmXTVx4npVz
 pnptwPPFU4rz47akRZ6ZMD5MO0bsyvaxG1nwVrW3aAGC42JIGTdZHKwMKrd35sxw
 k3YlGJagGUs+bKHUCL55OcSmyDWlh/UhA8+eeJWjOt9u0nYXv+vi+N4JSHA0oC9D
 bTF1v+7blrTQagf7PTPSF3pe22iXOjJYdOkZMWoMoNAjn6F958fkLNLY3csOZwvP
 /3eyNNawyAEPWeIm33Zk630NS8YHggz6WCqwXvuaKb6910mRP8jgauaYsqgsOyDt
 pbWuvk//aZWdGeN9RNsAA8eGppygiwm/m9eRC6I0shDwv6ECAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFn/dbW1J3ry
 7TBzbKo3H4vJr2MiMB8GA1UdIwQYMBaAFFn/dbW1J3ry7TBzbKo3H4vJr2MiMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCa2V8B8aad
 XNDS1EUIi9oMdvGvkolcdFwx9fI++qu9xSIaZs5GETHck3oYKZF0CFP5ESnKDn5w
 enWgm5M0y+hVZppzB163WmET1efBXwrdyn8j4336NjX352h63JGWCaI2CfZ1qG1p
 kf5W9CVXllSFaJe5r994ovgyHvK2ucWwe8l8iMJbQhH79oKi/9uJMCD6aUXnpg1K
 nPHW1lsVx6foqYWijdBdtFU2i7LSH2OYo0nb1PgRnY/SABV63JHfJnqW9dZy4f7G
 rpsvvrmFrKmEnCZH0n6qveY3Z5bMD94Yx0ebkCTYEqAw3pV65gwxrzBTpEg6dgF0
 eG0eKFUS0REJ
 -----END CERTIFICATE-----
--- a/dhki/vars
+++ b/dhki/vars
@ -1,26 +0,0 @@
 BROKER_ID=broker.hector.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 for module in ccp/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 idManagementSetup
 obds2fhirRestSetup
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 transfairSetup
--- a/docs/update-access-token.md
+++ b/docs/update-access-token.md
@ -1,42 +0,0 @@
 ## How to Change Config Access Token
 ### 1. Generate a New Access Token
 1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).  
 2. Navigate to the configuration repository for your site.  
 3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.  
   - **If expired**, create a new Access Token.  
 4. Configure the new Access Token with the following settings:  
   - **Expiration date**: One year from today, minus one day.  
   - **Role**: Developer.  
   - **Scope**: Only `read_repository`.  
 5. Save the newly generated Access Token in a secure location.  
 ---
 ### 2. Replace the Old Access Token
 1. Navigate to `/etc/bridgehead` in your system.  
 2. Run the following command to retrieve the current Git remote URL:  
   ```bash
   git remote get-url origin
   ```
   Example output:  
   ```
   https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 3. Replace `<old_access_token>` with your new Access Token in the URL.  
 4. Set the updated URL using the following command:  
   ```bash
   git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 5. Start the Bridgehead update service by running:  
   ```bash
   systemctl start bridgehead-update@<project>
   ```
 6. View the output to ensure the update process is successful:  
   ```bash
   journalctl -u bridgehead-update@<project> -f
   ```
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@ -1,68 +0,0 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-itcc-blaze
    environment:
      BASE_URL: "http://bridgehead-itcc-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)"
      - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
      - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
      - "traefik.http.routers.blaze_itcc.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-itcc-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/itcc/modules/lens-compose.yml
+++ b/itcc/modules/lens-compose.yml
@ -1,33 +0,0 @@
 version: "3.7"
 services:
  landing:
    container_name: lens_federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
      - "traefik.http.services.landing.loadbalancer.server.port=80"
      - "traefik.http.routers.landing.tls=true"
  spot:
    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
      BEAM_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
      BEAM_APP_ID: "focus"
      PROJECT_METADATA: "dktk_supervisors"
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
--- a/itcc/modules/lens-setup.sh
+++ b/itcc/modules/lens-setup.sh
@ -1,5 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_LENS" ];then
  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
 fi
--- a/itcc/queries_to_cache.conf
+++ b/itcc/queries_to_cache.conf
@ -1,2 +0,0 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp
--- a/itcc/root.crt.pem
+++ b/itcc/root.crt.pem
@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
 MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
 TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
 OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
 XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
 pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
 K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
 poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
 AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
 fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
 3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
 n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
 7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
 Rtup0MTxSJtN
 -----END CERTIFICATE-----
--- a/itcc/vars
+++ b/itcc/vars
@ -1,14 +0,0 @@
 BROKER_ID=test-no-real-data.broker.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@ -1,67 +0,0 @@
 version: "3.7"
 services:
  landing:
    deploy:
      replicas: 0 #deactivate landing page
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-kr-blaze
    environment:
      BASE_URL: "http://bridgehead-kr-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_kr.rule=PathPrefix(`/kr-localdatamanagement`)"
      - "traefik.http.middlewares.kr_b_strip.stripprefix.prefixes=/kr-localdatamanagement"
      - "traefik.http.services.blaze_kr.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_kr.middlewares=kr_b_strip,auth"
      - "traefik.http.routers.blaze_kr.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-kr-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/kr/modules/export-and-qb.curl-templates
+++ b/kr/modules/export-and-qb.curl-templates
@ -1,6 +0,0 @@
 # Full Excel Export
 curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
 --header 'x-api-key: ${EXPORT_API_KEY}'
 # QB
 curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'
--- a/kr/modules/exporter-compose.yml
+++ b/kr/modules/exporter-compose.yml
@ -1,67 +0,0 @@
 version: "3.7"
 services:
  exporter:
    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
    container_name: bridgehead-ccp-exporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      CROSS_ORIGINS: "https://${HOST}"
      EXPORTER_DB_USER: "exporter"
      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
      HTTP_RELATIVE_PATH: "/ccp-exporter"
      SITE: "${SITE_ID}"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
      - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
      - "traefik.http.routers.exporter_ccp.tls=true"
      - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
      - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
    volumes:
      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-ccp-exporter-db
    environment:
      POSTGRES_USER: "exporter"
      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
    container_name: bridgehead-ccp-reporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      CROSS_ORIGINS: "https://${HOST}"
      HTTP_RELATIVE_PATH: "/ccp-reporter"
      SITE: "${SITE_ID}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      EXPORTER_URL: "http://exporter:8092"
      LOG_FHIR_VALIDATION: "false"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
    # a process that can take several hours, because it depends on the exporter.
    # There is a risk that the bridgehead restarts, losing the already created export.
    volumes:
      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
      - "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
      - "traefik.http.routers.reporter_ccp.tls=true"
      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
--- a/kr/modules/exporter-setup.sh
+++ b/kr/modules/exporter-setup.sh
@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/kr/modules/exporter.md
+++ b/kr/modules/exporter.md
@ -1,15 +0,0 @@
 # Exporter and Reporter
 ## Exporter
 The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
 It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
 ## Exporter-DB
 It is a database to save queries for its execution in the exporter. 
 The exporter manages also the different executions of the same query in through the database.
 ## Reporter
 This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
 It is compatible with different template engines as Groovy, Thymeleaf,...
 It is perfect to generate a document as our traditional CCP quality report.
--- a/kr/modules/lens-compose.yml
+++ b/kr/modules/lens-compose.yml
@ -1,35 +0,0 @@
 version: "3.7"
 services:
  landing:
    deploy:
      replicas: 1 #reactivate if lens is in use
    container_name: lens_federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
      - "traefik.http.services.landing.loadbalancer.server.port=80"
      - "traefik.http.routers.landing.tls=true"
  spot:
    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
      BEAM_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
      BEAM_APP_ID: "focus"
      PROJECT_METADATA: "kr_supervisors"
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
--- a/kr/modules/lens-setup.sh
+++ b/kr/modules/lens-setup.sh
@ -1,5 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_LENS" ];then
  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
 fi
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@ -1,19 +0,0 @@
 version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
      - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
      - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
      - "traefik.http.routers.obds2fhir-rest.tls=true"
      - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"
--- a/kr/modules/obds2fhir-rest-setup.sh
+++ b/kr/modules/obds2fhir-rest-setup.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 function obds2fhirRestSetup() {
  if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
    log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
    if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
      log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
      PATIENTLIST_URL=" "
    fi
    OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml"
    LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  fi
 }
--- a/kr/modules/teiler-compose.yml
+++ b/kr/modules/teiler-compose.yml
@ -1,79 +0,0 @@
 version: "3.7"
 services:
  teiler-orchestrator:
    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
    container_name: bridgehead-teiler-orchestrator
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)"
      - "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000"
      - "traefik.http.routers.teiler_orchestrator_ccp.tls=true"
      - "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
      - "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
    environment:
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/ccp-teiler"
  teiler-dashboard:
    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)"
      - "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80"
      - "traefik.http.routers.teiler_dashboard_ccp.tls=true"
      - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
  teiler-backend:
    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)"
      - "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085"
      - "traefik.http.routers.teiler_backend_ccp.tls=true"
      - "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
      - "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
    secrets:
      - ccp.conf
 secrets:
  ccp.conf:
    file: /etc/bridgehead/ccp.conf
--- a/kr/modules/teiler-setup.sh
+++ b/kr/modules/teiler-setup.sh
@ -1,9 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=DE
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
  add_public_oidc_redirect_url "/ccp-teiler/*"
 fi
--- a/kr/modules/teiler.md
+++ b/kr/modules/teiler.md
@ -1,19 +0,0 @@
 # Teiler
 This module orchestrates the different microfrontends of the bridgehead as a single page application.  
 ## Teiler Orchestrator
 Single SPA component that consists on the root HTML site of the single page application and a javascript code that
 gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
 resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
 The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
 This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
 There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
 ## Teiler Dashboard
 It consists on the main dashboard and a set of embedded services.
 ### Login
 user and password in ccp.local.conf
 ## Teiler Backend
 In this component, the microfrontends are configured.
--- a/kr/root.crt.pem
+++ b/kr/root.crt.pem
@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
 MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
 TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
 OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
 XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
 pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
 K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
 poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
 AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
 fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
 3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
 n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
 7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
 Rtup0MTxSJtN
 -----END CERTIFICATE-----
--- a/kr/vars
+++ b/kr/vars
@ -1,16 +0,0 @@
 BROKER_ID=test-no-real-data.broker.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 obds2fhirRestSetup
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -53,8 +53,8 @@ checkOwner(){
 }
 printUsage() {
-	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
+	echo "Usage: bridgehead start|stop|is-running|update|install|uninstall|adduser|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
+	echo "PROJECTNAME should be one of ccp|bbmri"
 }
 checkRequirements() {
@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 	for VAR in $@; do
-		if [ -z "${!VAR}" ]; then
+	if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done
@ -155,30 +155,6 @@ setHostname() {
 	fi
 }
 # This function optimizes the usage of memory through blaze, according to the official performance tuning guide:
 #   https://github.com/samply/blaze/blob/master/docs/tuning-guide.md
 # Short summary of the adjustments made:
 # - set blaze memory cap to a quarter of the system memory
 # - set db block cache size to a quarter of the system memory
 # - limit resource count allowed in blaze to 1,25M per 4GB available system memory
 optimizeBlazeMemoryUsage() {
 	if [ -z "$BLAZE_MEMORY_CAP" ]; then
 	   system_memory_in_mb=$(LC_ALL=C free -m | grep 'Mem:' | awk '{print $2}');
 	   export BLAZE_MEMORY_CAP=$(($system_memory_in_mb/4));
 	fi
 	if [ -z "$BLAZE_RESOURCE_CACHE_CAP" ]; then
 		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
 		if [ $available_system_memory_chunks -eq 0 ]; then
 			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
 			export BLAZE_RESOURCE_CACHE_CAP=128000;
 			export BLAZE_CQL_CACHE_CAP=32;
 		else
 			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
 			export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));
 		fi
 	fi
 }
 # Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
 # Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
 createEncryptedPostgresBackup(){
@ -291,104 +267,37 @@ function sync_secrets() {
    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
        secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
    fi
-    if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then
+    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
        if [[ $secret_sync_args == "" ]]; then
            secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
-        else
+        else 
            secret_sync_args+="${delimiter}OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
        fi
    fi
    if [[ $secret_sync_args == "" ]]; then
        return
    fi
-    mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
+    mkdir -p /var/cache/bridgehead/secrets/
    touch /var/cache/bridgehead/secrets/oidc
    chown -R bridgehead:docker /var/cache/bridgehead/secrets
    # The oidc provider will need to be switched based on the project at some point I guess
    docker run --rm \
        -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e NO_PROXY=localhost,127.0.0.1 \
+        -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$PROXY_ID \
        -e BROKER_URL=$BROKER_URL \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
+        -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/oidc
+    source /var/cache/bridgehead/secrets/*
    set +a # Export variables in the regular way
 }
 function secret_sync_gitlab_token() {
    # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
    local gitlab
    case "$(git -C /etc/bridgehead remote get-url origin)" in
        *git.verbis.dkfz.de*) gitlab=verbis;;
        *gitlab.bbmri-eric.eu*) gitlab=bbmri;;
        *)
            log "WARN" "Not running Secret Sync because the git repository /etc/bridgehead has unknown origin"
            return
            ;;
    esac
    if [ "$PROJECT" == "bbmri" ]; then
        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
        proxy_id=$ERIC_PROXY_ID
        broker_url=$ERIC_BROKER_URL
        broker_id=$ERIC_BROKER_ID
        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
    else
        proxy_id=$PROXY_ID
        broker_url=$BROKER_URL
        broker_id=$BROKER_ID
        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
    fi
    # Create a temporary directory for Secret Sync that is valid per boot
    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
    mkdir -p $secret_sync_tempdir
    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
    # The git credential helper reads the token from the file during git pull.
    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
    docker run --rm \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -v $secret_sync_tempdir:/secret-sync/ \
        -e CACHE_PATH=/secret-sync/gitlab-token \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
        -e NO_PROXY=localhost,127.0.0.1 \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$proxy_id \
        -e BROKER_URL=$broker_url \
        -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
        -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    if [ $? -eq 0 ]; then
        log "INFO" "Secret Sync was successful"
        # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
        CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
        git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
        # Set the git credential helper
        git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
    else
        log "WARN" "Secret Sync failed"
        # Remove the git credential helper
        git -C /etc/bridgehead config --unset credential.helper
    fi
    # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
    # Let's remove it to avoid confusion. This line can be removed at some point the future when we
    # believe that it was removed on all/most production servers.
    git -C /srv/docker/bridgehead config --unset credential.helper
 }
 capitalize_first_letter() {
    input="$1"
    capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
@ -425,7 +334,7 @@ generate_password(){
  local random_special=${special:$n:1}
  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  local main_password=$(echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
+  local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g')
  echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}"
 }
@ -434,9 +343,5 @@ generate_password(){
 generate_simple_password(){
  local seed_text="$1"
  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
-  echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
+  echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
 }
 docker_jq() {
    docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
 }
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -1,11 +0,0 @@
 #!/bin/bash
 [ "$1" = "get" ] || exit
 source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
 # Any non-empty username works, only the token matters
 cat << EOF
 username=bk
 password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
 EOF
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@ -0,0 +1,41 @@
 #!/bin/bash
 if [ "$1" != "get" ]; then
 	echo "Usage: $0 get"
 	exit 1
 fi
 baseDir() {
 	# see https://stackoverflow.com/questions/59895
 	SOURCE=${BASH_SOURCE[0]}
 	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
 		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 		SOURCE=$(readlink "$SOURCE")
 		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
        done
        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
        echo $DIR
 }
 BASE=$(baseDir)
 cd $BASE
 source lib/functions.sh
 assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 if [ -z "${GIT_PASSWORD}" ]; then
 	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 cat <<EOF
 protocol=https
 host=$GITHOST
 username=bk-${SITE_ID}
 password=${GIT_PASSWORD}
 EOF
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@ -41,20 +41,6 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
  add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 if [ -z "$TRANSFAIR_AUTH" ]; then
  if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
    log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
    generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
    add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
  fi
 fi
 if [ -z "$EXPORTER_USER" ]; then
  log "INFO" "Now generating basic auth for the exporter and reporter (see adduser in bridgehead for more information). "
  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
  add_basic_auth_user $PROJECT $generated_passwd "EXPORTER_USER" $PROJECT
 fi
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
    lib/systemd/bridgehead\@.service \
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@ -52,21 +52,6 @@ case "$PROJECT" in
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;
 	cce)
 		site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/"
 		;;
 	itcc)
 		site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
        ;;
    dhki)
        site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
 		;;
 	kr)
 		site_configuration_repository_middle="git.verbis.dkfz.de/krebsregister-sites/"
 		;;
 	dhki)
 		site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
 		;;
 	minimal)
 		site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
 		;;
@ -104,9 +89,6 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then
 fi
 chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead
 mkdir -p /tmp/bridgehead /var/cache/bridgehead
 chown -R bridgehead:docker /tmp/bridgehead /var/cache/bridgehead
 chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead
 log INFO "System preparation is completed and configuration is present."
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@ -3,16 +3,14 @@
 source lib/functions.sh
 detectCompose
 CONFIG_DIR="/etc/bridgehead/"
 COMPONENT_DIR="/srv/docker/bridgehead/"
 if ! id "bridgehead" &>/dev/null; then
  log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
  exit 1
 fi
-checkOwner "${CONFIG_DIR}" bridgehead || exit 1
+checkOwner /srv/docker/bridgehead bridgehead || exit 1
-checkOwner "${COMPONENT_DIR}" bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
@ -34,31 +32,31 @@ fi
 log INFO "Checking configuration ..."
 ## Download submodule
-if [ ! -d "${CONFIG_DIR}" ]; then
+if [ ! -d "/etc/bridgehead/" ]; then
-  fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme."
+  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
 fi
 # TODO: Check all required variables here in a generic loop
 #check if project env is present
-if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then
+if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
-   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf."
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
 fi
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 log INFO "Checking ssl cert for accessing bridgehead via https"
-if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then
+if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
  log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
  mkdir -p /etc/bridgehead/traefik-tls
 fi
-if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then
+if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
-if [ -e "${CONFIG_DIR}"vault.conf ]; then
+if [ -e /etc/bridgehead/vault.conf ]; then
  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
    fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
  fi
@ -66,54 +64,48 @@ fi
 log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
-source "${CONFIG_DIR}${PROJECT}".conf
+source /etc/bridgehead/${PROJECT}.conf
 source ${PROJECT}/vars
-if [ "${PROJECT}" != "minimal" ]; then
+set +e
-  set +e
+SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
-  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+RET=$?
-  RET=$?
+set -e
-  set -e
+if [ $RET -ne 0 ]; then
-  if [ $RET -ne 0 ]; then
+	log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
-	  log WARN "Unable to connect to Samply.Beam broker at $BROKER_URL_FOR_PREREQ. Please check your proxy settings.\nThe currently configured proxy was \"$HTTPS_PROXY_URL\". This error is normal when using proxy authentication."
+	log WARN "Unable to check clock skew due to previous error."
-  	log WARN "Unable to check clock skew due to previous error."
+else
-  else
+	log INFO "Checking clock skew ..."
 	  log INFO "Checking clock skew ..."
-    SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
+	SERVERTIME_AS_TIMESTAMP=$(date --date="$SERVERTIME" +%s)
-	  MYTIME=$(date +%s)
+	MYTIME=$(date +%s)
-	  SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
+	SKEW=$(($SERVERTIME_AS_TIMESTAMP - $MYTIME))
-	  SKEW=$(echo $SKEW | awk -F- '{print $NF}')
+	SKEW=$(echo $SKEW | awk -F- '{print $NF}')
-	  SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
+	SYNCTEXT="For example, consider entering a correct NTP server (e.g. your institution's Active Directory Domain Controller in /etc/systemd/timesyncd.conf (option NTP=) and restart systemd-timesyncd."
-	  if [ $SKEW -ge 300 ]; then
+	if [ $SKEW -ge 300 ]; then
-		  report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
+		report_error 5 "Your clock is not synchronized (${SKEW}s off). This will cause Samply.Beam's certificate will fail. Please setup time synchronization. $SYNCTEXT"
-		  exit 1
+		exit 1
-	  elif [ $SKEW -ge 60 ]; then
+	elif [ $SKEW -ge 60 ]; then
-		  log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
+		log WARN "Your clock is more than a minute off (${SKEW}s). Consider syncing to a time server. $SYNCTEXT"
-	  fi
+	fi
  fi
 fi
 checkPrivKey() {
-  if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then
+  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
    log INFO "Success - private key found."
  else
-    log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
    return 1
  fi
  return 0
 }
-if [[ "$@" =~ "noprivkey" ||  "${PROJECT}" != "minimal" ]]; then
+if [[ "$@" =~ "noprivkey" ]]; then
  log INFO "Skipping check for private key for now."
 else
  checkPrivKey || exit 1
 fi
 for dir in  "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
  log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
  hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
 done
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
--- a/lib/systemd/bridgehead-update@.timer
+++ b/lib/systemd/bridgehead-update@.timer
@ -1,9 +1,8 @@
 [Unit]
-Description=Daily Updates at 6am of Bridgehead (%i)
+Description=Hourly Updates of Bridgehead (%i)
 [Timer]
-OnCalendar=*-*-* 06:00:00
+OnCalendar=*-*-* *:00:00
 Persistent=true
 [Install]
 WantedBy=basic.target
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -19,7 +19,7 @@ fi
 hc_send log "Checking for bridgehead updates ..."
-CONFFILE=/etc/bridgehead/$PROJECT.conf
+CONFFILE=/etc/bridgehead/$1.conf
 if [ ! -e $CONFFILE ]; then
  fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,7 +33,7 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
-secret_sync_gitlab_token
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 CHANGES=""
@ -45,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
  if [ -n "$OUT" ]; then
    report_error log "The working directory $DIR is modified. Changed files: $OUT"
  fi
  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
    log "INFO" "Configuring repo to use bridgehead git credential helper."
    git -C $DIR config credential.helper "$CREDHELPER"
  fi
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
    log "INFO" "Git is using no proxy!"
@ -54,8 +58,7 @@ for DIR in /etc/bridgehead $(pwd); do
    OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
  fi
  if [ $? -ne 0 ]; then
-    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
+    report_error log "Unable to update git $DIR: $OUT"
    report_error log "Unable to update git $DIR: $OUT_SAN"
  fi
  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
@ -83,7 +86,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $($COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE config | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} minimal/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
  log "INFO" "Checking for Updates of Image: $IMAGE"
  if docker pull $IMAGE | grep "Downloaded newer image"; then
    CHANGE="Image $IMAGE updated."
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@ -10,13 +10,13 @@ services:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/configuration/
-      - --api.dashboard=false
+      - --api.dashboard=true
      - --accesslog=true
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
@ -42,9 +42,6 @@ services:
      - /var/spool/squid
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
    healthcheck:
      # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
      test: ["CMD", "sleep", "1"]
  landing:
    container_name: bridgehead-landingpage
@ -58,4 +55,5 @@ services:
      HOST: ${HOST}
      PROJECT: ${PROJECT}
      SITE_NAME: ${SITE_NAME}
-      ENVIRONMENT: ${ENVIRONMENT}
+
--- a/minimal/modules/dnpm-central-targets.json
+++ b/minimal/modules/dnpm-central-targets.json
@ -1,142 +0,0 @@
 {
    "sites": [
        {
            "id": "UKFR",
            "name": "Freiburg",
            "virtualhost": "ukfr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKHD",
            "name": "Heidelberg",
            "virtualhost": "ukhd.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKT",
            "name": "Tübingen",
            "virtualhost": "ukt.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKU",
            "name": "Ulm",
            "virtualhost": "uku.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UM",
            "name": "Mainz",
            "virtualhost": "um.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKMR",
            "name": "Marburg",
            "virtualhost": "ukmr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKE",
            "name": "Hamburg",
            "virtualhost": "uke.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKA",
            "name": "Aachen",
            "virtualhost": "uka.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "Charite",
            "name": "Berlin",
            "virtualhost": "charite.dnpm.de",
            "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MRI",
            "name": "Muenchen-tum",
            "virtualhost": "mri.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "KUM",
            "name": "Muenchen-lmu",
            "virtualhost": "kum.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MHH",
            "name": "Hannover",
            "virtualhost": "mhh.dnpm.de",
            "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKDD",
            "name": "dresden-dnpm",
            "virtualhost": "ukdd.dnpm.de",
            "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKB",
            "name": "Bonn",
            "virtualhost": "ukb.dnpm.de",
            "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKD",
            "name": "Duesseldorf",
            "virtualhost": "ukd.dnpm.de",
            "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKK",
            "name": "Koeln",
            "virtualhost": "ukk.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UME",
            "name": "Essen",
            "virtualhost": "ume.dnpm.de",
            "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKM",
            "name": "Muenster",
            "virtualhost": "ukm.dnpm.de",
            "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKF",
            "name": "Frankfurt",
            "virtualhost": "ukf.dnpm.de",
            "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UMG",
            "name": "Goettingen",
            "virtualhost": "umg.dnpm.de",
            "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKW",
            "name": "Würzburg",
            "virtualhost": "ukw.dnpm.de",
            "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKSH",
            "name": "Schleswig-Holstein",
            "virtualhost": "uksh.dnpm.de",
            "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "TKT",
            "name": "Test",
            "virtualhost": "tkt.dnpm.de",
            "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
        }
    ]
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
MuhannadBaraghith	5ca134c35d	Changed: image used for cbioportal and teiler backend	2024-02-13 15:12:46 +01:00
MuhannadBaraghith	c565d14ee4	Changed: - used image for cbioportal in cbioportal-compose to the Harbor image - Ran tests to make sure cbioportal and cbioportal API work in Teiler backend.	2024-02-13 15:12:46 +01:00
juarez	a9c09c0d05	Added: cBioPortal	2024-02-13 15:12:46 +01:00
janskiba	2f663c45e8	Add `dsCCPhos`	2024-02-13 15:12:46 +01:00
janskiba	ebbe64abee	Only sync secrets on startup	2024-02-13 15:12:46 +01:00
janskiba	26c9e1286d	fix: Use strong pw for opal	2024-02-13 15:12:46 +01:00
janskiba	92984d24f3	fix: Generate stable passwords	2024-02-13 15:12:46 +01:00
juarez	abedfdaf64	Added: volume for opal metadata db (III)	2024-02-13 15:12:46 +01:00
juarez	c751b72e0e	Added: volume for opal metadata db (II)	2024-02-13 15:12:46 +01:00
juarez	65eee84a4f	Added: volume for opal metadata db	2024-02-13 15:12:45 +01:00
janskiba	c0f497255c	Add test sites	2024-02-13 15:12:45 +01:00
janskiba	56c2955b5d	Add central token manager beam id	2024-02-13 15:12:45 +01:00
juarez	0ced9b0e4e	Added: allowed-groups	2024-02-13 15:12:45 +01:00
juarez	bb23d6f25b	Added: Enable MTBA and Enable DataSHIELD to Teiler Backend	2024-02-13 15:12:45 +01:00
juarez	8ac4e36ac1	Default values for MTBA	2024-02-13 15:12:45 +01:00
juarez	4e809f66cb	Use develop version of mtba	2024-02-13 15:12:45 +01:00
juarez	ca9f88421c	Use last version of mtba	2024-02-13 15:12:45 +01:00
juarez	8579bc879f	Only users of group DataSHIELD can use R-Studio	2024-02-13 15:12:45 +01:00
juarez	18dda72e84	teiler-orchestrator and teiler-dashboard latest	2024-02-13 15:12:45 +01:00
Jan	164d1a66fb	fix: undo permission changes on startup	2024-02-13 15:12:45 +01:00
Jan	ca7772421b	fix: only change permissions on related files	2024-02-13 15:12:45 +01:00
janskiba	2ec44c9d48	fix: opal ssl cert	2024-02-13 15:12:45 +01:00
janskiba	9231c99141	fix: chown syntax	2024-02-13 15:12:45 +01:00
janskiba	2542c478c1	fix: beam connect site renaming	2024-02-13 15:12:45 +01:00
janskiba	7fb27efae3	fix: Change permissions on new bridgehead dirs	2024-02-13 15:12:45 +01:00
janskiba	efd26aa761	fix: generate the right beam connect mappings	2024-02-13 15:12:45 +01:00
janskiba	cd36ab455b	feat: Add token-manager to beam	2024-02-13 15:12:45 +01:00
janskiba	e9eccd5cab	fix: Restrict rstudio network access	2024-02-13 15:12:45 +01:00
juarez	381633d4a0	move OAUTH2_SECRET	2024-02-13 15:12:45 +01:00
juarez	30760075a6	add default template-ids of exporter and reporter	2024-02-13 15:12:44 +01:00
juarez	1299ee2ab4	mtba develop	2024-02-13 15:12:44 +01:00
juarez	fe56cbbc19	add /oauth2/callback and /mtba to Keycloak private client	2024-02-13 15:12:44 +01:00
juarez	bd784e703a	mtba latest	2024-02-13 15:12:44 +01:00
juarez	109426cf43	Use develop branch for mtba	2024-02-13 15:12:44 +01:00
janskiba	40d6c7cae5	fix: public client generation	2024-02-13 15:12:44 +01:00
janskiba	a3c7a002fd	Better redirect url handeling	2024-02-13 15:12:44 +01:00
juarez	91903fae24	Add oauth2_proxy	2024-02-13 15:12:44 +01:00
juarez	ea0435bee3	Add comment about PASSWORD and DISABLE_AUTH in R-Studio	2024-02-13 15:12:44 +01:00
juarez	ad1b00d16e	Add proxy to R-Studio for loading R packages	2024-02-13 15:12:44 +01:00
juarez	e696d3b5dd	Add Keycloak to MTBA	2024-02-13 15:12:44 +01:00
juarez	b683d07f48	Add keycloak configuration	2024-02-13 15:12:44 +01:00
juarez	eea53cd877	Add R-Studio Admin Password	2024-02-13 15:12:44 +01:00
juarez	b0ced71197	Add generate_password function	2024-02-13 15:12:44 +01:00
juarez	185143c084	Bugfix: Export /var/cache/bridgehead/secrets as environment variables	2024-02-13 15:12:44 +01:00
janskiba	0a1070c3a5	Account for ip address host values	2024-02-13 15:12:44 +01:00
janskiba	8505057863	Remove port handeling when generating redirect url	2024-02-13 15:12:44 +01:00
juarez	72d37c87f9	Add function generate_redirect_urls	2024-02-13 15:12:44 +01:00
janskiba	8aa851bfe4	Update oidc provider to new url	2024-02-13 15:12:44 +01:00
janskiba	67831ba57b	Generate addtional redirect url	2024-02-13 15:12:43 +01:00
juarez	0545189cec	Integrate central Keycloak in Teiler	2024-02-13 15:12:43 +01:00
Jan Skiba	faf46f9fea	Make sure path exists	2024-02-13 15:12:43 +01:00
Jan Skiba	c8e215199c	Setup hostname earlier	2024-02-13 15:12:43 +01:00
janskiba	c2b994e0d1	Update to new secret-sync semantics	2024-02-13 15:12:43 +01:00
janskiba	4cd66f6689	Add secret sync to the bridgehead	2024-02-13 15:12:43 +01:00
juarez	e99913cdc3	Bugfix: Add version in every docker compose file	2024-02-13 15:12:43 +01:00
juarez	afacdae20e	Remove unnecessary version of docker-compose.override files	2024-02-13 15:12:43 +01:00
juarez	33d955f17d	Bugfix: Add version in every docker compose file	2024-02-13 15:12:43 +01:00
juarez	c0ff03da6b	Remove unnecessary version of docker-compose.override files	2024-02-13 15:12:43 +01:00
juarez	6582db0523	MTBA 1.0.0	2024-02-13 15:12:43 +01:00
juarez	27948c2a64	Remove nngmSetup in vars	2024-02-13 15:12:43 +01:00
Martin Lablans	c8e7cd5f25	Prevent creation of volumes	2024-02-13 15:12:43 +01:00
lablans	f2c55ade84	Use Bridgehead's internal http proxy	2024-02-13 15:12:43 +01:00
Martin Lablans	b20758bc3d	Make Opal use proxy server	2024-02-13 15:12:43 +01:00
janskiba	8d22ea2c19	Use newest version of `beam-connect`	2024-02-13 15:12:43 +01:00
juarez	9eaaeb5064	Update export template script: FHIR_QUERY to FHIR_PATH	2024-02-13 15:12:43 +01:00
juarez	c9b19a9368	/var/cache for mtba	2024-02-13 15:12:43 +01:00
juarez	b0b599c96b	Add docu about login in teiler	2024-02-13 15:12:43 +01:00
juarez	b7c6b15425	Bugfix: datashield local.json as array	2024-02-13 15:12:43 +01:00
Martin Lablans	8e181a85c2	Prevent anonymous volume creation	2024-02-13 15:12:42 +01:00
juarez	b9dbfd4803	Bugfix: Exporter and Reporter /var/cache volumes	2024-02-13 15:12:42 +01:00
juarez	3389145c1d	Postgres 15.4 in datashield, exporter and login	2024-02-13 15:12:42 +01:00
djuarezgf	7d8b83b10c	Update ccp/modules/mtba.md Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2024-02-13 15:12:42 +01:00
juarez	d799554f86	Bugfix: Add version of docker-compose	2024-02-13 15:12:42 +01:00
janskiba	4a4a1d76a7	Make sure copy works and the correct owner is set	2024-02-13 15:12:42 +01:00
janskiba	785dff29bf	Add all sites	2024-02-13 15:12:42 +01:00
janskiba	1f9733aa4d	Auto generate mappings	2024-02-13 15:12:42 +01:00
juarez	c5578f81ee	Add ccp to /var/cache/bridgehead/* volumes	2024-02-13 15:12:42 +01:00
lablans	fa5459c4dd	Rewrite comments	2024-02-13 15:12:42 +01:00
lablans	31320a856c	Move exporter db to /var/cache/bridgehead	2024-02-13 15:12:42 +01:00
lablans	a340b959c2	Exporter cache	2024-02-13 15:12:42 +01:00
lablans	c7d0bcf94d	Rework commented sections	2024-02-13 15:12:42 +01:00
lablans	51ca9efe11	Autogenerate maps for Opal's beam-connect. To be completed by @Threated with a map-generator in the script.	2024-02-13 15:12:42 +01:00
lablans	1ef6142306	Cache opal in /var/cache/bridgehead	2024-02-13 15:12:42 +01:00
juarez	e71495c70f	Bugfix: Add version in every docker compose file	2024-02-13 15:12:42 +01:00
juarez	e6b7a63ef7	#!/bin/bash -e	2024-02-13 15:12:42 +01:00
juarez	86ca652e8d	Bugfix: LDM_AUTH instead of LDM_PASSWORD	2024-02-13 15:12:42 +01:00
juarez	d1a0153a6e	Rename Teiler Backend, Teiler Dashboard and Teiler Orchestrator	2024-02-13 15:12:42 +01:00
juarez	5b88df4912	Add site to exporter and reporter	2024-02-13 15:12:41 +01:00
juarez	8345a9b1f1	Add forward proxy to teiler-core	2024-02-13 15:12:41 +01:00
juarez	3d210ea303	Bugfix: mtba labels	2024-02-13 15:12:41 +01:00
juarez	d8451c0426	Bugfix: exporter	2024-02-13 15:12:41 +01:00
juarez	b63eb141f6	Disable datashield	2024-02-13 15:12:41 +01:00
juarez	f24dfa43ef	Bugfix: MTBA path prefix	2024-02-13 15:12:41 +01:00
juarez	b6e03f3a78	Enable datashield	2024-02-13 15:12:41 +01:00
juarez	8d1a7e7374	Comment Keycloak volume	2024-02-13 15:12:41 +01:00
juarez	4b705be264	Fix comment in login-compose.yml	2024-02-13 15:12:41 +01:00
juarez	3e79598533	Remove old comment of exporter-setup.sh	2024-02-13 15:12:41 +01:00
juarez	6a97630bf1	Comment on datashield volume	2024-02-13 15:12:41 +01:00
juarez	3fdda8b8d4	Comment on export and report volumes	2024-02-13 15:12:41 +01:00
juarez	de0193b99b	Bugfix: JAVA_OPTS for exporter	2024-02-13 15:12:41 +01:00
juarez	08c9e6c822	Add mtba module documentation	2024-02-13 15:12:41 +01:00
juarez	61bfd661eb	Add teiler-ui module documentation	2024-02-13 15:12:41 +01:00
janskiba	9e0c7fb5ca	Add some docs about beam-connect	2024-02-13 15:12:41 +01:00
juarez	ce5f94881f	Add login module documentation	2024-02-13 15:12:41 +01:00
juarez	cb332142c3	Add Exporter module documentation	2024-02-13 15:12:41 +01:00
juarez	0cad79575b	Add DataSHIELD module documentation	2024-02-13 15:12:41 +01:00
juarez	5f77168f65	Add JAVA_OPTS to reporter and exporter	2024-02-13 15:12:41 +01:00
juarez	361950ba7f	Enable Login, Teiler and Exporter	2024-02-13 15:12:41 +01:00
juarez	cb659b87f1	Export and QB Curl templates	2024-02-13 15:12:40 +01:00
juarez	0801ebe5a5	Generate exporter api key automatically	2024-02-13 15:12:40 +01:00
juarez	ceb089ddd7	Add default language to ccp	2024-02-13 15:12:40 +01:00
juarez	f71832dd65	Remove updater cron of teiler-core	2024-02-13 15:12:40 +01:00
juarez	17036d459e	Remove clean temp files configuration of exporter	2024-02-13 15:12:40 +01:00
juarez	146417f103	Add explanation why is the volume of exporter-db currently so important for us.	2024-02-13 15:12:40 +01:00
juarez	0cd0dc555b	Add Teiler Admin to Keycloak	2024-02-13 15:12:40 +01:00
juarez	d3ecef5f04	Remove IS_DKTK_SITE	2024-02-13 15:12:40 +01:00
juarez	0caf98224f	User default user rstudio in rstudio	2024-02-13 15:12:40 +01:00
Martin Lablans	412419494c	Generate DATASHIELD_CONNECT_SECRET automatically	2024-02-13 15:12:40 +01:00
Martin Lablans	2f7797b1f1	Update ccp/modules/datashield-compose.yml	2024-02-13 15:12:40 +01:00
Martin Lablans	dcd31bfd7c	Update ccp/modules/datashield-compose.yml	2024-02-13 15:12:40 +01:00
Martin Lablans	90afe71b1b	Use LDM_PASSWORD for all admin passwords	2024-02-13 15:12:40 +01:00
juarez	d5924e64a3	Enable only if true	2024-02-13 15:12:40 +01:00
juarez	dfa12ca686	Remove todo in rstudio	2024-02-13 15:12:40 +01:00
juarez	213ac6370a	Remove unnecessary version of docker-compose.override files	2024-02-13 15:12:40 +01:00
juarez	9732ef33b7	R-Server rock-base:6.3	2024-02-13 15:12:40 +01:00
juarez	dc6e0a349f	User postgres if docker.verbis.dkfz.de	2024-02-13 15:12:40 +01:00
juarez	cb909dbcd4	Remove ports of beam-connect in datashield-compose.yml	2024-02-13 15:12:40 +01:00
juarez	69f1748ae7	Generate passwords only if modules are enabled	2024-02-13 15:12:40 +01:00
juarez	0cbbee6906	Add http scheme to exporter	2024-02-13 15:12:39 +01:00
janskiba	7170612376	Migrate to new app key syntax	2024-02-13 15:12:39 +01:00
juarez	44134550ac	update new broker	2024-02-13 15:12:39 +01:00
juarez	4ba5144140	Add parameter LOG_FHIR_VALIDATION to exporter	2024-02-13 15:12:39 +01:00
juarez	0d07a09296	Add reporter	2024-02-13 15:12:39 +01:00
janskiba	5b62a1a248	Switch to `no-auth` branch of beam-connect	2024-02-13 15:12:39 +01:00
janskiba	bdf943f94e	secrets are readonly by default	2024-02-13 15:12:39 +01:00
janskiba	bc476ed0a8	change to dockerhub image	2024-02-13 15:12:39 +01:00
janskiba	f351cc931c	Change beam-connect version and load opal cert	2024-02-13 15:12:39 +01:00
janskiba	9dd3c24a6d	Change cert permission and location	2024-02-13 15:12:39 +01:00
juarez	b4581e8b3a	ccp.conf in teiler-core as secret	2024-02-13 15:12:39 +01:00
juarez	da49437ada	Add opal certificate	2024-02-13 15:12:39 +01:00
juarez	1f4c2cad03	Remove unnecessary volumes	2024-02-13 15:12:39 +01:00
juarez	cae40aa39a	Remove mongo db	2024-02-13 15:12:39 +01:00
juarez	8679d46b62	Add Opal Password in Exporter	2024-02-13 15:12:39 +01:00
Martin Lablans	1438c32455	expose beam connect ports	2024-02-13 15:12:39 +01:00
Martin Lablans	bfd33c0c1b	Fix beam connect app id	2024-02-13 15:12:39 +01:00
Martin Lablans	0230303bd5	beam connect and move beam-connect config	2024-02-13 15:12:39 +01:00
juarez	a86e594e85	Experiment	2024-02-13 15:12:39 +01:00
Martin Lablans	0807e52160	Add beam connect to docekr-compose	2024-02-13 15:12:39 +01:00
juarez	75f9b73e98	Experiment	2024-02-13 15:12:38 +01:00
juarez	90e2f2e40b	Add DataSHIELD	2024-02-13 15:12:38 +01:00
juarez	b0da23ac1c	Bugfix: cross origins of exporter	2024-02-13 15:12:38 +01:00
juarez	c836a7554f	Merge id-management-setup with main	2024-02-13 15:12:38 +01:00
juarez	fdd26083b6	Change salt string for exporter and login	2024-02-13 15:12:38 +01:00
juarez	3dcf83e4e8	Adapt teiler-ui to traefik	2024-02-13 15:12:38 +01:00
juarez	a13b851edd	Add keycloak teiler app to teiler-ui	2024-02-13 15:12:38 +01:00
juarez	a2e9a86bc0	Change volume names for teiler components	2024-02-13 15:12:38 +01:00
juarez	1bb6df65fe	Add stripprefix to teiler-ui	2024-02-13 15:12:38 +01:00
juarez	8e591773f4	Add stripprefix to teiler-core	2024-02-13 15:12:38 +01:00
juarez	d915debbbb	Add forward strategy to teiler-core	2024-02-13 15:12:38 +01:00
juarez	2c7bdfd868	Add forward strategy to teiler-core	2024-02-13 15:12:38 +01:00
juarez	cf255bf08b	Deactivate traffik for mtba	2024-02-13 15:12:38 +01:00
juarez	813a698dbb	Tidy teiler and mtba volumes	2024-02-13 15:12:38 +01:00
juarez	30090f3633	Add Teiler Core	2024-02-13 15:12:38 +01:00
juarez	52f311ba1c	Add Endpoint for Teiler	2024-02-13 15:12:38 +01:00
juarez	f32d124fda	Update Teiler Core config	2024-02-13 15:12:38 +01:00
juarez	8140b6dd7b	Add original Keycloak config	2024-02-13 15:12:38 +01:00
p.delpy@dkfz-heidelberg.de	a63bdbde54	update keykloak config	2024-02-13 15:12:37 +01:00
p.delpy@dkfz-heidelberg.de	7b24e2b427	beautiful config	2024-02-13 15:12:37 +01:00
juarez	5a9ab31fa4	Rename teiler to exporter (bugfix)	2024-02-13 15:12:37 +01:00
juarez	85d333cfe8	Rename teiler to exporter	2024-02-13 15:12:37 +01:00
juarez	0b61fc7f29	Configure login extern URLs	2024-02-13 15:12:37 +01:00
juarez	39981c310c	Bugfix: services in teiler-ui-compose.yml	2024-02-13 15:12:37 +01:00
juarez	2f72ac2dc9	Change images of dktk-teiler and dktk-keycloak	2024-02-13 15:12:37 +01:00
juarez	81c0db0349	Add nngm and exliquid modules	2024-02-13 15:12:37 +01:00
juarez	005e5a1bf0	Add Teiler UI and Teiler module	2024-02-13 15:12:37 +01:00
		`@ -1,2 +0,0 @@`
			bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
			bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==
		`@ -1,2 +0,0 @@`
			`bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl`
			bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp