Merge pull request #314 from samply/develop

fix: Create Exporter User only if Exporter is enabled (#317 )
chore: update eric.acc.root.crt.pem (#316 )
2025-06-16 20:40:15 +02:00 · 2025-06-11 11:29:09 +02:00 · 2025-06-11 09:34:41 +02:00 · 2025-06-10 16:48:22 +02:00 · 2025-06-10 11:03:18 +02:00 · 2025-06-05 16:55:03 +02:00
71 changed files with 1224 additions and 230 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1 @@
 *  @samply/bridgehead-developers
--- a/.github/scripts/rename_inactive_branches.py
+++ b/.github/scripts/rename_inactive_branches.py
@ -0,0 +1,39 @@
 import os
 import requests
 from datetime import datetime, timedelta
 # Configuration
 GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
 REPO = 'samply/bridgehead'
 HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'}
 API_URL = f'https://api.github.com/repos/{REPO}/branches'
 INACTIVE_DAYS = 365
 CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS)
 # Fetch all branches
 def get_branches():
    response = requests.get(API_URL, headers=HEADERS)
    response.raise_for_status()
    return response.json() if response.status_code == 200 else []
 # Rename inactive branches
 def rename_branch(old_name, new_name):
    rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename'
    response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS)
    response.raise_for_status()
    print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}")
 # Check if the branch is inactive
 def is_inactive(commit_url):
    last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date']
    return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE
 # Rename inactive branches
 def main():
    for branch in get_branches():
        if is_inactive(branch['commit']['url']):
            #rename_branch(branch['name'], f"archived/{branch['name']}")
            print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'")
 if __name__ == "__main__":
    main()
--- a/.github/workflows/rename-inactive-branches.yml
+++ b/.github/workflows/rename-inactive-branches.yml
@ -0,0 +1,27 @@
 name: Cleanup - Rename Inactive Branches
 on:
  schedule:
    - cron: '0 0 * * 0'  # Runs every Sunday at midnight
 jobs:
  archive-stale-branches:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install Libraries
        run: pip install requests
      - name: Run Script to Rename Inactive Branches
        run: |
          python .github/scripts/rename_inactive_branches.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/README.md
+++ b/README.md
@ -22,11 +22,16 @@ This repository is the starting point for any information and tools you will nee
    - [TLS terminating proxies](#tls-terminating-proxies)
    - [File structure](#file-structure)
    - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
    - [Directory sync tool](#directory-sync-tool)
    - [Loading data](#loading-data)
    - [Teiler (Frontend)](#teiler-frontend)
    - [Data Exporter Service](#data-exporter-service)
      - [Data Quality Report](#data-quality-report)
 4. [Things you should know](#things-you-should-know)
    - [Auto-Updates](#auto-updates)
    - [Auto-Backups](#auto-backups)
    - [Non-Linux OS](#non-linux-os)
    - [FAQ](#faq)
 5. [Troubleshooting](#troubleshooting)
    - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
    - [Monitoring](#monitoring)
@ -76,7 +81,7 @@ The following URLs need to be accessible (prefix with `https://`):
  * git.verbis.dkfz.de
 * To fetch docker images
  * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
    * hub.docker.com
    * registry-1.docker.io
    * production.cloudflare.docker.com
@ -154,7 +159,7 @@ Pay special attention to:
 Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
-sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
 ```
 Then, run the installation script:
@ -254,6 +259,8 @@ sh bridgehead uninstall
 ## Site-specific configuration
 [How to Change Config Access Token](docs/update-access-token.md)
 ### HTTPS Access
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
@ -299,26 +306,38 @@ Once you have added your biobank to the Directory you got persistent identifier
 ### Directory sync tool
-The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature.
+The Bridgehead's **Directory Sync** is an optional feature that keeps the BBMRI-ERIC Directory up to date with your local data, e.g. number of samples. Conversely, it can also update the local FHIR store with the latest contact details etc. from the  BBMRI-ERIC Directory.
 You should talk with your local data protection group regarding the information that is published by Directory sync.
-Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
+To enable it, you will need to explicitly set the username and password variables for BBMRI-ERIC Directory login in the configuration file of your GitLab repository (e.g. ```bbmri.conf```). Here is an example minimal config:
 To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:
 ```
 DS_DIRECTORY_USER_NAME=your_directory_username
 DS_DIRECTORY_USER_PASS=your_directory_password
 ```
-Please contact your National Node to obtain this information.
+Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
-Optionally, you **may** change when you want Directory sync to run by specifying a [cron](https://crontab.guru) expression, e.g. `DS_TIMER_CRON="0 22 * * *"` for 10 pm every evening.
+The following environment variables can be used from within your config file to control the behavior of Directory sync:
-Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.
+| Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
 |:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
 | DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
 | DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
 | DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
 | DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
 | DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
 | DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
 | DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
 | DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
 | DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
 Once you have finished editing the config, the Bridgehead will autoupdate the config with the values and will sync data at regular intervals, using the time specified in DS_TIMER_CRON.
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 More details of Directory sync can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
 ### Loading data
 The data accessed by the federated search is held in the Bridgehead in a FHIR store (we use Blaze).
@ -338,6 +357,24 @@ The storage space on your hard drive will depend on the number of FHIR resources
 For more information on Blaze performance, please refer to [import performance](https://github.com/samply/blaze/blob/master/docs/performance/import.md).
 ### Clearing data
 The Bridgehead's FHIR store, Blaze, saves its data in a Docker volume. This means that the data will persist even if you stop the Bridgehead. You can clear existing data from the FHIR store by deleting the relevant Docker volume.
 First, stop the Bridgehead:
 ```shell
 sudo systemctl stop bridgehead@<PROJECT>.service
 ```
 Now remove the volume:
 ```shell
 docker volume rm <PROJECT>_blaze-data
 ```
 Finally, restart the Bridgehead:
 ```shell
 sudo systemctl start bridgehead@<PROJECT>.service
 ```
 You will need to do this for example if you are using a VM as a test environment and you subsequently want to use the same VM for production.
 #### ETL for BBMRI and GBA
 Normally, you will need to build your own ETL to feed the Bridgehead. However, there is one case where a short cut might be available:
@ -345,6 +382,36 @@ Normally, you will need to build your own ETL to feed the Bridgehead. However, t
 You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile).
 ### Teiler (Frontend)
 Teiler is the web-based frontend of the Bridgehead, providing access to its various internal, and external services and components.   
 To learn how to integrate your custom module into Teiler, please refer to https://github.com/samply/teiler-dashboard.
 - To activate Teiler, set the following environment variable in your `<PROJECT>.conf` file:  
 ```bash
 ENABLE_TEILER=true
 ```
 ### Data Exporter Service
 The Exporter is a dedicated service for extracting and exporting Bridgehead data in (tabular) formats such as Excel, CSV, Opal, JSON, XML, ...  
 - To enable the Exporter service, set the following environment variable in your `<PROJECT>.conf` file:  
 ```bash
 ENABLE_EXPORTER=true
 #### Data Quality Report
 To assess the quality and plausibility of your imported data, the Reporter component is pre-configured to generate Excel reports with data quality metrics and statistical analyses. Reporter is part of the Exporter and can be enabled by setting the same environment variable in your `<PROJECT>.conf` file:
 ```bash
 ENABLE_EXPORTER=true
 ```
 For convenience, it's recommended to enable the Teiler web frontend alongside the Exporter to access export and quality control features via a web interface: set the following environment varibles in your `<PROJECT>.conf` file:
 ```bash
 ENABLE_TEILER=true
 ENABLE_EXPORTER=true
 ```
 ## Things you should know
 ### Auto-Updates
@ -384,6 +451,54 @@ We have tested the installation procedure with an Ubuntu 22.04 guest system runn
 Installation under WSL ought to work, but we have not tested this.
 ### FAQ
 **Q: How is the security of GitHub pulls, volumes/containers, and image signing ensured?**
 A: Changes to Git branches that could be delivered to sites (main and develop) must be accepted via a pull request with at least two positive reviews.
 Containers/images are not built manually, but rather automatically through a CI/CD pipeline, so that an image can be rolled back to a defined code version at any time without changes.
 **Note:** If firewall access for (outgoing) connections to GitHub and/or Docker Hub is problematic at the site, mirrors for both services are available, operated by the DKFZ.
 **Q: How is authentication between users and components regulated?**
 A: When setting up a Bridgehead, a private key and a so-called Certificate Sign Request (CSR) are generated locally. This CSR is manually signed by the broker operator, which allows the Bridgehead access to the network infrastructure.
 All communication runs via Samply.Beam and is therefore end-to-end encrypted, but also signed. This allows the integrity and authenticity of the sender to be technically verified (which happens automatically both in the broker and at the recipients).
 The connection to the broker is additionally secured using traditional TLS (transport encryption over https).
 **Q: Are there any statistics on incoming traffic from the Bridgehead (what goes in and what goes out)?**
 A: Incoming and outgoing traffic can only enter/leave the Bridgehead via a forward or reverse proxy, respectively. These components log all connections.
 Statistical analysis is not currently being conducted, but is on the roadmap for some projects. We are also working on a dashboard for all tasks/responses delivered via Samply.Beam.
 **Q: How is container access controlled, and what permission level is used?**
 A: Currently, it is not possible to run the Bridgehead "out-of-the-box" as a rootless Docker Compose stack. The main reason is the operation of the reverse proxy (Traefik), which binds to the privileged ports 80 (HTTP) and 443 (HTTPS).
 Otherwise, there are no known technical obstacles, although we don't have concrete experience implementing this.
 At the file system level, a "bridgehead" user is created during installation, which manages the configuration and Bridgehead folders.
 **Q: Is a cloud installation (not a company-owned one, but an external service provider) possible?**
 A: Technically, yes. This is primarily a data protection issue between the participant and their cloud provider.
 The Bridgehead contains a data storage system that, during use, contains sensitive patient and sample data.
 There are cloud providers with whom appropriately worded contracts can be concluded to make this possible.
 Of course, the details must be discussed with the responsible data protection officer.
 **Q: What needs to be considered regarding the Docker distribution/registry, and how is it used here?**
 A: The Bridgehead images are located both in Docker Hub and mirrored in a registry operated by the DKFZ.
 The latter is used by default, avoiding potential issues with Docker Hub URL activation or rate limits.
 When using automatic updates (highly recommended), an daily check is performed for:
 - site configuration updates
 - Bridgehead software updates
 - container image updates
 If updates are found, they are downloaded and applied.
 See the first question for the control mechanism.
 **Q: Is data only transferred one-way (Bridgehead/FHIR Store → Central/Locator), or is two-way access necessary?**
 A: By using Samply.Beam, only one outgoing connection to the broker is required at the network level (i.e., Bridgehead → Broker).
 ## Troubleshooting
 ### Docker Daemon Proxy Configuration
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@ -12,5 +12,7 @@ services:
      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
      DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
      DS_IMPORT_BIOBANKS: ${DS_IMPORT_BIOBANKS:-true}
      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
    depends_on:
      - "blaze"
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-eric:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
    container_name: bridgehead-focus-eric
    environment:
      API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
--- a/bbmri/modules/eric-setup.sh
+++ b/bbmri/modules/eric-setup.sh
@ -10,6 +10,10 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
 		"acceptance")
 			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
 			export ERIC_ROOT_CERT=eric.acc
 			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test
--- a/bbmri/modules/eric.acc.root.crt.pem
+++ b/bbmri/modules/eric.acc.root.crt.pem
@ -0,0 +1,20 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUFzdpDi1OLdXyogtCsktHFhCILtMwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUwNjEwMTQzNjE1WhcNMzUw
 NjA4MTQzNjQ1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBALpJCWE9Qe19R9DqotdkPV6jfiuJSKI3UYkCWdWG
 nRfkKB6OaY5t3JCHDqaEME9FwSd2nFXhTp5F6snG/K7g8MCLIEzGzuSnrdjGqINq
 zXLfgqnxvQpPR4ARLNNgnKxZaq7m4Q3T/l+QAshK6CnCUWFQ6q5x3g/pZHFP2USd
 /G2FtDHX6YK4bHbbnigIPG6PdY2RYy60i30XGdIPBNf82XGkAtPUBz731gHOV5Vg
 d+jfAqTwZAhYC2CcNmswFw1H9GrvTI/9KZWKcZNUIqemc0A/FyEyONUM18/vjQ7D
 lUwOcQsgAg44QTOUPgqXv3sJPQM5EnGuv3yYV9u6Y2i78M8CAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPrDeNWgtEyZ
 VM0yeoRZdK2QGjyvMB8GA1UdIwQYMBaAFPrDeNWgtEyZVM0yeoRZdK2QGjyvMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQAD2S0kqL18
 laewh+qnyZ0WMq12mLV/Rwll6ZuShCx2uAu3UZuIGWk3l7gG5zlws+i+zbaNcn4o
 HsS3WG9kiNLOMKp8LXGkjErl6RaQr+kb8qgYFTPjOr6v0OdVn6ve9RDNYB5Hd+zE
 9jAWmS8PfS2AldE4VAd0C4pWTAinhnKGrKdn1YAX5x+LMq1y0lc1Pd4CDgsjD6SS
 3td7JtenXqCX0mN0XSeck7vvFGa6QpcQoVcN9tRENctHZTwyeGA21IkXylpFPUkE
 LT60k48fNC8TZkBlfvtVGRebpm5krXIKEaVy5LniEpSuOR4hTqsgoQDntBjW4zHA
 GeWQ1wQNTEBX
 -----END CERTIFICATE-----
--- a/bbmri/modules/exporter-compose.yml
+++ b/bbmri/modules/exporter-compose.yml
@ -0,0 +1,86 @@
 version: "3.7"
 services:
  exporter:
    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
    container_name: bridgehead-bbmri-exporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      CROSS_ORIGINS: "https://${HOST}"
      EXPORTER_DB_USER: "exporter"
      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
      HTTP_RELATIVE_PATH: "/bbmri-exporter"
      SITE: "${SITE_ID}"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.exporter_bbmri.rule=PathPrefix(`/bbmri-exporter`)"
      - "traefik.http.services.exporter_bbmri.loadbalancer.server.port=8092"
      - "traefik.http.routers.exporter_bbmri.tls=true"
      - "traefik.http.middlewares.exporter_bbmri_strip.stripprefix.prefixes=/bbmri-exporter"
      - "traefik.http.routers.exporter_bbmri.middlewares=exporter_bbmri_strip"
      # Main router
      - "traefik.http.routers.exporter_bbmri.priority=20"
      # API router
      - "traefik.http.routers.exporter_bbmri_api.middlewares=exporter_bbmri_strip,exporter_auth"
      - "traefik.http.routers.exporter_bbmri_api.rule=PathRegexp(`/bbmri-exporter/.+`)"
      - "traefik.http.routers.exporter_bbmri_api.tls=true"
      - "traefik.http.routers.exporter_bbmri_api.priority=25"
      # Shared middlewares
      - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"
    volumes:
      - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output"
  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-bbmri-exporter-db
    environment:
      POSTGRES_USER: "exporter"
      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
      - "/var/cache/bridgehead/bbmri/exporter-db:/var/lib/postgresql/data"
  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
    container_name: bridgehead-bbmri-reporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      CROSS_ORIGINS: "https://${HOST}"
      HTTP_RELATIVE_PATH: "/bbmri-reporter"
      SITE: "${SITE_ID}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      EXPORTER_URL: "http://exporter:8092"
      LOG_FHIR_VALIDATION: "false"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
    # However, in the first executions in the bbmri sites, this volume seems to be very important. A report is
    # a process that can take several hours, because it depends on the exporter.
    # There is a risk that the bridgehead restarts, losing the already created export.
    volumes:
      - "/var/cache/bridgehead/bbmri/reporter-files:/app/reports"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_bbmri.rule=PathPrefix(`/bbmri-reporter`)"
      - "traefik.http.services.reporter_bbmri.loadbalancer.server.port=8095"
      - "traefik.http.routers.reporter_bbmri.tls=true"
      - "traefik.http.middlewares.reporter_bbmri_strip.stripprefix.prefixes=/bbmri-reporter"
      - "traefik.http.routers.reporter_bbmri.middlewares=reporter_bbmri_strip"
      - "traefik.http.routers.reporter_bbmri.priority=20"
      - "traefik.http.routers.reporter_bbmri_api.middlewares=reporter_bbmri_strip,exporter_auth"
      - "traefik.http.routers.reporter_bbmri_api.rule=PathRegexp(`/bbmri-reporter/.+`)"
      - "traefik.http.routers.reporter_bbmri_api.tls=true"
      - "traefik.http.routers.reporter_bbmri_api.priority=25"
--- a/bbmri/modules/exporter-setup.sh
+++ b/bbmri/modules/exporter-setup.sh
@ -0,0 +1,8 @@
 #!/bin/bash -e
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/bbmri/modules/exporter.md
+++ b/bbmri/modules/exporter.md
@ -0,0 +1,15 @@
 # Exporter and Reporter
 ## Exporter
 The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
 It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
 ## Exporter-DB
 It is a database to save queries for its execution in the exporter. 
 The exporter manages also the different executions of the same query in through the database.
 ## Reporter
 This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
 It is compatible with different template engines as Groovy, Thymeleaf,...
 It is perfect to generate a document as our traditional CCP quality report.
--- a/bbmri/modules/gbn-compose.yml
+++ b/bbmri/modules/gbn-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
    container_name: bridgehead-focus-gbn
    environment:
      API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
--- a/bbmri/modules/teiler-compose.yml
+++ b/bbmri/modules/teiler-compose.yml
@ -0,0 +1,70 @@
 version: "3.7"
 services:
  teiler-orchestrator:
    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
    container_name: bridgehead-teiler-orchestrator
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_orchestrator_bbmri.rule=PathPrefix(`/bbmri-teiler`)"
      - "traefik.http.services.teiler_orchestrator_bbmri.loadbalancer.server.port=9000"
      - "traefik.http.routers.teiler_orchestrator_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_orchestrator_bbmri_strip.stripprefix.prefixes=/bbmri-teiler"
      - "traefik.http.routers.teiler_orchestrator_bbmri.middlewares=teiler_orchestrator_bbmri_strip"
    environment:
      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/bbmri-teiler"
  teiler-dashboard:
    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_dashboard_bbmri.rule=PathPrefix(`/bbmri-teiler-dashboard`)"
      - "traefik.http.services.teiler_dashboard_bbmri.loadbalancer.server.port=80"
      - "traefik.http.routers.teiler_dashboard_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_dashboard_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_bbmri.middlewares=teiler_dashboard_bbmri_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "bbmri-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "bbmri"
  teiler-backend:
    image: docker.verbis.dkfz.de/ccp/bbmri-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_backend_bbmri.rule=PathPrefix(`/bbmri-teiler-backend`)"
      - "traefik.http.services.teiler_backend_bbmri.loadbalancer.server.port=8085"
      - "traefik.http.routers.teiler_backend_bbmri.tls=true"
      - "traefik.http.middlewares.teiler_backend_bbmri_strip.stripprefix.prefixes=/bbmri-teiler-backend"
      - "traefik.http.routers.teiler_backend_bbmri.middlewares=teiler_backend_bbmri_strip"
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/bbmri-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/bbmri-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/bbmri-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
--- a/bbmri/modules/teiler-setup.sh
+++ b/bbmri/modules/teiler-setup.sh
@ -0,0 +1,8 @@
 #!/bin/bash -e
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=EN
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
 fi
--- a/bbmri/modules/teiler.md
+++ b/bbmri/modules/teiler.md
@ -0,0 +1,19 @@
 # Teiler
 This module orchestrates the different microfrontends of the bridgehead as a single page application.  
 ## Teiler Orchestrator
 Single SPA component that consists on the root HTML site of the single page application and a javascript code that
 gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
 resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
 The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
 This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
 There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
 ## Teiler Dashboard
 It consists on the main dashboard and a set of embedded services.
 ### Login
 user and password in ccp.local.conf
 ## Teiler Backend
 In this component, the microfrontends are configured.
--- a/bbmri/vars
+++ b/bbmri/vars
@ -1,3 +1,9 @@
 BROKER_ID=broker-test.bbmri-test.samply.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 # Makes sense for all European Biobanks
 : ${ENABLE_ERIC:=true}
@ -5,9 +11,7 @@
 : ${ENABLE_GBN:=false}
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
--- a/54
+++ b/54
@ -53,18 +53,48 @@ case "$PROJECT" in
 		;;
 esac
 # Loads config variables and runs the projects setup script
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
 	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
 	# Source the project specific local config file if present
 	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
 	# Set execution environment on main default to prod else test
 	if [[ -z "${ENVIRONMENT+x}" ]]; then
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
 			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 		fi
 	fi
 	# Source the versions of the images components 
 	case "$ENVIRONMENT" in
 		"production")
 			source ./versions/prod
 			;;
 		"test")
 			source ./versions/test
 			;;
 		"acceptance")
 			source ./versions/acceptance
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
 			;;
 	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
-	[ -e ./$PROJECT/vars ] && source ./versions ./$PROJECT/vars
+	# Run project specific setup if it exists
 	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
 	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 	OVERRIDE=${OVERRIDE:=""}
@ -79,26 +109,6 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
 	# Set some project-independent default values
 	: ${ENVIRONMENT:=production}
 	export ENVIRONMENT
 	case "$ENVIRONMENT" in
 		"production")
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 		"test")
 			export FOCUS_TAG=develop
 			export BEAM_TAG=develop
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 	esac
 }
 case "$ACTION" in
--- a/cce/docker-compose.yml
+++ b/cce/docker-compose.yml
@ -8,7 +8,8 @@ services:
      BASE_URL: "http://bridgehead-cce-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
@ -31,6 +32,10 @@ services:
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
--- a/cce/queries_to_cache.conf
+++ b/cce/queries_to_cache.conf
@ -0,0 +1,2 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==
--- a/cce/vars
+++ b/cce/vars
@ -7,7 +7,6 @@ SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -22,7 +22,7 @@ services:
      - "traefik.http.routers.blaze_ccp.tls=true"
  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@ -33,8 +33,9 @@ services:
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
-      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
+      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
@ -58,7 +59,6 @@ services:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
--- a/ccp/modules/blaze-secondary-compose.yml
+++ b/ccp/modules/blaze-secondary-compose.yml
@ -8,8 +8,7 @@ services:
      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-secondary-data:/app/data"
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -45,7 +45,6 @@ services:
      OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
      OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
      OIDC_URL: "${OIDC_URL}"
      OIDC_REALM: "${OIDC_REALM}"
      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
@ -141,7 +140,7 @@ services:
      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
      --client-secret="${OIDC_CLIENT_SECRET}"
      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_ISSUER_URL}"
+      --oidc-issuer-url="${OIDC_URL}"
      --scope="openid email profile"
      --code-challenge-method="S256"
      --skip-provider-button=true
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@ -13,7 +13,7 @@ services:
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
      HTTP_PROXY: "http://forward_proxy:3128"
      HTTPS_PROXY: "http://forward_proxy:3128"
      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -25,7 +25,7 @@ services:
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@ -1,34 +1,99 @@
 version: "3.7"
 services:
-  dnpm-backend:
+  dnpm-mysql:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    image: mysql:9
-    container_name: bridgehead-dnpm-backend
+    healthcheck:
      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
      interval: 3s
      timeout: 5s
      retries: 5
    environment:
-      - ZPM_SITE=${ZPM_SITE}
+      MYSQL_ROOT_HOST: "%"
-      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
      - ${DNPM_DATA_DIR}:/bwhc_data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
      - "traefik.http.routers.bwhc-backend.tls=true"
-  dnpm-frontend:
+  dnpm-authup:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    image: authup/authup:latest
-    container_name: bridgehead-dnpm-frontend
+    container_name: bridgehead-dnpm-authup
-    links:
+    volumes:
-      - dnpm-backend
+      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
    depends_on:
      dnpm-mysql:
        condition: service_healthy
    command: server/core start
    environment:
-      - NUXT_HOST=0.0.0.0
+      - PUBLIC_URL=https://${HOST}/auth/
-      - NUXT_PORT=8080
+      - AUTHORIZE_REDIRECT_URL=https://${HOST}
-      - BACKEND_PROTOCOL=https
+      - ROBOT_ADMIN_ENABLED=true
-      - BACKEND_HOSTNAME=$HOST
+      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
-      - BACKEND_PORT=443
+      - ROBOT_ADMIN_SECRET_RESET=true
      - DB_TYPE=mysql
      - DB_HOST=dnpm-mysql
      - DB_USERNAME=root
      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
      - DB_DATABASE=auth
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
-      - "traefik.http.routers.bwhc-frontend.tls=true"
+      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-auth.tls=true"
  dnpm-portal:
    image: ghcr.io/dnpm-dip/portal:latest
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-frontend.tls=true"
  dnpm-backend:
    container_name: bridgehead-dnpm-backend
    image: ghcr.io/dnpm-dip/backend:latest
    environment:
      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
    depends_on:
      dnpm-authup:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
      # expose everything
      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
      - "traefik.http.routers.dnpm-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
      # except ETL
      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-etl.tls=true"
      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
      # this needs an ETL processor with support for basic auth
      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
      # except peer-to-peer
      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-peer.tls=true"
      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
      # this effectively denies all requests
      # this is okay, because requests from peers don't go through Traefik
      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
  landing:
    labels:
      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
--- a/ccp/modules/dnpm-node-setup.sh
+++ b/ccp/modules/dnpm-node-setup.sh
@ -1,28 +1,16 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	log INFO "DNPM setup detected -- will start DNPM:DIP node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
-		exit 1
+    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
-	fi
+    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
 	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
 		echo "Adding override of landing page url"
 		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		else
 			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		fi
 	fi
 fi
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@ -65,3 +65,8 @@ services:
      - "traefik.http.routers.reporter_ccp.tls=true"
      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
  focus:
    environment:
      EXPORTER_URL: "http://exporter:8092"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
--- a/ccp/modules/fhir2sql-compose.yml
+++ b/ccp/modules/fhir2sql-compose.yml
@ -23,3 +23,7 @@ services:
      POSTGRES_DB: "dashboard"
    volumes:
      - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
  focus:
    environment:
      POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"
--- a/ccp/modules/fhir2sql-setup.sh
+++ b/ccp/modules/fhir2sql-setup.sh
@ -4,4 +4,5 @@ if [ "$ENABLE_FHIR2SQL" == true ]; then
  log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
  OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
  DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
  FOCUS_ENDPOINT_TYPE="blaze-and-sql"
 fi
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@ -101,5 +101,12 @@ services:
      forward_proxy:
        condition: service_healthy
  ccp-patient-project-identificator:
    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
    container_name: bridgehead-ccp-patient-project-identificator
    environment:
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
 volumes:
  patientlist-db-data:
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@ -23,7 +23,6 @@ services:
      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
      OIDC_REALM: "${OIDC_REALM}"
      OIDC_URL: "${OIDC_URL}"
    labels:
--- a/ccp/modules/nngm-compose.yml
+++ b/ccp/modules/nngm-compose.yml
@ -12,7 +12,6 @@ services:
      CTS_API_KEY: ${NNGM_CTS_APIKEY}
      CRYPT_KEY: ${NNGM_CRYPTKEY}
      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
--- a/ccp/modules/obds2fhir-rest-compose.yml
+++ b/ccp/modules/obds2fhir-rest-compose.yml
@ -3,14 +3,13 @@ version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@ -31,8 +31,8 @@ services:
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_REALM: "${OIDC_REALM}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
@ -41,7 +41,6 @@ services:
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
@ -64,18 +63,11 @@ services:
      APPLICATION_PORT: "8085"
      APPLICATION_ADDRESS: "${HOST}"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
      CENTRAX_URL: "${CENTRAXX_URL}"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-    secrets:
+      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
      - ccp.conf
 secrets:
  ccp.conf:
    file: /etc/bridgehead/ccp.conf
--- a/ccp/queries_to_cache.conf
+++ b/ccp/queries_to_cache.conf
@ -1,2 +1,3 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19TVFJBVF9ISVNUT0xPR1lfU1RSQVRJRklFUgpES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KdHJ1ZQ==
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfUkVQTEFDRV9TUEVDSU1FTl9TVFJBVElGSUVSaWYgSW5Jbml0aWFsUG9wdWxhdGlvbiB0aGVuIFtTcGVjaW1lbl0gZWxzZSB7fSBhcyBMaXN0PFNwZWNpbWVuPgpES1RLX1NUUkFUX1BST0NFRFVSRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX01FRElDQVRJT05fU1RSQVRJRklFUgoKICBES1RLX1JFUExBQ0VfSElTVE9MT0dZX1NUUkFUSUZJRVIKIGlmIGhpc3RvLmNvZGUuY29kaW5nLndoZXJlKGNvZGUgPSAnNTk4NDctNCcpLmNvZGUuZmlyc3QoKSBpcyBudWxsIHRoZW4gMCBlbHNlIDEKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCgogIERLVEtfU1RSQVRfSElTVE9MT0dZX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQgCigoZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDcvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg1MDAvMycpKQ==
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1JFUExBQ0VfU1BFQ0lNRU5fU1RSQVRJRklFUmlmIEluSW5pdGlhbFBvcHVsYXRpb24gdGhlbiBbU3BlY2ltZW5dIGVsc2Uge30gYXMgTGlzdDxTcGVjaW1lbj4KREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19SRVBMQUNFX0hJU1RPTE9HWV9TVFJBVElGSUVSCiBpZiBoaXN0by5jb2RlLmNvZGluZy53aGVyZShjb2RlID0gJzU5ODQ3LTQnKS5jb2RlLmZpcnN0KCkgaXMgbnVsbCB0aGVuIDAgZWxzZSAxCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzYxJyBmcm9tIGljZDEwXSkgYW5kIAooKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NTAwLzMnKSk=
 ORGANOID_DASHBOARD_PUBLIC
--- a/ccp/vars
+++ b/ccp/vars
@ -12,13 +12,9 @@ OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
-# Use "test-realm-01" for testing
+OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"
 OIDC_REALM="${OIDC_REALM:-master}"
 OIDC_URL="https://login.verbis.dkfz.de"
 OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
 OIDC_GROUP_CLAIM="groups"
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
@ -28,4 +24,12 @@ done
 idManagementSetup
 mtbaSetup
 obds2fhirRestSetup
-blazeSecondarySetup
+blazeSecondarySetup
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 transfairSetup
--- a/dhki/docker-compose.yml
+++ b/dhki/docker-compose.yml
@ -33,13 +33,13 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
    volumes:
-      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf
+      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
--- a/dhki/vars
+++ b/dhki/vars
@ -8,7 +8,6 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 source versions
 for module in ccp/modules/*.sh
 do
    log DEBUG "sourcing $module"
@ -16,4 +15,12 @@ do
 done
 idManagementSetup
-obds2fhirRestSetup
+obds2fhirRestSetup
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 transfairSetup
--- a/docs/update-access-token.md
+++ b/docs/update-access-token.md
@ -0,0 +1,42 @@
 ## How to Change Config Access Token
 ### 1. Generate a New Access Token
 1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).  
 2. Navigate to the configuration repository for your site.  
 3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.  
   - **If expired**, create a new Access Token.  
 4. Configure the new Access Token with the following settings:  
   - **Expiration date**: One year from today, minus one day.  
   - **Role**: Developer.  
   - **Scope**: Only `read_repository`.  
 5. Save the newly generated Access Token in a secure location.  
 ---
 ### 2. Replace the Old Access Token
 1. Navigate to `/etc/bridgehead` in your system.  
 2. Run the following command to retrieve the current Git remote URL:  
   ```bash
   git remote get-url origin
   ```
   Example output:  
   ```
   https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 3. Replace `<old_access_token>` with your new Access Token in the URL.  
 4. Set the updated URL using the following command:  
   ```bash
   git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 5. Start the Bridgehead update service by running:  
   ```bash
   systemctl start bridgehead-update@<project>
   ```
 6. View the output to ensure the update process is successful:  
   ```bash
   journalctl -u bridgehead-update@<project> -f
   ```
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@ -8,7 +8,8 @@ services:
      BASE_URL: "http://bridgehead-itcc-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
@ -31,6 +32,10 @@ services:
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
      - "beam-proxy"
      - "blaze"
--- a/itcc/queries_to_cache.conf
+++ b/itcc/queries_to_cache.conf
@ -0,0 +1,2 @@
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl
 bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp
--- a/itcc/vars
+++ b/itcc/vars
@ -7,7 +7,6 @@ SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@ -40,7 +40,7 @@ services:
      - "blaze"
  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
--- a/kr/modules/exporter.md
+++ b/kr/modules/exporter.md
@ -0,0 +1,15 @@
 # Exporter and Reporter
 ## Exporter
 The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
 It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
 ## Exporter-DB
 It is a database to save queries for its execution in the exporter. 
 The exporter manages also the different executions of the same query in through the database.
 ## Reporter
 This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
 It is compatible with different template engines as Groovy, Thymeleaf,...
 It is perfect to generate a document as our traditional CCP quality report.
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@ -10,7 +10,6 @@ services:
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
--- a/kr/modules/teiler-compose.yml
+++ b/kr/modules/teiler-compose.yml
@ -31,8 +31,8 @@ services:
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_REALM: "${OIDC_REALM}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
@ -41,7 +41,6 @@ services:
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
@ -69,7 +68,6 @@ services:
      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
      CENTRAX_URL: "${CENTRAXX_URL}"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
--- a/kr/modules/teiler.md
+++ b/kr/modules/teiler.md
@ -0,0 +1,19 @@
 # Teiler
 This module orchestrates the different microfrontends of the bridgehead as a single page application.  
 ## Teiler Orchestrator
 Single SPA component that consists on the root HTML site of the single page application and a javascript code that
 gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
 resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
 The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
 This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
 There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
 ## Teiler Dashboard
 It consists on the main dashboard and a set of embedded services.
 ### Login
 user and password in ccp.local.conf
 ## Teiler Backend
 In this component, the microfrontends are configured.
--- a/kr/vars
+++ b/kr/vars
@ -7,7 +7,6 @@ SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 	for VAR in $@; do
-	if [ -z "${!VAR}" ]; then
+		if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done
@ -170,11 +170,11 @@ optimizeBlazeMemoryUsage() {
 		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
 		if [ $available_system_memory_chunks -eq 0 ]; then
 			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
-			export BLAZE_RESOURCE_CACHE_CAP=128000
+			export BLAZE_RESOURCE_CACHE_CAP=128000;
-			export BLAZE_CQL_CACHE_CAP=32
+			export BLAZE_CQL_CACHE_CAP=32;
 		else
 			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
-			export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16))
+			export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));
 		fi
 	fi
 }
@ -313,15 +313,82 @@ function sync_secrets() {
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$PROXY_ID \
        -e BROKER_URL=$BROKER_URL \
-        -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/*
+    source /var/cache/bridgehead/secrets/oidc
    set +a # Export variables in the regular way
 }
 function secret_sync_gitlab_token() {
    # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
    local gitlab
    case "$(git -C /etc/bridgehead remote get-url origin)" in
        *git.verbis.dkfz.de*) gitlab=verbis;;
        *gitlab.bbmri-eric.eu*) gitlab=bbmri;;
        *)
            log "WARN" "Not running Secret Sync because the git repository /etc/bridgehead has unknown origin"
            return
            ;;
    esac
    if [ "$PROJECT" == "bbmri" ]; then
        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
        proxy_id=$ERIC_PROXY_ID
        broker_url=$ERIC_BROKER_URL
        broker_id=$ERIC_BROKER_ID
        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
    else
        proxy_id=$PROXY_ID
        broker_url=$BROKER_URL
        broker_id=$BROKER_ID
        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
    fi
    # Create a temporary directory for Secret Sync that is valid per boot
    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
    mkdir -p $secret_sync_tempdir
    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
    # The git credential helper reads the token from the file during git pull.
    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
    docker run --rm \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -v $secret_sync_tempdir:/secret-sync/ \
        -e CACHE_PATH=/secret-sync/gitlab-token \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
        -e NO_PROXY=localhost,127.0.0.1 \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$proxy_id \
        -e BROKER_URL=$broker_url \
        -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
        -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    if [ $? -eq 0 ]; then
        log "INFO" "Secret Sync was successful"
        # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
        CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
        git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
        # Set the git credential helper
        git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
    else
        log "WARN" "Secret Sync failed"
        # Remove the git credential helper
        git -C /etc/bridgehead config --unset credential.helper
    fi
    # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
    # Let's remove it to avoid confusion. This line can be removed at some point the future when we
    # believe that it was removed on all/most production servers.
    git -C /srv/docker/bridgehead config --unset credential.helper
 }
 capitalize_first_letter() {
    input="$1"
    capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -0,0 +1,11 @@
 #!/bin/bash
 [ "$1" = "get" ] || exit
 source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
 # Any non-empty username works, only the token matters
 cat << EOF
 username=bk
 password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
 EOF
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@ -1,41 +0,0 @@
 #!/bin/bash
 if [ "$1" != "get" ]; then
 	echo "Usage: $0 get"
 	exit 1
 fi
 baseDir() {
 	# see https://stackoverflow.com/questions/59895
 	SOURCE=${BASH_SOURCE[0]}
 	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
 		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 		SOURCE=$(readlink "$SOURCE")
 		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
        done
        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
        echo $DIR
 }
 BASE=$(baseDir)
 cd $BASE
 source lib/functions.sh
 assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 if [ -z "${GIT_PASSWORD}" ]; then
 	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 cat <<EOF
 protocol=https
 host=$GITHOST
 username=bk-${SITE_ID}
 password=${GIT_PASSWORD}
 EOF
--- a/lib/install-bridgehead.sh
+++ b/lib/install-bridgehead.sh
@ -41,6 +41,20 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
  add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 if [ -z "$TRANSFAIR_AUTH" ]; then
  if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
    log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
    generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
    add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
  fi
 fi
 if [ "$ENABLE_EXPORTER" == "true" ] && [ -z "$EXPORTER_USER" ]; then
  log "INFO" "Now generating basic auth for the exporter and reporter (see adduser in bridgehead for more information)."
  generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
  add_basic_auth_user $PROJECT $generated_passwd "EXPORTER_USER" $PROJECT
 fi
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
    lib/systemd/bridgehead\@.service \
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@ -57,9 +57,9 @@ case "$PROJECT" in
 		;;
 	itcc)
 		site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
-    ;;
+        ;;
-  dhki)
+    dhki)
-    site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
+        site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
 		;;
 	kr)
 		site_configuration_repository_middle="git.verbis.dkfz.de/krebsregister-sites/"
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@ -67,7 +67,7 @@ fi
 log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 source "${CONFIG_DIR}${PROJECT}".conf
-source ${PROJECT}/vars vars
+source ${PROJECT}/vars
 if [ "${PROJECT}" != "minimal" ]; then
  set +e
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -19,7 +19,7 @@ fi
 hc_send log "Checking for bridgehead updates ..."
-CONFFILE=/etc/bridgehead/$1.conf
+CONFFILE=/etc/bridgehead/$PROJECT.conf
 if [ ! -e $CONFFILE ]; then
  fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,7 +33,7 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+secret_sync_gitlab_token
 CHANGES=""
@ -45,10 +45,6 @@ for DIR in /etc/bridgehead $(pwd); do
  if [ -n "$OUT" ]; then
    report_error log "The working directory $DIR is modified. Changed files: $OUT"
  fi
  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
    log "INFO" "Configuring repo to use bridgehead git credential helper."
    git -C $DIR config credential.helper "$CREDHELPER"
  fi
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
    log "INFO" "Git is using no proxy!"
@ -58,7 +54,8 @@ for DIR in /etc/bridgehead $(pwd); do
    OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
  fi
  if [ $? -ne 0 ]; then
-    report_error log "Unable to update git $DIR: $OUT"
+    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
    report_error log "Unable to update git $DIR: $OUT_SAN"
  fi
  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@ -16,7 +16,7 @@ services:
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
--- a/minimal/modules/dnpm-central-targets.json
+++ b/minimal/modules/dnpm-central-targets.json
@ -0,0 +1,142 @@
 {
    "sites": [
        {
            "id": "UKFR",
            "name": "Freiburg",
            "virtualhost": "ukfr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKHD",
            "name": "Heidelberg",
            "virtualhost": "ukhd.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKT",
            "name": "Tübingen",
            "virtualhost": "ukt.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKU",
            "name": "Ulm",
            "virtualhost": "uku.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UM",
            "name": "Mainz",
            "virtualhost": "um.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKMR",
            "name": "Marburg",
            "virtualhost": "ukmr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKE",
            "name": "Hamburg",
            "virtualhost": "uke.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKA",
            "name": "Aachen",
            "virtualhost": "uka.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "Charite",
            "name": "Berlin",
            "virtualhost": "charite.dnpm.de",
            "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MRI",
            "name": "Muenchen-tum",
            "virtualhost": "mri.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "KUM",
            "name": "Muenchen-lmu",
            "virtualhost": "kum.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MHH",
            "name": "Hannover",
            "virtualhost": "mhh.dnpm.de",
            "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKDD",
            "name": "dresden-dnpm",
            "virtualhost": "ukdd.dnpm.de",
            "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKB",
            "name": "Bonn",
            "virtualhost": "ukb.dnpm.de",
            "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKD",
            "name": "Duesseldorf",
            "virtualhost": "ukd.dnpm.de",
            "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKK",
            "name": "Koeln",
            "virtualhost": "ukk.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UME",
            "name": "Essen",
            "virtualhost": "ume.dnpm.de",
            "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKM",
            "name": "Muenster",
            "virtualhost": "ukm.dnpm.de",
            "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKF",
            "name": "Frankfurt",
            "virtualhost": "ukf.dnpm.de",
            "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UMG",
            "name": "Goettingen",
            "virtualhost": "umg.dnpm.de",
            "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKW",
            "name": "Würzburg",
            "virtualhost": "ukw.dnpm.de",
            "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKSH",
            "name": "Schleswig-Holstein",
            "virtualhost": "uksh.dnpm.de",
            "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "TKT",
            "name": "Test",
            "virtualhost": "tkt.dnpm.de",
            "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
        }
    ]
 }
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@ -29,7 +29,7 @@ services:
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
      HTTP_PROXY: http://forward_proxy:3128
      HTTPS_PROXY: http://forward_proxy:3128
      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -41,7 +41,7 @@ services:
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@ -1,34 +1,99 @@
 version: "3.7"
 services:
-  dnpm-backend:
+  dnpm-mysql:
-    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
+    image: mysql:9
-    container_name: bridgehead-dnpm-backend
+    healthcheck:
      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
      interval: 3s
      timeout: 5s
      retries: 5
    environment:
-      - ZPM_SITE=${ZPM_SITE}
+      MYSQL_ROOT_HOST: "%"
-      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
+      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
-      - /etc/bridgehead/dnpm:/bwhc_config:ro
+      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
      - ${DNPM_DATA_DIR}:/bwhc_data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
      - "traefik.http.routers.bwhc-backend.tls=true"
-  dnpm-frontend:
+  dnpm-authup:
-    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
+    image: authup/authup:latest
-    container_name: bridgehead-dnpm-frontend
+    container_name: bridgehead-dnpm-authup
-    links:
+    volumes:
-      - dnpm-backend
+      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
    depends_on:
      dnpm-mysql:
        condition: service_healthy
    command: server/core start
    environment:
-      - NUXT_HOST=0.0.0.0
+      - PUBLIC_URL=https://${HOST}/auth/
-      - NUXT_PORT=8080
+      - AUTHORIZE_REDIRECT_URL=https://${HOST}
-      - BACKEND_PROTOCOL=https
+      - ROBOT_ADMIN_ENABLED=true
-      - BACKEND_HOSTNAME=$HOST
+      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
-      - BACKEND_PORT=443
+      - ROBOT_ADMIN_SECRET_RESET=true
      - DB_TYPE=mysql
      - DB_HOST=dnpm-mysql
      - DB_USERNAME=root
      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
      - DB_DATABASE=auth
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
+      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth/"
-      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
-      - "traefik.http.routers.bwhc-frontend.tls=true"
+      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-auth.tls=true"
  dnpm-portal:
    image: ghcr.io/dnpm-dip/portal:latest
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-frontend.tls=true"
  dnpm-backend:
    container_name: bridgehead-dnpm-backend
    image: ghcr.io/dnpm-dip/backend:latest
    environment:
      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
    depends_on:
      dnpm-authup:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
      # expose everything
      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
      - "traefik.http.routers.dnpm-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
      # except ETL
      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-etl.tls=true"
      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
      # this needs an ETL processor with support for basic auth
      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
      # except peer-to-peer
      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-peer.tls=true"
      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
      # this effectively denies all requests
      # this is okay, because requests from peers don't go through Traefik
      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
  landing:
    labels:
      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
--- a/minimal/modules/dnpm-node-setup.sh
+++ b/minimal/modules/dnpm-node-setup.sh
@ -1,28 +1,16 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+	log INFO "DNPM setup detected -- will start DNPM:DIP node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-	if [ -z "${DNPM_DATA_DIR+x}" ]; then
+    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
-		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
+    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
-		exit 1
+    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
-	fi
+    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
 	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
 		echo "Adding override of landing page url"
 		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		else
 			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		fi
 	fi
 fi
--- a/minimal/modules/nngm-compose.yml
+++ b/minimal/modules/nngm-compose.yml
@ -11,7 +11,6 @@ services:
      CTS_API_KEY: ${NNGM_CTS_APIKEY}
      CRYPT_KEY: ${NNGM_CRYPTKEY}
      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
--- a/minimal/vars
+++ b/minimal/vars
@ -1,5 +1,3 @@
 source versions
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
--- a/modules/ssh-tunnel-compose.yml
+++ b/modules/ssh-tunnel-compose.yml
@ -0,0 +1,17 @@
 version: "3.7"
 services:
  ssh-tunnel:
    image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel
    container_name: bridgehead-ccp-ssh-tunnel
    environment:
      SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
      SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
      SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
    volumes:
      - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
    secrets:
      - privkey
 secrets:
  privkey:
    file: /etc/bridgehead/pki/ssh-tunnel.priv.pem
--- a/modules/ssh-tunnel-setup.sh
+++ b/modules/ssh-tunnel-setup.sh
@ -0,0 +1,6 @@
 #!/bin/bash
 if [ -n "$ENABLE_SSH_TUNNEL" ]; then
 	log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
 	OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"
 fi
--- a/modules/ssh-tunnel.md
+++ b/modules/ssh-tunnel.md
@ -0,0 +1,19 @@
 # SSH Tunnel Module
 This module enables SSH tunneling capabilities for the Bridgehead installation.
 The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns.
 To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container.
 ## Configuration Variables
 - `ENABLE_SSH_TUNNEL`: Required to enable the module
 - `SSH_TUNNEL_USERNAME`: Username for SSH connection
 - `SSH_TUNNEL_HOST`: Target host for SSH tunnel
 - `SSH_TUNNEL_PORT`: SSH port (defaults to 22)
 ## Configuration Files
 The module requires the following files to be present:
 - `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration).
 - `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!**
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@ -0,0 +1,86 @@
 services:
  transfair:
    image: docker.verbis.dkfz.de/cache/samply/transfair:latest
    container_name: bridgehead-transfair
    environment:
      # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
      - TTP_URL
      - TTP_ML_API_KEY
      - TTP_GW_SOURCE
      - TTP_GW_EPIX_DOMAIN
      - TTP_GW_GPAS_DOMAIN
      - TTP_TYPE
      - TTP_AUTH
      - PROJECT_ID_SYSTEM
      - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
      - FHIR_INPUT_URL=${FHIR_INPUT_URL}
      - FHIR_OUTPUT_URL=${FHIR_OUTPUT_URL:-http://blaze:8080}
      - FHIR_REQUEST_CREDENTIALS=${FHIR_REQUEST_CREDENTIALS}
      - FHIR_INPUT_CREDENTIALS=${FHIR_INPUT_CREDENTIALS}
      - FHIR_OUTPUT_CREDENTIALS=${FHIR_OUTPUT_CREDENTIALS}
      - EXCHANGE_ID_SYSTEM=${EXCHANGE_ID_SYSTEM:-SESSION_ID}
      - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
      - RUST_LOG=${RUST_LOG:-info}
      - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
      - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
      - NO_PROXY=${TRANSFAIR_NO_PROXIES}
      - ALL_PROXY=http://forward_proxy:3128
    volumes:
      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair"
      - "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth"
      - "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)"
      - "traefik.http.services.transfair.loadbalancer.server.port=8080"
      - "traefik.http.routers.transfair.tls=true"
  traefik:
    labels:
      - "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}"
  transfair-input-blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-transfair-input-blaze
    environment:
      BASE_URL: "http://bridgehead-transfair-input-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx1024m"
      DB_BLOCK_CACHE_SIZE: 1024
      CQL_EXPR_CACHE_SIZE: 8
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "transfair-input-blaze-data:/app/data"
    profiles: ["transfair-input-blaze"]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)"
      - "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery"
      - "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080"
      - "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth"
      - "traefik.http.routers.transfair-input-blaze.tls=true"
  transfair-request-blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-transfair-request-blaze
    environment:
      BASE_URL: "http://bridgehead-transfair-request-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx1024m"
      DB_BLOCK_CACHE_SIZE: 1024
      CQL_EXPR_CACHE_SIZE: 8
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "transfair-request-blaze-data:/app/data"
    profiles: ["transfair-request-blaze"]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)"
      - "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests"
      - "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080"
      - "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth"
      - "traefik.http.routers.transfair-request-blaze.tls=true"
 volumes:
  transfair-input-blaze-data:
  transfair-request-blaze-data:
--- a/modules/transfair-setup.sh
+++ b/modules/transfair-setup.sh
@ -0,0 +1,35 @@
 #!/bin/bash -e
 function transfairSetup() {
    if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
        echo "Starting transfair."
 	    OVERRIDE+=" -f ./modules/transfair-compose.yml"
 	    if [ -n "$FHIR_INPUT_URL" ]; then
 		    log INFO "TransFAIR input fhir store set to external $FHIR_INPUT_URL"
 	    else
 		    log INFO "TransFAIR input fhir store not set writing to internal blaze"
 		    FHIR_INPUT_URL="http://transfair-input-blaze:8080"
 		    OVERRIDE+=" --profile transfair-input-blaze"
 	    fi
 	    if [ -n "$FHIR_REQUEST_URL" ]; then
 		    log INFO "TransFAIR request fhir store set to external $FHIR_REQUEST_URL"
 	    else
 		    log INFO "TransFAIR request fhir store not set writing to internal blaze"
 		    FHIR_REQUEST_URL="http://transfair-request-blaze:8080"
 		    OVERRIDE+=" --profile transfair-request-blaze"
 	    fi
 	    if [ -n "$TTP_GW_SOURCE" ]; then
 		    log INFO "TransFAIR configured with greifswald as ttp"
 		    TTP_TYPE="greifswald"
 	    elif [ -n "$TTP_ML_API_KEY" ]; then
 		    log INFO "TransFAIR configured with mainzelliste as ttp"
 		    TTP_TYPE="mainzelliste"
        else
 		    log INFO "TransFAIR configured without ttp"
 	    fi
        TRANSFAIR_NO_PROXIES="transfair-input-blaze,blaze,transfair-requests-blaze"
        if [ -n "${TRANSFAIR_NO_PROXY}" ]; then
            TRANSFAIR_NO_PROXIES+=",${TRANSFAIR_NO_PROXY}"
        fi
    fi
 }
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 BLAZE_TAG=0.28
 POSTGRES_TAG=15.6-alpine
--- a/versions/acceptance
+++ b/versions/acceptance
@ -0,0 +1,4 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
 POSTGRES_TAG=15.13-alpine
--- a/versions/prod
+++ b/versions/prod
@ -0,0 +1,4 @@
 FOCUS_TAG=main
 BEAM_TAG=main
 BLAZE_TAG=0.32
 POSTGRES_TAG=15.13-alpine
--- a/versions/test
+++ b/versions/test
@ -0,0 +1,4 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
 POSTGRES_TAG=15.13-alpine
Author	SHA1	Message	Date
Jan	66fe90ff98	Merge pull request #314 from samply/develop	2025-06-11 11:29:09 +02:00
djuarezgf	c33fbfc8bc	fix: Create Exporter User only if Exporter is enabled (#317 )	2025-06-11 09:34:41 +02:00
Enola Knezevic	faa8abd4ee	chore: update eric.acc.root.crt.pem (#316 )	2025-06-10 16:48:22 +02:00
djuarezgf	7693289d4d	docs: add Teiler and Exporter to the main README.md (#315 ) Co-authored-by: Tobias Kussel <TKussel@users.noreply.github.com>	2025-06-10 11:03:18 +02:00
djuarezgf	d482324361	feat: add Teiler and Exporter in BBMRI (#312 ) Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2025-06-05 16:55:03 +02:00
Martin Lablans	b7a42f3d3b	chore: externalize POSTGRES_TAG and bump postgres to 15.13 (#313 )	2025-06-04 14:22:34 +02:00
Tim Schumacher	fd013232f5	Cache public organoid dashboard SQL query (#309 )	2025-05-23 15:26:59 +02:00
DavidCroftDKFZ	eb52554892	docs: add faq (#288 )	2025-05-22 18:10:40 +02:00
DavidCroftDKFZ	08c695e960	docs: Control import from Directory, improve README (#297 )	2025-05-22 18:03:01 +02:00
DavidCroftDKFZ	1513fe1c6c	Added section relating to clearing data from Blaze (#303 )	2025-05-22 18:01:43 +02:00
Jan	03b520bfcc	Merge pull request #308 from samply/develop	2025-05-21 15:45:39 +02:00
djuarezgf	af08a9fb08	chore: change some teiler variables (#307 )	2025-05-20 16:24:24 +02:00
Jan	4082292f99	Merge pull request #306 from samply/develop	2025-05-20 11:52:02 +02:00
djuarezgf	b95f0efbe7	fix: add own url to teiler dashboard to make it offline compatible (#305 )	2025-05-20 09:39:14 +02:00
Torben Brenner	99567e2b40	fix: Ensure transfair can properly communicate with the fhir server for requests (#304 )	2025-05-19 17:01:37 +02:00
Jan	96ff6043a1	feat: allow transfair to talk to services behind the proxy (#296 )	2025-05-09 13:52:33 +02:00
Jan	844ce3386e	chore(transfair): update transfair config (#298 )	2025-05-09 11:30:26 +02:00
Martin Lablans	e22ac4b066	Merge pull request #300 from samply/develop Merge develop into main	2025-05-09 09:31:47 +02:00
Martin Lablans	9782bf66b6	Code review: Move to /tmp/bridgehead/...	2025-05-08 09:18:02 +02:00
Tim Schumacher	87f0e8ad7f	Use temp directory for secret sync cache	2025-05-08 09:18:02 +02:00
Jan	7365be3e7b	chore(transfair): add option to disable tls verification (#295 )	2025-04-17 12:01:45 +02:00
Enola Knezevic	c5d08c50a4	chore: add BBMRI ERIC acceptance env (#294 )	2025-04-16 15:37:55 +02:00
Jan	72ecaadba8	fix: ssh-tunnel-setup.sh (#293 )	2025-04-15 11:36:20 +02:00
Jan	cd38957dd7	Merge pull request #289 from samply/develop Merge develop into main	2025-04-15 10:17:11 +02:00
Jan	2ddd535794	feat: ssh tunnel (#292 ) * Added ccp module for a ssh tunnel Usage details under https://github.com/samply/ssh-tunnel * chore: update ssh-tunnel image to harbor * feat: ssh tunnel support diffrent port * chore: fix indentation * chore: move to top level modules * docs: add ssh-tunnel docs --------- Co-authored-by: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>	2025-04-14 10:45:15 +02:00
Jan	973547c322	chore(transfair): add new gw option (#291 )	2025-04-11 08:37:31 +02:00
Jan	6b649c9233	feat: expose transfair via traefik (#290 ) Note: Requires a bridgehead install to generate the basic auth user	2025-04-09 13:19:52 +02:00
Tim Schumacher	3144ee5214	Fix GitLab token syncing for BBMRI	2025-03-31 11:08:59 +02:00
janskiba	68804dc71b	feat: add transfair setup to ccp	2025-03-26 13:11:43 +01:00
janskiba	e5aebfe382	chore!: update transfair config	2025-03-26 13:11:43 +01:00
Jan	4ef585bfc5	Merge pull request #281 from samply/develop Merge develop into main	2025-03-17 10:02:58 +01:00
Torben Brenner	6f3aba1eaa	feat: support self-signed cert on ttp (#283 )	2025-03-12 15:45:55 +01:00
Jan	82ced89b33	chore: unify blaze versioning and upgrade to 0.32 (#277 )	2025-03-12 12:52:00 +01:00
Martin Lablans	5d94bac0e2	Mount queries_to_cache.conf readonly (#282 )	2025-03-10 16:03:05 +01:00
Tim Schumacher	83555540f5	chore: update central Secret Sync proxy ID (#280 )	2025-03-10 12:08:19 +01:00
Pierre Delpy	e396e00178	Fix/ccp cql cache (#279 ) * fix: adapt focus caching to new cql and add focus caching for cce and itcc --------- Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de>	2025-03-07 12:20:38 +01:00
Tim Schumacher	ecb29830e4	Send the origin of /etc/bridgehead repo to Secret Sync This is to anticipate an upcoming change in Secret Sync that will allow it to support multiple GitLab servers, e.g. verbis GitLab and BBMRI GitLab.	2025-03-05 11:04:22 +01:00
Torben Brenner	98121c17e8	Make Codeowners Rule apply to all Files in Repo	2025-02-20 17:28:38 +01:00
Torben Brenner	e38511e118	Add Codeowners File	2025-02-20 17:20:54 +01:00
Torben Brenner	6ca67ca082	Merge pull request #270 from samply/develop	2025-02-20 15:46:40 +01:00
Pierre Delpy	8334fac84d	fix: use correct obds2fhir-rest image --------- Co-authored-by: Pierre Delpy <p.delpy@dkfz-heidelberg.de>	2025-02-20 13:48:10 +01:00
Torben Brenner	8000356b57	docs: explicitly clone main branch (#269 )	2025-02-07 11:21:43 +01:00
Torben Brenner	74d8e68d96	Merge pull request #258 from samply/feat/routine-connector feat: transFAIR	2025-02-07 10:39:54 +01:00
Torben Brenner	c568a56651	refactor: set transfair log to info	2025-02-07 10:30:43 +01:00
Torben Brenner	8384143387	fix: make transfair reach the internal blaze stores	2025-02-07 09:17:17 +01:00
Torben Brenner	8fe73a8123	fix: support mode without ttp	2025-02-07 09:17:07 +01:00
Torben Brenner	bca63e82a9	fix: don't use return in transfairSetup For some reason the return not only exits transfairSetup, but also the bridgehead script	2025-02-06 15:43:37 +01:00
Jan	721627a78f	feat: migrate to new dnpm:dip node (#251 ) * feat: migrate to new dnpm:dip node * hardcode dnpm connector type to broker * use `SITE_NAME` for dnpm `LOCAL_SITE` * host central targets in git * dnpm: add goettingen to central targets * dnpm: add uksh to central targets * dnpm: replace named volumes with fs volumes * chore: change dnpm images * chore: pin mysql * dnpm: Secure endpoints for ETL and p2p communications (#254) * fix authup redirect (#262) When a OIDC provider is configured, you'll get redirected to authup by Keycloak which redirects you to the DNPM:DIP. Currently the url looks like this: https://myserver/authup//someurl and produces an error. Manually removing the additional / fixes the issue. * Whitespace formatting --------- Co-authored-by: Niklas <niklas@ytvwld.de> Co-authored-by: Niklas Reimer <niklas@backbord.net> Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2025-02-05 13:24:28 +01:00
Jan	e08ff92401	Merge pull request #268 from samply/main Main backport	2025-02-05 08:45:35 +01:00
Jan	e3553370b6	feat: unify version handeling (#265 )	2025-01-29 13:17:59 +01:00
Jan	1ad73d8f82	fix: properly load oidc secrets (#267 )	2025-01-29 10:59:27 +01:00
Tobias Kussel	0b6fa439ba	Merge pull request #266 from samply/fix/docker-hub-link Fixed Docker Hub URL list link	2025-01-29 09:52:26 +01:00
Martin Lablans	615990b92a	Use secret-sync for gitpassword (#257 ) --------- Co-authored-by: Tim Schumacher <tim@tschumacher.net> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Tim Schumacher <tim.schumacher@dkfz-heidelberg.de>	2025-01-28 14:53:49 +01:00
Tobias Kussel	db950d6d87	Fixed Docker Hub URL list link	2025-01-28 08:59:57 +00:00
patrickskowronekdkfz	6a71da3dd1	docs: documentation for changing your configuration repository access token (#256 )	2025-01-27 10:49:10 +01:00
patrickskowronekdkfz	138a1fa5f1	fix: changed ccp_ppi to use IDMANAGEMENT_FRIENDLY_ID instead of SITE_NAME (#259 )	2025-01-27 10:49:10 +01:00
patrickskowronekdkfz	39a87bcf61	Update: Blaze to version 0.31 (#260 )	2025-01-27 10:49:10 +01:00
Jan	655d0d24c7	fix: remove `restart: always` in compose files (#261 )	2025-01-27 10:49:10 +01:00
janskiba	fa0d9fb8b4	restrict additional blaze memory usage	2025-01-24 09:23:08 +00:00
janskiba	139fcecabe	redo transfair setup	2025-01-23 13:27:42 +00:00
janskiba	2058a7a5c9	update image url	2025-01-23 12:06:43 +00:00
janskiba	47364f999e	wip: routine connector	2025-01-21 13:55:08 +00:00
patrickskowronekdkfz	910289079b	docs: documentation for changing your configuration repository access token (#256 )	2025-01-21 09:35:25 +01:00
patrickskowronekdkfz	1003cd73cf	fix: changed ccp_ppi to use IDMANAGEMENT_FRIENDLY_ID instead of SITE_NAME (#259 )	2025-01-21 09:30:20 +01:00
patrickskowronekdkfz	3d1105b97c	Update: Blaze to version 0.31 (#260 )	2025-01-21 09:28:47 +01:00
Jan	5c28e704d2	fix: remove `restart: always` in compose files (#261 )	2025-01-21 09:27:27 +01:00
Tobias Kussel	df1ec21848	Merge pull request #246 from samply/develop set environment variables needed for the focus blaze-and-sql endpoint to work when fhir2sql is enabled	2024-12-11 10:53:27 +01:00
patrickskowronekdkfz	e3510363ad	fix: remove credentials from git remote, if update fails (#253 ) Signed-off-by: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>	2024-12-10 17:18:07 +01:00
Enola Knezevic	45aefd24e5	renamed exporter API key to EXPORTER_API_KEY (#252 )	2024-12-06 11:27:38 +01:00
patrickskowronekdkfz	122ff16bb1	fix: use verbis cache image instead of docker-hub (#250 )	2024-11-12 09:58:17 +01:00
djuarezgf	967e45624e	Add exporter configuration to focus (#249 )	2024-11-05 15:46:00 +01:00
Tobias Kussel	8cd5b93b95	Merge pull request #237 from samply/feat/ccp-ppi Feat/ccp ppi	2024-11-05 13:59:01 +01:00
Jan	52c24ee6fa	fix(fhir2sql): add the postgres connection string to focus (#245 )	2024-11-05 13:34:36 +01:00
davidmscholz	26712d3567	feat: add and set FOCUS_ENDPOINT_TYPE to support fhir2sql (#244 ) * add and set FOCUS_ENDPOINT_TYPE Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --------- Co-authored-by: davidmscholz <david.scholz@dkfz-heidelberg.de> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2024-10-30 15:21:15 +01:00
Pierre Delpy	a4e292dd18	Merge pull request #241 from samply/develop feat: add focus tags in ccp and bbmri (#240)	2024-10-23 07:24:06 +02:00
Enola Knezevic	eea17c3478	fix: remove invalid beam-proxy tag and add it to focus instead (#242 )	2024-10-22 16:48:48 +02:00
Pierre Delpy	cf5230963c	feat: add focus tags in ccp and bbmri (#240 ) Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de>	2024-10-21 11:00:01 +02:00
Pierre Delpy	75089ab428	Merge pull request #221 from samply/develop Keep develop in sync with main	2024-10-15 14:30:15 +02:00
Pierre Delpy	7aaee5e7d5	feat: add auto archiving action (#238 ) * feat: add auto archiving action --------- Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de> Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2024-10-15 13:03:42 +02:00
Patrick Skowronek	23981062bb	Move ppi to id-management	2024-10-10 13:27:24 +02:00
Patrick Skowronek	8e7fe6851e	fix: use correct mainzelliste api key	2024-10-10 13:11:43 +02:00
Patrick Skowronek	760d599b7c	Add CCP-PPI	2024-10-10 12:56:36 +02:00
		`@ -0,0 +1,2 @@`
							bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
							bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==
		`@ -0,0 +1,2 @@`
							`bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl`
							bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp