Added root cert

.gitignore

@@ -1,6 +1,6 @@
 ##Ignore site configuration
 .gitmodules
 site-config/*
-.idea
+
 ## Ignore site configuration
 */docker-compose.override.yml

README.md

@@ -139,15 +139,6 @@ Your Bridgehead will automatically and regularly check for updates. Whenever som
 
 If you would like to understand what happens exactly and when, please check the systemd units deployed during the [installation](#base-installation) via `systemctl cat bridgehead-update@<PROJECT>.service` and `systemctl cat bridgehead-update@<PROJECT.timer`.
 
-### Auto-Backups
-Some of the components in the bridgehead will store persistent data. For those components, we integrated an automated backup solution in the bridgehead updates. It will automatically save the backup in multiple files
-
-1) Last-XX, were XX represents a weekday to allow re-import of at least one version of the database for each of the past seven days.
-2) Year-KW-XX, were XX represents the calendar week to allow re-import of at least one version per calendar week
-3) Year-Month, to allow re-import of at least one version per month
-
-To enable the Auto-Backup feature, please set the Variable `BACKUP_DIRECTORY` in your sites configuration.
-
 ### Monitoring
 
 To keep all Bridgeheads up and working and detect any errors before a user does, a central monitoring 

bbmri/docker-compose.yml

@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: "samply/beam-proxy:develop"
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

bridgehead

@@ -32,6 +32,9 @@ case "$PROJECT" in
 	bbmri)
 		#nothing extra to do
 		;;
+	snap)
+		#nothing extra to do
+		;;
 	*)
 		printUsage
 		exit 1

ccp/docker-compose.yml

@@ -85,7 +85,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: samply/beam-proxy:main
+    image: "samply/beam-proxy:develop"
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

ccp/exliquid-setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+function exliquidSetup() {
+	case ${SITE_ID} in
+		berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
+			EXLIQUID=1
+			;;
+		dktk-test)
+			EXLIQUID=1
+			;;
+		*)
+			EXLIQUID=0
+			;;
+	esac
+	if [[ $EXLIQUID -eq 1 ]]; then
+		log INFO "EXLIQUID setup detected -- will start Report-Hub."
+		OVERRIDE+=" -f ./$PROJECT/exliquid-compose.yml"
+	fi
+}

ccp/modules/exliquid-setup.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-
-case ${SITE_ID} in
-  berlin|dresden|essen|frankfurt|freiburg|luebeck|mainz|muenchen-lmu|muenchen-tu|mannheim|tuebingen)
-    EXLIQUID=1
-    ;;
-  dktk-test)
-    EXLIQUID=1
-    ;;
-  *)
-    EXLIQUID=0
-    ;;
-esac
-if [[ $EXLIQUID -eq 1 ]]; then
-  log INFO "EXLIQUID setup detected -- will start Report-Hub."
-  OVERRIDE+=" -f ./$PROJECT/modules/exliquid-compose.yml"
-fi

ccp/modules/exporter-compose.yml

@@ -1,42 +0,0 @@
-version: "3.7"
-
-services:
-  exporter:
-    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
-    container_name: bridgehead-ccp-exporter
-    environment:
-      LOG_LEVEL: "INFO"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
-      CROSS_ORIGINS: "https://${HOST}/ccp-teiler-root-config"
-      EXPORTER_DB_USER: "exporter"
-      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
-      CLEAN_TEMP_FILES_CRON_EXPRESSION: "0 0 1 * * *"
-      TEMP_FILES_LIFETIME_IN_DAYS: "1"
-      CLEAN_WRITE_FILES_CRON_EXPRESSION: "0 0 2 * * *"
-      WRITE_FILES_LIFETIME_IN_DAYS: "30"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
-      - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
-      - "traefik.http.routers.exporter_ccp.tls=true"
-      - "traefik.http.routers.exporter_ccp.middlewares=auth"
-    volumes:
-      - "exporter:/app/exporter-files"
-
-  exporter-db:
-    image: postgres:15.1-alpine
-    container_name: bridgehead-ccp-exporter-db
-    environment:
-      POSTGRES_USER: "exporter"
-      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
-      POSTGRES_DB: "exporter"
-    volumes:
-      - "exporter-db:/var/lib/postgresql/data"
-
-
-volumes:
-  exporter-db:
-    name: "exporter-db"
-  exporter:
-    name: "exporter"

ccp/modules/exporter-setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_EXPORTER" ];then
-  log INFO "Exporter setup detected -- will start Exporter service."
-  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
-fi
-# TODO: Generate password in another way so that not all passwords are the same?
-EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

ccp/modules/id-management-compose.yml

@@ -1,57 +0,0 @@
-version: "3.7"
-services:
-  id-manager:
-    image: docker.verbis.dkfz.de/bridgehead/magicpl
-    container_name: bridgehead-id-manager
-    environment:
-      TOMCAT_REVERSEPROXY_FQDN: ${HOST}
-      MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
-      MAGICPL_ALLOWED_ORIGINS: https://${HOST}
-      MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY}
-      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
-      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
-      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
-      MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
-      MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
-    depends_on:
-      - patientlist
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
-      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
-      - "traefik.http.routers.id-manager.tls=true"
-
-  patientlist:
-    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
-    container_name: bridgehead-patientlist
-    environment:
-      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
-      - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
-      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
-      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY}
-      # Add Variables from /etc/patientlist-id-generators.env
-      - PATIENTLIST_SEEDS_TRANSFORMED
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
-      - "traefik.http.services.patientlist.loadbalancer.server.port=8080"
-      - "traefik.http.routers.patientlist.tls=true"
-    depends_on:
-      - patientlist-db
-
-  patientlist-db:
-    image: postgres:15.1-alpine
-    container_name: bridgehead-patientlist-db
-    environment:
-      POSTGRES_USER: "mainzelliste"
-      POSTGRES_DB: "mainzelliste"
-      POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
-    volumes:
-      - "patientlist-db-data:/var/lib/postgresql/data"
-      # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
-      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
-
-volumes:
-  patientlist-db-data:

ccp/modules/id-management-setup.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-
-
-# Transform into single string array, e.g. 'dktk-test' to 'dktk test'
-# Usage: transformToSingleStringArray 'dktk-test' -> 'dktk test'
-function transformToSingleStringArray() {
-	echo "${1//-/ }";
-}
-
-# Ensure all Words are Uppercase
-# Usage: transformToUppercase 'dktk test' -> 'Dktk Test'
-function transformToUppercase() {
-	result="";
-	for word in $1; do
-		result+=" ${word^}";
-	done
-	echo "$result";
-}
-
-# Handle all execeptions from the norm (e.g LMU, TUM)
-# Usage: applySpecialCases 'Muenchen Lmu Test' -> 'Muenchen LMU Test'
-function applySpecialCases() {
-	result="$1";
-	result="${result/Lmu/LMU}";
-	result="${result/Tum/TUM}";
-	echo "$result";
-}
-
-# Transform current siteids to legacy version
-# Usage: legacyIdMapping "dktk-test" -> "DktkTest"
-function legacyIdMapping() {
-	single_string_array=$(transformToSingleStringArray "$1");
-	uppercase_string=$(transformToUppercase "$single_string_array");
-	normalized_string=$(applySpecialCases "$uppercase_string");
-	echo "$normalized_string" | tr -d ' '
-}
-
-if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
-  log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
-  OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml"
-
-  # Auto Generate local Passwords
-  PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  IDMANAGER_LOCAL_PATIENTLIST_APIKEY="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-
-  # Transform Seeds Configuration to pass it to the Mainzelliste Container
-  PATIENTLIST_SEEDS_TRANSFORMED="$(declare -p PATIENTLIST_SEEDS | tr -d '\"' | sed 's/\[/\[\"/g' | sed 's/\]/\"\]/g')"
-
-  # Ensure old ids are working !!!
-  export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
-fi

ccp/modules/id-management.md

@@ -1,66 +0,0 @@
-# Module: Id-Management
-This module provides integration with the CCP-Pseudonymiziation Service. To learn more on the backgrounds of this service, you can refer to the [CCP Data Protection Concept](https://dktk.dkfz.de/klinische-plattformen/documents-download).
-
-## Getting Started
-The following configuration variables are added to your sites-configuration repository:
-
-```
-IDMANAGER_UPLOAD_APIKEY="<random-string>"
-IDMANAGER_READ_APIKEY="<random-string>"
-IDMANAGER_CENTRAL_PATIENTLIST_APIKEY="<given-to-you-by-ccp-it>"
-IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY="<given-to-you-by-ccp-it>"
-IDMANAGER_AUTH_CLIENT_ID="<given-to-you-by-ccp-it>"
-IDMANAGER_AUTH_CLIENT_SECRET="<given-to-you-by-ccp-it>"
-
-IDMANAGER_SEEDS_BK="<three-numbers>"
-IDMANAGER_SEEDS_MDS="<three-numbers>"
-IDMANAGER_SEEDS_DKTK000001985="<three-numbers>"
-```
-> NOTE: Additionally, the CCP-IT adds lines declaring the `PATIENTLIST_SEEDS` array in your site configuration. This will contain the seeds for the different id-generators used in all projects.
-
-Once your Bridgehead is updated and restarted, you're all set!
-
-## Additional information you may want to know
-
-### Services
-
-Upon configuration, the Bridgehead will spawn the following services:
-
-- The `bridgehead-id-manager` at https://bridgehead.local/id-manager, provides a common interface for creating pseudonyms in the bridgehead.
-- The `bridgehead-patientlist` at https://bridgehead.local/patientlist is a local instance of the open-source software [Mainzelliste](https://mainzelliste.de). This service's primary task is to map patients IDAT to pseudonyms identifying them along the different CCP projects.
-- The `bridgehead-patientlist-db` is only accessible within the Bridgehead itself. This is a local postgresql instance storing the database for `bridgehead-patientlist`. The data is persisted as a named volume `patientlist-db-data`.
-
-### How to import an existing database (e.g from Legacy Windows or from Backups)
-First you must shutdown your local bridgehead instance:
-```
-systemctl stop bridgehead@ccp
-```
-
-Next you need to remove the current patientlist database:
-```
-docker volume rm patientlist-db-data;
-```
-
-Third, you need to place your postgres dump in the import directory `/tmp/bridgehead/patientlist/some-dump.sql`. This will only be imported, then the volume `patientlist-db-data` was removed previously. 
-> NOTE: Please create the postgres dump with the options "--no-owner" and "--no-privileges". Additionally ensure the dump is created in the plain format (SQL).
-
-After this, you can restart your bridgehead and the dump will be imported:
-```
-systemctl start bridgehead@ccp
-```
-
-### How to connect your local data-management
-Typically, the sites connect their local data-management for the pseudonym creation with the id-management in the bridgehead. In the following two sections, you can read where you can change the configuration:
-#### Sites using CentraXX
-On your CentraXX Server, you need to change following settings in the "centraxx-dev.properties" file.
-```
-dktk.idmanagement.url=https://<your-linux-bk-host>/id-manager/translator/getId
-dktk.idmanagement.apiKey=<your-setting-for-IDMANAGER_UPLOAD_APIKEY>
-```
-They typically already exist, but need to be changed to the new values!
-#### Sites using ADT2FHIR
-@Pierre
-
-
-### How to connect the legacy windows bridgehead
-You need to change the configuration file "..." of your Windows Bridgehead. TODO... 

ccp/modules/mtba-compose.yml

@@ -1,36 +0,0 @@
-version: "3.7"
-
-services:
-  mtba:
-    image: samply/mtba:develop
-    container_name: bridgehead-mtba
-    environment:
-      BLAZE_STORE_URL: http://blaze:8080
-      # NOTE: Aktuell Berechtigungen wie MagicPL!!!
-      # TODO: Add separate ApiKey to MagicPL only for MTBA!
-      ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY}
-      ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
-      ID_MANAGER_URL: http://id-manager:8080/id-manager
-      PATIENT_CSV_FIRST_NAME_HEADER: ${MTBA_PATIENT_CSV_FIRST_NAME_HEADER}
-      PATIENT_CSV_LAST_NAME_HEADER: ${MTBA_PATIENT_CSV_LAST_NAME_HEADER}
-      PATIENT_CSV_GENDER_HEADER: ${MTBA_PATIENT_CSV_GENDER_HEADER}
-      PATIENT_CSV_BIRTHDAY_HEADER: ${MTBA_PATIENT_CSV_BIRTHDAY_HEADER}
-      CBIOPORTAL_URL:  http://cbioportal:8080
-      FILE_CHARSET: ${MTBA_FILE_CHARSET}
-      FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE}
-      CSV_DELIMITER: ${MTBA_CSV_DELIMITER}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.mtba.rule=PathPrefix(`/`)"
-      - "traefik.http.services.mtba.loadbalancer.server.port=80"
-      - "traefik.http.routers.mtba.tls=true"
-    volumes:
-      - /tmp/bridgehead/mtba/input:/app/input
-      - /tmp/bridgehead/mtba/persist:/app/persist
-
-  # TODO: Include CBioPortal in Deployment ...
-  # NOTE: CBioPortal can't load data while the system is running. So after import of data bridgehead needs to be restarted!
-  # TODO: Find a trigger to let mtba signal a restart for CBioPortal
-
-volumes:
-  mtba-data:

ccp/modules/mtba-setup.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_MTBA" ];then
-  log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal."
-  if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
-    log ERROR "Detected MTBA Module configuration but ID-Management Module seems not to be configured!"
-    exit 1;
-  fi
-  OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
-fi

ccp/modules/nngm-setup.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ -n "$NNGM_CTS_APIKEY" ]; then
-  log INFO "nNGM setup detected -- will start nNGM Connector."
-  OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml"
-fi
-CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

ccp/modules/opal-compose.yml

@@ -1,79 +0,0 @@
-version: "3.7"
-
-services:
-
-  ############################################ DataSHIELD Client (Rocker R-Studio)
-  rstudio:
-    image: docker.verbis.dkfz.de/dktk/bridgehead-rstudio:latest
-    container_name: bridgehead-rstudio
-    #TODO: Connect with Keycloak: https://rocker-project.org/images/versioned/rstudio.html
-    environment:
-      USER: "ruser"
-      PASSWORD: "${RSTUDIO_PASSWORD}"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.login.rule=PathPrefix(`/rstudio`)"
-      - "traefik.http.services.login.loadbalancer.server.port=8787"
-      - "traefik.http.routers.login.tls=true"
-    volumes:
-      - "rstudio-config:/home/rstudio/.config/rstudio"
-      - "rstudio-workspace:/home/rstudio/workspace"
-      - "rstudio-user-files:/home/user-files"
-
-  ############################################ DataSHIELD Server (Opal)
-  opal:
-    image: obiba/opal:4.5
-    container_name: bridgehead-opal
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.login.rule=PathPrefix(`/opal`)"
-      - "traefik.http.services.login.loadbalancer.server.port=8080" #TODO: HTTPS -> 8443
-      - "traefik.http.routers.login.tls=true"
-    links:
-      - opal-rserver
-      - opal-mongo
-      - opal-db
-    environment:
-      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      # OPAL_ADMINISTRATOR_USER: "administrator"
-      OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMINISTRATOR_PASSWORD}"
-      MONGO_HOST: "opal-mongo"
-      MONGO_PORT: "27017"
-      POSTGRESDATA_HOST: "opal-db"
-      POSTGRESDATA_DATABASE: "opal"
-      POSTGRESDATA_USER: "opal"
-      POSTGRESDATA_PASSWORD: "${OPAL_DB_PASSWORD}"
-
-      ROCK_HOSTS: "opal-rserver:8085"
-    volumes:
-      - "opal:/srv"
-
-  opal-mongo: # IDs
-    image: mongo:4.2 # TODO: Update mongo:6.0.4
-    container_name: bridgehead-opal-mongo
-
-  opal-db: # Data
-    image: postgres:15.1
-    container_name: bridgehead-opal-db
-    environment:
-      POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}"
-      POSTGRES_USER: "opal"
-      POSTGRES_DB: "opal"
-    volumes:
-      - "opal-db:/var/lib/postgresql/data"
-
-  opal-rserver:
-    image: datashield/rock-base:6.2-R4.2  # https://datashield.discourse.group/t/ds-aggregate-method-error/416/4
-    container_name: bridgehead-opal-rserver
-
-volumes:
-  rstudio-config:
-    name: "rstudio-config"
-  rstudio-workspace:
-    name: "rstudio-workspace"
-  rstudio-user-files:
-    name: "rstudio-user-files"
-  opal-db:
-    name: "opal-db"
-  opal:
-    name: "opal"

ccp/modules/opal-setup.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$ENABLE_OPAL" == true ];then
-  log INFO "Opal setup detected -- will start Opal services."
-  OVERRIDE+=" -f ./$PROJECT/modules/opal-compose.yml"
-fi
-OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

ccp/modules/teiler-ui-compose.yml

@@ -1,267 +0,0 @@
-version: "3.7"
-
-services:
-  ############################################ Keycloak
-  login-db:
-    image: "postgres:15.1"
-    container_name: bridgehead-login-db
-    environment:
-      POSTGRES_USER: "keycloak"
-      POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in teiler-setup.sh
-      POSTGRES_DB: "keycloak"
-    volumes:
-      - "login-db:/var/lib/postgresql/data"
-
-  login:
-    #image: "jboss/keycloak:16.1.1"
-    image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest
-    container_name: bridgehead-login
-    environment:
-      KEYCLOAK_ADMIN: "admin"
-      KEYCLOAK_ADMIN_PASSWORD: "${KEYCLOAK_ADMIN_PASSWORD}"
-      KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in teiler-setup.sh
-      KC_HOSTNAME_URL: "https://${HOST}/login"
-      KC_HOSTNAME_STRICT: "false"
-      KC_PROXY_ADDRESS_FORWARDING: "true"
-      TEILER_ROOT_CONFIG_EXTERN_URL: "https://${HOST}/ccp-teiler"
-    command:
-      - start-dev --import-realm --proxy edge --http-relative-path=/login
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.login.rule=PathPrefix(`/login`)"
-      - "traefik.http.services.login.loadbalancer.server.port=8080"
-      - "traefik.http.routers.login.tls=true"
-    depends_on:
-      - login-db
-
-  ############################################ Teiler-UI
-  teiler-root-config:
-    image: samply/teiler-root-config:developer
-    container_name: bridgehead-teiler-root-config
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_root_config_ccp.rule=PathPrefix(`/ccp-teiler`)"
-      - "traefik.http.services.teiler_root_config_ccp.loadbalancer.server.port=9000"
-      - "traefik.http.routers.teiler_root_config_ccp.tls=true"
-    environment:
-      TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core"
-      TEILER_UI_URL: "https://${HOST}/ccp-teiler-ui"
-      DEFAULT_LANGUAGE: "de"
-
-  teiler-ui:
-    image: samply/teiler-ui:developer
-    container_name: bridgehead-teiler-ui
-    #  ports:
-    #    - 4200:80
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_ui_ccp.rule=PathPrefix(`/ccp-teiler-ui`)"
-      - "traefik.http.services.teiler_ui_ccp.loadbalancer.server.port=80"
-      - "traefik.http.routers.teiler_ui_ccp.tls=true"
-    environment:
-      DEFAULT_LANGUAGE: "DE"
-      TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core"
-      KEYCLOAK_URL: "https://${HOST}/login"
-      KEYCLOAK_REALM: "teiler-ui"
-      KEYCLOAK_CLIENT_ID: "teiler-ui"
-      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
-      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
-      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
-      TEILER_PROJECT: "${PROJECT}"
-
-  teiler-core:
-    image: samply/teiler-core:developer
-    container_name: bridgehead-teiler-core
-    volumes:
-      - "/etc/bridgehead/ccp.conf:/app/ccp.conf"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.teiler_core_ccp.rule=PathPrefix(`/ccp-teiler-core`)"
-      - "traefik.http.services.teiler_core_ccp.loadbalancer.server.port=8085"
-      - "traefik.http.routers.teiler_core_ccp.tls=true"
-    environment:
-      LOG_LEVEL: "INFO"
-      APPLICATION_PORT: "8085"
-      DEFAULT_LANGUAGE: "DE"
-      CONFIG_ENV_VAR_PATH: "/app/ccp.conf"
-      TEILER_CONFIG_UPDATER_CRON: "0 1 * * * *"
-      TEILER_ROOT_CONFIG_URL: "https://${HOST}/ccp-teiler"
-      TEILER_UI_DE_URL: "https://${HOST}/ccp-teiler-ui/de"
-      TEILER_UI_EN_URL: "https://${HOST}/ccp-teiler-ui/en"
-      TEILER_APP1_NAME: "config"
-      #    TEILER_APP2_NAME: "quality-report"
-      TEILER_APP3_NAME: "keycloak"
-      TEILER_APP3_TITLE: "Keycloak"
-      TEILER_APP4_DESCRIPTION_EN: "Authentication site"
-      TEILER_APP4_DESCRIPTION_DE: "Authentifizierungsseite"
-      TEILER_APP4_SOURCEURL: "https://${HOST}/login/auth/"
-      TEILER_APP4_ROLES: "TEILER_ADMIN"
-      TEILER_APP4_ISACTIVATED: "true"
-      TEILER_APP4_ICONSOURCEURL: "https://upload.wikimedia.org/wikipedia/commons/2/29/Keycloak_Logo.png"
-      TEILER_APP4_ORDER: "5"
-      TEILER_APP4_ISEXTERNALLINK: "true"
-      TEILER_APP4_ISLOCAL: "true"
-      #    TEILER_APP5_NAME: "pgadmin"
-      #    TEILER_APP5_TITLE: "PgAdmin"
-      #    TEILER_APP5_DESCRIPTION: "Database Management"
-      #    TEILER_APP5_SOURCEURL: "http://localhost:5000"
-      #    TEILER_APP5_ROLES: "TEILER_ADMIN"
-      #    TEILER_APP5_ISACTIVATED: "true"
-      #    TEILER_APP5_ICONSOURCEURL: "https://user-images.githubusercontent.com/24623425/36042969-f87531d4-0d8a-11e8-9dee-e87ab8c6a9e3.png"
-      #    TEILER_APP5_ORDER: "6"
-      #    TEILER_APP5_ISEXTERNALLINK: "true"
-      #    TEILER_APP5_ISLOCAL: "true"
-      TEILER_APP6_NAME: "ldm"
-      TEILER_APP6_TITLE_EN: "Local data management"
-      TEILER_APP6_TITLE_DE: "Lokales Datenmanagement"
-      TEILER_APP6_DESCRIPTION_EN: "Local Data Management"
-      TEILER_APP6_DESCRIPTION_DE: "Lokales Datenmanagement"
-      TEILER_APP6_SOURCEURL: "${CENTRAXX_URL}"
-      TEILER_APP6_ROLES: "TEILER_PUBLIC"
-      TEILER_APP6_ISACTIVATED: "${IS_DKTK_SITE}"
-      TEILER_APP6_ICONCLASS: "bi bi-server"
-      TEILER_APP6_ORDER: "7"
-      TEILER_APP6_ISEXTERNALLINK: "true"
-      TEILER_APP6_ISLOCAL: "true"
-      TEILER_APP7_NAME: "id-manager"
-      TEILER_APP7_TITLE: "ID-Manager"
-      TEILER_APP7_DESCRIPTION: "ID Manager"
-      TEILER_APP7_SOURCEURL: "https://${HOST}/id-manager/index.html"
-      TEILER_APP7_ROLES: "TEILER_PUBLIC"
-      TEILER_APP7_ISACTIVATED: "true"
-      TEILER_APP7_ICONCLASS: "bi bi-person-bounding-box"
-      TEILER_APP7_ORDER: "8"
-      TEILER_APP7_ISEXTERNALLINK: "true"
-      TEILER_APP7_ISLOCAL: "true"
-      TEILER_APP8_NAME: "patient-list"
-      TEILER_APP8_TITLE_EN: "Patient List"
-      TEILER_APP8_TITLE_DE: "Patientenliste"
-      TEILER_APP8_DESCRIPTION_EN: "Patient List"
-      TEILER_APP8_DESCRIPTION_DE: "Patientenliste"
-      TEILER_APP8_SOURCEURL: "https://${HOST}/patientlist"
-      TEILER_APP8_ROLES: "TEILER_PUBLIC"
-      TEILER_APP8_ISACTIVATED: "true"
-      TEILER_APP8_ICONCLASS: "bi bi-person-rolodex"
-      TEILER_APP8_ORDER: "9"
-      TEILER_APP8_ISEXTERNALLINK: "true"
-      TEILER_APP8_ISLOCAL: "true"
-      TEILER_APP9_NAME: "project-pseudonymisation"
-      TEILER_APP9_TITLE_EN: "Project Pseudonymisation"
-      TEILER_APP9_TITLE_DE: "Projectpseudonymisierung"
-      TEILER_APP9_DESCRIPTION_EN: "Project Pseudonymisation"
-      TEILER_APP9_DESCRIPTION_DE: "Projectpseudonymisierung"
-      TEILER_APP9_SOURCEURL: "https://${HOST}/id-manager/html/projectSelection.html"
-      TEILER_APP9_ROLES: "TEILER_PUBLIC"
-      TEILER_APP9_ISACTIVATED: "true"
-      TEILER_APP9_ICONCLASS: "bi bi-person-lines-fill"
-      TEILER_APP9_ORDER: "10"
-      TEILER_APP9_ISEXTERNALLINK: "true"
-      TEILER_APP9_ISLOCAL: "true"
-      TEILER_APP10_NAME: "federated-search"
-      TEILER_APP10_TITLE: "Lens"
-      TEILER_APP10_DESCRIPTION_EN: "Federated Search"
-      TEILER_APP10_DESCRIPTION_DE: "Föderierte Suche"
-      TEILER_APP10_SOURCEURL: "https://demo.lens.samply.de/"
-      TEILER_APP10_ROLES: "TEILER_PUBLIC"
-      TEILER_APP10_ISACTIVATED: "true"
-      TEILER_APP10_ICONCLASS: "bi bi-search"
-      TEILER_APP10_ORDER: "13"
-      TEILER_APP10_ISEXTERNALLINK: "true"
-      TEILER_APP10_ISLOCAL: "false"
-      TEILER_APP11_NAME: "central-patient-list"
-      TEILER_APP11_TITLE_EN: "Central Patient List"
-      TEILER_APP11_TITLE_DE: "Zentrale Patientenliste"
-      TEILER_APP11_DESCRIPTION_EN: "Central Patient List"
-      TEILER_APP11_DESCRIPTION_DE: "Zentrale Patientenliste"
-      TEILER_APP11_SOURCEURL: "https://patientlist.ccp-it.dktk.dkfz.de/"
-      TEILER_APP11_ROLES: "TEILER_PUBLIC"
-      TEILER_APP11_ISACTIVATED: "true"
-      TEILER_APP11_ICONCLASS: "bi bi-person-rolodex"
-      TEILER_APP11_ORDER: "14"
-      TEILER_APP11_ISEXTERNALLINK: "true"
-      TEILER_APP11_ISLOCAL: "false"
-      TEILER_APP12_NAME: "central id-manager"
-      TEILER_APP12_TITLE_EN: "Central ID-Manager"
-      TEILER_APP12_TITLE_DE: "Zentraler ID-Manager"
-      TEILER_APP12_DESCRIPTION_EN: "Central ID Manager"
-      TEILER_APP12_DESCRIPTION_DE: "Zentraler ID-Manager"
-      TEILER_APP12_SOURCEURL: "https://dktk-kne.kgu.de/"
-      TEILER_APP12_ROLES: "TEILER_PUBLIC"
-      TEILER_APP12_ISACTIVATED: "true"
-      TEILER_APP12_ICONCLASS: "bi bi-person-bounding-box"
-      TEILER_APP12_ORDER: "15"
-      TEILER_APP12_ISEXTERNALLINK: "true"
-      TEILER_APP12_ISLOCAL: "false"
-      # TODO: Icinga to be replaced by Zabbix
-      TEILER_APP13_NAME: "monitoring"
-      TEILER_APP13_TITLE: "Icinga"
-      TEILER_APP13_DESCRIPTION: "Icinga Monitoring"
-      TEILER_APP13_SOURCEURL: "https://monitor.vmitro.de/icingaweb2/dashboard"
-      TEILER_APP13_ROLES: "TEILER_ADMIN"
-      TEILER_APP13_ISACTIVATED: "true"
-      TEILER_APP13_ICONSOURCEURL: "https://images.ctfassets.net/o7xu9whrs0u9/QmL67mCGdRQ8PBcuKHGnF/858c0aee95762f59d67b25073f9483c2/icinga-logo.png"
-      TEILER_APP13_ORDER: "16"
-      TEILER_APP13_ISEXTERNALLINK: "true"
-      TEILER_APP13_ISLOCAL: "false"
-      #    TEILER_APP14_NAME: "function-tests"
-      #    TEILER_APP15_NAME: "event-log"
-      TEILER_APP16_NAME: "active-inquiries"
-      TEILER_APP16_BACKENDURL: "https://${HOST}/ccp-exporter"
-      TEILER_APP17_NAME: "archived-inquiries"
-      TEILER_APP17_BACKENDURL: "https://${HOST}/ccp-exporter"
-      TEILER_APP18_NAME: "failed-inquiries"
-      TEILER_APP18_BACKENDURL: "https://${HOST}/ccp-exporter"
-      TEILER_APP19_NAME: "inquiry"
-      TEILER_APP19_INMENU: "false"
-      #    TEILER_APP20_NAME: "cbioportal"
-      #    TEILER_APP20_TITLE: "cBioportal"
-      #    TEILER_APP20_DESCRIPTION: "Interactive exploration of multidimensional cancer genomics data sets"
-      #    TEILER_APP20_SOURCEURL: "http://localhost:8082"
-      #    TEILER_APP20_ROLES: "TEILER_USER"
-      #    TEILER_APP20_ISACTIVATED: "true"
-      #    TEILER_APP20_ICONSOURCEURL: "https://docs.cbioportal.org/images/cbio-logo.png"
-      #    TEILER_APP20_ORDER: "17"
-      #    TEILER_APP20_ISEXTERNALLINK: "true"
-      #    TEILER_APP20_ISLOCAL: "true"
-      #    TEILER_APP21_NAME: "mtba-bp"
-      #    TEILER_APP21_TITLE: "MTBA-BP"
-      #    TEILER_APP21_DESCRIPTION: "MTBA Camunda Business Process"
-      #    TEILER_APP21_SOURCEURL: "http://localhost:8480"
-      #    TEILER_APP21_ROLES: "TEILER_ADMIN"
-      #    TEILER_APP21_ISACTIVATED: "true"
-      #    TEILER_APP21_ICONSOURCEURL: "https://camunda.com/wp-content/uploads/2020/05/logo-camunda-black.svg"
-      #    TEILER_APP21_ORDER: "18"
-      #    TEILER_APP21_ISEXTERNALLINK: "true"
-      #    TEILER_APP21_ISLOCAL: "true"
-      TEILER_APP22_NAME: "dialog-quali"
-      TEILER_APP22_INMENU: "false"
-      TEILER_APP23_NAME: "dialog-uploads"
-      TEILER_APP23_INMENU: "false"
-      TEILER_APP24_NAME: "inquiry-dialog"
-      TEILER_APP24_INMENU: "false"
-      TEILER_APP25_NAME: "dialog-tests"
-      TEILER_APP25_INMENU: "false"
-      TEILER_APP26_NAME: "opal"
-      TEILER_APP26_TITLE: "Opal"
-      TEILER_APP26_DESCRIPTION: "Opal is OBiBa’s core database application for biobanks."
-      TEILER_APP26_SOURCEURL: "https://${HOST}/opal"
-      TEILER_APP26_ROLES: "TEILER_USER"
-      TEILER_APP26_ISACTIVATED: "true"
-      TEILER_APP26_ICONSOURCEURL: "https://www.obiba.org/assets/themes/bootstrap/img/obiba-logo-small.png"
-      TEILER_APP26_ORDER: "19"
-      TEILER_APP26_ISEXTERNALLINK: "true"
-      TEILER_APP26_ISLOCAL: "true"
-      TEILER_APP27_NAME: "rstudio"
-      TEILER_APP27_TITLE: "R Studio"
-      TEILER_APP27_DESCRIPTION: "RStudio is an integrated development environment (IDE) for R and Python."
-      TEILER_APP27_SOURCEURL: "https://${HOST}/rstudio"
-      TEILER_APP27_ROLES: "TEILER_USER"
-      TEILER_APP27_ISACTIVATED: "true"
-      TEILER_APP27_ICONSOURCEURL: "https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png"
-      TEILER_APP27_ORDER: "20"
-      TEILER_APP27_ISEXTERNALLINK: "true"
-      TEILER_APP27_ISLOCAL: "true"
-
-volumes:
-  login-db:
-    name: "login-db"

ccp/modules/teiler-ui-setup.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$ENABLE_TEILER" == true ];then
-  log INFO "Teiler-UI setup detected -- will start Teiler-UI services."
-  OVERRIDE+=" -f ./$PROJECT/modules/teiler-ui-compose.yml"
-fi
-KEYCLOAK_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

ccp/nngm-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   connector:
-    container_name: bridgehead-nngm-connector
+    container_name: bridgehead-connector
     image: docker.verbis.dkfz.de/ccp/connector:bk2
     environment:
       POSTGRES_PASSWORD: ${CONNECTOR_POSTGRES_PASSWORD}
@@ -19,7 +19,7 @@ services:
 
   connector_db:
     image: postgres:9.5-alpine
-    container_name: bridgehead-nngm-connector-db
+    container_name: bridgehead-ccp-connector-db
     volumes:
       - "connector_db_data:/var/lib/postgresql/data"
     environment:

ccp/nngm-setup.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+function nngmSetup() {
+	if [ -n "$NNGM_CTS_APIKEY" ]; then
+		log INFO "nNGM setup detected -- will start nNGM Connector."
+		OVERRIDE+=" -f ./$PROJECT/nngm-compose.yml"
+	fi
+	CONNECTOR_POSTGRES_PASSWORD="$(echo \"This is a salt string to generate one consistent password. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+}

ccp/vars

@@ -8,8 +8,8 @@ REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRE
 SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 
-for module in $PROJECT/modules/*.sh
-do
-    log INFO "sourcing $module"
-    source $module
-done
+# This will load nngm setup. Effective only if nngm configuration is defined.
+source $PROJECT/nngm-setup.sh
+nngmSetup
+source $PROJECT/exliquid-setup.sh
+exliquidSetup

lib/functions.sh

@@ -131,22 +131,11 @@ fail_and_report() {
 
 setHostname() {
 	if [ -z "$HOST" ]; then
-		export HOST=$(hostname -f | tr "[:upper:]" "[:lower:]")
+		export HOST=$(hostname -f)
 		log DEBUG "Using auto-detected hostname $HOST."
 	fi
 }
 
-# Takes 1) The Backup Directory Path 2) The name of the Service to be backuped
-# Creates 3 Backups: 1) For the past seven days 2) For the current month and 3) for each calendar week
-createEncryptedPostgresBackup(){
-  docker exec "$2" bash -c 'pg_dump -U $POSTGRES_USER $POSTGRES_DB --format=p --no-owner --no-privileges' | \
-      # TODO: Encrypt using /etc/bridgehead/pki/${SITE_ID}.priv.pem | \
-      tee "$1/$2/$(date +Last-%A).sql" | \
-      tee "$1/$2/$(date +%Y-%m).sql" > \
-      "$1/$2/$(date +%Y-KW%V).sql"
-}
-
-
 # from: https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
 # ex. use: retry 5 /bin/false
 function retry {

lib/install-bridgehead.sh

@@ -63,4 +63,4 @@ else
   STR="Success. Next, enroll into the $PROJECT broker by creating a cryptographic certificate. To do so, run\n\n            /srv/docker/bridgehead/bridgehead enroll $PROJECT\n\nThen, you may start the bridgehead by running$STR"
 fi
 
-log "INFO" "$STR"
+log "INFO" "$STR"

lib/prepare-system.sh

@@ -36,6 +36,9 @@ case "$PROJECT" in
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;
+	snap)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
+		;;
 	*)
 		log ERROR "Internal error, this should not happen."
         exit 1

lib/update-bridgehead.sh

@@ -81,7 +81,7 @@ done
 # Check docker updates
 log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
-for IMAGE in $(cat $PROJECT/docker-compose.yml ${OVERRIDE//-f/} | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
+for IMAGE in $(cat $PROJECT/docker-compose.yml | grep -v "^#" | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."
@@ -103,37 +103,6 @@ else
   hc_send log "$RES"
 fi
 
-if [ -n "${BACKUP_DIRECTORY}" ]; then
-  if [ ! -d "$BACKUP_DIRECTORY" ]; then
-    message="Performing automatic maintenance: Attempting to create backup directory $BACKUP_DIRECTORY."
-    hc_send log "$message"
-    log INFO "$message"
-    mkdir -p "$BACKUP_DIRECTORY"
-    chown -R "$BACKUP_DIRECTORY" bridgehead;
-  fi
-  checkOwner "$BACKUP_DIRECTORY" bridgehead || fail_and_report 1 "Automatic maintenance failed: Wrong permissions for backup directory $(pwd)"
-  # Collect all container names that contain '-db'
-  BACKUP_SERVICES="$(docker ps --filter name=-db --format "{{.Names}}" | tr "\n" "\ ")"
-  log INFO "Performing automatic maintenance: Creating Backups for $BACKUP_SERVICES";
-  for service in $BACKUP_SERVICES; do
-    if [ ! -d "$BACKUP_DIRECTORY/$service" ]; then
-      message="Performing automatic maintenance: Attempting to create backup directory for $service in $BACKUP_DIRECTORY."
-      hc_send log "$message"
-      log INFO "$message"
-      mkdir -p "$BACKUP_DIRECTORY/$service"
-    fi
-    if createEncryptedPostgresBackup "$BACKUP_DIRECTORY" "$service"; then
-      message="Performing automatic maintenance: Stored encrypted backup for $service in $BACKUP_DIRECTORY."
-      hc_send log "$message"
-      log INFO "$message"
-    else
-      fail_and_report 5 "Failed to create encrypted update for $service"
-    fi
-  done
-else
-  log WARN "Automated backups are disabled (variable AUTO_BACKUPS != \"true\")"
-fi
-
 exit 0
 
 # TODO: Print last commit explicit

snap/docker-compose.yml

@@ -0,0 +1,83 @@
+version: "3.7"
+
+services:
+  traefik:
+    container_name: bridgehead-traefik
+    image: traefik:latest
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.directory=/configuration/
+      - --api.dashboard=true
+      - --accesslog=true
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.middlewares=auth"
+      - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - /etc/bridgehead/traefik-tls:/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  forward_proxy:
+    container_name: bridgehead-forward-proxy
+    image: samply/bridgehead-forward-proxy:latest
+    environment:
+      HTTPS_PROXY: ${HTTPS_PROXY_URL}
+      USERNAME: ${HTTPS_PROXY_USERNAME}
+      PASSWORD: ${HTTPS_PROXY_PASSWORD}
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
+
+  spot:
+    image: docker.verbis.dkfz.de/ccp-private/aql-local-spot
+    container_name: bridgehead-spot
+    environment:
+      SECRET: ${SPOT_BEAM_SECRET_LONG}
+      APPID: spot
+      PROXY_ID: ${PROXY_ID}
+      LDM_URL: ${LDM_URL}
+      AUTH_USER: ${AUTH_USER}
+      AUTH_PW: ${AUTH_PW}
+      BEAM_PROXY: http://beam-proxy:8081
+    depends_on:
+      - "beam-proxy"
+
+  beam-proxy:
+    image: "samply/beam-proxy:develop"
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_0_ID: snap
+      APP_0_KEY: ${SPOT_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - ./root.crt.pem:/conf/root.crt.pem:ro
+
+
+volumes:
+  blaze-data:
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

snap/root.crt.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUMeGRSrNPhRdQ1tU7uK5+lUa4f38wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjIwOTI5MTQxMjU1WhcNMzIw
+OTI2MTQxMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMYyroOUeb27mYzClOrjCmgIceLalsFA0aVCh5mZ
+KtP8+1U3oq/7exP30gXiJojxW7xoerfyQY9s0Sz5YYbxYbuskFOYEtyAILB/pxgd
++k+J3tlZKolpfmo7WT5tZiHxH/zjrtAYGnuB2xPHRMCWh/tHYrELgXQuilNol24y
+GBa1plTlARy0aKEDUHp87WLhD2qH7B8sFlLgo0+gunE1UtR2HMSPF45w3VXszyG6
+fJNrAj0yPnKy3Dm1BMO3jDO2e0A9lCQ71a4j4TeKePfCk1xCArSu6PpiwiacKplF
+c6CRR6KrWVm2g+8Y2hFcOBG/Py2xusm3PWbpylGq6vtFRkkCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEFxD6BQwQO5
+xsJ+3cvZypsnh6dDMB8GA1UdIwQYMBaAFEFxD6BQwQO5xsJ+3cvZypsnh6dDMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQB5zTeIhV/3
+3Am6O144EFtnIeaZ2w0D6aEHqHAZp50vJv3+uQfOliCOzgw7VDxI4Zz2JALjlR/i
+uOYHsu3YIRMIOmPOjqrdDJa6auB0ufL4oUPfCRln7Fh0f3JVlz3BUoHsSDt949p4
+g0nnsciL2JHuzlqjn7Jyt3L7dAHrlFKulCcuidG5D3cqXrRCbF83f+k3TC/HRiNd
+25oMi7I4MP/SOCdfQGUGIsHIf/0hSm3pNjDOrC/XuI/8gh2f5io+Y8V+hMwMBcm4
+JbH8bdyBB+EIhsNbTwf2MWntD5bmg47sf7hh23aNvKXI67Li1pTI2t1CqiGnFR0U
+fCEpeaEAHs0k
+-----END CERTIFICATE-----

snap/vars

@@ -0,0 +1,9 @@
+BROKER_ID=broker.dev.ccp-it.dktk.dkfz.de
+BROKER_URL=https://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
+REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem