fix: cce

Merge remote-tracking branch 'origin/hotfix/itcc' into hotfix/itcc
deactivate secret sync (which never worked for itcc/cce)
2026-04-17 18:30:14 +02:00 · 2025-10-28 09:23:58 +01:00 · 2025-10-28 09:20:58 +01:00 · 2025-10-28 09:19:34 +01:00 · 2025-10-28 09:19:08 +01:00 · 2025-10-28 09:19:08 +01:00
42 changed files with 70 additions and 658 deletions
--- a/README.md
+++ b/README.md
@@ -27,7 +27,6 @@ This repository is the starting point for any information and tools you will nee
    - [Teiler (Frontend)](#teiler-frontend)
    - [Data Exporter Service](#data-exporter-service)
      - [Data Quality Report](#data-quality-report)
    - [Data Quality Agent](#data-quality-agent)
 4. [Things you should know](#things-you-should-know)
    - [Auto-Updates](#auto-updates)
    - [Auto-Backups](#auto-backups)
@@ -319,12 +318,6 @@ To enable it, you will need to explicitly set the username and password variable
 DS_DIRECTORY_USER_NAME=your_directory_username
 DS_DIRECTORY_USER_PASS=your_directory_password
 ```
 Alternatively, if you have obtained a token from the Directory, you can insert the following into the configuration file:
 ```
 DS_DIRECTORY_USER_TOKEN=your_directory_token
 ```
 If you don't supply any authentification information (either login credentials or a token), Directory sync will not start.
 Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
 The following environment variables can be used from within your config file to control the behavior of Directory sync:
@@ -332,13 +325,12 @@ The following environment variables can be used from within your config file to
 | Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
 |:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
 | DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
-| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory                                                                                                                                |                                        |
+| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
-| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory                                                                                                                                 |                                        |
+| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
 | DS_DIRECTORY_USER_TOKEN            | Token for logging in to Directory                                                                                                                                    |                                        |
 | DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
 | DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
 | DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
-| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 30 22 * * *                            |
+| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
 | DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
 | DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
@@ -425,32 +417,6 @@ ENABLE_EXPORTER=true
 ```
 [For further information](docs/exporter.md)  
 ### Data Quality Agent
 The Data Quality Agent is an optional module that periodically evaluates the quality of FHIR data stored in Blaze. It generates local data quality reports accessible via the Bridgehead web interface.
 To enable the service, set the following variable in your `<PROJECT>.conf` file:
 ```bash
 ENABLE_DATA_QUALITY_AGENT=true
 ```
 #### Sharing Data Quality Reports (recommended)
 We encourage sharing your data quality reports with the central BBMRI-ERIC quality dashboard. The reports contain only aggregated, non-patient-identifiable statistics and help the network to monitor and improve overall data quality. However, quality reporting is completely optional and opt-in.
 To opt in, additionally set the following variables in your `<PROJECT>.conf` file:
 ```bash
 DATA_QUALITY_SERVER_URL=https://quality-dashboard.bbmri-eric.eu
 DATA_QUALITY_SERVER_NAME=Central Data Quality Server of BBMRI
 ```
 If these variables are not set, the Data Quality Agent will still run and generate local reports, but no data will be shared externally.
 Reports are accessible at `https://<your-host>/bbmri-data-quality-agent` (default credentials are admin:admin, please change it after first login!!).
 [Official documentation](https://fdqf.bbmri-eric.eu/user/deployment.html)
 ## Things you should know
 ### Auto-Updates
--- a/bbmri/modules/data-quality-agent-compose.yml
+++ b/bbmri/modules/data-quality-agent-compose.yml
@@ -1,23 +0,0 @@
 version: "3.7"
 services:
  data-quality-agent:
    image: ghcr.io/bbmri-cz/data-quality-server:${DATA_QUALITY_AGENT_TAG}
    container_name: bridgehead-bbmri-data-quality-agent
    environment:
      APP_SETTING_FHIR_URL: http://bridgehead-bbmri-blaze:8080/fhir
      REPORTING_SERVER_URL: ${DATA_QUALITY_SERVER_URL}
      REPORTING_SERVER_NAME: ${DATA_QUALITY_SERVER_NAME}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.data_quality_agent_bbmri.rule=PathPrefix(`/bbmri-data-quality-agent`)"
      - "traefik.http.services.data_quality_agent_bbmri.loadbalancer.server.port=8082"
      - "traefik.http.routers.data_quality_agent_bbmri.tls=true"
      - "traefik.http.middlewares.data_quality_agent_bbmri_strip.stripprefix.prefixes=/bbmri-data-quality-agent"
      - "traefik.http.routers.data_quality_agent_bbmri.middlewares=data_quality_agent_bbmri_strip,auth"
    depends_on:
      - "blaze"
    volumes:
      - /var/cache/bridgehead/bbmri/agent-db:/app/data
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
--- a/bbmri/modules/data-quality-agent-setup.sh
+++ b/bbmri/modules/data-quality-agent-setup.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [ "$ENABLE_DATA_QUALITY_AGENT" == "true" ]; then
    log INFO "Data Quality Agent setup detected -- will start data-quality-agent service."
    OVERRIDE+=" -f ./$PROJECT/modules/data-quality-agent-compose.yml"
 fi
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@@ -7,8 +7,7 @@ services:
      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
      DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
-      DS_DIRECTORY_USER_TOKEN: ${DS_DIRECTORY_USER_TOKEN}
+      DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
      DS_TIMER_CRON: ${DS_TIMER_CRON:-30 22 * * *}
      DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
@@ -17,6 +16,3 @@ services:
      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
    depends_on:
      - "blaze"
    volumes:
      - /etc/localtime:/etc/localtime:ro # inherit host timezone
      - /etc/timezone:/etc/timezone:ro   # inherit host timezone name
--- a/bbmri/modules/directory-sync.sh
+++ b/bbmri/modules/directory-sync.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-if [ -n "${DS_DIRECTORY_USER_NAME}" ] || [ -n "${DS_DIRECTORY_USER_TOKEN}" ]; then
+if [ -n "${DS_DIRECTORY_USER_NAME}" ]; then
 	log INFO "Directory sync setup detected -- will start directory sync service."
 	OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml"
 fi
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@@ -11,7 +11,6 @@ services:
      BLAZE_URL: "http://blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy-eric:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      OBFUSCATE_BBMRI_ERIC_WAY: "true"
    depends_on:
      - "beam-proxy-eric"
      - "blaze"
--- a/6
+++ b/6
@@ -35,9 +35,6 @@ case "$PROJECT" in
 	cce)
 		#nothing extra to do
 		;;
 	pscc)
 		#nothing extra to do
 		;;
 	itcc)
 		#nothing extra to do
 		;;
@@ -47,9 +44,6 @@ case "$PROJECT" in
 	dhki)
 		#nothing extra to do
 		;;
 	nngm)
 		#nothing extra to do
 		;;
 	minimal)
 		#nothing extra to do
 		;;
--- a/cce/docker-compose.yml
+++ b/cce/docker-compose.yml
@@ -22,7 +22,7 @@ services:
      - "traefik.http.routers.blaze_cce.tls=true"
  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -34,6 +34,7 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
      CQL_PROJECTS_ENABLED: "cce"
    volumes:
      - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
--- a/cce/modules/lens-compose.yml
+++ b/cce/modules/lens-compose.yml
@@ -1,46 +1,33 @@
 version: "3.7"
 services:
-  lens:
+  landing:
    container_name: lens_federated-search
-    image: samply/cce-explorer:main
+    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    environment:
      PUBLIC_SPOT_URL: https://${HOST}/prod
    labels:
      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.routers.lens.tls=true"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
      - "traefik.http.routers.landing.tls=true"
  spot:
-    image: samply/rustyspot:latest
+    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      HTTP_PROXY: ${HTTP_PROXY_URL}
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      NO_PROXY: beam-proxy
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_PROXY_URL: http://beam-proxy:8081
+      BEAM_URL: http://beam-proxy:8081
-      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
+      BEAM_PROXY_ID: ${SITE_ID}
-      CORS_ORIGIN: "https://${HOST}"
+      BEAM_BROKER_ID: ${BROKER_ID}
-      SITES: ${SITES}
+      BEAM_APP_ID: "focus"
-      TRANSFORM: LENS
+      PROJECT_METADATA: "cce"
      PROJECT: cce
      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8055"
+      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
  beam-proxy:
    environment:
      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/cce/modules/osiris2fhir-setup.sh
+++ b/cce/modules/osiris2fhir-setup.sh
@@ -1,6 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_OSIRIS2FHIR" ]; then
  log INFO "OSIRIS2FHIR-REST setup detected -- will start osiris2fhir module."
  OVERRIDE+=" -f ./pscc/modules/osiris2fhir-compose.yml"
  LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 fi
--- a/cce/vars
+++ b/cce/vars
@@ -11,4 +11,4 @@ for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
-done
+done
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -66,7 +66,6 @@ services:
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
      - TZ=Europe/Berlin
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@@ -15,14 +15,14 @@ services:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_itcc.rule=Host(`${HOST}`) && PathPrefix(`/itcc-localdatamanagement`)"
+      - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)"
      - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
      - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
      - "traefik.http.routers.blaze_itcc.tls=true"
  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -34,6 +34,7 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
      CQL_PROJECTS_ENABLED: "itcc"
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
--- a/itcc/modules/itcc-omics-ingest.sh
+++ b/itcc/modules/itcc-omics-ingest.sh
@@ -1,6 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_OMICS" ];then
  OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml"
  GENERATE_API_KEY="$(generate_simple_password 'omics')"
 fi
--- a/itcc/modules/itcc-omics-ingest.yaml
+++ b/itcc/modules/itcc-omics-ingest.yaml
@@ -1,14 +0,0 @@
 services:
  omics-endpoint:
    image: ghcr.io/samply/itcc-omics-ingest:main
    environment:
      - API_KEY=${GENERATE_API_KEY}
    volumes:
      - /var/cache/bridgehead/omics/data:/data/uploads
    labels:
      - "traefik.http.routers.omics.rule=Host(`${HOST}`) && PathPrefix(`/api/omics`)"
      - "traefik.enable=true"
      - "traefik.http.services.omics.loadbalancer.server.port=6080"
      - "traefik.http.routers.omics.tls=true"
      - "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api"
      - "traefik.http.routers.omics.middlewares=omics-stripprefix"
--- a/itcc/modules/lens-compose.yml
+++ b/itcc/modules/lens-compose.yml
@@ -1,47 +1,33 @@
 version: "3.7"
 services:
-  itcc-explorer:
+  landing:
-    container_name: lens_itcc_explorer
+    container_name: lens_federated-search
-    image: samply/itcc-explorer:main
+    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    environment:
      HOST: "0.0.0.0"
      BIND_ADDR: "0.0.0.0:3000"
      PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.itcc.rule=Host(`${HOST}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.routers.itcc.entrypoints=websecure"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.services.itcc.loadbalancer.server.port=3000"
+      - "traefik.http.routers.landing.tls=true"
      - "traefik.http.routers.itcc.tls=true"
  spot:
-    image: samply/rustyspot:latest
+    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_PROXY_URL: http://beam-proxy:8081
+      BEAM_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
+      BEAM_APP_ID: "focus"
-      CORS_ORIGIN: "https://${HOST}"
+      PROJECT_METADATA: "itcc"
      SITES: ${SITES}
      TRANSFORM: LENS
      PROJECT: "itcc"
      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8055"
+      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
  beam-proxy:
    environment:
      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/itcc/vars
+++ b/itcc/vars
@@ -6,7 +6,6 @@ FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 PUBLIC_ENVIRONMENT=prod
 for module in $PROJECT/modules/*.sh
 do
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@@ -12,8 +12,7 @@ services:
      BASE_URL: "http://bridgehead-kr-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/kr/modules/export-and-qb.curl-templates
+++ b/kr/modules/export-and-qb.curl-templates
@@ -0,0 +1,6 @@
 # Full Excel Export
 curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
 --header 'x-api-key: ${EXPORT_API_KEY}'
 # QB
 curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'
--- a/kr/modules/lens-compose.yml
+++ b/kr/modules/lens-compose.yml
@@ -4,41 +4,32 @@ services:
    deploy:
      replicas: 1 #reactivate if lens is in use
    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/kr-explorer:main
+    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    environment:
      PUBLIC_SPOT_URL: https://${HOST}/prod
    labels:
      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.routers.lens.tls=true"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
      - "traefik.http.routers.landing.tls=true"
  spot:
-    image: samply/rustyspot:latest
+    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_PROXY_URL: http://beam-proxy:8081
+      BEAM_URL: http://beam-proxy:8081
-      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
+      BEAM_PROXY_ID: ${SITE_ID}
-      CORS_ORIGIN: "https://${HOST}"
+      BEAM_BROKER_ID: ${BROKER_ID}
-      SITES: ${SITES}
+      BEAM_APP_ID: "focus"
-      TRANSFORM: LENS
+      PROJECT_METADATA: "kr_supervisors"
      PROJECT: kr
      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8055"
+      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
+      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
  beam-proxy:
    environment:
      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
--- a/kr/vars
+++ b/kr/vars
@@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=p.delpy@dkfz-heidelberg.de
+SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -54,7 +54,7 @@ checkOwner(){
 printUsage() {
 	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|check|install|uninstall|adduser|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki|nngm"
+	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
 }
 checkRequirements() {
@@ -327,7 +327,7 @@ function sync_secrets() {
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$proxy_id \
        -e BROKER_URL=$broker_url \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
+        -e OIDC_PROVIDER=secret-sync-central.test-secret-sync.$broker_id \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
@@ -337,8 +337,7 @@ function sync_secrets() {
 }
 function secret_sync_gitlab_token() {
-    if [[ "$PROJECT" != "ccp" && "$PROJECT" != "bbmri" ]]; then
+    if [[ "$PROJECT" != "dktk" && "$PROJECT" != "bbmri" ]]; then
        log "INFO" "Not running Secret Sync for project minimal"
        return
    fi
    # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
@@ -398,7 +397,7 @@ function secret_sync_gitlab_token() {
    else
        log "WARN" "Secret Sync failed"
        # Remove the git credential helper
-        git -C /etc/bridgehead config --unset credential.helper
+        git -C /etc/bridgehead config --unset credential.helpera
    fi
    # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -55,9 +55,6 @@ case "$PROJECT" in
 	cce)
 		site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/"
 		;;
 	pscc)
 		site_configuration_repository_middle="git.verbis.dkfz.de/pscc-sites/"
 		;;
 	itcc)
 		site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
        ;;
@@ -70,9 +67,6 @@ case "$PROJECT" in
 	dhki)
 		site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
 		;;
 	nngm)
 		site_configuration_repository_middle="git.verbis.dkfz.de/nngm/"
 		;;
 	minimal)
 		site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
 		;;
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -66,7 +66,6 @@ services:
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
      - TZ=Europe/Berlin
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
--- a/nngm/docker-compose.yml
+++ b/nngm/docker-compose.yml
@@ -1,65 +0,0 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-nngm-blaze
    environment:
      BASE_URL: "http://bridgehead-nngm-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_nngm.rule=PathPrefix(`/nngm-localdatamanagement`)"
      - "traefik.http.middlewares.nngm_b_strip.stripprefix.prefixes=/nngm-localdatamanagement"
      - "traefik.http.services.blaze_nngm.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_nngm.middlewares=nngm_b_strip,auth"
      - "traefik.http.routers.blaze_nngm.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
    - API_KEY=${FOCUS_BEAM_SECRET_SHORT}
    - BEAM_APP_ID_LONG=focus.${PROXY_ID}
    - PROXY_ID=${PROXY_ID}
    - BLAZE_URL=http://bridgehead-nngm-blaze:8080/fhir/
    - BEAM_PROXY_URL=http://beam-proxy:8081
    - RETRY_COUNT=${FOCUS_RETRY_COUNT}
    - EPSILON=0.28
    - ENDPOINT_TYPE=${FOCUS_ENDPOINT_TYPE:-blaze}
    - CQL_PROJECTS_ENABLED
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/nngm/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/nngm/modules/exporter-compose.yml
+++ b/nngm/modules/exporter-compose.yml
@@ -1,72 +0,0 @@
 version: "3.7"
 services:
  exporter:
    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
    container_name: bridgehead-nngm-exporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      CROSS_ORIGINS: "https://${HOST}"
      EXPORTER_DB_USER: "exporter"
      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
      HTTP_RELATIVE_PATH: "/nngm-exporter"
      SITE: "${SITE_ID}"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.exporter_nngm.rule=PathPrefix(`/nngm-exporter`)"
      - "traefik.http.services.exporter_nngm.loadbalancer.server.port=8092"
      - "traefik.http.routers.exporter_nngm.tls=true"
      - "traefik.http.middlewares.exporter_nngm_strip.stripprefix.prefixes=/nngm-exporter"
      - "traefik.http.routers.exporter_nngm.middlewares=exporter_nngm_strip"
    volumes:
      - "/var/cache/bridgehead/nngm/exporter-files:/app/exporter-files/output"
  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-nngm-exporter-db
    environment:
      POSTGRES_USER: "exporter"
      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
      - "/var/cache/bridgehead/nngm/exporter-db:/var/lib/postgresql/data"
  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
    container_name: bridgehead-nngm-reporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      CROSS_ORIGINS: "https://${HOST}"
      HTTP_RELATIVE_PATH: "/nngm-reporter"
      SITE: "${SITE_ID}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      EXPORTER_URL: "http://exporter:8092"
      LOG_FHIR_VALIDATION: "false"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
    # a process that can take several hours, because it depends on the exporter.
    # There is a risk that the bridgehead restarts, losing the already created export.
    volumes:
      - "/var/cache/bridgehead/nngm/reporter-files:/app/reports"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_nngm.rule=PathPrefix(`/nngm-reporter`)"
      - "traefik.http.services.reporter_nngm.loadbalancer.server.port=8095"
      - "traefik.http.routers.reporter_nngm.tls=true"
      - "traefik.http.middlewares.reporter_nngm_strip.stripprefix.prefixes=/nngm-reporter"
      - "traefik.http.routers.reporter_nngm.middlewares=reporter_nngm_strip"
  focus:
    environment:
      EXPORTER_URL: "http://exporter:8092"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
--- a/nngm/modules/exporter-setup.sh
+++ b/nngm/modules/exporter-setup.sh
@@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/nngm/modules/teiler-compose.yml
+++ b/nngm/modules/teiler-compose.yml
@@ -1,73 +0,0 @@
 version: "3.7"
 services:
  teiler-orchestrator:
    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
    container_name: bridgehead-teiler-orchestrator
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_orchestrator_nngm.rule=PathPrefix(`/nngm-teiler`)"
      - "traefik.http.services.teiler_orchestrator_nngm.loadbalancer.server.port=9000"
      - "traefik.http.routers.teiler_orchestrator_nngm.tls=true"
      - "traefik.http.middlewares.teiler_orchestrator_nngm_strip.stripprefix.prefixes=/nngm-teiler"
      - "traefik.http.routers.teiler_orchestrator_nngm.middlewares=teiler_orchestrator_nngm_strip"
    environment:
      TEILER_BACKEND_URL: "/nngm-teiler-backend"
      TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/nngm-teiler"
  teiler-dashboard:
    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_dashboard_nngm.rule=PathPrefix(`/nngm-teiler-dashboard`)"
      - "traefik.http.services.teiler_dashboard_nngm.loadbalancer.server.port=80"
      - "traefik.http.routers.teiler_dashboard_nngm.tls=true"
      - "traefik.http.middlewares.teiler_dashboard_nngm_strip.stripprefix.prefixes=/nngm-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_nngm.middlewares=teiler_dashboard_nngm_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "/nngm-teiler-backend"
      TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 # TODO: Replace dktk-teiler-backend with nngm-teiler-backend
  teiler-backend:
    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_backend_nngm.rule=PathPrefix(`/nngm-teiler-backend`)"
      - "traefik.http.services.teiler_backend_nngm.loadbalancer.server.port=8085"
      - "traefik.http.routers.teiler_backend_nngm.tls=true"
      - "traefik.http.middlewares.teiler_backend_nngm_strip.stripprefix.prefixes=/nngm-teiler-backend"
      - "traefik.http.routers.teiler_backend_nngm.middlewares=teiler_backend_nngm_strip"
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
      TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
      TEILER_DASHBOARD_DE_URL: "/nngm-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "/nngm-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
--- a/nngm/modules/teiler-setup.sh
+++ b/nngm/modules/teiler-setup.sh
@@ -1,8 +0,0 @@
 #!/bin/bash -e
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=DE
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
 fi
--- a/nngm/root.crt.pem
+++ b/nngm/root.crt.pem
@@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUWHMDQFPJR5y8RKZ5FC72iOOla4kwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMDI3MTQwMjU1WhcNMzUx
 MDI1MTQwMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAKoghRqAo6s9xjDao+ZC9HpZDBgzOgRMRHrl352k
 Y0Gti1p3m8ldwVQV+nlBE6g/Dowo+iaOwUBiHMHOI2BK7vqkGNp0tZ63ZKR4cyOD
 hCDOl71lWxjYD5XmF7l/SbrLFfET0EEorhLDDOMuWrNpxKFfKdvhld6K5BZ3oSfH
 /5W5y5jWRFWEYRzddzil2GOiU2vzAygA0I1nr5oHCgZoteDDXztAYHJ5vnPA9RNQ
 YFoe/5fVOiJo869zYyBwMuY/dV5ff7eIe/HRKzFLZ6iJEOJcBFWx/aWEvj5gSWxS
 x4OzkwoHsZOkRN9wSTXvdO5kPFzmPq8Nq7Hmw4tLVzP1eRECAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP9BHa86rz94
 nvMj2JhM5V3L3TWCMB8GA1UdIwQYMBaAFP9BHa86rz94nvMj2JhM5V3L3TWCMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCkWBXRUGx5
 XFWEEAVbAMcEuXAr6+HtSs+NTORQ01LhNST8Z9HhOaAjfH/dJiLvOjHvOuiOK9y9
 ZGkIIwqkkbhlv1ZcfQBWXh+xDNbq9Q2MaIWY3ZzPTKFgNkxFcEF43MMB+o5pK1Bf
 jJIiSxuEfM0yHg9o+jc3V3XRhU9leXNPkfJezTGfVuWr/B/kTmnQ8zrOCapB+NnX
 vuu1ayNyXflDkj8Gg0X4TarxGhSP6Dpxd9ViEQD9DFG8q42bH0mYveHcAIUN0FJX
 4F2NChiL7dCSFFe6xKdRFDtNe12JrHRjU1rMAcxhYjBRbqt2o2HfDPajSJrhRheY
 T35rRWxDupkP
 -----END CERTIFICATE-----
--- a/nngm/vars
+++ b/nngm/vars
@@ -1,32 +0,0 @@
 BROKER_ID=broker.nngm.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 # TODO: Add real nNGM-Support email
 SUPPORT_EMAIL=support-nngm@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 # TODO: Replace with nNGM OIDC Server
 OIDC_USER_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 OIDC_PSP_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_PSP"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
 OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
 OIDC_PRIVATE_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PRIVATE_CLIENT_ID}/"
 OIDC_GROUP_CLAIM="groups"
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
--- a/pscc/docker-compose.yml
+++ b/pscc/docker-compose.yml
@@ -1,67 +0,0 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-pscc-blaze
    environment:
      BASE_URL: "http://bridgehead-pscc-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_pscc.rule=PathPrefix(`/pscc-localdatamanagement`)"
      - "traefik.http.middlewares.pscc_b_strip.stripprefix.prefixes=/pscc-localdatamanagement"
      - "traefik.http.services.blaze_pscc.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_pscc.middlewares=pscc_b_strip,auth"
      - "traefik.http.routers.blaze_pscc.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      BEAM_APP_ID_LONG: focus.${PROXY_ID}
      PROXY_ID: ${PROXY_ID}
      BLAZE_URL: "http://bridgehead-pscc-blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/pscc/root.crt.pem:/conf/root.crt.pem:ro
  landing:
    profiles: [deactivated]
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/pscc/modules/lens-compose.yml
+++ b/pscc/modules/lens-compose.yml
@@ -1,40 +0,0 @@
 version: "3.7"
 services:
  lens:
    container_name: lens-federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
      - "traefik.http.routers.lens.tls=true"
  spot:
    image: samply/rustyspot:latest
    platform: linux/amd64
    environment:
      HTTP_PROXY: ${HTTP_PROXY_URL}
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      NO_PROXY: beam-proxy
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
      BEAM_PROXY_URL: http://beam-proxy:8081
      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
      CORS_ORIGIN: "https://${HOST}"
      SITES: ${SITES}
      TRANSFORM: LENS
      PROJECT: pscc
      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.spot.loadbalancer.server.port=8055"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
--- a/pscc/modules/lens-setup.sh
+++ b/pscc/modules/lens-setup.sh
@@ -1,5 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_LENS" ];then
  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
 fi
--- a/pscc/modules/osiris2fhir-compose.yml
+++ b/pscc/modules/osiris2fhir-compose.yml
@@ -1,15 +0,0 @@
 services:
  osiris2fhir:
    container_name: bridgehead-osiris2fhir
    image: docker.verbis.dkfz.de/ccp/osiris2fhir
    environment:
      FHIR_PROFILE: ${PROJECT:-pscc}
      LOG_LEVEL: ${LOG_LEVEL:-INFO}
      SALT: ${LOCAL_SALT}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.osiris2fhir.rule=PathPrefix(`/osiris2fhir`)"
      - "traefik.http.middlewares.osiris2fhir_strip.stripprefix.prefixes=/osiris2fhir"
      - "traefik.http.services.osiris2fhir.loadbalancer.server.port=8080"
      - "traefik.http.routers.osiris2fhir.tls=true"
      - "traefik.http.routers.osiris2fhir.middlewares=osiris2fhir_strip,auth"
--- a/pscc/modules/osiris2fhir-setup.sh
+++ b/pscc/modules/osiris2fhir-setup.sh
@@ -1,6 +0,0 @@
 #!/bin/bash
 if [ -n "$ENABLE_OSIRIS2FHIR" ]; then
  log INFO "OSIRIS2FHIR-REST setup detected -- will start osiris2fhir module."
  OVERRIDE+=" -f ./pscc/modules/osiris2fhir-compose.yml"
  LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 fi
--- a/pscc/root.crt.pem
+++ b/pscc/root.crt.pem
@@ -1,20 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUVC1Y1tx0q5PNR33gArAyyBm8PMQwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMTAzMTQxODQ5WhcNMzUx
 MTAxMTQxOTE5WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAMB1yd7zkh7Io/ReQYindBcAdA1b4ogdVnrdSLRN
 N3zLSh6jN5KIXgs34BdRXx0so0m96q+9xlgacTXGRBn1Tu5SKMRyXdxnCLMzHAYU
 rNKhqF5HeZCYkVyh/tsAyFfDwZDVzsdX64V+0r5+raev2X0gJnlgmF83DIKjkVUS
 2+c+3BnXa9LOdXks0qygJjvaFyi+5MA3DinLnmMLCQ3yAvaZYWyP3xCnGIoVrZFq
 a+YioMCmHrbByuXPoZsXcFY7Z85LQkCtSVt1dH4kkN2/JehXG099nqwMqO8FpLZZ
 xG7/U3P/slX1MMLs97nqRCRoW7Cha2ci1NBYLll+34ekhxMCAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJHTpnuyIGHw
 yvC/mmh+S/JKYVrAMB8GA1UdIwQYMBaAFJHTpnuyIGHwyvC/mmh+S/JKYVrAMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQAeDc/k28yb
 I5MLC/LdaA+MKsW2FWF9HT+tsbtltTaQIRnnkwfU/40Ius3gzUU5z+kPqq5+kxhy
 3T646Rbau85Zw24gdNmiVKAAG5ntKoQ7XnyR/06PYyXNGLqnb6aKvbcIPoWtU/+2
 8f5hHdQ/4271aHws7dKcBNWu9V5WmxMZ3YTfnBR5lEda+DhVwHqtmun8EpSbwthD
 aLLIOHJpetr+KWUVFHQdGbO23Qg1Else0Akcn5Gzf/sKkVCVxjHE6jeo4ZwHtstG
 KMoff+ETC+DL5kMZ4CV5VaQ4HxVK7N0qiUxmijWe+EyRZseum1c0s2OEi2L52Q9K
 P4N3yD4ed4p/
 -----END CERTIFICATE-----
--- a/pscc/vars
+++ b/pscc/vars
@@ -1,14 +0,0 @@
 BROKER_ID=broker.pscc.org
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=denis.koether@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
--- a/versions/acceptance
+++ b/versions/acceptance
@@ -1,7 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
-BLAZE_TAG=0.32
+BLAZE_TAG=main
 POSTGRES_TAG=15.13-alpine
 TEILER_DASHBOARD_TAG=develop
-MTBA_TAG=develop
+MTBA_TAG=develop
 DATA_QUALITY_AGENT_TAG=latest
--- a/versions/prod
+++ b/versions/prod
@@ -3,5 +3,4 @@ BEAM_TAG=main
 BLAZE_TAG=0.32
 POSTGRES_TAG=15.13-alpine
 TEILER_DASHBOARD_TAG=main
-MTBA_TAG=main
+MTBA_TAG=main
 DATA_QUALITY_AGENT_TAG=0.1
--- a/versions/test
+++ b/versions/test
@@ -1,7 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
-BLAZE_TAG=0.32
+BLAZE_TAG=main
 POSTGRES_TAG=15.13-alpine
 TEILER_DASHBOARD_TAG=develop
-MTBA_TAG=develop
+MTBA_TAG=develop
 DATA_QUALITY_AGENT_TAG=latest
Author	SHA1	Message	Date
Pierre Delpy	372b9b0591	fix: cce	2025-10-28 09:23:58 +01:00
Pierre Delpy	3c0d4ae7c6	Merge remote-tracking branch 'origin/hotfix/itcc' into hotfix/itcc	2025-10-28 09:20:58 +01:00
Pierre Delpy	e3123f8837	deactivate secret sync (which never worked for itcc/cce)	2025-10-28 09:19:34 +01:00
Pierre Delpy	0d86100a0d	"fixed itcc param"	2025-10-28 09:19:08 +01:00
Pierre Delpy	187c6e6412	hotfix: make itcc lens 1 work again with legacy CQL	2025-10-28 09:19:08 +01:00
Pierre Delpy	3c5b8a70b1	deactivate secret sync (which never worked for itcc/cce)	2025-10-14 08:28:56 +02:00
Pierre Delpy	4a0f2e609d	"fixed itcc param"	2025-10-13 08:27:35 +02:00
Pierre Delpy	15a6000356	hotfix: make itcc lens 1 work again with legacy CQL	2025-10-10 13:51:50 +02:00