samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2025-06-16 21:50:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: samply:ovis
Branches Tags
samply:main samply:transfair-cli samply:develop samply:feature/exporter-docu samply:test/teiler-dashboard samply:feature/add-pscc samply:feature/authentik samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:prototype/beamFile samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:ovis samply:test/airgapped-blaze samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:Threated-patch-1 samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:feat/central-rstudio samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration
..
compare: samply:refactor/independent-modules
Branches Tags
samply:transfair-cli samply:develop samply:feature/exporter-docu samply:main samply:test/teiler-dashboard samply:feature/add-pscc samply:feature/authentik samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:prototype/beamFile samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:ovis samply:test/airgapped-blaze samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:Threated-patch-1 samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:feat/central-rstudio samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration

1 Commits
ovis ... refactor/i

Author SHA1 Message Date
p.delpy@dkfz-heidelberg.de
e740c0410e refactor: put all modules in a common directory to remove redundancy 2024-09-13 08:25:21 +02:00
82 changed files with 249 additions and 1254 deletions
Expand all files Collapse all files

39
.github/scripts/rename_inactive_branches.py vendored
View File

@ -1,39 +0,0 @@
import os
import requests
from datetime import datetime, timedelta
# Configuration
GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
REPO = 'samply/bridgehead'
HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'}
API_URL = f'https://api.github.com/repos/{REPO}/branches'
INACTIVE_DAYS = 365
CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS)
# Fetch all branches
def get_branches():
response = requests.get(API_URL, headers=HEADERS)
response.raise_for_status()
return response.json() if response.status_code == 200 else []
# Rename inactive branches
def rename_branch(old_name, new_name):
rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename'
response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS)
response.raise_for_status()
print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}")
# Check if the branch is inactive
def is_inactive(commit_url):
last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date']
return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE
# Rename inactive branches
def main():
for branch in get_branches():
if is_inactive(branch['commit']['url']):
#rename_branch(branch['name'], f"archived/{branch['name']}")
print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'")
if __name__ == "__main__":
main()

27
.github/workflows/rename-inactive-branches.yml vendored
View File

@ -1,27 +0,0 @@
name: Cleanup - Rename Inactive Branches
on:
schedule:
- cron: '0 0 * * 0' # Runs every Sunday at midnight
jobs:
archive-stale-branches:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Libraries
run: pip install requests
- name: Run Script to Rename Inactive Branches
run: |
python .github/scripts/rename_inactive_branches.py
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

6
README.md
View File

@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
* git.verbis.dkfz.de
* To fetch docker images
* docker.verbis.dkfz.de
* Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
* Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
* hub.docker.com
* registry-1.docker.io
* production.cloudflare.docker.com
@ -154,7 +154,7 @@ Pay special attention to:
Clone the bridgehead repository:
```shell
sudo mkdir -p /srv/docker/
sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
```
Then, run the installation script:
@ -254,8 +254,6 @@ sh bridgehead uninstall
## Site-specific configuration
[How to Change Config Access Token](docs/update-access-token.md)
### HTTPS Access
Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).

5
bbmri/docker-compose.yml
View File

@ -4,14 +4,13 @@ version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-bbmri-blaze
environment:
BASE_URL: "http://bridgehead-bbmri-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "blaze-data:/app/data"

2
bbmri/modules/eric-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
focus-eric:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus-eric
environment:
API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}

2
bbmri/modules/gbn-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
focus-gbn:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus-gbn
environment:
API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}

49
bridgehead
View File

@ -53,44 +53,17 @@ case "$PROJECT" in
;;
esac
# Loads config variables and runs the projects setup script
loadVars() {
# Load variables from /etc/bridgehead and /srv/docker/bridgehead
set -a
# Source the project specific config file
source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
# Source the project specific local config file if present
# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
fi
# Set execution environment on main default to prod else test
if [[ -z "${ENVIRONMENT+x}" ]]; then
if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
ENVIRONMENT="production"
else
ENVIRONMENT="test"
fi
fi
# Source the versions of the images components
case "$ENVIRONMENT" in
"production")
source ./versions/prod
;;
"test")
source ./versions/test
;;
*)
report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
source ./versions/prod
;;
esac
fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
setHostname
optimizeBlazeMemoryUsage
# Run project specific setup if it exists
# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
# This is also where projects specify which modules to load
[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
set +a
@ -106,6 +79,26 @@ loadVars() {
fi
detectCompose
setupProxy
# Set some project-independent default values
: ${ENVIRONMENT:=production}
export ENVIRONMENT
case "$ENVIRONMENT" in
"production")
export FOCUS_TAG=main
export BEAM_TAG=main
;;
"test")
export FOCUS_TAG=develop
export BEAM_TAG=develop
;;
*)
report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
export FOCUS_TAG=main
export BEAM_TAG=main
;;
esac
}
case "$ACTION" in

2
cce/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-cce-blaze
environment:
BASE_URL: "http://bridgehead-cce-blaze:8080"

33
cce/modules/lens-compose.yml
View File

@ -1,33 +0,0 @@
version: "3.7"
services:
landing:
container_name: lens_federated-search
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
labels:
- "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)"
- "traefik.http.services.landing.loadbalancer.server.port=80"
- "traefik.http.routers.landing.tls=true"
spot:
image: docker.verbis.dkfz.de/ccp-private/central-spot
environment:
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_URL: http://beam-proxy:8081
BEAM_PROXY_ID: ${SITE_ID}
BEAM_BROKER_ID: ${BROKER_ID}
BEAM_APP_ID: "focus"
PROJECT_METADATA: "cce_supervisors"
depends_on:
- "beam-proxy"
labels:
- "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8080"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
- "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

5
cce/modules/lens-setup.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
if [ -n "$ENABLE_LENS" ];then
OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
fi

2
cce/vars
View File

@ -7,7 +7,7 @@ SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL
for module in $PROJECT/modules/*.sh
for module in common/*.sh
do
log DEBUG "sourcing $module"
source $module

9
ccp/docker-compose.yml
View File

@ -2,14 +2,13 @@ version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-ccp-blaze
environment:
BASE_URL: "http://bridgehead-ccp-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "blaze-data:/app/data"
@ -22,7 +21,7 @@ services:
- "traefik.http.routers.blaze_ccp.tls=true"
focus:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus
environment:
API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@ -33,7 +32,6 @@ services:
RETRY_COUNT: ${FOCUS_RETRY_COUNT}
EPSILON: 0.28
QUERIES_TO_CACHE: '/queries_to_cache.conf'
ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
volumes:
- /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
depends_on:
@ -59,6 +57,7 @@ services:
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
volumes:
blaze-data:

99
ccp/modules/dnpm-node-compose.yml
View File

@ -1,99 +0,0 @@
version: "3.7"
services:
dnpm-mysql:
image: mysql:9
healthcheck:
test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
interval: 3s
timeout: 5s
retries: 5
environment:
MYSQL_ROOT_HOST: "%"
MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
volumes:
- /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
dnpm-authup:
image: authup/authup:latest
container_name: bridgehead-dnpm-authup
volumes:
- /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
depends_on:
dnpm-mysql:
condition: service_healthy
command: server/core start
environment:
- PUBLIC_URL=https://${HOST}/auth/
- AUTHORIZE_REDIRECT_URL=https://${HOST}
- ROBOT_ADMIN_ENABLED=true
- ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
- ROBOT_ADMIN_SECRET_RESET=true
- DB_TYPE=mysql
- DB_HOST=dnpm-mysql
- DB_USERNAME=root
- DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
- DB_DATABASE=auth
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
- "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
- "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
- "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
- "traefik.http.routers.dnpm-auth.tls=true"
dnpm-portal:
image: ghcr.io/dnpm-dip/portal:latest
container_name: bridgehead-dnpm-portal
environment:
- NUXT_API_URL=http://dnpm-backend:9000/
- NUXT_PUBLIC_API_URL=https://${HOST}/api/
- NUXT_AUTHUP_URL=http://dnpm-authup:3000/
- NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
labels:
- "traefik.enable=true"
- "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
- "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
- "traefik.http.routers.dnpm-frontend.tls=true"
dnpm-backend:
container_name: bridgehead-dnpm-backend
image: ghcr.io/dnpm-dip/backend:latest
environment:
- LOCAL_SITE=${ZPM_SITE}:${SITE_NAME} # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
- RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
- MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
- HATEOAS_HOST=https://${HOST}
- CONNECTOR_TYPE=broker
- AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
volumes:
- /etc/bridgehead/dnpm/config:/dnpm_config
- /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
depends_on:
dnpm-authup:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
# expose everything
- "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
- "traefik.http.routers.dnpm-backend.tls=true"
- "traefik.http.routers.dnpm-backend.service=dnpm-backend"
# except ETL
- "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
- "traefik.http.routers.dnpm-backend-etl.tls=true"
- "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
# this needs an ETL processor with support for basic auth
- "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
# except peer-to-peer
- "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
- "traefik.http.routers.dnpm-backend-peer.tls=true"
- "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
- "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
# this effectively denies all requests
# this is okay, because requests from peers don't go through Traefik
- "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
landing:
labels:
- "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"

16
ccp/modules/dnpm-node-setup.sh
View File

@ -1,16 +0,0 @@
#!/bin/bash
if [ -n "${ENABLE_DNPM_NODE}" ]; then
log INFO "DNPM setup detected -- will start DNPM:DIP node."
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
if [ -z "${ZPM_SITE+x}" ]; then
log ERROR "Mandatory variable ZPM_SITE not defined!"
exit 1
fi
mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
fi

72
ccp/modules/exporter-compose.yml
View File

@ -1,72 +0,0 @@
version: "3.7"
services:
exporter:
image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
container_name: bridgehead-ccp-exporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
CROSS_ORIGINS: "https://${HOST}"
EXPORTER_DB_USER: "exporter"
EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
HTTP_RELATIVE_PATH: "/ccp-exporter"
SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
- "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
- "traefik.http.routers.exporter_ccp.tls=true"
- "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
- "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
volumes:
- "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
exporter-db:
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
container_name: bridgehead-ccp-exporter-db
environment:
POSTGRES_USER: "exporter"
POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
POSTGRES_DB: "exporter"
volumes:
# Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
reporter:
image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
container_name: bridgehead-ccp-reporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
CROSS_ORIGINS: "https://${HOST}"
HTTP_RELATIVE_PATH: "/ccp-reporter"
SITE: "${SITE_ID}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
EXPORTER_URL: "http://exporter:8092"
LOG_FHIR_VALIDATION: "false"
HTTP_SERVLET_REQUEST_SCHEME: "https"
# In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
# However, in the first executions in the CCP sites, this volume seems to be very important. A report is
# a process that can take several hours, because it depends on the exporter.
# There is a risk that the bridgehead restarts, losing the already created export.
volumes:
- "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
labels:
- "traefik.enable=true"
- "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
- "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
- "traefik.http.routers.reporter_ccp.tls=true"
- "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
- "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
focus:
environment:
EXPORTER_URL: "http://exporter:8092"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"

8
ccp/modules/exporter-setup.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash -e
if [ "$ENABLE_EXPORTER" == true ]; then
log INFO "Exporter setup detected -- will start Exporter service."
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
fi

112
ccp/modules/ovis-compose.yml
View File

@ -1,112 +0,0 @@
version: '3.7'
services:
ovis-traefik-forward-auth:
image: quay.io/oauth2-proxy/oauth2-proxy:latest
environment:
- http_proxy=${http_proxy:-http://forward_proxy:3128}
- https_proxy=${https_proxy:-http://forward_proxy:3128}
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_OIDC_ISSUER_URL=${OAUTH_ISSUER_URL}
- OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET}
- OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST:-localhost}
- OAUTH2_PROXY_COOKIE_REFRESH=4m
- OAUTH2_PROXY_COOKIE_EXPIRE=24h
- OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true
- OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST:-localhost}
- OAUTH2_PROXY_UPSTREAMS=static://202
- OAUTH2_PROXY_EMAIL_DOMAINS=*
#- OAUTH2_PROXY_ALLOWED_GROUPS=app-ovis
#- OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
- OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
# For some reason, login.verbis.dkfz.de does not have a "groups" scope but this comes automatically through a
# scope called microprofile-jwt. Remove the following line once we have a "groups" scope.
- OAUTH2_PROXY_SCOPE=openid profile email
# Pass Authorization Header and some user information to spot
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.address=http://ovis-traefik-forward-auth:4180"
- "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email"
- "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/oauth2-ovis/`)"
- "traefik.http.routers.oauth2.tls=true"
fhir-transformer:
image: docker.verbis.dkfz.de/ovis/adt-mon-gql-fhir-transformer:latest
restart: on-failure
environment:
- FHIR_SERVER_URL=${FHIR_SERVER_URL:-http://bridgehead-ccp-blaze:8080/fhir}
- FHIR_USERNAME=${FHIR_USERNAME}
- FHIR_PASSWORD=${FHIR_PASSWORD}
volumes:
- /var/cache/bridgehead/ccp/ovis/shared_data:/app/output
mongo:
image: mongo:${MONGO_VER:-latest}
restart: always
command: mongod
- /var/cache/bridgehead/ccp/ovis/mongo/init/init.js:/docker-entrypoint-initdb.d/init.js
backend:
image: docker.verbis.dkfz.de/ovis/adt-mon-gql-backend:latest
restart: always
user: root
working_dir: /app
environment:
- APOLLO_PORT=${APOLLO_PORT:-4001}
- CREDOS_PORT=${CREDOS_PORT:-4000}
- MONGO_VER=latest
- CORS_ORIGIN=*
- DB=${DB:-onc_test}
- ADRESS=${ADRESS:-mongodb://mongo:27017}
depends_on:
- mongo
- fhir-transformer
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:${APOLLO_PORT:-4001}/health"]
interval: 5s
timeout: 3s
retries: 5
start_period: 10s
entrypoint: >
sh -c "
# First run the initialization process
while [ ! -f /shared/omock.json ]; do
echo 'Waiting for omock.json...'
sleep 5
done;
mkdir -p ./prep &&
cp /shared/omock.json ./prep/omock.json &&
node ./mgDB/prep/preprocessor.mjs &&
echo 'Processing complete' &&
exec node --watch index.js"
labels:
- "traefik.enable=true"
- "traefik.http.routers.ovis-backend.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/graphql`)"
- "traefik.http.routers.ovis-backend.tls=true"
- "traefik.http.services.ovis-backend.loadbalancer.server.port=${APOLLO_PORT:-4001}"
volumes:
- /var/cache/bridgehead/ccp/ovis/shared_data:/shared
frontend:
image: docker.verbis.dkfz.de/ovis/adt-mon-gql-frontend:latest
restart: always
environment:
- PUBLIC_GRAPHQL_URL=https://${HOST:-localhost}/graphql
depends_on:
backend:
condition: service_healthy
working_dir: /app
labels:
- "traefik.enable=true"
- "traefik.http.routers.ovis-frontend.tls=true"
- "traefik.http.routers.ovis-frontend.rule=Host(`${HOST:-localhost}`)"
- "traefik.http.routers.ovis-frontend.middlewares=traefik-forward-auth"
- "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173"

108
ccp/modules/ovis-setup.sh
View File

@ -1,108 +0,0 @@
#!/bin/bash -e
if [ -n "$ENABLE_OVIS" ];then
# Setup MongoDB initialization directory if it doesn't exist
mkdir -p "/var/cache/bridgehead/ccp/ovis/mongo/init"
# Generate MongoDB initialization script directly
cat > "/var/cache/bridgehead/ccp/ovis/mongo/init/init.js" << 'EOF'
db = db.getSiblingDB("test_credos");
db.createCollection("user");
db.user.insertMany([{
"_id": "OVIS-Root",
"createdAt": new Date(),
"createdBy": "system",
"role": "super-admin",
"status": "active",
"pseudonymization": false,
"darkMode": false,
"colorTheme": "CCCMunich",
"language": "de",
}]);
db = db.getSiblingDB("onc_test");
db.createCollection("user");
db.user.insertMany([{
"_id": "OVIS-Root",
"createdAt": new Date(),
"createdBy": "system",
"role": "super-admin",
"status": "active",
"pseudonymization": false,
"darkMode": false,
"colorTheme": "CCCMunich",
"language": "de",
}]);
db.ops.insertMany([
{"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an Nervensystem und endokrinen Organen "},
{"OPSC_4":"1-44","OPS_Gruppen_Text":"Biopsie ohne Inzision an den Verdauungsorganen"},
{"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an anderen Organen und Geweben"},
{"OPSC_4":"1-50","OPS_Gruppen_Text":"Biopsie an Haut, Mamma, Knochen und Muskeln durch Inzision"},
{"OPSC_4":"1-51","OPS_Gruppen_Text":"Biopsie an Nervengewebe, Hypophyse, Corpus pineale durch Inzision und Trepanation von Schädelknochen "},
{"OPSC_4":"1-55","OPS_Gruppen_Text":"Biopsie an anderen Verdauungsorganen, Zwerchfell und (Retro-)Peritoneum durch Inzision "},
{"OPSC_4":"1-56","OPS_Gruppen_Text":"Biopsie an Harnwegen und männlichen Geschlechtsorgannen durch Inzision"},
{"OPSC_4":"1-58","OPS_Gruppen_Text":"Biopsie an anderen Organen durch Inzision "},
{"OPSC_4":"1-63","OPS_Gruppen_Text":"Diagnostische Endoskopie des oberen Verdauungstraktes"},
{"OPSC_4":"1-65","OPS_Gruppen_Text":"Diagnostische Endoskopie des unteren Verdauungstraktes"},
{"OPSC_4":"1-69","OPS_Gruppen_Text":"Diagnostische Endoskopie durch Inzision und intraoperativ "},
{"OPSC_4":"5-01","OPS_Gruppen_Text":"Inzision (Trepanation) und Exzision an Schädel, Gehirn und Hirnhäuten"},
{"OPSC_4":"5-02","OPS_Gruppen_Text":"Andere Operationen an Schädel, Gehirn und Hirnhäuten"},
{"OPSC_4":"5-03","OPS_Gruppen_Text":"Operationen an Rückenmark, Rückenmarkhäuten und Spinalkanal"},
{"OPSC_4":"5-05","OPS_Gruppen_Text":"Andere Operationen an Nerven und Nervenganglien "},
{"OPSC_4":"5-06","OPS_Gruppen_Text":"Operationen an Schilddrüse und Nebenschilddrüse "},
{"OPSC_4":"5-07","OPS_Gruppen_Text":"Operationen an anderen endokrinen Drüsen "},
{"OPSC_4":"5-20","OPS_Gruppen_Text":"Andere Operationen an Mittel- und Innenohr "},
{"OPSC_4":"5-25","OPS_Gruppen_Text":"Operationen an der Zunge "},
{"OPSC_4":"5-31","OPS_Gruppen_Text":"Andere Larynxoperationen und Operationen an der Trachea "},
{"OPSC_4":"5-32","OPS_Gruppen_Text":"Exzision und Resektion an Lunge und Bronchus "},
{"OPSC_4":"5-33","OPS_Gruppen_Text":"Andere Operationen an Lunge und Bronchus"},
{"OPSC_4":"5-34","OPS_Gruppen_Text":"Operationen an Brustwand, Pleura, Mediastinum und Zwerchfell "},
{"OPSC_4":"5-37","OPS_Gruppen_Text":"Rhythmuschirurgie und andere Operationen an Herz und Perikard"},
{"OPSC_4":"5-38","OPS_Gruppen_Text":"Inzision, Exzision und Verschluß von Blutgefäßen "},
{"OPSC_4":"5-39","OPS_Gruppen_Text":"Andere Operationen an Blutgefäßen "},
{"OPSC_4":"5-40","OPS_Gruppen_Text":"Operationen am Lymphgewebe "},
{"OPSC_4":"5-41","OPS_Gruppen_Text":"Operationen an Milz und Knochenmark "},
{"OPSC_4":"5-42","OPS_Gruppen_Text":"Operationen am Ösophagus "},
{"OPSC_4":"5-43","OPS_Gruppen_Text":"Inzision, Exzision und Resektion am Magen "},
{"OPSC_4":"5-44","OPS_Gruppen_Text":"Erweiterte Magenresektion und andere Operationen am Magen "},
{"OPSC_4":"5-45","OPS_Gruppen_Text":"Inzision, Exzision, Resektion und Anastomose an Dünn- und Dickdarm "},
{"OPSC_4":"5-46","OPS_Gruppen_Text":"Andere Operationen an Dünn- und Dickdarm "},
{"OPSC_4":"5-47","OPS_Gruppen_Text":"Operationen an der Appendix "},
{"OPSC_4":"5-48","OPS_Gruppen_Text":"Operationen am Rektum "},
{"OPSC_4":"5-49","OPS_Gruppen_Text":"Operationen am Anus "},
{"OPSC_4":"5-50","OPS_Gruppen_Text":"Operationen an der Leber "},
{"OPSC_4":"5-51","OPS_Gruppen_Text":"Operationen an Gallenblase und Gallenwegen "},
{"OPSC_4":"5-52","OPS_Gruppen_Text":"Operationen am Pankreas "},
{"OPSC_4":"5-53","OPS_Gruppen_Text":"Verschluß abdominaler Hernien "},
{"OPSC_4":"5-54","OPS_Gruppen_Text":"Andere Operationen in der Bauchregion "},
{"OPSC_4":"5-55","OPS_Gruppen_Text":"Operationen an der Niere "},
{"OPSC_4":"5-56","OPS_Gruppen_Text":"Operationen am Ureter "},
{"OPSC_4":"5-57","OPS_Gruppen_Text":"Operationen an der Harnblase "},
{"OPSC_4":"5-59","OPS_Gruppen_Text":"Andere Operationen an den Harnorganen "},
{"OPSC_4":"5-60","OPS_Gruppen_Text":"Operationen an Prostata und Vesiculae seminales "},
{"OPSC_4":"5-61","OPS_Gruppen_Text":"Operationen an Skrotum und Tunica vaginalis testis"},
{"OPSC_4":"5-62","OPS_Gruppen_Text":"Operationen am Hoden "},
{"OPSC_4":"5-65","OPS_Gruppen_Text":"Operationen am Ovar "},
{"OPSC_4":"5-68","OPS_Gruppen_Text":"Inzision, Exzision und Exstirpation des Uterus "},
{"OPSC_4":"5-70","OPS_Gruppen_Text":"Operationen an Vagina und Douglasraum "},
{"OPSC_4":"5-71","OPS_Gruppen_Text":"Operationen an der Vulva "},
{"OPSC_4":"5-85","OPS_Gruppen_Text":"Operationen an Muskeln, Sehnen, Faszien und Schleimbeuteln"},
{"OPSC_4":"5-87","OPS_Gruppen_Text":"Exzision und Resektion der Mamma "},
{"OPSC_4":"5-89","OPS_Gruppen_Text":"Operationen an Haut und Unterhaut "},
{"OPSC_4":"5-90","OPS_Gruppen_Text":"Operative Wiederherstellung und Rekonstruktion von Haut und Unterhaut"},
{"OPSC_4":"5-91","OPS_Gruppen_Text":"Andere Operationen an Haut und Unterhaut "},
{"OPSC_4":"5-93","OPS_Gruppen_Text":"Angaben zum Transplantat und zu verwendeten Materialien"},
{"OPSC_4":"5-98","OPS_Gruppen_Text":"Spezielle Operationstechniken und Operationen bei speziellen Versorgungssituationen "},
{"OPSC_4":"8-13","OPS_Gruppen_Text":"Manipulation am Harntrakt"},
{"OPSC_4":"8-14","OPS_Gruppen_Text":"Therapeutische Kathedirisierung, Aspiration, Punktion und Spülung "},
{"OPSC_4":"8-15","OPS_Gruppen_Text":"Therapeutische Aspiration und Entleerung durch Punktion "},
{"OPSC_4":"8-17","OPS_Gruppen_Text":"Spülung (Lavage) "},
{"OPSC_4":"8-19","OPS_Gruppen_Text":"Verbände "},
{"OPSC_4":"8-77","OPS_Gruppen_Text":"Maßnahmen im Rahmen der Reanimation "},
{"OPSC_4":"8-92","OPS_Gruppen_Text":"Neurologisches Monitoring "},
])
EOF
OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
fi

9
ccp/modules/teiler-setup.sh
View File

@ -1,9 +0,0 @@
#!/bin/bash -e
if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
TEILER_DEFAULT_LANGUAGE=DE
TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
add_public_oidc_redirect_url "/ccp-teiler/*"
fi

2
ccp/vars
View File

@ -20,7 +20,7 @@ OIDC_GROUP_CLAIM="groups"
POSTGRES_TAG=15.6-alpine
for module in $PROJECT/modules/*.sh
for module in common/*.sh
do
log DEBUG "sourcing $module"
source $module

2
ccp/modules/blaze-secondary-compose.yml → common/blaze-secondary-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
blaze-secondary:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-ccp-blaze-secondary
environment:
BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"

2
ccp/modules/blaze-secondary-setup.sh → common/blaze-secondary-setup.sh
View File

@ -3,7 +3,7 @@
function blazeSecondarySetup() {
if [ -n "$ENABLE_SECONDARY_BLAZE" ]; then
log INFO "Secondary Blaze setup detected -- will start second blaze."
OVERRIDE+=" -f ./$PROJECT/modules/blaze-secondary-compose.yml"
OVERRIDE+=" -f ./common/blaze-secondary-compose.yml"
#make oBDS2FHIR ignore ID-Management and replace target Blaze
PATIENTLIST_URL=" "
STORE_PATH="http://blaze-secondary:8080/fhir"

2
ccp/modules/datashield-compose.yml → common/datashield-compose.yml
View File

@ -151,7 +151,7 @@ services:
--pass-access-token=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
- "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)"
- "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2_proxy.tls=true"
environment:

4
ccp/modules/datashield-setup.sh → common/datashield-setup.sh
View File

@ -10,7 +10,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
OVERRIDE+=" -f ./common/datashield-compose.yml"
EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
@ -23,7 +23,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
fi
mkdir -p /tmp/bridgehead/opal-map
sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
sites="$(cat ./common/datashield-sites.json)"
echo "$sites" | docker_jq -n --args '{"sites": input | map({
"name": .,
"id": .,

15
common/datashield-sites.json Normal file
View File

@ -0,0 +1,15 @@
[
"berlin",
"muenchen-lmu",
"dresden",
"freiburg",
"muenchen-tum",
"tuebingen",
"mainz",
"frankfurt",
"essen",
"dktk-datashield-test",
"dktk-test",
"mannheim",
"central-ds-orchestrator"
]

0
ccp/modules/datashield.md → common/datashield.md
View File

4
ccp/modules/dnpm-compose.yml → common/dnpm-compose.yml
View File

@ -13,7 +13,7 @@ services:
PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
APP_ID: dnpm-connect.${PROXY_ID}
DISCOVERY_URL: "./conf/central_targets.json"
LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
HTTP_PROXY: "http://forward_proxy:3128"
HTTPS_PROXY: "http://forward_proxy:3128"
NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -25,7 +25,7 @@ services:
volumes:
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
- /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"

34
common/dnpm-node-compose.yml Normal file
View File

@ -0,0 +1,34 @@
version: "3.7"
services:
dnpm-backend:
image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
container_name: bridgehead-dnpm-backend
environment:
- ZPM_SITE=${ZPM_SITE}
- N_RANDOM_FILES=${DNPM_SYNTH_NUM}
volumes:
- /etc/bridgehead/dnpm:/bwhc_config:ro
- ${DNPM_DATA_DIR}:/bwhc_data
labels:
- "traefik.enable=true"
- "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
- "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
- "traefik.http.routers.bwhc-backend.tls=true"
dnpm-frontend:
image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
container_name: bridgehead-dnpm-frontend
links:
- dnpm-backend
environment:
- NUXT_HOST=0.0.0.0
- NUXT_PORT=8080
- BACKEND_PROTOCOL=https
- BACKEND_HOSTNAME=$HOST
- BACKEND_PORT=443
labels:
- "traefik.enable=true"
- "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
- "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
- "traefik.http.routers.bwhc-frontend.tls=true"

28
common/dnpm-node-setup.sh Normal file
View File

@ -0,0 +1,28 @@
#!/bin/bash
if [ -n "${ENABLE_DNPM_NODE}" ]; then
log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
OVERRIDE+=" -f ./common/dnpm-node-compose.yml"
# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
if [ -z "${ZPM_SITE+x}" ]; then
log ERROR "Mandatory variable ZPM_SITE not defined!"
exit 1
fi
if [ -z "${DNPM_DATA_DIR+x}" ]; then
log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
exit 1
fi
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
echo "Override of landing page url already in place"
else
echo "Adding override of landing page url"
if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
echo -e ' landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
else
echo -e 'version: "3.7"\nservices:\n landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
fi
fi
fi

2
ccp/modules/dnpm-setup.sh → common/dnpm-setup.sh
View File

@ -2,7 +2,7 @@
if [ -n "${ENABLE_DNPM}" ]; then
log INFO "DNPM setup detected (Beam.Connect) -- will start Beam.Connect for DNPM."
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-compose.yml"
OVERRIDE+=" -f ./common/dnpm-compose.yml"
# Set variables required for Beam-Connect
DNPM_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"

0
kr/modules/export-and-qb.curl-templates → common/export-and-qb.curl-templates
View File

0
kr/modules/exporter-compose.yml → common/exporter-compose.yml
View File

2
kr/modules/exporter-setup.sh → common/exporter-setup.sh
View File

@ -2,7 +2,7 @@
if [ "$ENABLE_EXPORTER" == true ]; then
log INFO "Exporter setup detected -- will start Exporter service."
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
OVERRIDE+=" -f ./common/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
fi

0
ccp/modules/exporter.md → common/exporter.md
View File

4
ccp/modules/fhir2sql-compose.yml → common/fhir2sql-compose.yml
View File

@ -23,7 +23,3 @@ services:
POSTGRES_DB: "dashboard"
volumes:
- "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
focus:
environment:
POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"

3
ccp/modules/fhir2sql-setup.sh → common/fhir2sql-setup.sh
View File

@ -2,7 +2,6 @@
if [ "$ENABLE_FHIR2SQL" == true ]; then
log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
OVERRIDE+=" -f ./common/fhir2sql-compose.yml"
DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
FOCUS_ENDPOINT_TYPE="blaze-and-sql"
fi

0
ccp/modules/fhir2sql.md → common/fhir2sql.md
View File

20
ccp/modules/id-management-compose.yml → common/id-management-compose.yml
View File

@ -19,18 +19,10 @@ services:
- traefik-forward-auth
labels:
- "traefik.enable=true"
# Router with Authentication
- "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
- "traefik.http.services.id-manager.loadbalancer.server.port=8080"
- "traefik.http.routers.id-manager.tls=true"
- "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
- "traefik.http.routers.id-manager.service=id-manager-service"
# Router without Authentication
- "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
- "traefik.http.routers.id-manager-compatibility.tls=true"
- "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
# Definition of Service
- "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
- "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
patientlist:
image: docker.verbis.dkfz.de/bridgehead/mainzelliste
@ -65,7 +57,7 @@ services:
- "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
traefik-forward-auth:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
environment:
- http_proxy=http://forward_proxy:3128
- https_proxy=http://forward_proxy:3128
@ -75,7 +67,6 @@ services:
- OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
- OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
- OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
- OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true
@ -101,12 +92,5 @@ services:
forward_proxy:
condition: service_healthy
ccp-patient-project-identificator:
image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
container_name: bridgehead-ccp-patient-project-identificator
environment:
MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
volumes:
patientlist-db-data:

2
ccp/modules/id-management-setup.sh → common/id-management-setup.sh
View File

@ -3,7 +3,7 @@
function idManagementSetup() {
if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)."
OVERRIDE+=" -f ./ccp/modules/id-management-compose.yml"
OVERRIDE+=" -f ./common/id-management-compose.yml"
# Auto Generate local Passwords
PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"

0
ccp/modules/id-management.md → common/id-management.md
View File

0
itcc/modules/lens-compose.yml → common/lens-compose.yml
View File

5
common/lens-setup.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
if [ -n "$ENABLE_LENS" ];then
OVERRIDE+=" -f ./common/lens-compose.yml"
fi

0
ccp/modules/mtba-compose.yml → common/mtba-compose.yml
View File

2
ccp/modules/mtba-setup.sh → common/mtba-setup.sh
View File

@ -6,7 +6,7 @@ function mtbaSetup() {
if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
fi
OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml"
OVERRIDE+=" -f ./common/mtba-compose.yml"
add_private_oidc_redirect_url "/mtba/*"
fi
}

0
ccp/modules/mtba.md → common/mtba.md
View File

1
ccp/modules/nngm-compose.yml → common/nngm-compose.yml
View File

@ -12,6 +12,7 @@ services:
CTS_API_KEY: ${NNGM_CTS_APIKEY}
CRYPT_KEY: ${NNGM_CRYPTKEY}
#CTS_MAGICPL_SITE: ${SITE_ID}TODO
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"

2
ccp/modules/nngm-setup.sh → common/nngm-setup.sh
View File

@ -2,5 +2,5 @@
if [ -n "$NNGM_CTS_APIKEY" ]; then
log INFO "nNGM setup detected -- will start nNGM Connector."
OVERRIDE+=" -f ./$PROJECT/modules/nngm-compose.yml"
OVERRIDE+=" -f ./common/nngm-compose.yml"
fi

1
ccp/modules/obds2fhir-rest-compose.yml → common/obds2fhir-rest-compose.yml
View File

@ -10,6 +10,7 @@ services:
SALT: ${LOCAL_SALT}
KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"

2
ccp/modules/obds2fhir-rest-setup.sh → common/obds2fhir-rest-setup.sh
View File

@ -7,7 +7,7 @@ function obds2fhirRestSetup() {
log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
PATIENTLIST_URL=" "
fi
OVERRIDE+=" -f ./ccp/modules/obds2fhir-rest-compose.yml"
OVERRIDE+=" -f ./common/obds2fhir-rest-compose.yml"
LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
fi
}

0
ccp/modules/teiler-compose.yml → common/teiler-compose.yml
View File

2
kr/modules/teiler-setup.sh → common/teiler-setup.sh
View File

@ -2,7 +2,7 @@
if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
OVERRIDE+=" -f ./common/teiler-compose.yml"
TEILER_DEFAULT_LANGUAGE=DE
TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
add_public_oidc_redirect_url "/ccp-teiler/*"

0
ccp/modules/teiler.md → common/teiler.md
View File

2
dhki/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-dhki-blaze
environment:
BASE_URL: "http://bridgehead-dhki-blaze:8080"

10
dhki/vars
View File

@ -10,7 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
POSTGRES_TAG=15.6-alpine
for module in ccp/modules/*.sh
for module in common/*.sh
do
log DEBUG "sourcing $module"
source $module
@ -18,11 +18,3 @@ done
idManagementSetup
obds2fhirRestSetup
for module in modules/*.sh
do
log DEBUG "sourcing $module"
source $module
done
transfairSetup

42
docs/update-access-token.md
View File

@ -1,42 +0,0 @@
## How to Change Config Access Token
### 1. Generate a New Access Token
1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).
2. Navigate to the configuration repository for your site.
3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.
- **If expired**, create a new Access Token.
4. Configure the new Access Token with the following settings:
- **Expiration date**: One year from today, minus one day.
- **Role**: Developer.
- **Scope**: Only `read_repository`.
5. Save the newly generated Access Token in a secure location.
---
### 2. Replace the Old Access Token
1. Navigate to `/etc/bridgehead` in your system.
2. Run the following command to retrieve the current Git remote URL:
```bash
git remote get-url origin
```
Example output:
```
https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
```
3. Replace `<old_access_token>` with your new Access Token in the URL.
4. Set the updated URL using the following command:
```bash
git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
```
5. Start the Bridgehead update service by running:
```bash
systemctl start bridgehead-update@<project>
```
6. View the output to ensure the update process is successful:
```bash
journalctl -u bridgehead-update@<project> -f
```

2
itcc/docker-compose.yml
View File

@ -2,7 +2,7 @@ version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-itcc-blaze
environment:
BASE_URL: "http://bridgehead-itcc-blaze:8080"

5
itcc/modules/lens-setup.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
if [ -n "$ENABLE_LENS" ];then
OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
fi

2
itcc/vars
View File

@ -7,7 +7,7 @@ SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL
for module in $PROJECT/modules/*.sh
for module in common/*.sh
do
log DEBUG "sourcing $module"
source $module

6
kr/docker-compose.yml
View File

@ -1,12 +1,8 @@
version: "3.7"
services:
landing:
deploy:
replicas: 0 #deactivate landing page
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-kr-blaze
environment:
BASE_URL: "http://bridgehead-kr-blaze:8080"

15
kr/modules/exporter.md
View File

@ -1,15 +0,0 @@
# Exporter and Reporter
## Exporter
The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
## Exporter-DB
It is a database to save queries for its execution in the exporter.
The exporter manages also the different executions of the same query in through the database.
## Reporter
This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
It is compatible with different template engines as Groovy, Thymeleaf,...
It is perfect to generate a document as our traditional CCP quality report.

35
kr/modules/lens-compose.yml
View File

@ -1,35 +0,0 @@
version: "3.7"
services:
landing:
deploy:
replicas: 1 #reactivate if lens is in use
container_name: lens_federated-search
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
labels:
- "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)"
- "traefik.http.services.landing.loadbalancer.server.port=80"
- "traefik.http.routers.landing.tls=true"
spot:
image: docker.verbis.dkfz.de/ccp-private/central-spot
environment:
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_URL: http://beam-proxy:8081
BEAM_PROXY_ID: ${SITE_ID}
BEAM_BROKER_ID: ${BROKER_ID}
BEAM_APP_ID: "focus"
PROJECT_METADATA: "kr_supervisors"
depends_on:
- "beam-proxy"
labels:
- "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8080"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
- "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

5
kr/modules/lens-setup.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
if [ -n "$ENABLE_LENS" ];then
OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
fi

19
kr/modules/obds2fhir-rest-compose.yml
View File

@ -1,19 +0,0 @@
version: "3.7"
services:
obds2fhir-rest:
container_name: bridgehead-obds2fhir-rest
image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
environment:
IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
SALT: ${LOCAL_SALT}
KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
labels:
- "traefik.enable=true"
- "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
- "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest"
- "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080"
- "traefik.http.routers.obds2fhir-rest.tls=true"
- "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth"

13
kr/modules/obds2fhir-rest-setup.sh
View File

@ -1,13 +0,0 @@
#!/bin/bash
function obds2fhirRestSetup() {
if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then
log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module."
if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then
log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:"
PATIENTLIST_URL=" "
fi
OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml"
LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
fi
}

81
kr/modules/teiler-compose.yml
View File

@ -1,81 +0,0 @@
version: "3.7"
services:
teiler-orchestrator:
image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
container_name: bridgehead-teiler-orchestrator
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)"
- "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000"
- "traefik.http.routers.teiler_orchestrator_ccp.tls=true"
- "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
- "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
environment:
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
HTTP_RELATIVE_PATH: "/ccp-teiler"
teiler-dashboard:
image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
container_name: bridgehead-teiler-dashboard
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)"
- "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80"
- "traefik.http.routers.teiler_dashboard_ccp.tls=true"
- "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
- "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
environment:
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
OIDC_URL: "${OIDC_URL}"
OIDC_REALM: "${OIDC_REALM}"
OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
TEILER_PROJECT: "${PROJECT}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_USER: "${OIDC_USER_GROUP}"
TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
teiler-backend:
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
container_name: bridgehead-teiler-backend
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)"
- "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085"
- "traefik.http.routers.teiler_backend_ccp.tls=true"
- "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
- "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
environment:
LOG_LEVEL: "INFO"
APPLICATION_PORT: "8085"
APPLICATION_ADDRESS: "${HOST}"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
CENTRAX_URL: "${CENTRAXX_URL}"
HTTP_PROXY: "http://forward_proxy:3128"
ENABLE_MTBA: "${ENABLE_MTBA}"
ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
secrets:
- ccp.conf
secrets:
ccp.conf:
file: /etc/bridgehead/ccp.conf

19
kr/modules/teiler.md
View File

@ -1,19 +0,0 @@
# Teiler
This module orchestrates the different microfrontends of the bridgehead as a single page application.
## Teiler Orchestrator
Single SPA component that consists on the root HTML site of the single page application and a javascript code that
gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly.
The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
## Teiler Dashboard
It consists on the main dashboard and a set of embedded services.
### Login
user and password in ccp.local.conf
## Teiler Backend
In this component, the microfrontends are configured.

2
kr/vars
View File

@ -7,7 +7,7 @@ SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL
for module in $PROJECT/modules/*.sh
for module in common/*.sh
do
log DEBUG "sourcing $module"
source $module

6
lib/functions.sh
View File

@ -116,7 +116,7 @@ assertVarsNotEmpty() {
MISSING_VARS=""
for VAR in $@; do
if [ -z "${!VAR}" ]; then
if [ -z "${!VAR}" ]; then
MISSING_VARS+="$VAR "
fi
done
@ -171,10 +171,8 @@ optimizeBlazeMemoryUsage() {
if [ $available_system_memory_chunks -eq 0 ]; then
log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
export BLAZE_RESOURCE_CACHE_CAP=128000;
export BLAZE_CQL_CACHE_CAP=32;
else
export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));
fi
fi
}
@ -318,7 +316,7 @@ function sync_secrets() {
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
set -a # Export variables as environment variables
source /var/cache/bridgehead/secrets/oidc
source /var/cache/bridgehead/secrets/*
set +a # Export variables in the regular way
}

11
lib/gitlab-token-helper.sh
View File

@ -1,11 +0,0 @@
#!/bin/bash
[ "$1" = "get" ] || exit
source /var/cache/bridgehead/secrets/gitlab_token
# Any non-empty username works, only the token matters
cat << EOF
username=bk
password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
EOF

41
lib/gitpassword.sh Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
if [ "$1" != "get" ]; then
echo "Usage: $0 get"
exit 1
fi
baseDir() {
# see https://stackoverflow.com/questions/59895
SOURCE=${BASH_SOURCE[0]}
while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
SOURCE=$(readlink "$SOURCE")
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
done
DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
echo $DIR
}
BASE=$(baseDir)
cd $BASE
source lib/functions.sh
assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
PARAMS="$(cat)"
GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
fetchVarsFromVault GIT_PASSWORD
if [ -z "${GIT_PASSWORD}" ]; then
fail_and_report 1 "gitpassword.sh failed: Git password not found."
fi
cat <<EOF
protocol=https
host=$GITHOST
username=bk-${SITE_ID}
password=${GIT_PASSWORD}
EOF

31
lib/prerequisites.sh
View File

@ -3,16 +3,14 @@
source lib/functions.sh
detectCompose
CONFIG_DIR="/etc/bridgehead/"
COMPONENT_DIR="/srv/docker/bridgehead/"
if ! id "bridgehead" &>/dev/null; then
log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
exit 1
fi
checkOwner "${CONFIG_DIR}" bridgehead || exit 1
checkOwner "${COMPONENT_DIR}" bridgehead || exit 1
checkOwner /srv/docker/bridgehead bridgehead || exit 1
checkOwner /etc/bridgehead bridgehead || exit 1
## Check if user is a su
log INFO "Checking if all prerequisites are met ..."
@ -34,31 +32,31 @@ fi
log INFO "Checking configuration ..."
## Download submodule
if [ ! -d "${CONFIG_DIR}" ]; then
fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme."
if [ ! -d "/etc/bridgehead/" ]; then
fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
fi
# TODO: Check all required variables here in a generic loop
#check if project env is present
if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then
fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf."
if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
fi
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
log INFO "Checking ssl cert for accessing bridgehead via https"
if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then
if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
mkdir -p /etc/bridgehead/traefik-tls
fi
if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then
if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
fi
if [ -e "${CONFIG_DIR}"vault.conf ]; then
if [ -e /etc/bridgehead/vault.conf ]; then
if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
fi
@ -66,7 +64,7 @@ fi
log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
source "${CONFIG_DIR}${PROJECT}".conf
source /etc/bridgehead/${PROJECT}.conf
source ${PROJECT}/vars
if [ "${PROJECT}" != "minimal" ]; then
@ -94,10 +92,10 @@ if [ "${PROJECT}" != "minimal" ]; then
fi
fi
checkPrivKey() {
if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
log INFO "Success - private key found."
else
log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions."
log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions."
return 1
fi
return 0
@ -109,11 +107,6 @@ else
checkPrivKey || exit 1
fi
for dir in "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
done
log INFO "Success - all prerequisites are met!"
hc_send log "Success - all prerequisites are met!"

47
lib/update-bridgehead.sh
View File

@ -19,7 +19,7 @@ fi
hc_send log "Checking for bridgehead updates ..."
CONFFILE=/etc/bridgehead/$PROJECT.conf
CONFFILE=/etc/bridgehead/$1.conf
if [ ! -e $CONFFILE ]; then
fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,43 +33,7 @@ export SITE_ID
checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
# If it is missing or expired, Secret Sync will create a new token and write it to the file.
# The git credential helper reads the token from the file during git pull.
mkdir -p /var/cache/bridgehead/secrets
touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
log "INFO" "Running Secret Sync for the GitLab token"
docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
docker run --rm \
-v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e NO_PROXY=localhost,127.0.0.1 \
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
if [ $? -eq 0 ]; then
log "INFO" "Secret Sync was successful"
# In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
# Set the git credential helper
git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
else
log "WARN" "Secret Sync failed"
# Remove the git credential helper
git -C /etc/bridgehead config --unset credential.helper
fi
# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
# Let's remove it to avoid confusion. This line can be removed at some point the future when we
# believe that it was removed on all/most production servers.
git -C /srv/docker/bridgehead config --unset credential.helper
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
CHANGES=""
@ -81,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
if [ -n "$OUT" ]; then
report_error log "The working directory $DIR is modified. Changed files: $OUT"
fi
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
log "INFO" "Configuring repo to use bridgehead git credential helper."
git -C $DIR config credential.helper "$CREDHELPER"
fi
old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
log "INFO" "Git is using no proxy!"
@ -90,8 +58,7 @@ for DIR in /etc/bridgehead $(pwd); do
OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
fi
if [ $? -ne 0 ]; then
OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
report_error log "Unable to update git $DIR: $OUT_SAN"
report_error log "Unable to update git $DIR: $OUT"
fi
new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"

4
minimal/docker-compose.yml
View File

@ -10,13 +10,13 @@ services:
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --providers.file.directory=/configuration/
- --api.dashboard=false
- --api.dashboard=true
- --accesslog=true
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.web.http.redirections.entrypoint.scheme=https
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
- "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls=true"

142
minimal/modules/dnpm-central-targets.json
View File

@ -1,142 +0,0 @@
{
"sites": [
{
"id": "UKFR",
"name": "Freiburg",
"virtualhost": "ukfr.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKHD",
"name": "Heidelberg",
"virtualhost": "ukhd.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKT",
"name": "Tübingen",
"virtualhost": "ukt.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKU",
"name": "Ulm",
"virtualhost": "uku.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UM",
"name": "Mainz",
"virtualhost": "um.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKMR",
"name": "Marburg",
"virtualhost": "ukmr.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKE",
"name": "Hamburg",
"virtualhost": "uke.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKA",
"name": "Aachen",
"virtualhost": "uka.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "Charite",
"name": "Berlin",
"virtualhost": "charite.dnpm.de",
"beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "MRI",
"name": "Muenchen-tum",
"virtualhost": "mri.dnpm.de",
"beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "KUM",
"name": "Muenchen-lmu",
"virtualhost": "kum.dnpm.de",
"beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "MHH",
"name": "Hannover",
"virtualhost": "mhh.dnpm.de",
"beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKDD",
"name": "dresden-dnpm",
"virtualhost": "ukdd.dnpm.de",
"beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKB",
"name": "Bonn",
"virtualhost": "ukb.dnpm.de",
"beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKD",
"name": "Duesseldorf",
"virtualhost": "ukd.dnpm.de",
"beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKK",
"name": "Koeln",
"virtualhost": "ukk.dnpm.de",
"beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UME",
"name": "Essen",
"virtualhost": "ume.dnpm.de",
"beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKM",
"name": "Muenster",
"virtualhost": "ukm.dnpm.de",
"beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKF",
"name": "Frankfurt",
"virtualhost": "ukf.dnpm.de",
"beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UMG",
"name": "Goettingen",
"virtualhost": "umg.dnpm.de",
"beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKW",
"name": "Würzburg",
"virtualhost": "ukw.dnpm.de",
"beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "UKSH",
"name": "Schleswig-Holstein",
"virtualhost": "uksh.dnpm.de",
"beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
},
{
"id": "TKT",
"name": "Test",
"virtualhost": "tkt.dnpm.de",
"beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
}
]
}

4
minimal/modules/dnpm-compose.yml
View File

@ -29,7 +29,7 @@ services:
PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
APP_ID: dnpm-connect.${DNPM_PROXY_ID}
DISCOVERY_URL: "./conf/central_targets.json"
LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
HTTP_PROXY: http://forward_proxy:3128
HTTPS_PROXY: http://forward_proxy:3128
NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -41,7 +41,7 @@ services:
volumes:
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
- /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"

111
minimal/modules/dnpm-node-compose.yml
View File

@ -1,99 +1,34 @@
version: "3.7"
services:
dnpm-mysql:
image: mysql:9
healthcheck:
test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
interval: 3s
timeout: 5s
retries: 5
environment:
MYSQL_ROOT_HOST: "%"
MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
volumes:
- /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
dnpm-authup:
image: authup/authup:latest
container_name: bridgehead-dnpm-authup
volumes:
- /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
depends_on:
dnpm-mysql:
condition: service_healthy
command: server/core start
environment:
- PUBLIC_URL=https://${HOST}/auth/
- AUTHORIZE_REDIRECT_URL=https://${HOST}
- ROBOT_ADMIN_ENABLED=true
- ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
- ROBOT_ADMIN_SECRET_RESET=true
- DB_TYPE=mysql
- DB_HOST=dnpm-mysql
- DB_USERNAME=root
- DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
- DB_DATABASE=auth
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth/"
- "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
- "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
- "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
- "traefik.http.routers.dnpm-auth.tls=true"
dnpm-portal:
image: ghcr.io/dnpm-dip/portal:latest
container_name: bridgehead-dnpm-portal
environment:
- NUXT_API_URL=http://dnpm-backend:9000/
- NUXT_PUBLIC_API_URL=https://${HOST}/api/
- NUXT_AUTHUP_URL=http://dnpm-authup:3000/
- NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
labels:
- "traefik.enable=true"
- "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
- "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
- "traefik.http.routers.dnpm-frontend.tls=true"
dnpm-backend:
image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
container_name: bridgehead-dnpm-backend
image: ghcr.io/dnpm-dip/backend:latest
environment:
- LOCAL_SITE=${ZPM_SITE}:${SITE_NAME} # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
- RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
- MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
- HATEOAS_HOST=https://${HOST}
- CONNECTOR_TYPE=broker
- AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
- ZPM_SITE=${ZPM_SITE}
- N_RANDOM_FILES=${DNPM_SYNTH_NUM}
volumes:
- /etc/bridgehead/dnpm/config:/dnpm_config
- /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
depends_on:
dnpm-authup:
condition: service_healthy
- /etc/bridgehead/dnpm:/bwhc_config:ro
- ${DNPM_DATA_DIR}:/bwhc_data
labels:
- "traefik.enable=true"
- "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
# expose everything
- "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
- "traefik.http.routers.dnpm-backend.tls=true"
- "traefik.http.routers.dnpm-backend.service=dnpm-backend"
# except ETL
- "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
- "traefik.http.routers.dnpm-backend-etl.tls=true"
- "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
# this needs an ETL processor with support for basic auth
- "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
# except peer-to-peer
- "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
- "traefik.http.routers.dnpm-backend-peer.tls=true"
- "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
- "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
# this effectively denies all requests
# this is okay, because requests from peers don't go through Traefik
- "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
- "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
- "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
- "traefik.http.routers.bwhc-backend.tls=true"
landing:
dnpm-frontend:
image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
container_name: bridgehead-dnpm-frontend
links:
- dnpm-backend
environment:
- NUXT_HOST=0.0.0.0
- NUXT_PORT=8080
- BACKEND_PROTOCOL=https
- BACKEND_HOSTNAME=$HOST
- BACKEND_PORT=443
labels:
- "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
- "traefik.enable=true"
- "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
- "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
- "traefik.http.routers.bwhc-frontend.tls=true"

22
minimal/modules/dnpm-node-setup.sh
View File

@ -1,16 +1,28 @@
#!/bin/bash
if [ -n "${ENABLE_DNPM_NODE}" ]; then
log INFO "DNPM setup detected -- will start DNPM:DIP node."
log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
if [ -z "${ZPM_SITE+x}" ]; then
log ERROR "Mandatory variable ZPM_SITE not defined!"
exit 1
fi
mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
if [ -z "${DNPM_DATA_DIR+x}" ]; then
log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
exit 1
fi
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
echo "Override of landing page url already in place"
else
echo "Adding override of landing page url"
if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
echo -e ' landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
else
echo -e 'version: "3.7"\nservices:\n landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
fi
fi
fi

1
minimal/modules/nngm-compose.yml
View File

@ -11,6 +11,7 @@ services:
CTS_API_KEY: ${NNGM_CTS_APIKEY}
CRYPT_KEY: ${NNGM_CRYPTKEY}
#CTS_MAGICPL_SITE: ${SITE_ID}TODO
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"

51
modules/transfair-compose.yml
View File

@ -1,51 +0,0 @@
services:
transfair:
image: docker.verbis.dkfz.de/cache/samply/transfair:latest
container_name: bridgehead-transfair
environment:
# NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
- INSTITUTE_TTP_URL
- INSTITUTE_TTP_API_KEY
- PROJECT_ID_SYSTEM
- FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
- FHIR_INPUT_URL=${FHIR_INPUT_URL}
- FHIR_OUTPUT_URL=${FHIR_OUTPUT_URL:-http://blaze:8080}
- FHIR_REQUEST_CREDENTIALS=${FHIR_REQUEST_CREDENTIALS}
- FHIR_INPUT_CREDENTIALS=${FHIR_INPUT_CREDENTIALS}
- FHIR_OUTPUT_CREDENTIALS=${FHIR_OUTPUT_CREDENTIALS}
- EXCHANGE_ID_SYSTEM=${EXCHANGE_ID_SYSTEM:-SESSION_ID}
- DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
- RUST_LOG=${RUST_LOG:-info}
volumes:
- /var/cache/bridgehead/${PROJECT}/transfair:/transfair
transfair-input-blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-transfair-input-blaze
environment:
BASE_URL: "http://bridgehead-transfair-input-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx1024m"
DB_BLOCK_CACHE_SIZE: 1024
CQL_EXPR_CACHE_SIZE: 8
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "transfair-input-blaze-data:/app/data"
profiles: ["transfair-input-blaze"]
transfair-request-blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
container_name: bridgehead-transfair-requests-blaze
environment:
BASE_URL: "http://bridgehead-transfair-requests-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx1024m"
DB_BLOCK_CACHE_SIZE: 1024
CQL_EXPR_CACHE_SIZE: 8
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "transfair-request-blaze-data:/app/data"
profiles: ["transfair-request-blaze"]
volumes:
transfair-input-blaze-data:
transfair-request-blaze-data:

22
modules/transfair-setup.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash -e
function transfairSetup() {
if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
echo "Starting transfair."
OVERRIDE+=" -f ./modules/transfair-compose.yml"
if [ -n "$FHIR_INPUT_URL" ]; then
log INFO "TransFAIR input fhir store set to external $FHIR_INPUT_URL"
else
log INFO "TransFAIR input fhir store not set writing to internal blaze"
FHIR_INPUT_URL="http://transfair-input-blaze:8080"
OVERRIDE+=" --profile transfair-input-blaze"
fi
if [ -n "$FHIR_REQUEST_URL" ]; then
log INFO "TransFAIR request fhir store set to external $FHIR_REQUEST_URL"
else
log INFO "TransFAIR request fhir store not set writing to internal blaze"
FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
OVERRIDE+=" --profile transfair-request-blaze"
fi
fi
}

2
versions/prod
View File

@ -1,2 +0,0 @@
FOCUS_TAG=main
BEAM_TAG=main

2
versions/test
View File

@ -1,2 +0,0 @@
FOCUS_TAG=develop
BEAM_TAG=develop