Use onkofdz specific broker

add correct branch for onkofdz beam proxy
Set names for onkofdz containers
2025-06-16 23:00:15 +02:00 · 2024-10-31 11:44:15 +00:00 · 2024-10-14 07:59:03 +00:00 · 2024-10-14 07:59:03 +00:00 · 2024-10-14 07:59:03 +00:00 · 2024-10-14 07:59:03 +00:00
46 changed files with 305 additions and 884 deletions
--- a/.github/scripts/rename_inactive_branches.py
+++ b/.github/scripts/rename_inactive_branches.py
@ -1,39 +0,0 @@
 import os
 import requests
 from datetime import datetime, timedelta
 # Configuration
 GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
 REPO = 'samply/bridgehead'
 HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'}
 API_URL = f'https://api.github.com/repos/{REPO}/branches'
 INACTIVE_DAYS = 365
 CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS)
 # Fetch all branches
 def get_branches():
    response = requests.get(API_URL, headers=HEADERS)
    response.raise_for_status()
    return response.json() if response.status_code == 200 else []
 # Rename inactive branches
 def rename_branch(old_name, new_name):
    rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename'
    response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS)
    response.raise_for_status()
    print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}")
 # Check if the branch is inactive
 def is_inactive(commit_url):
    last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date']
    return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE
 # Rename inactive branches
 def main():
    for branch in get_branches():
        if is_inactive(branch['commit']['url']):
            #rename_branch(branch['name'], f"archived/{branch['name']}")
            print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'")
 if __name__ == "__main__":
    main()
--- a/.github/workflows/rename-inactive-branches.yml
+++ b/.github/workflows/rename-inactive-branches.yml
@ -1,27 +0,0 @@
 name: Cleanup - Rename Inactive Branches
 on:
  schedule:
    - cron: '0 0 * * 0'  # Runs every Sunday at midnight
 jobs:
  archive-stale-branches:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install Libraries
        run: pip install requests
      - name: Run Script to Rename Inactive Branches
        run: |
          python .github/scripts/rename_inactive_branches.py
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/README.md
+++ b/README.md
@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
  * git.verbis.dkfz.de
 * To fetch docker images
  * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
    * hub.docker.com
    * registry-1.docker.io
    * production.cloudflare.docker.com
@ -154,7 +154,7 @@ Pay special attention to:
 Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
-sudo git clone -b main https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
 ```
 Then, run the installation script:
@ -254,8 +254,6 @@ sh bridgehead uninstall
 ## Site-specific configuration
 [How to Change Config Access Token](docs/update-access-token.md)
 ### HTTPS Access
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).
--- a/bbmri/docker-compose.yml
+++ b/bbmri/docker-compose.yml
@ -4,14 +4,13 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-bbmri-blaze
    environment:
      BASE_URL: "http://bridgehead-bbmri-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-eric:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus-eric
    environment:
      API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
--- a/bbmri/modules/gbn-compose.yml
+++ b/bbmri/modules/gbn-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  focus-gbn:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus-gbn
    environment:
      API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT}
--- a/49
+++ b/49
@ -53,44 +53,17 @@ case "$PROJECT" in
 		;;
 esac
 # Loads config variables and runs the projects setup script
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
 	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
 	# Source the project specific local config file if present
 	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
 	# Set execution environment on main default to prod else test
 	if [[ -z "${ENVIRONMENT+x}" ]]; then
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
 			ENVIRONMENT="test"
 		fi
 	fi
 	# Source the versions of the images components 
 	case "$ENVIRONMENT" in
 		"production")
 			source ./versions/prod
 			;;
 		"test")
 			source ./versions/test
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
 			;;
 	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
 	# Run project specific setup if it exists
 	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
 	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
@ -106,6 +79,26 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
 	# Set some project-independent default values
 	: ${ENVIRONMENT:=production}
 	export ENVIRONMENT
 	case "$ENVIRONMENT" in
 		"production")
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 		"test")
 			export FOCUS_TAG=develop
 			export BEAM_TAG=develop
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 	esac
 }
 case "$ACTION" in
--- a/cce/docker-compose.yml
+++ b/cce/docker-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-cce-blaze
    environment:
      BASE_URL: "http://bridgehead-cce-blaze:8080"
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -2,14 +2,13 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-ccp-blaze
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
@ -22,7 +21,7 @@ services:
      - "traefik.http.routers.blaze_ccp.tls=true"
  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk
+    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@ -33,7 +32,6 @@ services:
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
    volumes:
      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
    depends_on:
@ -59,6 +57,7 @@ services:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
--- a/ccp/modules/blaze-secondary-compose.yml
+++ b/ccp/modules/blaze-secondary-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  blaze-secondary:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-ccp-blaze-secondary
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@ -151,7 +151,7 @@ services:
      --pass-access-token=false
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)"
      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
      - "traefik.http.routers.oauth2_proxy.tls=true"
    environment:
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@ -13,7 +13,7 @@ services:
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: "http://forward_proxy:3128"
      HTTPS_PROXY: "http://forward_proxy:3128"
      NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -25,7 +25,7 @@ services:
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@ -1,99 +1,34 @@
 version: "3.7"
 services:
  dnpm-mysql:
    image: mysql:9
    healthcheck:
      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
      interval: 3s
      timeout: 5s
      retries: 5
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
  dnpm-authup:
    image: authup/authup:latest
    container_name: bridgehead-dnpm-authup
    volumes:
      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
    depends_on:
      dnpm-mysql:
        condition: service_healthy
    command: server/core start
    environment:
      - PUBLIC_URL=https://${HOST}/auth/
      - AUTHORIZE_REDIRECT_URL=https://${HOST}
      - ROBOT_ADMIN_ENABLED=true
      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
      - ROBOT_ADMIN_SECRET_RESET=true
      - DB_TYPE=mysql
      - DB_HOST=dnpm-mysql
      - DB_USERNAME=root
      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
      - DB_DATABASE=auth
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth"
      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-auth.tls=true"
  dnpm-portal:
    image: ghcr.io/dnpm-dip/portal:latest
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-frontend.tls=true"
  dnpm-backend:
    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
    container_name: bridgehead-dnpm-backend
    image: ghcr.io/dnpm-dip/backend:latest
    environment:
-      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
+      - ZPM_SITE=${ZPM_SITE}
-      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
-      - /etc/bridgehead/dnpm/config:/dnpm_config
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
-      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+      - ${DNPM_DATA_DIR}:/bwhc_data
    depends_on:
      dnpm-authup:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      # expose everything
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.bwhc-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
      # except ETL
      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-etl.tls=true"
      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
      # this needs an ETL processor with support for basic auth
      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
      # except peer-to-peer
      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-peer.tls=true"
      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
      # this effectively denies all requests
      # this is okay, because requests from peers don't go through Traefik
      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
-  landing:
+  dnpm-frontend:
    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
    container_name: bridgehead-dnpm-frontend
    links:
      - dnpm-backend
    environment:
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=8080
      - BACKEND_PROTOCOL=https
      - BACKEND_HOSTNAME=$HOST
      - BACKEND_PORT=443
    labels:
-      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
+      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
      - "traefik.http.routers.bwhc-frontend.tls=true"
--- a/ccp/modules/dnpm-node-setup.sh
+++ b/ccp/modules/dnpm-node-setup.sh
@ -1,16 +1,28 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected -- will start DNPM:DIP node."
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
-    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
-    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
+		exit 1
-    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
+	fi
 	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
 		echo "Adding override of landing page url"
 		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		else
 			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		fi
 	fi
 fi
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@ -65,8 +65,3 @@ services:
      - "traefik.http.routers.reporter_ccp.tls=true"
      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
  focus:
    environment:
      EXPORTER_URL: "http://exporter:8092"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
--- a/ccp/modules/fhir2sql-compose.yml
+++ b/ccp/modules/fhir2sql-compose.yml
@ -23,7 +23,3 @@ services:
      POSTGRES_DB: "dashboard"
    volumes:
      - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data"
  focus:
    environment:
      POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard"
--- a/ccp/modules/fhir2sql-setup.sh
+++ b/ccp/modules/fhir2sql-setup.sh
@ -4,5 +4,4 @@ if [ "$ENABLE_FHIR2SQL" == true ]; then
  log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
  OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
  DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
  FOCUS_ENDPOINT_TYPE="blaze-and-sql"
 fi
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@ -19,18 +19,10 @@ services:
      - traefik-forward-auth
    labels:
      - "traefik.enable=true"
      # Router with Authentication
      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
      - "traefik.http.routers.id-manager.tls=true"
      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
      - "traefik.http.routers.id-manager.service=id-manager-service"
      # Router without Authentication
      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
      - "traefik.http.routers.id-manager-compatibility.tls=true"
      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
      # Definition of Service
      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
  patientlist:
    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
@ -65,7 +57,7 @@ services:
      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
  traefik-forward-auth:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
    environment:
      - http_proxy=http://forward_proxy:3128
      - https_proxy=http://forward_proxy:3128
@ -75,7 +67,6 @@ services:
      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
@ -101,12 +92,5 @@ services:
      forward_proxy:
        condition: service_healthy
  ccp-patient-project-identificator:
    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
    container_name: bridgehead-ccp-patient-project-identificator
    environment:
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
 volumes:
  patientlist-db-data:
--- a/ccp/modules/nngm-compose.yml
+++ b/ccp/modules/nngm-compose.yml
@ -12,6 +12,7 @@ services:
      CTS_API_KEY: ${NNGM_CTS_APIKEY}
      CRYPT_KEY: ${NNGM_CRYPTKEY}
      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
--- a/ccp/modules/obds2fhir-rest-compose.yml
+++ b/ccp/modules/obds2fhir-rest-compose.yml
@ -10,6 +10,7 @@ services:
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
--- a/ccp/modules/ovis-compose.yml
+++ b/ccp/modules/ovis-compose.yml
@ -1,112 +0,0 @@
 version: '3.7'
 services:
  ovis-traefik-forward-auth:
      image: quay.io/oauth2-proxy/oauth2-proxy:latest
      environment:
        - http_proxy=${http_proxy:-http://forward_proxy:3128}
        - https_proxy=${https_proxy:-http://forward_proxy:3128}
        - OAUTH2_PROXY_PROVIDER=oidc
        - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
        - OAUTH2_PROXY_OIDC_ISSUER_URL=${OAUTH_ISSUER_URL}
        - OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID}
        - OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
        - OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET}
        - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST:-localhost}
        - OAUTH2_PROXY_COOKIE_REFRESH=4m
        - OAUTH2_PROXY_COOKIE_EXPIRE=24h
        - OAUTH2_PROXY_HTTP_ADDRESS=:4180
        - OAUTH2_PROXY_REVERSE_PROXY=true
        - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST:-localhost}
        - OAUTH2_PROXY_UPSTREAMS=static://202
        - OAUTH2_PROXY_EMAIL_DOMAINS=*
        #- OAUTH2_PROXY_ALLOWED_GROUPS=app-ovis
        #- OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
        - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
        # For some reason, login.verbis.dkfz.de does not have a "groups" scope but this comes automatically through a
        # scope called microprofile-jwt. Remove the following line once we have a "groups" scope.
        - OAUTH2_PROXY_SCOPE=openid profile email
        # Pass Authorization Header and some user information to spot
        - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
        - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      labels:
        - "traefik.enable=true"
        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.address=http://ovis-traefik-forward-auth:4180"
        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email"
        - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
        - "traefik.http.routers.oauth2.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/oauth2-ovis/`)"
        - "traefik.http.routers.oauth2.tls=true"
  fhir-transformer:
    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-fhir-transformer:latest
    restart: on-failure
    environment:
      - FHIR_SERVER_URL=${FHIR_SERVER_URL:-http://bridgehead-ccp-blaze:8080/fhir}
      - FHIR_USERNAME=${FHIR_USERNAME}
      - FHIR_PASSWORD=${FHIR_PASSWORD}
    volumes:
      - /var/cache/bridgehead/ccp/ovis/shared_data:/app/output
  mongo:
    image: mongo:${MONGO_VER:-latest}
    restart: always
    command: mongod
      - /var/cache/bridgehead/ccp/ovis/mongo/init/init.js:/docker-entrypoint-initdb.d/init.js
  backend:
    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-backend:latest
    restart: always
    user: root
    working_dir: /app
    environment:
      - APOLLO_PORT=${APOLLO_PORT:-4001}
      - CREDOS_PORT=${CREDOS_PORT:-4000}
      - MONGO_VER=latest
      - CORS_ORIGIN=*
      - DB=${DB:-onc_test}
      - ADRESS=${ADRESS:-mongodb://mongo:27017}
    depends_on:
      - mongo
      - fhir-transformer
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:${APOLLO_PORT:-4001}/health"]
      interval: 5s
      timeout: 3s
      retries: 5
      start_period: 10s
    entrypoint: >
      sh -c "
        # First run the initialization process
        while [ ! -f /shared/omock.json ]; do
          echo 'Waiting for omock.json...'
          sleep 5
        done;
        mkdir -p ./prep &&
        cp /shared/omock.json ./prep/omock.json &&
        node ./mgDB/prep/preprocessor.mjs &&
        echo 'Processing complete' &&
        exec node --watch index.js"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ovis-backend.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/graphql`)"
      - "traefik.http.routers.ovis-backend.tls=true"
      - "traefik.http.services.ovis-backend.loadbalancer.server.port=${APOLLO_PORT:-4001}"
    volumes:
      - /var/cache/bridgehead/ccp/ovis/shared_data:/shared
  frontend:
    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-frontend:latest
    restart: always
    environment:
      - PUBLIC_GRAPHQL_URL=https://${HOST:-localhost}/graphql
    depends_on:
      backend:
        condition: service_healthy
    working_dir: /app
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ovis-frontend.tls=true"
      - "traefik.http.routers.ovis-frontend.rule=Host(`${HOST:-localhost}`)"
      - "traefik.http.routers.ovis-frontend.middlewares=traefik-forward-auth"
      - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173"
--- a/ccp/modules/ovis-setup.sh
+++ b/ccp/modules/ovis-setup.sh
@ -1,108 +0,0 @@
 #!/bin/bash -e
 if [ -n "$ENABLE_OVIS" ];then
    # Setup MongoDB initialization directory if it doesn't exist
    mkdir -p "/var/cache/bridgehead/ccp/ovis/mongo/init"
    # Generate MongoDB initialization script directly
    cat > "/var/cache/bridgehead/ccp/ovis/mongo/init/init.js" << 'EOF'
 db = db.getSiblingDB("test_credos");
 db.createCollection("user");
 db.user.insertMany([{
    "_id": "OVIS-Root",
    "createdAt": new Date(),
    "createdBy": "system",
    "role": "super-admin",
    "status": "active",
    "pseudonymization": false,
    "darkMode": false,
    "colorTheme": "CCCMunich",
    "language":  "de",
 }]);
 db = db.getSiblingDB("onc_test");
 db.createCollection("user");
 db.user.insertMany([{
    "_id": "OVIS-Root",
    "createdAt": new Date(),
    "createdBy": "system",
    "role": "super-admin",
    "status": "active",
    "pseudonymization": false,
    "darkMode": false,
    "colorTheme": "CCCMunich",
    "language":  "de",
 }]);
 db.ops.insertMany([
    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an Nervensystem und endokrinen Organen "},
    {"OPSC_4":"1-44","OPS_Gruppen_Text":"Biopsie ohne Inzision an den Verdauungsorganen"},
    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an anderen Organen und Geweben"},
    {"OPSC_4":"1-50","OPS_Gruppen_Text":"Biopsie an Haut, Mamma, Knochen und Muskeln durch Inzision"},
    {"OPSC_4":"1-51","OPS_Gruppen_Text":"Biopsie an Nervengewebe, Hypophyse, Corpus pineale durch Inzision und Trepanation von Schädelknochen "},
    {"OPSC_4":"1-55","OPS_Gruppen_Text":"Biopsie an anderen Verdauungsorganen, Zwerchfell und (Retro-)Peritoneum durch Inzision "},
    {"OPSC_4":"1-56","OPS_Gruppen_Text":"Biopsie an Harnwegen und männlichen Geschlechtsorgannen durch Inzision"},
    {"OPSC_4":"1-58","OPS_Gruppen_Text":"Biopsie an anderen Organen durch Inzision "},
    {"OPSC_4":"1-63","OPS_Gruppen_Text":"Diagnostische Endoskopie des oberen Verdauungstraktes"},
    {"OPSC_4":"1-65","OPS_Gruppen_Text":"Diagnostische Endoskopie des unteren Verdauungstraktes"},
    {"OPSC_4":"1-69","OPS_Gruppen_Text":"Diagnostische Endoskopie durch Inzision und intraoperativ "},
    {"OPSC_4":"5-01","OPS_Gruppen_Text":"Inzision (Trepanation) und Exzision an Schädel, Gehirn und Hirnhäuten"},
    {"OPSC_4":"5-02","OPS_Gruppen_Text":"Andere Operationen  an Schädel, Gehirn und Hirnhäuten"},
    {"OPSC_4":"5-03","OPS_Gruppen_Text":"Operationen an Rückenmark, Rückenmarkhäuten und Spinalkanal"},
    {"OPSC_4":"5-05","OPS_Gruppen_Text":"Andere Operationen an Nerven und Nervenganglien "},
    {"OPSC_4":"5-06","OPS_Gruppen_Text":"Operationen an Schilddrüse und Nebenschilddrüse "},
    {"OPSC_4":"5-07","OPS_Gruppen_Text":"Operationen an anderen endokrinen Drüsen "},
    {"OPSC_4":"5-20","OPS_Gruppen_Text":"Andere Operationen an Mittel- und Innenohr "},
    {"OPSC_4":"5-25","OPS_Gruppen_Text":"Operationen an der Zunge "},
    {"OPSC_4":"5-31","OPS_Gruppen_Text":"Andere Larynxoperationen und Operationen an der Trachea "},
    {"OPSC_4":"5-32","OPS_Gruppen_Text":"Exzision und Resektion an Lunge und Bronchus "},
    {"OPSC_4":"5-33","OPS_Gruppen_Text":"Andere Operationen an Lunge und Bronchus"},
    {"OPSC_4":"5-34","OPS_Gruppen_Text":"Operationen an Brustwand, Pleura, Mediastinum und Zwerchfell "},
    {"OPSC_4":"5-37","OPS_Gruppen_Text":"Rhythmuschirurgie und andere Operationen an Herz und Perikard"},
    {"OPSC_4":"5-38","OPS_Gruppen_Text":"Inzision, Exzision und Verschluß von Blutgefäßen "},
    {"OPSC_4":"5-39","OPS_Gruppen_Text":"Andere Operationen an Blutgefäßen "},
    {"OPSC_4":"5-40","OPS_Gruppen_Text":"Operationen am Lymphgewebe "},
    {"OPSC_4":"5-41","OPS_Gruppen_Text":"Operationen an Milz und Knochenmark "},
    {"OPSC_4":"5-42","OPS_Gruppen_Text":"Operationen am Ösophagus "},
    {"OPSC_4":"5-43","OPS_Gruppen_Text":"Inzision, Exzision und Resektion am Magen "},
    {"OPSC_4":"5-44","OPS_Gruppen_Text":"Erweiterte Magenresektion und andere Operationen am Magen "},
    {"OPSC_4":"5-45","OPS_Gruppen_Text":"Inzision, Exzision, Resektion und Anastomose an Dünn- und Dickdarm "},
    {"OPSC_4":"5-46","OPS_Gruppen_Text":"Andere Operationen an Dünn- und Dickdarm "},
    {"OPSC_4":"5-47","OPS_Gruppen_Text":"Operationen an der Appendix "},
    {"OPSC_4":"5-48","OPS_Gruppen_Text":"Operationen am Rektum "},
    {"OPSC_4":"5-49","OPS_Gruppen_Text":"Operationen am Anus "},
    {"OPSC_4":"5-50","OPS_Gruppen_Text":"Operationen an der Leber "},
    {"OPSC_4":"5-51","OPS_Gruppen_Text":"Operationen an Gallenblase und Gallenwegen "},
    {"OPSC_4":"5-52","OPS_Gruppen_Text":"Operationen am Pankreas "},
    {"OPSC_4":"5-53","OPS_Gruppen_Text":"Verschluß abdominaler Hernien "},
    {"OPSC_4":"5-54","OPS_Gruppen_Text":"Andere Operationen in der Bauchregion "},
    {"OPSC_4":"5-55","OPS_Gruppen_Text":"Operationen an der Niere "},
    {"OPSC_4":"5-56","OPS_Gruppen_Text":"Operationen am Ureter "},
    {"OPSC_4":"5-57","OPS_Gruppen_Text":"Operationen an der Harnblase "},
    {"OPSC_4":"5-59","OPS_Gruppen_Text":"Andere Operationen an den Harnorganen "},
    {"OPSC_4":"5-60","OPS_Gruppen_Text":"Operationen an Prostata und Vesiculae seminales "},
    {"OPSC_4":"5-61","OPS_Gruppen_Text":"Operationen an Skrotum und Tunica vaginalis testis"},
    {"OPSC_4":"5-62","OPS_Gruppen_Text":"Operationen am Hoden "},
    {"OPSC_4":"5-65","OPS_Gruppen_Text":"Operationen am Ovar "},
    {"OPSC_4":"5-68","OPS_Gruppen_Text":"Inzision, Exzision und Exstirpation des Uterus "},
    {"OPSC_4":"5-70","OPS_Gruppen_Text":"Operationen an Vagina und Douglasraum "},
    {"OPSC_4":"5-71","OPS_Gruppen_Text":"Operationen an der Vulva "},
    {"OPSC_4":"5-85","OPS_Gruppen_Text":"Operationen an Muskeln, Sehnen, Faszien und Schleimbeuteln"},
    {"OPSC_4":"5-87","OPS_Gruppen_Text":"Exzision und Resektion der Mamma "},
    {"OPSC_4":"5-89","OPS_Gruppen_Text":"Operationen an Haut und Unterhaut "},
    {"OPSC_4":"5-90","OPS_Gruppen_Text":"Operative Wiederherstellung und Rekonstruktion von Haut und Unterhaut"},
    {"OPSC_4":"5-91","OPS_Gruppen_Text":"Andere Operationen an Haut und Unterhaut "},
    {"OPSC_4":"5-93","OPS_Gruppen_Text":"Angaben zum Transplantat und zu verwendeten Materialien"},
    {"OPSC_4":"5-98","OPS_Gruppen_Text":"Spezielle Operationstechniken und Operationen bei speziellen Versorgungssituationen "},
    {"OPSC_4":"8-13","OPS_Gruppen_Text":"Manipulation am Harntrakt"},
    {"OPSC_4":"8-14","OPS_Gruppen_Text":"Therapeutische Kathedirisierung, Aspiration, Punktion und Spülung "},
    {"OPSC_4":"8-15","OPS_Gruppen_Text":"Therapeutische Aspiration und Entleerung durch Punktion "},
    {"OPSC_4":"8-17","OPS_Gruppen_Text":"Spülung (Lavage) "},
    {"OPSC_4":"8-19","OPS_Gruppen_Text":"Verbände "},
    {"OPSC_4":"8-77","OPS_Gruppen_Text":"Maßnahmen im Rahmen der Reanimation "},
    {"OPSC_4":"8-92","OPS_Gruppen_Text":"Neurologisches Monitoring "},
 ])
 EOF
    OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
 fi
--- a/dhki/docker-compose.yml
+++ b/dhki/docker-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-dhki-blaze
    environment:
      BASE_URL: "http://bridgehead-dhki-blaze:8080"
--- a/dhki/vars
+++ b/dhki/vars
@ -17,12 +17,4 @@ do
 done
 idManagementSetup
-obds2fhirRestSetup
+obds2fhirRestSetup
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 transfairSetup
--- a/docs/update-access-token.md
+++ b/docs/update-access-token.md
@ -1,42 +0,0 @@
 ## How to Change Config Access Token
 ### 1. Generate a New Access Token
 1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).  
 2. Navigate to the configuration repository for your site.  
 3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.  
   - **If expired**, create a new Access Token.  
 4. Configure the new Access Token with the following settings:  
   - **Expiration date**: One year from today, minus one day.  
   - **Role**: Developer.  
   - **Scope**: Only `read_repository`.  
 5. Save the newly generated Access Token in a secure location.  
 ---
 ### 2. Replace the Old Access Token
 1. Navigate to `/etc/bridgehead` in your system.  
 2. Run the following command to retrieve the current Git remote URL:  
   ```bash
   git remote get-url origin
   ```
   Example output:  
   ```
   https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 3. Replace `<old_access_token>` with your new Access Token in the URL.  
 4. Set the updated URL using the following command:  
   ```bash
   git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
   ```
 5. Start the Bridgehead update service by running:  
   ```bash
   systemctl start bridgehead-update@<project>
   ```
 6. View the output to ensure the update process is successful:  
   ```bash
   journalctl -u bridgehead-update@<project> -f
   ```
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-itcc-blaze
    environment:
      BASE_URL: "http://bridgehead-itcc-blaze:8080"
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@ -1,12 +1,8 @@
 version: "3.7"
 services:
  landing:
    deploy:
      replicas: 0 #deactivate landing page
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-kr-blaze
    environment:
      BASE_URL: "http://bridgehead-kr-blaze:8080"
--- a/kr/modules/lens-compose.yml
+++ b/kr/modules/lens-compose.yml
@ -1,8 +1,6 @@
 version: "3.7"
 services:
  landing:
    deploy:
      replicas: 1 #reactivate if lens is in use
    container_name: lens_federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@ -10,6 +10,7 @@ services:
      SALT: ${LOCAL_SALT}
      KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
      MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -116,7 +116,7 @@ assertVarsNotEmpty() {
 	MISSING_VARS=""
 	for VAR in $@; do
-		if [ -z "${!VAR}" ]; then
+	if [ -z "${!VAR}" ]; then
 			MISSING_VARS+="$VAR "
 		fi
 	done
@ -171,10 +171,8 @@ optimizeBlazeMemoryUsage() {
 		if [ $available_system_memory_chunks -eq 0 ]; then
 			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
 			export BLAZE_RESOURCE_CACHE_CAP=128000;
 			export BLAZE_CQL_CACHE_CAP=32;
 		else
 			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
 			export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));
 		fi
 	fi
 }
@ -318,7 +316,7 @@ function sync_secrets() {
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/oidc
+    source /var/cache/bridgehead/secrets/*
    set +a # Export variables in the regular way
 }
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -1,11 +0,0 @@
 #!/bin/bash
 [ "$1" = "get" ] || exit
 source /var/cache/bridgehead/secrets/gitlab_token
 # Any non-empty username works, only the token matters
 cat << EOF
 username=bk
 password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
 EOF
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@ -0,0 +1,41 @@
 #!/bin/bash
 if [ "$1" != "get" ]; then
 	echo "Usage: $0 get"
 	exit 1
 fi
 baseDir() {
 	# see https://stackoverflow.com/questions/59895
 	SOURCE=${BASH_SOURCE[0]}
 	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
 		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 		SOURCE=$(readlink "$SOURCE")
 		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
        done
        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
        echo $DIR
 }
 BASE=$(baseDir)
 cd $BASE
 source lib/functions.sh
 assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 if [ -z "${GIT_PASSWORD}" ]; then
 	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 cat <<EOF
 protocol=https
 host=$GITHOST
 username=bk-${SITE_ID}
 password=${GIT_PASSWORD}
 EOF
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -19,7 +19,7 @@ fi
 hc_send log "Checking for bridgehead updates ..."
-CONFFILE=/etc/bridgehead/$PROJECT.conf
+CONFFILE=/etc/bridgehead/$1.conf
 if [ ! -e $CONFFILE ]; then
  fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,43 +33,7 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
-# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 # If it is missing or expired, Secret Sync will create a new token and write it to the file.
 # The git credential helper reads the token from the file during git pull.
 mkdir -p /var/cache/bridgehead/secrets
 touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
 log "INFO" "Running Secret Sync for the GitLab token"
 docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
 docker run --rm \
  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
  -e NO_PROXY=localhost,127.0.0.1 \
  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
  -e PROXY_ID=$PROXY_ID \
  -e BROKER_URL=$BROKER_URL \
  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 if [ $? -eq 0 ]; then
  log "INFO" "Secret Sync was successful"
  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
  # Set the git credential helper
  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
 else
  log "WARN" "Secret Sync failed"
  # Remove the git credential helper
  git -C /etc/bridgehead config --unset credential.helper
 fi
 # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
 # Let's remove it to avoid confusion. This line can be removed at some point the future when we
 # believe that it was removed on all/most production servers.
 git -C /srv/docker/bridgehead config --unset credential.helper
 CHANGES=""
@ -81,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
  if [ -n "$OUT" ]; then
    report_error log "The working directory $DIR is modified. Changed files: $OUT"
  fi
  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
    log "INFO" "Configuring repo to use bridgehead git credential helper."
    git -C $DIR config credential.helper "$CREDHELPER"
  fi
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
    log "INFO" "Git is using no proxy!"
@ -90,8 +58,7 @@ for DIR in /etc/bridgehead $(pwd); do
    OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
  fi
  if [ $? -ne 0 ]; then
-    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
+    report_error log "Unable to update git $DIR: $OUT"
    report_error log "Unable to update git $DIR: $OUT_SAN"
  fi
  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@ -16,7 +16,7 @@ services:
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls=true"
--- a/minimal/modules/dnpm-central-targets.json
+++ b/minimal/modules/dnpm-central-targets.json
@ -1,142 +0,0 @@
 {
    "sites": [
        {
            "id": "UKFR",
            "name": "Freiburg",
            "virtualhost": "ukfr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKHD",
            "name": "Heidelberg",
            "virtualhost": "ukhd.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKT",
            "name": "Tübingen",
            "virtualhost": "ukt.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKU",
            "name": "Ulm",
            "virtualhost": "uku.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UM",
            "name": "Mainz",
            "virtualhost": "um.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKMR",
            "name": "Marburg",
            "virtualhost": "ukmr.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKE",
            "name": "Hamburg",
            "virtualhost": "uke.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKA",
            "name": "Aachen",
            "virtualhost": "uka.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "Charite",
            "name": "Berlin",
            "virtualhost": "charite.dnpm.de",
            "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MRI",
            "name": "Muenchen-tum",
            "virtualhost": "mri.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "KUM",
            "name": "Muenchen-lmu",
            "virtualhost": "kum.dnpm.de",
            "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "MHH",
            "name": "Hannover",
            "virtualhost": "mhh.dnpm.de",
            "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKDD",
            "name": "dresden-dnpm",
            "virtualhost": "ukdd.dnpm.de",
            "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKB",
            "name": "Bonn",
            "virtualhost": "ukb.dnpm.de",
            "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKD",
            "name": "Duesseldorf",
            "virtualhost": "ukd.dnpm.de",
            "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKK",
            "name": "Koeln",
            "virtualhost": "ukk.dnpm.de",
            "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UME",
            "name": "Essen",
            "virtualhost": "ume.dnpm.de",
            "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKM",
            "name": "Muenster",
            "virtualhost": "ukm.dnpm.de",
            "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKF",
            "name": "Frankfurt",
            "virtualhost": "ukf.dnpm.de",
            "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UMG",
            "name": "Goettingen",
            "virtualhost": "umg.dnpm.de",
            "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKW",
            "name": "Würzburg",
            "virtualhost": "ukw.dnpm.de",
            "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "UKSH",
            "name": "Schleswig-Holstein",
            "virtualhost": "uksh.dnpm.de",
            "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de"
        },
        {
            "id": "TKT",
            "name": "Test",
            "virtualhost": "tkt.dnpm.de",
            "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de"
        }
    ]
 }
--- a/minimal/modules/dnpm-compose.yml
+++ b/minimal/modules/dnpm-compose.yml
@ -29,7 +29,7 @@ services:
      PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
      APP_ID: dnpm-connect.${DNPM_PROXY_ID}
      DISCOVERY_URL: "./conf/central_targets.json"
-      LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
+      LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
      HTTP_PROXY: http://forward_proxy:3128
      HTTPS_PROXY: http://forward_proxy:3128
      NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@ -41,7 +41,7 @@ services:
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
-      - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
+      - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@ -1,99 +1,34 @@
 version: "3.7"
 services:
  dnpm-mysql:
    image: mysql:9
    healthcheck:
      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
      interval: 3s
      timeout: 5s
      retries: 5
    environment:
      MYSQL_ROOT_HOST: "%"
      MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD}
    volumes:
      - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql
  dnpm-authup:
    image: authup/authup:latest
    container_name: bridgehead-dnpm-authup
    volumes:
      - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable
    depends_on:
      dnpm-mysql:
        condition: service_healthy
    command: server/core start
    environment:
      - PUBLIC_URL=https://${HOST}/auth/
      - AUTHORIZE_REDIRECT_URL=https://${HOST}
      - ROBOT_ADMIN_ENABLED=true
      - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET}
      - ROBOT_ADMIN_SECRET_RESET=true
      - DB_TYPE=mysql
      - DB_HOST=dnpm-mysql
      - DB_USERNAME=root
      - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD}
      - DB_DATABASE=auth
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth/"
      - "traefik.http.routers.dnpm-auth.middlewares=authup-strip"
      - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)"
      - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-auth.tls=true"
  dnpm-portal:
    image: ghcr.io/dnpm-dip/portal:latest
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
      - NUXT_PUBLIC_API_URL=https://${HOST}/api/
      - NUXT_AUTHUP_URL=http://dnpm-authup:3000/
      - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000"
      - "traefik.http.routers.dnpm-frontend.tls=true"
  dnpm-backend:
    image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector
    container_name: bridgehead-dnpm-backend
    image: ghcr.io/dnpm-dip/backend:latest
    environment:
-      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
+      - ZPM_SITE=${ZPM_SITE}
-      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
+      - N_RANDOM_FILES=${DNPM_SYNTH_NUM}
      - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
    volumes:
-      - /etc/bridgehead/dnpm/config:/dnpm_config
+      - /etc/bridgehead/dnpm:/bwhc_config:ro
-      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
+      - ${DNPM_DATA_DIR}:/bwhc_data
    depends_on:
      dnpm-authup:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000"
+      - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)"
-      # expose everything
+      - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000"
-      - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)"
+      - "traefik.http.routers.bwhc-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.tls=true"
      - "traefik.http.routers.dnpm-backend.service=dnpm-backend"
      # except ETL
      - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-etl.tls=true"
      - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
      # this needs an ETL processor with support for basic auth
      - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
      # except peer-to-peer
      - "traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)"
      - "traefik.http.routers.dnpm-backend-peer.tls=true"
      - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend"
      - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer"
      # this effectively denies all requests
      # this is okay, because requests from peers don't go through Traefik
      - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32"
-  landing:
+  dnpm-frontend:
    image: ghcr.io/kohlbacherlab/bwhc-frontend:2209
    container_name: bridgehead-dnpm-frontend
    links:
      - dnpm-backend
    environment:
      - NUXT_HOST=0.0.0.0
      - NUXT_PORT=8080
      - BACKEND_PROTOCOL=https
      - BACKEND_HOSTNAME=$HOST
      - BACKEND_PORT=443
    labels:
-      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"
+      - "traefik.enable=true"
      - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)"
      - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080"
      - "traefik.http.routers.bwhc-frontend.tls=true"
--- a/minimal/modules/dnpm-node-setup.sh
+++ b/minimal/modules/dnpm-node-setup.sh
@ -1,16 +1,28 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
-	log INFO "DNPM setup detected -- will start DNPM:DIP node."
+	log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
 	OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 	# Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/<project>.conf
 	DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 	if [ -z "${ZPM_SITE+x}" ]; then
 		log ERROR "Mandatory variable ZPM_SITE not defined!"
 		exit 1
 	fi
-    mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
+	if [ -z "${DNPM_DATA_DIR+x}" ]; then
-    DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
+		log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
-    DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
+		exit 1
-    DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
+	fi
 	DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
 	if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
 		echo "Override of landing page url already in place"
 	else
 		echo "Adding override of landing page url"
 		if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
 			echo -e '  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		else
 			echo -e 'version: "3.7"\nservices:\n  landing:\n    labels:\n      - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
 		fi
 	fi
 fi
--- a/minimal/modules/nngm-compose.yml
+++ b/minimal/modules/nngm-compose.yml
@ -11,6 +11,7 @@ services:
      CTS_API_KEY: ${NNGM_CTS_APIKEY}
      CRYPT_KEY: ${NNGM_CRYPTKEY}
      #CTS_MAGICPL_SITE: ${SITE_ID}TODO
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"
--- a/minimal/modules/onko.root.pem
+++ b/minimal/modules/onko.root.pem
@ -0,0 +1,20 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUcGXxIZMxUOoI2kf8FArsOvQfvwwwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQxMDMxMDkxOTUwWhcNMzQx
 MDI5MDkyMDIwWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBALX+8X4r2mWki4HLs2E5dXR9oGL+8Zos1s9Rmeaz
 FgxnpKf6wlop4ZlJd01Pgi3HNFo7XPFi76zalRsHS+rWN3tOy6r5KIjCYiqPb3AY
 luZuy7jAQOBGHKODVfJH1QCRqsvEwRbOU6nNFAkMcjSxt5+PmwB1U7+Kvmly4sYI
 i4t/gyVvcfEsiZ5LYQ7IpEf+or2Ugpb6j4KlTn+gKFzSfgl+yRhE0bnFEf0eBa+r
 HLLpq4hL16+pb6/WZ4DfM9QDioX6Tj2Hje9Va4RJ2dROENuq5sJugdE28hH9qEwE
 2bmKh6qvblgwkI3rJFkYH+scBtLEUH0KJY+SZ1iYHkoEaCkCAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOe/txl3B7Sd
 NFE+615Z3rfzqBR4MB8GA1UdIwQYMBaAFOe/txl3B7SdNFE+615Z3rfzqBR4MBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQA3kVJlBOHn
 Tscsk1FKLYNWE/fr3oUNPUYzXi4lln+UNdRHSdXUPzBp4B5oIi3uymdYg2Rzq9Su
 /xjE7++thgQJ37l/DpCm/TUmUFfH5ZqcaMPA+L21mw9G129teCP1nVuXjtYhwnBk
 fRiz1tzpO1rZCxC+vxIhcPeYSKbaAQTywtJu0MpduGFrfIwLtrxa4GLRQFD06KPx
 Ijq6Pt6kC2abcYtKCMCWmpzttQAq4csWbmWINKkD6GMkuJVpzEx3csg8rCyPCaX0
 HedLiKRqaSOzDRnIWfD2CQX6qMg8TNtnxFnZTlc9honxnwcGaeLZKNEg+1oPA40V
 NOffBIMF4DAV
 -----END CERTIFICATE-----
--- a/minimal/modules/onkofdz-compose.yml
+++ b/minimal/modules/onkofdz-compose.yml
@ -0,0 +1,91 @@
 version: "3.7"
 services:
  beam-proxy:
    image: samply/beam-proxy:develop-sockets
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
      APP_beamsel_KEY: ${BEAMSEL_SECRET}
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/minimal/modules/onko.root.pem:/conf/root.crt.pem:ro
  postgres:
    image: postgres:9.5-alpine
    container_name: bridgehead-onkofdz-postgres
    environment:
      POSTGRES_DB: mainzelliste-sel
      POSTGRES_USER: mainzelliste-sel
      POSTGRES_PASSWORD: ${MAINZELLISTE_DB_PASSWORD}
    volumes:
      # - ./postgres-logs:/var/log/postgresql
      - ml-data:/var/lib/postgresql/data
    depends_on:
      - secureepilinker
  mainzelliste:
    image: medicalinformatics/mainzelliste:secureepilinker-alpha
    container_name: bridgehead-onkofdz-mainzelliste
    environment:
      ML_API_KEY: ${LOCAL_SEL_API_KEY}
      ML_DB_HOST: postgres
      ML_DB_PORT: 5432
      ML_DB_USER: mainzelliste-sel
      ML_DB_NAME: mainzelliste-sel
      ML_DB_PASS: ${MAINZELLISTE_DB_PASSWORD}
      ML_LOCAL_ID: ${SITE_ID}
      ML_LOCAL_SEL_URL: http://secureepilinker:8161
      ML_LOCAL_CALLBACK_LINK_URL: http://mainzelliste:8080/Communicator/linkCallback
      ML_LOCAL_CALLBACK_MATCH_URL: http://mainzelliste:8080/Communicator/matchCallback/${REMOTE_SEL_SITE}
      ML_LOCAL_DATA_SERVICE_URL: http://mainzelliste:8080/Communicator/getAllRecords
      ML_LOCAL_AUTHENTICATION_TYPE: apiKey
      ML_LOCAL_API_KEY: ${LOCAL_SEL_API_KEY}
      ML_SERVER_0_REMOTEID: ${REMOTE_SEL_SITE}
      ML_SERVER_0_IDTYPE: link-${SITE_ID}-${REMOTE_SEL_SITE}
      ML_SERVER_0_REMOTE_SEL_URL: http://beamsel:8080
      ML_SERVER_0_APIKEY: ${REMOTE_SEL_API_KEY}
      ### Linkage Service not used for matching
      ML_SERVER_0_LINKAGE_SERVICE_BASE_URL: ${LS_SEL_URL}
      ML_SERVER_0_LINKAGE_SERVICE_AUTH_TYPE: apiKey
      ML_SERVER_0_LINKAGE_SERVICE_SHARED_KEY: ${LS_SEL_SHARED_KEY}
      ML_LOG_MODE: stdout #stdout=stdout everything else =logging in mainzelliste.log
      ML_LOG_LEVEL: INFO
      no_proxy: "localhost,secureepilinker"
    volumes:
      # - ./logs:/usr/local/tomcat/logs/
      - /etc/bridgehead/onkofdz/config/mainzelliste.conf.docker:/run/secrets/mainzelliste.docker.conf
      - /etc/bridgehead/onkofdz/config/sel.conf.docker:/run/secrets/sel.docker.conf
    depends_on:
      - postgres
      - secureepilinker
  secureepilinker:
    image: docker.verbis.dkfz.de/onkofdz/secureepilinker:beamsel
    container_name: bridgehead-onkofdz-secureepilinker
    environment:
      no_proxy: "mainzelliste,beamsel"
    volumes:
      - "/etc/bridgehead/onkofdz/config/epilinker.serverconf.json:/data/serverconf.json"
    command: '-vvvv'
  beamsel:
    image: docker.verbis.dkfz.de/onkofdz/beam-sel
    container_name: bridgehead-onkofdz-beamsel
    environment:
      BEAM_URL: "http://beam-proxy:8081"
      BEAM_SECRET: ${BEAMSEL_SECRET}
      BEAM_ID: beamsel.${PROXY_ID}
      SEL_ADDR: "secureepilinker:8161"
    depends_on:
      - secureepilinker
 volumes:
  ml-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/minimal/modules/onkofdz-setup.sh
+++ b/minimal/modules/onkofdz-setup.sh
@ -0,0 +1,15 @@
 #!/bin/bash
 if [ -n "${ENABLE_ONKOFDZ}" ]; then
  BROKER_ID=test.broker.onkofdz.samply.de
  BROKER_URL=https://${BROKER_ID}
  PROXY_ID=${SITE_ID}.${BROKER_ID}
  BEAMSEL_SECRET="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
  SUPPORT_EMAIL=tobias.kussel@dkfz-heidelberg.de
  PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
  BROKER_URL_FOR_PREREQ=$BROKER_URL
  log INFO "Loading OnkoFDZ module"
  OVERRIDE+=" -f ./$PROJECT/modules/onkofdz-compose.yml"
 fi
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@ -1,51 +0,0 @@
 services:
  transfair:
    image: docker.verbis.dkfz.de/cache/samply/transfair:latest
    container_name: bridgehead-transfair
    environment:
      # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
      - INSTITUTE_TTP_URL
      - INSTITUTE_TTP_API_KEY
      - PROJECT_ID_SYSTEM
      - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
      - FHIR_INPUT_URL=${FHIR_INPUT_URL}
      - FHIR_OUTPUT_URL=${FHIR_OUTPUT_URL:-http://blaze:8080}
      - FHIR_REQUEST_CREDENTIALS=${FHIR_REQUEST_CREDENTIALS}
      - FHIR_INPUT_CREDENTIALS=${FHIR_INPUT_CREDENTIALS}
      - FHIR_OUTPUT_CREDENTIALS=${FHIR_OUTPUT_CREDENTIALS}
      - EXCHANGE_ID_SYSTEM=${EXCHANGE_ID_SYSTEM:-SESSION_ID}
      - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
      - RUST_LOG=${RUST_LOG:-info}
    volumes:
      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
  transfair-input-blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-transfair-input-blaze
    environment:
      BASE_URL: "http://bridgehead-transfair-input-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx1024m"
      DB_BLOCK_CACHE_SIZE: 1024
      CQL_EXPR_CACHE_SIZE: 8
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "transfair-input-blaze-data:/app/data"
    profiles: ["transfair-input-blaze"]
  transfair-request-blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-transfair-requests-blaze
    environment:
      BASE_URL: "http://bridgehead-transfair-requests-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx1024m"
      DB_BLOCK_CACHE_SIZE: 1024
      CQL_EXPR_CACHE_SIZE: 8
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "transfair-request-blaze-data:/app/data"
    profiles: ["transfair-request-blaze"]
 volumes:
  transfair-input-blaze-data:
  transfair-request-blaze-data:
--- a/modules/transfair-setup.sh
+++ b/modules/transfair-setup.sh
@ -1,22 +0,0 @@
 #!/bin/bash -e
 function transfairSetup() {
    if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
        echo "Starting transfair."
 	    OVERRIDE+=" -f ./modules/transfair-compose.yml"
 	    if [ -n "$FHIR_INPUT_URL" ]; then
 		    log INFO "TransFAIR input fhir store set to external $FHIR_INPUT_URL"
 	    else
 		    log INFO "TransFAIR input fhir store not set writing to internal blaze"
 		    FHIR_INPUT_URL="http://transfair-input-blaze:8080"
 		    OVERRIDE+=" --profile transfair-input-blaze"
 	    fi
 	    if [ -n "$FHIR_REQUEST_URL" ]; then
 		    log INFO "TransFAIR request fhir store set to external $FHIR_REQUEST_URL"
 	    else
 		    log INFO "TransFAIR request fhir store not set writing to internal blaze"
 		    FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
 		    OVERRIDE+=" --profile transfair-request-blaze"
 	    fi
    fi
 }
--- a/versions/prod
+++ b/versions/prod
@ -1,2 +0,0 @@
 FOCUS_TAG=main
 BEAM_TAG=main
--- a/versions/test
+++ b/versions/test
@ -1,2 +0,0 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
Author	SHA1	Message	Date
Tobias Kussel	2aad2ca9bf	Use onkofdz specific broker	2024-10-31 11:44:15 +00:00
Tobias Kussel	0c5298b2a3	add correct branch for onkofdz beam proxy	2024-10-14 07:59:03 +00:00
Tobias Kussel	4537bcf235	Set names for onkofdz containers	2024-10-14 07:59:03 +00:00
Tobias Kussel	f7b6dad0d2	fix onkofdz root cert path	2024-10-14 07:59:03 +00:00
Tobias Kussel	1e513113fe	fix typo in beamsel registration	2024-10-14 07:59:03 +00:00
Tobias Kussel	e433a234f7	add beamsel to onkofdz docker compose	2024-10-14 07:59:03 +00:00
Patrick Skowronek	4969360e49	Added onkofdz with test broker	2024-10-14 07:59:03 +00:00