From 03f3f5ed94c00bf8c17ac17bbdd846e9a923ec55 Mon Sep 17 00:00:00 2001
From: Patrick Skowronek <patrick.skowronek@dkfz-heidelberg.de>
Date: Thu, 24 Mar 2022 09:57:31 +0100
Subject: [PATCH 1/3] Added new script for user bridgehead

---
 configure-bridgehead.sh | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 configure-bridgehead.sh

diff --git a/configure-bridgehead.sh b/configure-bridgehead.sh
new file mode 100644
index 0000000..e20dca9
--- /dev/null
+++ b/configure-bridgehead.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+useradd --home-dir /srv/docker/bridgehead -g docker -N -u 317 -s /sbin/nologin
\ No newline at end of file

From 5bacdf02fb786a126899745490247c57e6d258e0 Mon Sep 17 00:00:00 2001
From: root <root@e260-serv-05.inet.dkfz-heidelberg.de>
Date: Fri, 25 Mar 2022 10:41:15 +0100
Subject: [PATCH 2/3] Added user bridgehead and made changes to run bridghead
 as this user

---
 .gitignore                      |  8 ++-
 auth/dktk                       |  2 +
 dktk-fed/docker-compose.yml     | 15 ++++--
 landing/index.html              | 64 +++++++++++++++++++++++
 lib/generate.sh                 | 92 +++++++++++++++++++++------------
 lib/setup-bridgehead-units.sh   |  6 +--
 lib/systemd/bridgehead@.service |  8 +--
 7 files changed, 152 insertions(+), 43 deletions(-)

diff --git a/.gitignore b/.gitignore
index 8960758..c7b00ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,10 @@ config/**/*
 !config/**/*.default
 docker-compose.override.yml
 site.conf
-
+.bash_logout
+.bash_profile
+.bashrc
+.bash_history
+.rnd
+.pki/*
+.viminfo
\ No newline at end of file
diff --git a/auth/dktk b/auth/dktk
index e69de29..3bbeb89 100644
--- a/auth/dktk
+++ b/auth/dktk
@@ -0,0 +1,2 @@
+patrick:$2y$05$9tYlNuZEfCi1FrSUMYM0iOz8FEsHjg3QiPpr3ZfChL81rZ8IrZ0gK
+
diff --git a/dktk-fed/docker-compose.yml b/dktk-fed/docker-compose.yml
index 92cc932..f9148b8 100644
--- a/dktk-fed/docker-compose.yml
+++ b/dktk-fed/docker-compose.yml
@@ -1,5 +1,4 @@
 version: "3.7"
-
 services:
   traefik:
     container_name: bridgehead_traefik
@@ -7,13 +6,19 @@ services:
     command:
       - --api.insecure=true
       - --entrypoints.web.address=:80
-      - --entrypoints.web-secure.address=:443
+      - --entrypoints.websecure.address=:443
       - --providers.docker=true
+      - --providers.file.directory=/configuration/
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+      - --providers.file.watch=true
     ports:
       - 80:80
       - 443:443
       - 8080:8080
     volumes:
+      - ../certs:/tools/certs
+      - ../tools/traefik/:/configuration/
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ../auth/:/auth
     extra_hosts:
@@ -28,9 +33,10 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
       - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"
 
   blaze:
-    image: "samply/blaze:0.15"
+    image: "samply/blaze:0.16"
     container_name: bridgehead_dktk_blaze
     environment:
       BASE_URL: "http://blaze:8080"
@@ -46,7 +52,8 @@ services:
       - "traefik.http.middlewares.dktk_b_strip.stripprefix.prefixes=/dktk-localdatamanagement"
       - "traefik.http.services.blaze_dktk.loadbalancer.server.port=8080"
       - "traefik.http.routers.blaze_dktk.middlewares=dktk_b_strip,test-auth"
-  
+      - "traefik.http.routers.blaze_dktk.tls=true"
+   
   # dktk-fed-search-share:
   #   image: "ghcr.io/samply/dktk-fed-search-share:pr-1"
   #   container_name: bridgehead_dktk_share
diff --git a/landing/index.html b/landing/index.html
index e69de29..c652299 100644
--- a/landing/index.html
+++ b/landing/index.html
@@ -0,0 +1,64 @@
+<html lang="en">
+
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta name="description" content="">
+  <title>Bridgehead Overview</title>
+  <!-- Bootstrap core CSS -->
+  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
+    integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
+  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
+    integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
+    crossorigin="anonymous"></script>
+
+</head>
+
+<body class="d-flex flex-column min-vh-100">
+
+  <nav class="navbar navbar-light" style="background-color: #aad7f6;">
+    <h2 class="pb-2 border-bottom">Bridgehead </h2>
+  </nav>
+  <div class="container px-4 py-5" id="featured-3">
+    <div>
+      <h2>Components</h2>
+      <h3>Central</h3>
+      <table class="table">
+        <thead class="thead-dark">
+          <tr>
+            <th style="width: 50%">Group</th>
+            <th style="width: 50%">Service</th>
+          </tr>
+        </thead>
+        <tbody>
+                    <tr>
+            <td>CCP-IT</td>
+            <td><a href="https://monitor.vmitro.de/icingaweb2/dashboard">Monitoring Service</td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+
+    <div>
+      <h3>Local</h3>
+      <table class="table">
+        <thead class="thead-dark">
+          <tr>
+            <th style="width: 50%">Project</th>
+            <th style="width: 50%">Services</th>
+          </tr>
+        </thead>
+        <tbody>
+                    <tr>
+            <td>Bridgehead</td>
+            <td>Reverse Proxy <a href="http://:8080/">Traefik</a></td>
+          </tr>
+        </tbody>
+      </table>
+    </div>
+    <footer class="footer mt-auto py-3">
+     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
+    </footer>
+</body>
+
+</html>
diff --git a/lib/generate.sh b/lib/generate.sh
index aed7704..9673055 100755
--- a/lib/generate.sh
+++ b/lib/generate.sh
@@ -1,6 +1,60 @@
 #!/bin/bash
 
-cat > ../landing/index.html <<EOL
+if [ ! -d ./landing ]
+then 
+  mkdir landing
+fi
+
+if [ ! -f ./landing/index.html ]
+then
+  touch index.html
+fi
+
+CENTRAL_SERVICES="          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
+          </tr>"
+
+LOCAL_SERVICES="          <tr>
+            <td>Bridgehead</td>
+            <td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
+          </tr>"
+
+if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
+then
+    CENTRAL_SERVICES+="          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
+          </tr>
+          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
+          </tr>
+          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
+          </tr>
+          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
+          </tr>
+          <tr>
+            <td>CCP-IT</td>
+            <td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
+          </tr>
+          "
+fi
+
+if [ "$project" = "dktk-fed" ]
+then 
+    LOCAL_SERVICES+="         <tr>
+            <td>DKTK</td>
+            <td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
+          </tr>
+          "
+fi
+
+cat > ./landing/index.html <<EOL
 <html lang="en">
 
 <head>
@@ -17,7 +71,7 @@ cat > ../landing/index.html <<EOL
 
 </head>
 
-<body>
+<body class="d-flex flex-column min-vh-100">
 
   <nav class="navbar navbar-light" style="background-color: #aad7f6;">
     <h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
@@ -34,26 +88,7 @@ cat > ../landing/index.html <<EOL
           </tr>
         </thead>
         <tbody>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href="https://patientlist.ccp-it.dktk.dkfz.de">Zentrale Patientenliste</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href="https://decentralsearch.ccp-it.dktk.dkfz.de">Dezentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href="https://centralsearch.ccp-it.dktk.dkfz.de">Zentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href="https://deployment.ccp-it.dktk.dkfz.de">Deployment-Server</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href="https://dktk-kne.kgu.de">Zentraler Kontrollnummernerzeuger</td>
-          </tr>
+          ${CENTRAL_SERVICES}
         </tbody>
       </table>
     </div>
@@ -68,19 +103,12 @@ cat > ../landing/index.html <<EOL
           </tr>
         </thead>
         <tbody>
-          <tr>
-            <td>Bridgehead</td>
-            <td>Reverse Proxy <a href="http://e260-serv-05:8080/">Traefik</a></td>
-          </tr>
-          <tr>
-            <td>DKTK</td>
-            <td><a href="http://e260-serv-05/dktk-localdatamanagement/fhir/">Blaze</a></td>
-          </tr>
+          ${LOCAL_SERVICES}
         </tbody>
       </table>
     </div>
-    <footer class="footer mt-auto py-3 ">
-     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" height="10%" width="30%"></a> DKTK 2022
+    <footer class="footer mt-auto py-3">
+     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
     </footer>
 </body>
 
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index 7a6793c..a29599f 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -3,9 +3,7 @@
 
 source lib/functions.sh
 
-exitIfNotRoot
-
-if ! ./lib/prerequisites.sh; then
+if ! su bridgehead ./lib/prerequisites.sh; then
     log "Prerequisites failed, exiting"
     exit 1
 fi
@@ -20,6 +18,8 @@ cp -v \
 
 systemctl daemon-reload
 
+su bridgehead source ./lib/generate.sh
+
 echo
 
 if ! systemctl is-active --quiet bridgehead@"${project}"; then
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index 8563e4f..f1d9f6c 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -2,14 +2,16 @@
 Description=Bridgehead (%i) Service
 
 [Service]
+User=bridgehead
 Restart=always
 RestartSec=30
 
 WorkingDirectory=/srv/docker/bridgehead/
 
-ExecStartPre=/bin/bash -c '`which docker-compose` -f %i/docker-compose.yml --env-file site-config/%i.env down'
-ExecStart=/bin/bash -c '`which docker-compose` -f %i/docker-compose.yml --env-file site-config/%i.env up'
-ExecStop=/bin/bash -c '`which docker-compose` -f %i/docker-compose.yml --env-file site-config/%i.env down'
+ExecStartPre=/srv/docker/bridgehead/stop-bridgehead.sh %i
+ExecStart=/srv/docker/bridgehead/start-bridgehead.sh %i
+RemainAfterExit=true
+ExecStop=/srv/docker/bridgehead/stop-bridgehead.sh %i
 
 [Install]
 WantedBy=multi-user.target

From 26c9fc0cffd83d7e913c0974feeaeed7a0b9afc5 Mon Sep 17 00:00:00 2001
From: root <root@e260-serv-05.inet.dkfz-heidelberg.de>
Date: Wed, 4 May 2022 09:14:32 +0200
Subject: [PATCH 3/3] Moved all systemd untis to user bridgehead

---
 README.md                              | 15 +++++++++++++++
 lib/generate.sh                        |  5 -----
 lib/prerequisites.sh                   |  2 +-
 lib/setup-bridgehead-units.sh          |  4 +---
 lib/systemd/bridgehead-update@.service |  4 +++-
 lib/systemd/bridgehead@.service        |  1 -
 6 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 3464964..1cf4540 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,11 @@ sudo mkdir /srv/docker/;
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead;
 ```
 
+adduser --no-create-home --disabled-login --ingroup docker --gecos "" bridgehead
+ useradd -M -g docker -N -s /sbin/nologin bridgehead
+chown bridghead /srv/docker/bridgehead/ -R
+
+
 Next, you need to configure a set of variables, specific for your site with not so high security concerns. You can visit the configuration template at [GitHub](https://github.com/samply/bridgehead-config). You can download the repositories contents and add them to the "bridgehead-config" directory.
 
 ``` shell
@@ -98,6 +103,16 @@ sudo ./lib/setup-bridgehead-units.sh
 
 Finally, you need to configure your sites secrets. These are places as configuration for each bridgeheads system unit. Refer to the section for your specific project:
 
+### For Any Project you need to set the proxy in Update too
+
+``` conf
+[Service]
+Environment=http_proxy=
+Environment=https_proxy=
+```
+
+
+
 ### DKTK/C4
 You can create the site specific configuration with: 
 
diff --git a/lib/generate.sh b/lib/generate.sh
index 9673055..2d877d3 100755
--- a/lib/generate.sh
+++ b/lib/generate.sh
@@ -5,11 +5,6 @@ then
   mkdir landing
 fi
 
-if [ ! -f ./landing/index.html ]
-then
-  touch index.html
-fi
-
 CENTRAL_SERVICES="          <tr>
             <td>CCP-IT</td>
             <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 05a4c59..65ec9e6 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -4,7 +4,7 @@
 ## Check if user is a su
 echo "Welcome to the starting a bridgehead. We will get your instance up and running in no time"
 echo "First we will check if all prerequisites are met ..."
-prerequisites="git docker docker-compose cat"
+prerequisites="git docker docker-compose"
 for prerequisite in $prerequisites; do
   $prerequisite --version 2>&1
   is_available=$?
diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh
index a29599f..9b784ea 100755
--- a/lib/setup-bridgehead-units.sh
+++ b/lib/setup-bridgehead-units.sh
@@ -3,7 +3,7 @@
 
 source lib/functions.sh
 
-if ! su bridgehead ./lib/prerequisites.sh; then
+if ! ./lib/prerequisites.sh; then
     log "Prerequisites failed, exiting"
     exit 1
 fi
@@ -18,8 +18,6 @@ cp -v \
 
 systemctl daemon-reload
 
-su bridgehead source ./lib/generate.sh
-
 echo
 
 if ! systemctl is-active --quiet bridgehead@"${project}"; then
diff --git a/lib/systemd/bridgehead-update@.service b/lib/systemd/bridgehead-update@.service
index b568076..2948557 100644
--- a/lib/systemd/bridgehead-update@.service
+++ b/lib/systemd/bridgehead-update@.service
@@ -3,8 +3,10 @@ Description=Bridgehead (%i) Update Service
 
 [Service]
 Type=oneshot
+User=bridgehead
 WorkingDirectory=/srv/docker/bridgehead/
-ExecStart=/bin/bash -c "/srv/docker/bridgehead/update-bridgehead.sh %i"
+
+ExecStart=/srv/docker/bridgehead/update-bridgehead.sh %i
 
 [Install]
 WantedBy=multi-user.target
diff --git a/lib/systemd/bridgehead@.service b/lib/systemd/bridgehead@.service
index f1d9f6c..db14ecf 100644
--- a/lib/systemd/bridgehead@.service
+++ b/lib/systemd/bridgehead@.service
@@ -8,7 +8,6 @@ RestartSec=30
 
 WorkingDirectory=/srv/docker/bridgehead/
 
-ExecStartPre=/srv/docker/bridgehead/stop-bridgehead.sh %i
 ExecStart=/srv/docker/bridgehead/start-bridgehead.sh %i
 RemainAfterExit=true
 ExecStop=/srv/docker/bridgehead/stop-bridgehead.sh %i