From e273e97d9cfa1fb351743ae4db4227e2ee6a368d Mon Sep 17 00:00:00 2001
From: Martin Lablans <6804500+lablans@users.noreply.github.com>
Date: Mon, 17 Oct 2022 14:38:34 +0200
Subject: [PATCH 1/7] Certificate enrollment (#24)

---
 bridgehead           |  8 ++++++++
 ccp/vars             |  2 ++
 lib/functions.sh     |  2 +-
 lib/prerequisites.sh | 11 ++++++++++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bridgehead b/bridgehead
index 5c7d121..5548a7d 100755
--- a/bridgehead
+++ b/bridgehead
@@ -77,6 +77,14 @@ case "$ACTION" in
 	uninstall)
 		exec ./lib/remove-bridgehead-units.sh $PROJECT
 		;;
+	enroll)
+		if [ -e $PRIVATEKEYFILENAME ]; then
+			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
+			exit 1
+		fi
+		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
+		chmod 600 $PRIVATEKEYFILENAME
+		;;
 	preRun | preUpdate)
 		fixPermissions
 		;;
diff --git a/ccp/vars b/ccp/vars
index 4152fa4..ce12d1a 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
 SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
+SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/lib/functions.sh b/lib/functions.sh
index ded0cd9..5059829 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -19,7 +19,7 @@ checkOwner(){
 }
 
 printUsage() {
-	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
+	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
 	echo "PROJECTNAME should be one of ccp|nngm|gbn"
 }
 
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index f4fd3be..2709a6f 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -43,7 +43,7 @@ fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
-log INFO "Checking ssl cert"
+log INFO "Checking ssl cert for accessing bridgehead via https"
 
 if [ ! -d "certs" ]; then
   log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
@@ -60,6 +60,15 @@ if [ -e /etc/bridgehead/vault.conf ]; then
 	fi
 fi
 
+log INFO "Checking your beam proxy private key"
+
+if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+	log INFO "Success - private key found."
+else
+	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+	exit 1
+fi
+
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

From f8b9aed7f52b1c0774b94afbbac20d23aad612eb Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:09:18 +0200
Subject: [PATCH 2/7] Cleaning

---
 .gitignore             |   8 +--
 ccp/docker-compose.yml |   4 +-
 lib/generate.sh        | 116 -----------------------------------------
 lib/log.sh             |   0
 lib/prerequisites.sh   |  20 +++----
 site.dev.conf          |  11 ----
 6 files changed, 13 insertions(+), 146 deletions(-)
 delete mode 100755 lib/generate.sh
 mode change 100644 => 100755 lib/log.sh
 delete mode 100644 site.dev.conf

diff --git a/.gitignore b/.gitignore
index d6c86b5..2c4c7ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,10 +3,4 @@
 site-config/*
 
 ## Ignore site configuration
-config/**/*
-!config/**/*.default
-landing/*
-docker-compose.override.yml
-site.conf
-auth/*
-certs/*
+*/docker-compose.override.yml
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 65343d6..2539d8e 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,8 +25,8 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ../certs:/tools/certs
-      - ../lib/traefik-configuration/:/configuration
+      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 
   forward_proxy:
diff --git a/lib/generate.sh b/lib/generate.sh
deleted file mode 100755
index 9673055..0000000
--- a/lib/generate.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-
-if [ ! -d ./landing ]
-then 
-  mkdir landing
-fi
-
-if [ ! -f ./landing/index.html ]
-then
-  touch index.html
-fi
-
-CENTRAL_SERVICES="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
-          </tr>"
-
-LOCAL_SERVICES="          <tr>
-            <td>Bridgehead</td>
-            <td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
-          </tr>"
-
-if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
-then
-    CENTRAL_SERVICES+="          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
-          </tr>
-          <tr>
-            <td>CCP-IT</td>
-            <td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
-          </tr>
-          "
-fi
-
-if [ "$project" = "dktk-fed" ]
-then 
-    LOCAL_SERVICES+="         <tr>
-            <td>DKTK</td>
-            <td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
-          </tr>
-          "
-fi
-
-cat > ./landing/index.html <<EOL
-<html lang="en">
-
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <meta name="description" content="">
-  <title>Bridgehead Overview</title>
-  <!-- Bootstrap core CSS -->
-  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
-    integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
-  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
-    integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
-    crossorigin="anonymous"></script>
-
-</head>
-
-<body class="d-flex flex-column min-vh-100">
-
-  <nav class="navbar navbar-light" style="background-color: #aad7f6;">
-    <h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
-  </nav>
-  <div class="container px-4 py-5" id="featured-3">
-    <div>
-      <h2>Components</h2>
-      <h3>Central</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Group</th>
-            <th style="width: 50%">Service</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${CENTRAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-
-    <div>
-      <h3>Local</h3>
-      <table class="table">
-        <thead class="thead-dark">
-          <tr>
-            <th style="width: 50%">Project</th>
-            <th style="width: 50%">Services</th>
-          </tr>
-        </thead>
-        <tbody>
-          ${LOCAL_SERVICES}
-        </tbody>
-      </table>
-    </div>
-    <footer class="footer mt-auto py-3">
-     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
-    </footer>
-</body>
-
-</html>
-EOL
\ No newline at end of file
diff --git a/lib/log.sh b/lib/log.sh
old mode 100644
new mode 100755
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 2709a6f..689f383 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -45,28 +45,28 @@ fi
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "certs" ]; then
-  log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
-  mkdir -p certs
+if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
+  log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
+  mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "certs/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
-	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
+  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
-	fi
+  fi
 fi
 
 log INFO "Checking your beam proxy private key"
 
 if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
-	log INFO "Success - private key found."
+  log INFO "Success - private key found."
 else
-	log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
-	exit 1
+  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
+  exit 1
 fi
 
 log INFO "Success - all prerequisites are met!"
diff --git a/site.dev.conf b/site.dev.conf
deleted file mode 100644
index 94e315d..0000000
--- a/site.dev.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-### This is the configuration file for secrets, only your site should know
-
-##Setting Network properties
-export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
-export HOST=
-
-export site_name=
-### Write the Project you want to start with the brigdehead
-##Exmaple project=dktk-fed
-export project=

From 9658f6ed2e36a6c5aa0abcda95adfbec637bc702 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:21:12 +0200
Subject: [PATCH 3/7] Fix traefik cert

---
 ccp/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml
index 2539d8e..3116eac 100644
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@@ -25,7 +25,7 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - /etc/bridgehead/traefik-tls:/tools/certs:ro
+      - /etc/bridgehead/traefik-tls:/certs:ro
       - ../lib/traefik-configuration/:/configuration:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
 

From a8a33291a75527f8f6ecef0a47eacada2d7a75f4 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 15:30:43 +0200
Subject: [PATCH 4/7] Rename traefik certificate/key

---
 lib/prerequisites.sh                        | 4 ++--
 lib/traefik-configuration/certificates.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 689f383..2738620 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -50,8 +50,8 @@ if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "/etc/bridgehead/traefik-tls/traefik.crt" ]; then
-  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/traefik.key -out /etc/bridgehead/traefik-tls/traefik.crt -days 3650 -subj "/CN=$HOST"
+if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
+  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
 if [ -e /etc/bridgehead/vault.conf ]; then
diff --git a/lib/traefik-configuration/certificates.yaml b/lib/traefik-configuration/certificates.yaml
index eb9809a..2644333 100644
--- a/lib/traefik-configuration/certificates.yaml
+++ b/lib/traefik-configuration/certificates.yaml
@@ -1,4 +1,4 @@
 tls:
   certificates:
-    - certFile: /certs/traefik.crt
-      keyFile: /certs/traefik.key
+    - certFile: /certs/fullchain.pem
+      keyFile: /certs/privkey.pem

From f72a185dbba6cdd618f3e3e065b805d32e1b5555 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:07:25 +0200
Subject: [PATCH 5/7] Be more specific about what changed on an update

---
 lib/update-bridgehead.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index ef07590..eefa38a 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -19,6 +19,8 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
 
 CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
+CHANGES=""
+
 # Check git updates
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
@@ -39,7 +41,9 @@ for DIR in /etc/bridgehead $(pwd); do
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
-    log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
     git_repository_url="$(git -C $DIR remote get-url origin)"
@@ -63,14 +67,16 @@ docker_updated="false"
 for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
-    log "INFO" "$IMAGE updated."
+    CHANGE="Image $IMAGE updated."
+    CHANGES+="$CHANGE\n"
+    log "INFO" "$CHANGE"
     docker_updated="true"
   fi
 done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-  RES="Update detected, now restarting bridgehead"
+  RES="Updates detected, now restarting bridgehead:\n$CHANGES"
   log "INFO" "$RES"
   hc_send log "$RES"
   sudo /bin/systemctl restart bridgehead@*.service

From 17c6a2b0e0d2225393836dee2f666650cc887624 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Mon, 17 Oct 2022 16:11:34 +0200
Subject: [PATCH 6/7] Fix git update detection

---
 lib/update-bridgehead.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index eefa38a..dc108f5 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -22,6 +22,7 @@ CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 CHANGES=""
 
 # Check git updates
+git_updated="false"
 for DIR in /etc/bridgehead $(pwd); do
   log "INFO" "Checking for updates to git repo $DIR ..."
   if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
@@ -39,10 +40,9 @@ for DIR in /etc/bridgehead $(pwd); do
     git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
   fi
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
-  git_updated="false"
   if [ "$old_git_hash" != "$new_git_hash" ]; then
     CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
     # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
@@ -68,7 +68,7 @@ for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*im
   log "INFO" "Checking for Updates of Image: $IMAGE"
   if docker pull $IMAGE | grep "Downloaded newer image"; then
     CHANGE="Image $IMAGE updated."
-    CHANGES+="$CHANGE\n"
+    CHANGES+="- $CHANGE\n"
     log "INFO" "$CHANGE"
     docker_updated="true"
   fi

From 2b788358728a786a0739f412e51dfc15b4b8bad7 Mon Sep 17 00:00:00 2001
From: Martin Lablans <m.lablans@dkfz-heidelberg.de>
Date: Thu, 20 Oct 2022 16:55:05 +0200
Subject: [PATCH 7/7] Add housekeeping task (docker image cleanup)

---
 lib/update-bridgehead.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index dc108f5..e64abd6 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@@ -1,6 +1,17 @@
 #!/bin/bash
 source lib/functions.sh
 
+AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
+
+if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
+	A="Performing automatic maintenance: Cleaning docker images."
+	hc_send log "$A"
+	log INFO "$A"
+	docker system prune -a -f
+else
+	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
+fi
+
 hc_send log "Checking for bridgehead updates ..."
 
 CONFFILE=/etc/bridgehead/$1.conf