add DSF v2.0.0-RC1 basis documentation

Author: schwzr

docs/src/.vuepress/layouts/PageLayout.vue

@@ -55,6 +55,7 @@ function navigateToNewVersion() {
       <div class="version-selector" v-if="route.path.startsWith('/operations/')">
         <label class="vp-sidebar-header" for="version-select"><strong>Version:</strong> </label>
         <select id="version-select" class="vp-sidebar-header" v-model="version" @change="navigateToNewVersion">
+        <option value="v2.0.0-RC1">2.0.0-RC1</option>
         <option value="v1.9.0">latest (1.9.0)</option>
         <option value="v1.8.0">1.8.0</option>
         <option value="v1.7.1">1.7.1</option>
@@ -70,7 +71,6 @@ function navigateToNewVersion() {
         <option value="v1.2.0">1.2.0</option>
         <option value="v1.1.0">1.1.0</option>
         <option value="v1.0.0">1.0.0</option>
-        <option value="v2.0.0-M4">2.0.0-M4</option>
       </select></div>
     </template>
     <PageContent id="main-content" class="vp-page"/>

docs/src/.vuepress/sidebar/operations-v1.ts

@@ -1,3 +1,76 @@
+export function generate_v2_latest_sidebar() {
+    return [
+      
+      {
+        text: "Get Started",
+        icon: "tool",
+        link: "./",
+      },
+      "release-notes", "install", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", {
+        text: "FHIR Reverse Proxy",
+        icon: "module",
+        children: [
+          {
+            icon: "config",
+            text: "Configuration",
+            link: "fhir-reverse-proxy/configuration",
+          }
+        ]},
+        {
+          text: "FHIR Server",
+          icon: "module",
+          prefix: "fhir/",
+          link: "fhir/",
+          children: [{
+  			icon: "config", 
+  			text: "Configuration",
+  			link: "configuration"
+  		}, {
+  			icon: "config",
+  			text: "Access Control",
+  			link: "access-control"
+  		}, {
+  			icon: "config",
+  			text: "OpenID Connect",
+  			link: "oidc"
+  			}]
+        }, {
+          text: "BPE Reverse Proxy",
+          icon: "module",
+          children: [
+            {
+              icon: "config",
+              text: "Configuration",
+              link: "bpe-reverse-proxy/configuration",
+            }
+          ]
+        }, {
+          text: "BPE Server",
+          icon: "module",
+          prefix: "bpe/",
+          link: "bpe/",
+          children: [{
+  			icon: "config", 
+  			text: "Configuration",
+  			link: "configuration"
+  		}, {
+  			icon: "config",
+  			text: "Access Control",
+  			link: "access-control"
+  		}, {
+  			icon: "config",
+  			text: "OpenID Connect",
+  			link: "oidc"
+  			}]
+        },
+        {
+          text: "Install Plugins",
+          icon: "plugin",
+          link: "install-plugins"
+      }]
+}
+
+
 export function generate_v1_latest_sidebar() {
     return [
 

docs/src/.vuepress/theme.ts

@@ -1,6 +1,6 @@
 import { slimsearchPlugin } from "@vuepress/plugin-slimsearch";
 import { hopeTheme } from "vuepress-theme-hope";
-import { generate_v1_latest_sidebar, generate_v1_gt_eq_1_7_0_sidebar, generate_v1_gt_eq_1_5_0_sidebar, generate_v1_gt_eq_1_0_0_sidebar } from "./sidebar/operations-v1";
+import { generate_v1_latest_sidebar, generate_v1_gt_eq_1_7_0_sidebar, generate_v1_gt_eq_1_5_0_sidebar, generate_v1_gt_eq_1_0_0_sidebar, generate_v2_latest_sidebar } from "./sidebar/operations-v1";
 
 export default hopeTheme({
   author: {
@@ -114,8 +114,7 @@ export default hopeTheme({
     "/operations/old-versions": [],
     "/operations/latest/": generate_v1_latest_sidebar(),
     "/operations/next/": [],
-    "/operations/v2.0.0-M4/": [],
-    "/operations/v2.0.0-M3/": [],
+    "/operations/v2.0.0-RC1/": generate_v2_latest_sidebar(),
     "/operations/v1.9.0/": generate_v1_latest_sidebar(),
     "/operations/v1.8.0/": generate_v1_gt_eq_1_7_0_sidebar(),
     "/operations/v1.7.1/": generate_v1_gt_eq_1_7_0_sidebar(),

docs/src/index.md

@@ -48,7 +48,7 @@ The Data Sharing Framework is entering an exciting new phase. With the upcoming
 ---
 
 **DSF 2.0 Announcement**
-We’re excited to announce that the next major release, DSF 2.0, is currently in development! This update brings significant improvements and new features designed to enhance performance and usability. In this article is a  summary of what to expect in the upcoming release. Upcomming datails will be available under [Operations](operations/v2.0.0-M3/index.md)
+We’re excited to announce that the next major release, DSF 2.0, is currently in development! This update brings significant improvements and new features designed to enhance performance and usability. In this article is a  summary of what to expect in the upcoming release. Upcoming datails will be available under [Operations](operations/v2.0.0-RC1/index.md)
 [Read more](/posts/2025-07-28-dsfv2-announcement)
 
 ---

docs/src/operations/v2.0.0-M3/index.md

@@ -0,0 +1,34 @@
+---
+title: Allow List Management
+icon: share
+---
+You can read all about the concept of Allow Lists [in our introduction](/explore/concepts/allow-list.md).
+
+## Overview
+To simplify the DSF Allow List Management we have built a portal for administration. The portal is managed by the GECKO Institute at Heilbronn University. You as an DSF administrator can create or update your Allow List information. The information you provide on this portal will be transferred to us and will be used to built Allow List bundles that get distributed to the communication partners of the distributed processes. 
+
+The DSF Allow List management tool uses client certificates for authentication. You can either use a personal client certificate or the client certificate from your DSF BPE, which needs to be added to your web-browsers certificate store.
+
+
+## Prerequisites
+1. Deployed DSF instance (test or production infrastructure)
+    1.1  If none exists yet, read [the installation guide](install)
+2. Certificate 
+    2.1  If none exists yet, read [the certificate requirements](install#client-server-certificates)
+3. Organization identifier, shortest FQDN of your organizations website, e.g. `my-hospital.de`
+4. FHIR endpoint URL, e.g. `https://dsf.my-hospital.de/fhir`
+5. Contact details from a responsible person of your organization
+6. Access to the E-Mail address from your organization for verification 
+ 
+
+## Start here
+When you have fulfilled all the prerequisites, you can start managing your Allow Lists via the environment specific Allow List Management Tool:
+
+- [**Test** infrastructure](https://allowlist-test.gecko.hs-heilbronn.de)
+- [**Production** infrastructure](https://allowlist.gecko.hs-heilbronn.de)
+
+We use different highlight colors for the DSF Allow List Management Tool: Green for the **Test** environment and blue for the **Production** infrastructure. To access the site, you have to authenticate yourself with a client certificate. Your web-browser will show a dialog to choose a valid certificate.
+
+::: tip Ideas for improvement?
+Have you found an error or is something unclear to you? Then please feel free to contact us on the <a href="https://mii.zulipchat.com/#narrow/stream/392426-Data-Sharing-Framework-.28DSF.29">MII-Zulip Channel</a> or write us at <a href="mailto:[email protected]">[email protected]</a>. Thank you very much!
+:::

docs/src/operations/v2.0.0-M4/index.md

@@ -0,0 +1,6 @@
+---
+title: BPE Reverse Proxy
+icon: module
+---
+## Overview
+- [Configuration Parameters](configuration)

docs/src/operations/v2.0.0-RC1/allowList-mgm.md

@@ -0,0 +1,99 @@
+---
+title: Configuration Parameters
+icon: config
+---
+
+### APP_SERVER_IP
+- **Required:** Yes
+- **Description:** Hostname or IP-Address of the DSF BPE server application container, the reverse proxy target
+- **Example:** `app`, `172.28.1.3`
+
+
+### HTTPS_SERVER_NAME_PORT
+- **Required:** Yes
+- **Description:** FQDN of your DSF BPE server with port, typically `443`
+- **Example:** `my-external.fqdn:443`
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_CONNECTION_TIMEOUT_WS
+- **Required:** No
+- **Description:** Connection timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a connection to be established
+- **Default:** `30` seconds
+
+
+### PROXY_PASS_TIMEOUT_HTTP
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server http connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### PROXY_PASS_TIMEOUT_WS
+- **Required:** No
+- **Description:** Timeout (seconds) for reverse proxy to app server ws connection, time the proxy waits for a reply
+- **Default:** `60` seconds
+
+
+### SERVER_CONTEXT_PATH
+- **Required:** No
+- **Description:** Reverse proxy context path that delegates to the app server, `/` character at start, no `/` character at end, use `''` (empty string) to configure root as context path
+- **Default:** `/bpe`
+
+
+### SSL_CA_CERTIFICATE_FILE
+- **Required:** No
+- **Description:** Certificate chain file including all issuing, intermediate and root certificates used to validate client certificates, PEM encoded, sets the apache httpd parameter `SSLCACertificateFile`
+- **Recommendation:** Use docker secret file to configure
+- **Default:** `ca/client_cert_ca_chains.pem`
+
+
+### SSL_CA_DN_REQUEST_FILE
+- **Required:** No
+- **Description:** File containing all signing certificates excepted, will be used to specify the `Acceptable client certificate CA names` send to the client, during TLS handshake, sets the apache httpd parameter `SSLCADNRequestFile`; if omitted all entries from `SSL_CA_CERTIFICATE_FILE` are used
+- **Recommendation:** Use docker secret file to configure
+- **Default:** `ca/client_cert_issuing_cas.pem`
+
+
+### SSL_CERTIFICATE_CHAIN_FILE
+- **Required:** No
+- **Description:** Certificate chain file, PEM encoded, must contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate), sets the apache httpd parameter `SSLCertificateChainFile`; can be omitted if either no chain is needed (self signed server certificate) or the file specified via `SSL_CERTIFICATE_FILE` contains the certificate chain
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_chain_file.pem`
+
+
+### SSL_CERTIFICATE_FILE
+- **Required:** Yes
+- **Description:** Server certificate file, PEM encoded, sets the apache httpd parameter `SSLCertificateFile`, may contain all certificates between the server certificate and the root ca certificate (excluding the root ca certificate). Omit `SSL_CERTIFICATE_CHAIN_FILE` if chain included
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_file.pem`
+
+
+### SSL_CERTIFICATE_KEY_FILE
+- **Required:** Yes
+- **Description:** Server certificate private key file, PEM encoded, unencrypted, sets the apache httpd parameter `SSLCertificateKeyFile`
+- **Recommendation:** Use docker secret file to configure
+- **Example:** `/run/secrets/ssl_certificate_key_file.pem`
+
+
+### SSL_EXPECTED_CLIENT_S_DN_C_VALUES
+- **Required:** No
+- **Description:** Expected client certificate subject DN country `C` values, must be a comma-separated list of strings in single quotation marks, e.g. `'DE', 'FR'`. If a client certificate with a not configured subject country `C` value is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'DE'`
+
+
+### SSL_EXPECTED_CLIENT_I_DN_CN_VALUES
+- **Required:** No
+- **Description:** Expected client certificate issuer DN common-name `CN` values, must be a comma-separated list of strings in single quotation marks. If a client certificate from a not configured issuing ca common-name is used, the server answers with a `403 Forbidden` status code
+- **Default:** `'GEANT TLS ECC 1', 'HARICA OV TLS ECC', 'GEANT TLS RSA 1', 'HARICA OV TLS RSA', 'GEANT S/MIME ECC 1', 'HARICA S/MIME ECC', 'GEANT S/MIME RSA 1', 'HARICA S/MIME RSA', 'DFN-Verein Global Issuing CA', 'Fraunhofer User CA - G02', 'D-TRUST SSL Class 3 CA 1 2009', 'Sectigo RSA Organization Validation Secure Server CA', 'GEANT OV RSA CA 4', 'GEANT Personal CA 4', 'GEANT eScience Personal CA 4', 'Sectigo ECC Organization Validation Secure Server CA', 'GEANT OV ECC CA 4', 'GEANT Personal ECC CA 4', 'GEANT eScience Personal ECC CA 4', 'D-TRUST Limited Basic CA 1-2 2019', 'D-TRUST Limited Basic CA 1-3 2019'`
+
+
+### SSL_VERIFY_CLIENT
+- **Required:** No
+- **Description:** Modifies the apache mod_ssl config parameter `SSLVerifyClient`
+- **Recommendation:** Set to `optional` when using OIDC authentication
+- **Default:** `require`

docs/src/operations/v2.0.0-RC1/bpe-reverse-proxy/README.md

@@ -0,0 +1,8 @@
+---
+title: BPE Server
+icon: module
+---
+## Overview
+- [Configuration Parameters](configuration)
+- [Access Control](access-control)
+- [OpenID Connect](oidc)