Create dependabot.yml

Merge pull request #390 from ClusterCockpit/dependabot/go_modules/golang.org/x/net-0.38.0
Bump golang.org/x/net from 0.36.0 to 0.38.0
2025-08-01 17:00:35 +02:00 · 2025-07-03 14:46:04 +02:00 · 2025-05-13 14:12:44 +02:00 · 2025-05-13 12:10:40 +00:00 · 2025-04-28 10:18:44 +02:00 · 2025-04-28 09:54:22 +02:00
312 changed files with 43586 additions and 19890 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "npm"
+    directory: "/web/frontend"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/Release.yml
+++ b/.github/workflows/Release.yml
@@ -1,331 +0,0 @@
-# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
-
-# Workflow name
-name: Release
-
-# Run on tag push
-on:
- push:
-  tags:
-  - '**'
-
-jobs:
-
-  #
-  # Build on AlmaLinux 8.5 using golang-1.18.2
-  #
-  AlmaLinux-RPM-build:
-    runs-on: ubuntu-latest
-    # See: https://hub.docker.com/_/almalinux
-    container: almalinux:8.5
-    # The job outputs link to the outputs of the 'rpmrename' step
-    # Only job outputs can be used in child jobs
-    outputs:
-      rpm : ${{steps.rpmrename.outputs.RPM}}
-      srpm : ${{steps.rpmrename.outputs.SRPM}}
-    steps:
-
-    # Use dnf to install development packages
-    - name: Install development packages
-      run: |
-          dnf --assumeyes group install "Development Tools" "RPM Development Tools"
-          dnf --assumeyes install wget openssl-devel diffutils delve which npm
-          dnf --assumeyes install 'dnf-command(builddep)'
-
-    # Checkout git repository and submodules
-    # fetch-depth must be 0 to use git describe
-    # See: https://github.com/marketplace/actions/checkout
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        submodules: recursive
-        fetch-depth: 0
-
-    # Use dnf to install build dependencies
-    - name: Install build dependencies
-      run: |
-          wget -q http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-bin-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-src-1.18.2-1.module_el8.7.0+1173+5d37c0fd.noarch.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/go-toolset-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm
-          rpm -i go*.rpm
-          npm install --global yarn rollup svelte rollup-plugin-svelte
-          #dnf --assumeyes builddep build/package/cc-backend.spec
-
-    - name: RPM build ClusterCockpit
-      id: rpmbuild
-      run: make RPM
-
-    # AlmaLinux 8.5 is a derivate of RedHat Enterprise Linux 8 (UBI8),
-    # so the created RPM both contain the substring 'el8' in the RPM file names
-    # This step replaces the substring 'el8' to 'alma85'. It uses the move operation
-    # because it is unclear whether the default AlmaLinux 8.5 container contains the 
-    # 'rename' command. This way we also get the new names for output.
-    - name: Rename RPMs (s/el8/alma85/)
-      id: rpmrename
-      run: |
-        OLD_RPM="${{steps.rpmbuild.outputs.RPM}}"
-        OLD_SRPM="${{steps.rpmbuild.outputs.SRPM}}"
-        NEW_RPM="${OLD_RPM/el8/alma85}"
-        NEW_SRPM=${OLD_SRPM/el8/alma85}
-        mv "${OLD_RPM}" "${NEW_RPM}"
-        mv "${OLD_SRPM}" "${NEW_SRPM}"
-        echo "::set-output name=SRPM::${NEW_SRPM}"
-        echo "::set-output name=RPM::${NEW_RPM}"
-
-    # See: https://github.com/actions/upload-artifact
-    - name: Save RPM as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend RPM for AlmaLinux 8.5
-        path: ${{ steps.rpmrename.outputs.RPM }}
-    - name: Save SRPM as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend SRPM for AlmaLinux 8.5
-        path: ${{ steps.rpmrename.outputs.SRPM }}
-
-  #
-  # Build on UBI 8 using golang-1.18.2
-  #
-  UBI-8-RPM-build:
-    runs-on: ubuntu-latest
-    # See: https://catalog.redhat.com/software/containers/ubi8/ubi/5c359854d70cc534b3a3784e?container-tabs=gti
-    container: registry.access.redhat.com/ubi8/ubi:8.5-226.1645809065
-    # The job outputs link to the outputs of the 'rpmbuild' step
-    outputs:
-      rpm : ${{steps.rpmbuild.outputs.RPM}}
-      srpm : ${{steps.rpmbuild.outputs.SRPM}}
-    steps:
-
-    # Use dnf to install development packages
-    - name: Install development packages
-      run: dnf --assumeyes --disableplugin=subscription-manager install rpm-build go-srpm-macros rpm-build-libs rpm-libs gcc make python38 git wget openssl-devel diffutils delve which
-
-    # Checkout git repository and submodules
-    # fetch-depth must be 0 to use git describe
-    # See: https://github.com/marketplace/actions/checkout
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        submodules: recursive
-        fetch-depth: 0
-
-    # Use dnf to install build dependencies
-    - name: Install build dependencies
-      run: |
-          wget -q http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-bin-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/golang-src-1.18.2-1.module_el8.7.0+1173+5d37c0fd.noarch.rpm \
-                  http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/go-toolset-1.18.2-1.module_el8.7.0+1173+5d37c0fd.x86_64.rpm
-          rpm -i go*.rpm
-          dnf --assumeyes --disableplugin=subscription-manager install npm
-          npm install --global yarn rollup svelte rollup-plugin-svelte
-          #dnf --assumeyes builddep build/package/cc-backend.spec
-
-    - name: RPM build ClusterCockpit
-      id: rpmbuild
-      run: make RPM
-
-    # See: https://github.com/actions/upload-artifact
-    - name: Save RPM as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend RPM for UBI 8
-        path: ${{ steps.rpmbuild.outputs.RPM }}
-    - name: Save SRPM as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend SRPM for UBI 8
-        path: ${{ steps.rpmbuild.outputs.SRPM }}
-
-  #
-  # Build on Ubuntu 20.04 using official go 1.19.1 package
-  #
-  Ubuntu-focal-build:
-    runs-on: ubuntu-latest
-    container: ubuntu:20.04
-    # The job outputs link to the outputs of the 'debrename' step
-    # Only job outputs can be used in child jobs
-    outputs:
-      deb : ${{steps.debrename.outputs.DEB}}
-    steps:
-    # Use apt to install development packages
-    - name: Install development packages
-      run: |
-          apt update && apt --assume-yes upgrade
-          apt --assume-yes install build-essential sed git wget bash
-          apt --assume-yes install npm
-          npm install --global yarn rollup svelte rollup-plugin-svelte
-    # Checkout git repository and submodules
-    # fetch-depth must be 0 to use git describe
-    # See: https://github.com/marketplace/actions/checkout
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        submodules: recursive
-        fetch-depth: 0
-    # Use official golang package
-    - name: Install Golang
-      run: |
-          wget -q https://go.dev/dl/go1.19.1.linux-amd64.tar.gz
-          tar -C /usr/local -xzf go1.19.1.linux-amd64.tar.gz
-          export PATH=/usr/local/go/bin:/usr/local/go/pkg/tool/linux_amd64:$PATH
-          go version
-    - name: DEB build ClusterCockpit
-      id: dpkg-build
-      run: |
-          ls -la
-          pwd
-          env
-          export PATH=/usr/local/go/bin:/usr/local/go/pkg/tool/linux_amd64:$PATH
-          git config --global --add safe.directory $(pwd)
-          make DEB
-    - name: Rename DEB (add '_ubuntu20.04')
-      id: debrename
-      run: |
-        OLD_DEB_NAME=$(echo "${{steps.dpkg-build.outputs.DEB}}" | rev | cut -d '.' -f 2- | rev)
-        NEW_DEB_FILE="${OLD_DEB_NAME}_ubuntu20.04.deb"
-        mv "${{steps.dpkg-build.outputs.DEB}}" "${NEW_DEB_FILE}"
-        echo "::set-output name=DEB::${NEW_DEB_FILE}"
-    # See: https://github.com/actions/upload-artifact
-    - name: Save DEB as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend DEB for Ubuntu 20.04
-        path: ${{ steps.debrename.outputs.DEB }}
-
-  #
-  # Build on Ubuntu 20.04 using official go 1.19.1 package
-  #
-  Ubuntu-jammy-build:
-    runs-on: ubuntu-latest
-    container: ubuntu:22.04
-    # The job outputs link to the outputs of the 'debrename' step
-    # Only job outputs can be used in child jobs
-    outputs:
-      deb : ${{steps.debrename.outputs.DEB}}
-    steps:
-    # Use apt to install development packages
-    - name: Install development packages
-      run: |
-          apt update && apt --assume-yes upgrade
-          apt --assume-yes install build-essential sed git wget bash npm
-          npm install --global yarn rollup svelte rollup-plugin-svelte
-    # Checkout git repository and submodules
-    # fetch-depth must be 0 to use git describe
-    # See: https://github.com/marketplace/actions/checkout
-    - name: Checkout
-      uses: actions/checkout@v2
-      with:
-        submodules: recursive
-        fetch-depth: 0
-    # Use official golang package
-    - name: Install Golang
-      run: |
-          wget -q https://go.dev/dl/go1.19.1.linux-amd64.tar.gz
-          tar -C /usr/local -xzf go1.19.1.linux-amd64.tar.gz
-          export PATH=/usr/local/go/bin:/usr/local/go/pkg/tool/linux_amd64:$PATH
-          go version
-    - name: DEB build ClusterCockpit
-      id: dpkg-build
-      run: |
-          ls -la
-          pwd
-          env
-          export PATH=/usr/local/go/bin:/usr/local/go/pkg/tool/linux_amd64:$PATH
-          git config --global --add safe.directory $(pwd)
-          make DEB
-    - name: Rename DEB (add '_ubuntu22.04')
-      id: debrename
-      run: |
-        OLD_DEB_NAME=$(echo "${{steps.dpkg-build.outputs.DEB}}" | rev | cut -d '.' -f 2- | rev)
-        NEW_DEB_FILE="${OLD_DEB_NAME}_ubuntu22.04.deb"
-        mv "${{steps.dpkg-build.outputs.DEB}}" "${NEW_DEB_FILE}"
-        echo "::set-output name=DEB::${NEW_DEB_FILE}"
-    # See: https://github.com/actions/upload-artifact
-    - name: Save DEB as artifact
-      uses: actions/upload-artifact@v2
-      with:
-        name: cc-backend DEB for Ubuntu 22.04
-        path: ${{ steps.debrename.outputs.DEB }}
-
-  #
-  # Create release with fresh RPMs
-  #
-  Release:
-    runs-on: ubuntu-latest
-    # We need the RPMs, so add dependency
-    needs: [AlmaLinux-RPM-build, UBI-8-RPM-build, Ubuntu-focal-build, Ubuntu-jammy-build]
-
-    steps:
-    # See: https://github.com/actions/download-artifact
-    - name: Download AlmaLinux 8.5 RPM
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend RPM for AlmaLinux 8.5
-    - name: Download AlmaLinux 8.5 SRPM
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend SRPM for AlmaLinux 8.5
-    
-    - name: Download UBI 8 RPM
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend RPM for UBI 8
-    - name: Download UBI 8 SRPM
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend SRPM for UBI 8
-
-    - name: Download Ubuntu 20.04 DEB
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend DEB for Ubuntu 20.04
-
-    - name: Download Ubuntu 22.04 DEB
-      uses: actions/download-artifact@v2
-      with:
-        name: cc-backend DEB for Ubuntu 22.04
-
-    # The download actions do not publish the name of the downloaded file,
-    # so we re-use the job outputs of the parent jobs. The files are all
-    # downloaded to the current folder.
-    # The gh-release action afterwards does not accept file lists but all
-    # files have to be listed at 'files'. The step creates one output per
-    # RPM package (2 per distro)
-    - name: Set RPM variables
-      id: files
-      run: |
-        ALMA_85_RPM=$(basename "${{ needs.AlmaLinux-RPM-build.outputs.rpm}}")
-        ALMA_85_SRPM=$(basename "${{ needs.AlmaLinux-RPM-build.outputs.srpm}}")
-        UBI_8_RPM=$(basename "${{ needs.UBI-8-RPM-build.outputs.rpm}}")
-        UBI_8_SRPM=$(basename "${{ needs.UBI-8-RPM-build.outputs.srpm}}")
-        U_2004_DEB=$(basename "${{ needs.Ubuntu-focal-build.outputs.deb}}")
-        U_2204_DEB=$(basename "${{ needs.Ubuntu-jammy-build.outputs.deb}}")
-        echo "ALMA_85_RPM::${ALMA_85_RPM}"
-        echo "ALMA_85_SRPM::${ALMA_85_SRPM}"
-        echo "UBI_8_RPM::${UBI_8_RPM}"
-        echo "UBI_8_SRPM::${UBI_8_SRPM}"
-        echo "U_2004_DEB::${U_2004_DEB}"
-        echo "U_2204_DEB::${U_2204_DEB}"
-        echo "::set-output name=ALMA_85_RPM::${ALMA_85_RPM}"
-        echo "::set-output name=ALMA_85_SRPM::${ALMA_85_SRPM}"
-        echo "::set-output name=UBI_8_RPM::${UBI_8_RPM}"
-        echo "::set-output name=UBI_8_SRPM::${UBI_8_SRPM}"
-        echo "::set-output name=U_2004_DEB::${U_2004_DEB}"
-        echo "::set-output name=U_2204_DEB::${U_2204_DEB}"
-
-    # See: https://github.com/softprops/action-gh-release
-    - name: Release
-      uses: softprops/action-gh-release@v1
-      if: startsWith(github.ref, 'refs/tags/')
-      with:
-        name: cc-backend-${{github.ref_name}}
-        files: |
-         ${{ steps.files.outputs.ALMA_85_RPM }}
-         ${{ steps.files.outputs.ALMA_85_SRPM }}
-         ${{ steps.files.outputs.UBI_8_RPM }}
-         ${{ steps.files.outputs.UBI_8_SRPM }}
-         ${{ steps.files.outputs.U_2004_DEB }}
-         ${{ steps.files.outputs.U_2204_DEB }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,7 +7,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v4
        with:
-          go-version: 1.19.x
+          go-version: 1.24.x
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build, Vet & Test
--- a/.gitignore
+++ b/.gitignore
@@ -1,16 +1,23 @@
 /cc-backend
-
-/var/job-archive
-/var/*.db
-/var/machine-state
-
 /.env
 /config.json

+/var/job-archive
+/var/machine-state
+/var/job.db-shm
+/var/job.db-wal
+/var/*.db
+/var/*.txt
+
 /web/frontend/public/build
 /web/frontend/node_modules
-/.vscode/*
+
 /archive-migration
 /archive-manager
-var/job.db-shm
-var/job.db-wal
+
+/internal/repository/testdata/job.db-shm
+/internal/repository/testdata/job.db-wal
+
+/.vscode/*
+dist/
+*.db
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -0,0 +1,93 @@
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+    goarch:
+      - amd64
+    goamd64:
+      - v3
+    id: "cc-backend"
+    binary: cc-backend
+    main: ./cmd/cc-backend
+    ldflags:
+      - -s -w -X main.version={{.Version}}
+      - -X main.commit={{.Commit}} -X main.date={{.Date}}
+      - -linkmode external -extldflags -static
+    tags:
+      - static_build
+    hooks:
+      pre: make frontend
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+    goamd64:
+      - v3
+    id: "archive-manager"
+    binary: archive-manager
+    main: ./tools/archive-manager
+    tags:
+      - static_build
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+    goamd64:
+      - v3
+    id: "gen-keypair"
+    binary: gen-keypair
+    main: ./tools/gen-keypair
+    tags:
+      - static_build
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of uname.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+checksum:
+  name_template: "checksums.txt"
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    include:
+      - "^feat:"
+      - "^fix:"
+      - "^sec:"
+      - "^docs:"
+  groups:
+    - title: "Dependency updates"
+      regexp: '^.*?(feat|fix)\(deps\)!?:.+$'
+      order: 300
+    - title: "New Features"
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 100
+    - title: "Security updates"
+      regexp: '^.*?sec(\([[:word:]]+\))??!?:.+$'
+      order: 150
+    - title: "Bug fixes"
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 200
+    - title: "Documentation updates"
+      regexp: ^.*?doc(\([[:word:]]+\))??!?:.+$
+      order: 400
+release:
+  draft: false
+  footer: |
+    Supports job archive version 2 and database version 8.
+    Please check out the [Release Notes](https://github.com/ClusterCockpit/cc-backend/blob/master/ReleaseNotes.md) for further details on breaking changes.
+
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2022 NHR@FAU, University Erlangen-Nuremberg
+Copyright (c) NHR@FAU, University Erlangen-Nuremberg

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/124
+++ b/124
@@ -2,10 +2,10 @@ TARGET = ./cc-backend
 VAR = ./var
 CFG = config.json .env
 FRONTEND = ./web/frontend
-VERSION = 1.0.0
+VERSION = 1.4.4
 GIT_HASH := $(shell git rev-parse --short HEAD || echo 'development')
 CURRENT_TIME = $(shell date +"%Y-%m-%d:T%H:%M:%S")
-LD_FLAGS = '-s -X main.buildTime=${CURRENT_TIME} -X main.version=${VERSION} -X main.hash=${GIT_HASH}'
+LD_FLAGS = '-s -X main.date=${CURRENT_TIME} -X main.version=${VERSION} -X main.commit=${GIT_HASH}'

 EXECUTABLES = go npm
 K := $(foreach exec,$(EXECUTABLES),\
@@ -24,11 +24,21 @@ SVELTE_COMPONENTS = status   \
 SVELTE_TARGETS = $(addprefix $(FRONTEND)/public/build/,$(addsuffix .js, $(SVELTE_COMPONENTS)))
 SVELTE_SRC = $(wildcard $(FRONTEND)/src/*.svelte)                 \
 			 $(wildcard $(FRONTEND)/src/*.js)                     \
-			 $(wildcard $(FRONTEND)/src/filters/*.svelte) \
-			 $(wildcard $(FRONTEND)/src/plots/*.svelte)   \
-			 $(wildcard $(FRONTEND)/src/joblist/*.svelte)
+			 $(wildcard $(FRONTEND)/src/analysis/*.svelte)        \
+			 $(wildcard $(FRONTEND)/src/config/*.svelte)          \
+			 $(wildcard $(FRONTEND)/src/config/admin/*.svelte)    \
+			 $(wildcard $(FRONTEND)/src/config/user/*.svelte)     \
+			 $(wildcard $(FRONTEND)/src/generic/*.js)             \
+			 $(wildcard $(FRONTEND)/src/generic/*.svelte)         \
+			 $(wildcard $(FRONTEND)/src/generic/filters/*.svelte) \
+			 $(wildcard $(FRONTEND)/src/generic/plots/*.svelte)   \
+			 $(wildcard $(FRONTEND)/src/generic/joblist/*.svelte) \
+			 $(wildcard $(FRONTEND)/src/generic/helper/*.svelte)  \
+			 $(wildcard $(FRONTEND)/src/generic/select/*.svelte)  \
+			 $(wildcard $(FRONTEND)/src/header/*.svelte)          \
+			 $(wildcard $(FRONTEND)/src/job/*.svelte)

-.PHONY: clean test tags $(TARGET)
+.PHONY: clean distclean test tags frontend swagger graphql $(TARGET)

 .NOTPARALLEL:

@@ -36,6 +46,19 @@ $(TARGET): $(VAR) $(CFG) $(SVELTE_TARGETS)
 	$(info ===>  BUILD cc-backend)
 	@go build -ldflags=${LD_FLAGS} ./cmd/cc-backend

+frontend:
+	$(info ===>  BUILD frontend)
+	cd web/frontend && npm install && npm run build
+
+swagger:
+	$(info ===>  GENERATE swagger)
+	@go run github.com/swaggo/swag/cmd/swag init -d ./internal/api,./pkg/schema -g rest.go -o ./api
+	@mv ./api/docs.go ./internal/api/docs.go
+
+graphql:
+	$(info ===>  GENERATE graphql)
+	@go run github.com/99designs/gqlgen
+
 clean:
 	$(info ===>  CLEAN)
 	@go clean
@@ -59,7 +82,7 @@ tags:
 	@ctags -R

 $(VAR):
-	@mkdir $(VAR)
+	@mkdir -p $(VAR)

 config.json:
 	$(info ===>  Initialize config.json file)
@@ -72,90 +95,3 @@ config.json:
 $(SVELTE_TARGETS): $(SVELTE_SRC)
 	$(info ===>  BUILD frontend)
 	cd web/frontend && npm install && npm run build
-
-install: $(TARGET)
-	@WORKSPACE=$(PREFIX)
-	@if [ -z "$${WORKSPACE}" ]; then exit 1; fi
-	@mkdir --parents --verbose $${WORKSPACE}/usr/$(BINDIR)
-	@install -Dpm 755 $(TARGET) $${WORKSPACE}/usr/$(BINDIR)/$(TARGET)
-	@install -Dpm 600 configs/config.json $${WORKSPACE}/etc/$(TARGET)/$(TARGET).json
-
-.ONESHELL:
-.PHONY: RPM
-RPM: build/package/cc-backend.spec
-	@WORKSPACE="$${PWD}"
-	@SPECFILE="$${WORKSPACE}/build/package/cc-backend.spec"
-	# Setup RPM build tree
-	@eval $$(rpm --eval "ARCH='%{_arch}' RPMDIR='%{_rpmdir}' SOURCEDIR='%{_sourcedir}' SPECDIR='%{_specdir}' SRPMDIR='%{_srcrpmdir}' BUILDDIR='%{_builddir}'")
-	@mkdir --parents --verbose "$${RPMDIR}" "$${SOURCEDIR}" "$${SPECDIR}" "$${SRPMDIR}" "$${BUILDDIR}"
-	# Create source tarball
-	@COMMITISH="HEAD"
-	@VERS=$$(git describe --tags $${COMMITISH})
-	@VERS=$${VERS#v}
-	@VERS=$$(echo $$VERS | sed -e s+'-'+'_'+g)
-	@if [ "$${VERS}" = "" ]; then VERS="$(VERSION)"; fi
-	@eval $$(rpmspec --query --queryformat "NAME='%{name}' VERSION='%{version}' RELEASE='%{release}' NVR='%{NVR}' NVRA='%{NVRA}'" --define="VERS $${VERS}" "$${SPECFILE}")
-	@PREFIX="$${NAME}-$${VERSION}"
-	@FORMAT="tar.gz"
-	@SRCFILE="$${SOURCEDIR}/$${PREFIX}.$${FORMAT}"
-	@git archive --verbose --format "$${FORMAT}" --prefix="$${PREFIX}/" --output="$${SRCFILE}" $${COMMITISH}
-	# Build RPM and SRPM
-	@rpmbuild -ba --define="VERS $${VERS}" --rmsource --clean "$${SPECFILE}"
-	# Report RPMs and SRPMs when in GitHub Workflow
-	@if [ "$${GITHUB_ACTIONS}" = true ]; then
-	@     RPMFILE="$${RPMDIR}/$${ARCH}/$${NVRA}.rpm"
-	@     SRPMFILE="$${SRPMDIR}/$${NVR}.src.rpm"
-	@     echo "RPM: $${RPMFILE}"
-	@     echo "SRPM: $${SRPMFILE}"
-	@     echo "::set-output name=SRPM::$${SRPMFILE}"
-	@     echo "::set-output name=RPM::$${RPMFILE}"
-	@fi
-
-.ONESHELL:
-.PHONY: DEB
-DEB: build/package/cc-backend.deb.control
-	@BASEDIR=$${PWD}
-	@WORKSPACE=$${PWD}/.dpkgbuild
-	@DEBIANDIR=$${WORKSPACE}/debian
-	@DEBIANBINDIR=$${WORKSPACE}/DEBIAN
-	@mkdir --parents --verbose $$WORKSPACE $$DEBIANBINDIR
-	#@mkdir --parents --verbose $$DEBIANDIR
-	@CONTROLFILE="$${BASEDIR}/build/package/cc-backend.deb.control"
-	@COMMITISH="HEAD"
-	@VERS=$$(git describe --tags --abbrev=0 $${COMMITISH})
-	@VERS=$${VERS#v}
-	@VERS=$$(echo $$VERS | sed -e s+'-'+'_'+g)
-	@if [ "$${VERS}" = "" ]; then VERS="$(VERSION)"; fi
-	@ARCH=$$(uname -m)
-	@ARCH=$$(echo $$ARCH | sed -e s+'_'+'-'+g)
-	@if [ "$${ARCH}" = "x86-64" ]; then ARCH=amd64; fi
-	@PREFIX="$${NAME}-$${VERSION}_$${ARCH}"
-	@SIZE_BYTES=$$(du -bcs --exclude=.dpkgbuild "$${WORKSPACE}"/ | awk '{print $$1}' | head -1 | sed -e 's/^0\+//')
-	@SIZE="$$(awk -v size="$$SIZE_BYTES" 'BEGIN {print (size/1024)+1}' | awk '{print int($$0)}')"
-	#@sed -e s+"{VERSION}"+"$$VERS"+g -e s+"{INSTALLED_SIZE}"+"$$SIZE"+g -e s+"{ARCH}"+"$$ARCH"+g $$CONTROLFILE > $${DEBIANDIR}/control
-	@sed -e s+"{VERSION}"+"$$VERS"+g -e s+"{INSTALLED_SIZE}"+"$$SIZE"+g -e s+"{ARCH}"+"$$ARCH"+g $$CONTROLFILE > $${DEBIANBINDIR}/control
-	@mkdir --parents --verbose "$${WORKSPACE}"/$(VAR)
-	@touch "$${WORKSPACE}"/$(VAR)/job.db
-	@cd web/frontend && yarn install && yarn build && cd -
-	@go build -ldflags=${LD_FLAGS} ./cmd/cc-backend
-	@mkdir --parents --verbose $${WORKSPACE}/usr/$(BINDIR)
-	@cp $(TARGET) $${WORKSPACE}/usr/$(BINDIR)/$(TARGET)
-	@chmod 0755 $${WORKSPACE}/usr/$(BINDIR)/$(TARGET)
-	@mkdir --parents --verbose $${WORKSPACE}/etc/$(TARGET)
-	@cp configs/config.json $${WORKSPACE}/etc/$(TARGET)/$(TARGET).json
-	@chmod 0600 $${WORKSPACE}/etc/$(TARGET)/$(TARGET).json
-	@mkdir --parents --verbose $${WORKSPACE}/usr/lib/systemd/system
-	@cp build/package/$(TARGET).service $${WORKSPACE}/usr/lib/systemd/system/$(TARGET).service
-	@chmod 0644 $${WORKSPACE}/usr/lib/systemd/system/$(TARGET).service
-	@mkdir --parents --verbose $${WORKSPACE}/etc/default
-	@cp build/package/$(TARGET).config $${WORKSPACE}/etc/default/$(TARGET)
-	@chmod 0600 $${WORKSPACE}/etc/default/$(TARGET)
-	@mkdir --parents --verbose $${WORKSPACE}/usr/lib/sysusers.d
-	@cp build/package/$(TARGET).sysusers $${WORKSPACE}/usr/lib/sysusers.d/$(TARGET).conf
-	@chmod 0644 $${WORKSPACE}/usr/lib/sysusers.d/$(TARGET).conf
-	@DEB_FILE="cc-metric-store_$${VERS}_$${ARCH}.deb"
-	@dpkg-deb -b $${WORKSPACE} "$$DEB_FILE"
-	@rm -r "$${WORKSPACE}"
-	@if [ "$${GITHUB_ACTIONS}" = "true" ]; then
-	@     echo "::set-output name=DEB::$${DEB_FILE}"
-	@fi
--- a/README.md
+++ b/README.md
@@ -1,67 +1,101 @@
+# NOTE
+
+Please have a look at the [Release
+Notes](https://github.com/ClusterCockpit/cc-backend/blob/master/ReleaseNotes.md)
+for breaking changes!
+
 # ClusterCockpit REST and GraphQL API backend

 [![Build](https://github.com/ClusterCockpit/cc-backend/actions/workflows/test.yml/badge.svg)](https://github.com/ClusterCockpit/cc-backend/actions/workflows/test.yml)

-This is a Golang backend implementation for a REST and GraphQL API according to the [ClusterCockpit specifications](https://github.com/ClusterCockpit/cc-specifications).
-It also includes a web interface for ClusterCockpit.
-While there is a backend for the InfluxDB timeseries database, the only tested and supported setup is using cc-metric-store as a mtric data backend.
-We will add documentation how to integrate ClusterCockpit with other timeseries databases in the future.
-This implementation replaces the previous PHP Symfony based ClusterCockpit web-interface.
-[Here](https://github.com/ClusterCockpit/ClusterCockpit/wiki/Why-we-switched-from-PHP-Symfony-to-a-Golang-based-solution) is a discussion of the reasons why we switched from PHP Symfony to a Golang based solution.
+This is a Golang backend implementation for a REST and GraphQL API according to
+the [ClusterCockpit
+specifications](https://github.com/ClusterCockpit/cc-specifications). It also
+includes a web interface for ClusterCockpit. This implementation replaces the
+previous PHP Symfony based ClusterCockpit web interface. The reasons for
+switching from PHP Symfony to a Golang based solution are explained
+[here](https://github.com/ClusterCockpit/ClusterCockpit/wiki/Why-we-switched-from-PHP-Symfony-to-a-Golang-based-solution).

 ## Overview

-This is a golang web backend for the ClusterCockpit job-specific performance monitoring framework.
-It provides a REST API for integrating ClusterCockpit with a HPC cluster batch system and external analysis scripts.
-Data exchange between the web frontend and backend is based on a GraphQL API.
-The web frontend is also served by the backend using [Svelte](https://svelte.dev/) components.
-Layout and styling is based on [Bootstrap 5](https://getbootstrap.com/) using [Bootstrap Icons](https://icons.getbootstrap.com/).
-The backend uses [SQLite 3](https://sqlite.org/) as relational SQL database by default.
-It can optionally use a MySQL/MariaDB database server.
-Finished batch jobs are stored in a file-based job archive following [this specification](https://github.com/ClusterCockpit/cc-specifications/tree/master/job-archive).
-The backend supports authentication using local accounts or an external LDAP directory.
-Authorization for APIs is implemented using [JWT](https://jwt.io/) tokens created with public/private key encryption.
+This is a Golang web backend for the ClusterCockpit job-specific performance
+monitoring framework. It provides a REST API for integrating ClusterCockpit with
+an HPC cluster batch system and external analysis scripts. Data exchange between
+the web front-end and the back-end is based on a GraphQL API. The web frontend
+is also served by the backend using [Svelte](https://svelte.dev/) components.
+Layout and styling are based on [Bootstrap 5](https://getbootstrap.com/) using
+[Bootstrap Icons](https://icons.getbootstrap.com/).

-You find more detailed information here:
-* `./configs/README.md`: Infos about configuration and setup of cc-backend.
-* `./init/README.md`: Infos on how to setup cc-backend as systemd service on Linux.
-* `./tools/README.md`: Infos on the JWT authorizatin token workflows in ClusterCockpit.
-* `./docs`: You can find further documentation here. There is also a Hands-on tutorial that is recommended to get familiar with the ClusterCockpit setup.
+The backend uses [SQLite 3](https://sqlite.org/) as a relational SQL database by
+default. Optionally it can use a MySQL/MariaDB database server. While there are
+metric data  backends for the InfluxDB and Prometheus time series databases, the
+only tested and supported setup is to use cc-metric-store as the metric data
+backend. Documentation on how to integrate ClusterCockpit with other time series
+databases will be added in the future.

-**NOTICE**
+Completed batch jobs are stored in a file-based job archive according to
+[this specification](https://github.com/ClusterCockpit/cc-specifications/tree/master/job-archive).
+The backend supports authentication via local accounts, an external LDAP
+directory, and JWT tokens. Authorization for APIs is implemented with
+[JWT](https://jwt.io/) tokens created with public/private key encryption.

-ClusterCockpit requires a recent version of the golang toolchain and node.js.
-You can check in `go.mod` what is the current minimal golang version required.
-Homebrew and Archlinux usually have up to date golang versions. For other Linux
-distros this often means you have to install the golang compiler yourself.
-Fortunatly this is easy with golang. Since a lot of functionality is based on
-the go standard library it is crucial for security and performance to use a
-recent golang version. Also an old golang tool chain may restrict the supported
-versions of third party packages.
+You find a detailed documentation on the [ClusterCockpit
+Webpage](https://clustercockpit.org).

-## Demo Setup
+## Build requirements

-We provide a shell skript that downloads demo data and automatically builds and
-starts cc-backend. You need `wget`, `go`, `node`, `npm` in your path to start
-the demo. The demo will download 32MB of data (223MB on disk).
+ClusterCockpit requires a current version of the golang toolchain and node.js.
+You can check `go.mod` to see what is the current minimal golang version needed.
+Homebrew and Archlinux usually have current golang versions. For other Linux
+distros this often means that you have to install the golang compiler yourself.
+Fortunately, this is easy with golang. Since much of the functionality is based
+on the Go standard library, it is crucial for security and performance to use a
+current version of golang. In addition, an old golang toolchain may limit the supported
+versions of third-party packages.
+
+## How to try ClusterCockpit with a demo setup
+
+We provide a shell script that downloads demo data and automatically starts the
+cc-backend. You will need `wget`, `go`, `node`, `npm` in your path to
+start the demo. The demo downloads 32MB of data (223MB on disk).

 ```sh
 git clone https://github.com/ClusterCockpit/cc-backend.git
 cd ./cc-backend
 ./startDemo.sh
 ```
-You can access the web interface at http://localhost:8080.
-Credentials for login: `demo:demo`.
-Please note that some views do not work without a metric backend (e.g., the Systems and Status view).

-## Howto Build and Run
+You can also try the demo using the latest release binary.
+Create a folder and put the release binary `cc-backend` into this folder.
+Execute the following steps:

-There is a Makefile to automate the build of cc-backend. The Makefile supports the following targets:
-* `$ make`: Initialize `var` directory and build svelte frontend and backend binary. Please note that there is no proper prerequesite handling. Any change of frontend source files will trigger a complete rebuild.
-* `$ make clean`: Clean go build cache and remove binary
-* `$ make test`: Run the tests that are also run in the GitHub workflow setup.
+``` shell
+./cc-backend -init
+vim config.json (Add a second cluster entry and name the clusters alex and fritz)
+wget https://hpc-mover.rrze.uni-erlangen.de/HPC-Data/0x7b58aefb/eig7ahyo6fo2bais0ephuf2aitohv1ai/job-archive-demo.tar
+tar xf job-archive-demo.tar
+./cc-backend -init-db -add-user demo:admin:demo -loglevel info
+./cc-backend -server -dev -loglevel info
+```
+
+You can access the web interface at [http://localhost:8080](http://localhost:8080).
+Credentials for login are `demo:demo`.
+Please note that some views do not work without a metric backend (e.g., the
+Analysis, Systems and Status views).
+
+## How to build and run
+
+There is a Makefile to automate the build of cc-backend. The Makefile supports
+the following targets:
+
+* `make`: Initialize `var` directory and build svelte frontend and backend
+binary. Note that there is no proper prerequisite handling. Any change of
+frontend source files will result in a complete rebuild.
+* `make clean`: Clean go build cache and remove binary.
+* `make test`: Run the tests that are also run in the GitHub workflow setup.
+
+A common workflow for setting up cc-backend from scratch is:

-A common workflow to setup cc-backend fron scratch is:
 ```sh
 git clone https://github.com/ClusterCockpit/cc-backend.git

@@ -72,87 +106,63 @@ make
 # EDIT THE .env FILE BEFORE YOU DEPLOY (Change the secrets)!
 # If authentication is disabled, it can be empty.
 cp configs/env-template.txt  .env
-vim ./.env
+vim .env

-cp configs/config.json ./
-vim ./config.json
+cp configs/config.json .
+vim config.json

 #Optional: Link an existing job archive:
 ln -s <your-existing-job-archive> ./var/job-archive

 # This will first initialize the job.db database by traversing all
-# `meta.json` files in the job-archive and add a new user. `--no-server` will cause the
-# executable to stop once it has done that instead of starting a server.
-./cc-backend --init-db --add-user <your-username>:admin:<your-password>
+# `meta.json` files in the job-archive and add a new user.
+./cc-backend -init-db -add-user <your-username>:admin:<your-password>

-# Start a HTTP server (HTTPS can be enabled, the default port is 8080).
+# Start a HTTP server (HTTPS can be enabled in the configuration, the default port is 8080).
 # The --dev flag enables GraphQL Playground (http://localhost:8080/playground) and Swagger UI (http://localhost:8080/swagger).
-./cc-backend --server  --dev
+./cc-backend -server  -dev

 # Show other options:
-./cc-backend --help
+./cc-backend -help
 ```
-### Run as systemd daemon

-In order to run this program as a daemon, cc-backend ships with an [example systemd setup](./init/README.md).
+## Project file structure

-## Configuration and Setup
-
-cc-backend can be used as a local web-interface for an existing job archive or as a general web-interface server for a live ClusterCockpit Monitoring framework.
-
-Create your job-archive according to [this specification](https://github.com/ClusterCockpit/cc-specifications/tree/master/job-archive).
-At least one cluster with a valid `cluster.json` file is required.
-Having no jobs in the job-archive at all is fine.
-
-### Configuration
-
-A config file in the JSON format has to be provided using `--config` to override the defaults.
-By default, if there is a `config.json` file in the current directory of the `cc-backend` process, it will be loaded even without the `--config` flag.
-You find documentation of all supported configuration and command line options [here](./configs/README.md).
-
-## Database initialization and migration
-
-Every cc-backend version supports a specific database version.
-On startup the version of the sqlite database is validated and cc-backend will terminate if the version does not match.
-cc-backend supports to migrate the database schema up to the required version using the `--migrate-db` command line option.
-In case the database file does not yet exist it is created and initialized by the `--migrate-db` command line option.
-In case you want to use a newer database version with an older version of cc-backend you can downgrade a database using the external [migrate](https://github.com/golang-migrate/migrate) tool.
-In this case you have to provide the path to the migration files in a recent source tree: `./internal/repository/migrations/`.
-
-## Development
-In case the REST or GraphQL API is changed the according code generators have to be used.
-
-### Update GraphQL schema
-
-This project uses [gqlgen](https://github.com/99designs/gqlgen) for the GraphQL API.
-The schema can be found in `./api/schema.graphqls`.
-After changing it, you need to run `go run github.com/99designs/gqlgen` which will update `./internal/graph/model`.
-In case new resolvers are needed, they will be inserted into `./internal/graph/schema.resolvers.go`, where you will need to implement them.
-If you start cc-backend with flag `--dev` the GraphQL Playground UI is available at http://localhost:8080/playground .
-
-### Update Swagger UI
-
-This project integrates [swagger ui](https://swagger.io/tools/swagger-ui/) to document and test its REST API.
-The swagger doc files can be found in `./api/`.
-You can generate the configuration of swagger-ui by running `go run github.com/swaggo/swag/cmd/swag init -d ./internal/api,./pkg/schema  -g rest.go -o ./api `.
-You need to move the generated `./api/doc.go` to `./internal/api/doc.go`.
-If you start cc-backend with flag `--dev` the Swagger UI is available at http://localhost:8080/swagger/ .
-You have to enter a JWT key for a user with role API.
-
-**NOTICE** The user owning the JWT token must not be logged in the same browser (have a running session), otherwise Swagger requests will not work. It is recommended to create a separate user that has just the API role.
-
-## Project Structure
-
- `api/` contains the API schema files for the REST and GraphQL APIs. The REST API is documented in the OpenAPI 3.0 format in [./api/openapi.yaml](./api/openapi.yaml).
- `cmd/cc-backend` contains `main.go` for the main application.
- `cmd/gen-keypair` contains is a small application to generate a compatible JWT keypair includin a README about JWT setup in ClusterCockpit.
- `configs/` contains documentation about configuration and command line options and required environment variables. An example configuration file is provided.
- `init/` contains an example systemd setup for production use.
- `internal/` contains library source code that is not intended to be used by others.
- `pkg/` contains go packages that can also be used by other projects.
- `test/` Test apps and test data.
- `web/` Server side templates and frontend related files:
-   - `templates` Serverside go templates
-   - `frontend` Svelte components and static assets for frontend UI
- `gqlgen.yml` configures the behaviour and generation of [gqlgen](https://github.com/99designs/gqlgen).
- `startDemo.sh` is a shell script that sets up demo data, and builds and starts cc-backend.
+* [`api/`](https://github.com/ClusterCockpit/cc-backend/tree/master/api)
+contains the API schema files for the REST and GraphQL APIs. The REST API is
+documented in the OpenAPI 3.0 format in
+[./api/openapi.yaml](./api/openapi.yaml).
+* [`cmd/cc-backend`](https://github.com/ClusterCockpit/cc-backend/tree/master/cmd/cc-backend)
+contains `main.go` for the main application.
+* [`configs/`](https://github.com/ClusterCockpit/cc-backend/tree/master/configs)
+contains documentation about configuration and command line options and required
+environment variables. A sample configuration file is provided.
+* [`docs/`](https://github.com/ClusterCockpit/cc-backend/tree/master/docs)
+contains more in-depth documentation.
+* [`init/`](https://github.com/ClusterCockpit/cc-backend/tree/master/init)
+contains an example of setting up systemd for production use.
+* [`internal/`](https://github.com/ClusterCockpit/cc-backend/tree/master/internal)
+contains library source code that is not intended for use by others.
+* [`pkg/`](https://github.com/ClusterCockpit/cc-backend/tree/master/pkg)
+contains Go packages that can be used by other projects.
+* [`tools/`](https://github.com/ClusterCockpit/cc-backend/tree/master/tools)
+Additional command line helper tools.
+  * [`archive-manager`](https://github.com/ClusterCockpit/cc-backend/tree/master/tools/archive-manager)
+  Commands for getting infos about and existing job archive.
+  * [`convert-pem-pubkey`](https://github.com/ClusterCockpit/cc-backend/tree/master/tools/convert-pem-pubkey)
+  Tool to convert external pubkey for use in `cc-backend`.
+  * [`gen-keypair`](https://github.com/ClusterCockpit/cc-backend/tree/master/tools/gen-keypair)
+  contains a small application to generate a compatible JWT keypair. You find
+  documentation on how to use it
+  [here](https://github.com/ClusterCockpit/cc-backend/blob/master/docs/JWT-Handling.md).
+* [`web/`](https://github.com/ClusterCockpit/cc-backend/tree/master/web)
+Server-side templates and frontend-related files:
+  * [`frontend`](https://github.com/ClusterCockpit/cc-backend/tree/master/web/frontend)
+  Svelte components and static assets for the frontend UI
+  * [`templates`](https://github.com/ClusterCockpit/cc-backend/tree/master/web/templates)
+  Server-side Go templates
+* [`gqlgen.yml`](https://github.com/ClusterCockpit/cc-backend/blob/master/gqlgen.yml)
+Configures the behaviour and generation of
+[gqlgen](https://github.com/99designs/gqlgen).
+* [`startDemo.sh`](https://github.com/ClusterCockpit/cc-backend/blob/master/startDemo.sh)
+is a shell script that sets up demo data, and builds and starts `cc-backend`.
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@@ -1,27 +1,47 @@
-# `cc-backend` version 1.0.0
+# `cc-backend` version 1.4.4

-Supports job archive version 1 and database version 4.
+Supports job archive version 2 and database version 8.

-This is the initial release of `cc-backend`, the API backend and frontend
+This is a bug fix release of `cc-backend`, the API backend and frontend
 implementation of ClusterCockpit.
+For release specific notes visit the [ClusterCockpit Documentation](https://clusterockpit.org/docs/release/).

-**Breaking changes**
+## Breaking changes

-The aggregate job statistic core hours is now computed using the job table
-column `num_hwthreads`. In a the future release this column will be renamed to
-`num_cores`. For correct display of core hours `num_hwthreads` must be correctly
-filled on job start. If your existing jobs do not provide the correct value in
-this column then you can set this with one SQL INSERT statement. This only applies
-if you have exclusive jobs, only. Please be aware that we treat this column as
-it is the number of cores. In case you have SMT enabled and `num_hwthreads`
-is not the number of cores the core hours will be too high by a factor!
+The option `apiAllowedIPs` is now a required configuration attribute in
+`config.json`. This option restricts access to the admin API.

-**Features**
-* Supports user roles admin, support, manager, user, and api.
-* Unified search bar supports job id, job name, project id, user name, and name
-* Performance improvements for sqlite db backend
-* Extended REST api supports to query job metrics
-* Better support for shared jobs
-* More flexible metric list configuration
-* Versioning and migration for database and job archive
+To retain the previous behavior that the API is per default accessible from
+everywhere set:

+```json
+  "apiAllowedIPs": [
+    "*"
+  ]
+```
+
+## Breaking changes for minor release 1.4.x
+
+- You need to perform a database migration. Depending on your database size the
+  migration might require several hours!
+- You need to adapt the `cluster.json` configuration files in the job-archive,
+  add new required attributes to the metric list and after that edit
+  `./job-archive/version.txt` to version 2. Only metrics that have the footprint
+  attribute set can be filtered and show up in the footprint UI and polar plot.
+- Continuous scrolling is default now in all job lists. You can change this back
+  to paging globally, also every user can configure to use paging or continuous
+  scrolling individually.
+- Tags have a scope now. Existing tags will get global scope in the database
+  migration.
+
+## New features
+
+- Enable to delete tags from the web interface
+
+## Known issues
+
+- Currently energy footprint metrics of type energy are ignored for calculating
+  total energy.
+- Resampling for running jobs only works with cc-metric-store
+- With energy footprint metrics of type power the unit is ignored and it is
+  assumed the metric has the unit Watt.
--- a/api/schema.graphqls
+++ b/api/schema.graphqls
@@ -18,6 +18,7 @@ type Job {
  numNodes:         Int!
  numHWThreads:     Int!
  numAcc:           Int!
+  energy:           Float!
  SMT:              Int!
  exclusive:        Int!
  partition:        String!
@@ -27,7 +28,8 @@ type Job {
  tags:             [Tag!]!
  resources:        [Resource!]!
  concurrentJobs:   JobLinkResultList
-
+  footprint:        [FootprintValue]
+  energyFootprint:  [EnergyFootprintValue]
  metaData:         Any
  userData:         User
 }
@@ -40,7 +42,6 @@ type JobLink {
 type Cluster {
  name:         String!
  partitions:   [String!]!        # Slurm partitions
-  metricConfig: [MetricConfig!]!
  subClusters:  [SubCluster!]!    # Hardware partitions/subclusters
 }

@@ -56,9 +57,24 @@ type SubCluster {
  flopRateSimd:    MetricValue!
  memoryBandwidth: MetricValue!
  topology:        Topology!
+  metricConfig:    [MetricConfig!]!
+  footprint:       [String!]!
+}
+
+type FootprintValue {
+  name: String!
+  stat: String!
+  value: Float!
+}
+
+type EnergyFootprintValue {
+  hardware: String!
+  metric: String!
+  value: Float!
 }

 type MetricValue {
+  name: String
  unit: Unit!
  value: Float!
 }
@@ -97,6 +113,7 @@ type MetricConfig {
  normal:  Float
  caution: Float!
  alert:   Float!
+  lowerIsBetter: Boolean
  subClusters: [SubClusterConfig!]!
 }

@@ -104,6 +121,7 @@ type Tag {
  id:   ID!
  type: String!
  name: String!
+  scope: String!
 }

 type Resource {
@@ -133,6 +151,30 @@ type Series {
  data:       [NullableFloat!]!
 }

+type StatsSeries {
+  mean:   [NullableFloat!]!
+  median: [NullableFloat!]!
+  min:    [NullableFloat!]!
+  max:    [NullableFloat!]!
+}
+
+type JobStatsWithScope {
+  name:   String!
+  scope:  MetricScope!
+  stats:  [ScopedStats!]!
+}
+
+type ScopedStats {
+  hostname:   String!
+  id:         String
+  data:       MetricStatistics!
+}
+
+type JobStats {
+  name:   String!
+  stats:  MetricStatistics!
+}
+
 type Unit {
  base: String!
  prefix: String
@@ -144,24 +186,24 @@ type MetricStatistics {
  max: Float!
 }

-type StatsSeries {
-  mean: [NullableFloat!]!
-  min:  [NullableFloat!]!
-  max:  [NullableFloat!]!
-}
-
 type MetricFootprints {
  metric: String!
  data:   [NullableFloat!]!
 }

 type Footprints {
-  nodehours: [NullableFloat!]!
+  timeWeights: TimeWeights!
  metrics:   [MetricFootprints!]!
 }

+type TimeWeights {
+  nodeHours: [NullableFloat!]!
+  accHours: [NullableFloat!]!
+  coreHours: [NullableFloat!]!
+}
+
 enum Aggregate { USER, PROJECT, CLUSTER }
-enum Weights { NODE_COUNT, NODE_HOURS }
+enum SortByAggregate { TOTALWALLTIME, TOTALJOBS, TOTALNODES, TOTALNODEHOURS, TOTALCORES, TOTALCOREHOURS, TOTALACCS, TOTALACCHOURS }

 type NodeMetrics {
  host:       String!
@@ -169,6 +211,28 @@ type NodeMetrics {
  metrics:    [JobMetricWithName!]!
 }

+type NodesResultList {
+  items:  [NodeMetrics!]!
+  offset: Int
+  limit:  Int
+  count:  Int
+  totalNodes: Int
+  hasNextPage: Boolean
+}
+
+type ClusterSupport {
+  cluster: String!
+  subClusters: [String!]!
+}
+
+type GlobalMetricListItem {
+  name: String!
+  unit: Unit!
+  scope: MetricScope!
+  footprint: String
+  availability: [ClusterSupport!]!
+}
+
 type Count {
  name:  String!
  count: Int!
@@ -180,37 +244,46 @@ type User {
  email:    String!
 }

+input MetricStatItem {
+  metricName: String!
+  range: FloatRange!
+}
+
 type Query {
  clusters:     [Cluster!]!   # List of all clusters
  tags:         [Tag!]!       # List of all tags
+  globalMetrics:   [GlobalMetricListItem!]!

  user(username: String!): User
  allocatedNodes(cluster: String!): [Count!]!

  job(id: ID!): Job
-  jobMetrics(id: ID!, metrics: [String!], scopes: [MetricScope!]): [JobMetricWithName!]!
+  jobMetrics(id: ID!, metrics: [String!], scopes: [MetricScope!], resolution: Int): [JobMetricWithName!]!
+  jobStats(id: ID!, metrics: [String!]): [JobStats!]!
+  scopedJobStats(id: ID!, metrics: [String!], scopes: [MetricScope!]): [JobStatsWithScope!]!
  jobsFootprints(filter: [JobFilter!], metrics: [String!]!): Footprints

  jobs(filter: [JobFilter!], page: PageRequest, order: OrderByInput): JobResultList!
-  jobsStatistics(filter: [JobFilter!], groupBy: Aggregate): [JobsStatistics!]!
-  jobsCount(filter: [JobFilter]!, groupBy: Aggregate!, weight: Weights, limit: Int): [Count!]!
+  jobsStatistics(filter: [JobFilter!], metrics: [String!], page: PageRequest, sortBy: SortByAggregate, groupBy: Aggregate, numDurationBins: String, numMetricBins: Int): [JobsStatistics!]!

  rooflineHeatmap(filter: [JobFilter!]!, rows: Int!, cols: Int!, minX: Float!, minY: Float!, maxX: Float!, maxY: Float!): [[Float!]!]!

  nodeMetrics(cluster: String!, nodes: [String!], scopes: [MetricScope!], metrics: [String!], from: Time!, to: Time!): [NodeMetrics!]!
+  nodeMetricsList(cluster: String!, subCluster: String!, nodeFilter: String!, scopes: [MetricScope!], metrics: [String!], from: Time!, to: Time!, page: PageRequest, resolution: Int): NodesResultList!
 }

 type Mutation {
-  createTag(type: String!, name: String!): Tag!
+  createTag(type: String!, name: String!, scope: String!): Tag!
  deleteTag(id: ID!): ID!
  addTagsToJob(job: ID!, tagIds: [ID!]!): [Tag!]!
  removeTagsFromJob(job: ID!, tagIds: [ID!]!): [Tag!]!
+  removeTagFromList(tagIds: [ID!]!): [Int!]!

  updateConfiguration(name: String!, value: String!): String
 }

 type IntRangeOutput { from: Int!, to: Int! }
-type TimeRangeOutput { from: Time!, to: Time! }
+type TimeRangeOutput { range: String, from: Time!, to: Time! }

 input JobFilter {
  tags:        [ID!]
@@ -222,6 +295,7 @@ input JobFilter {
  cluster:     StringInput
  partition:   StringInput
  duration:    IntRange
+  energy:      FloatRange

  minRunningFor: Int

@@ -231,20 +305,14 @@ input JobFilter {

  startTime:   TimeRange
  state:       [JobState!]
-  flopsAnyAvg: FloatRange
-  memBwAvg:    FloatRange
-  loadAvg:     FloatRange
-  memUsedMax:  FloatRange
-
+  metricStats: [MetricStatItem!]
  exclusive:     Int
-  sharedNode:    StringInput
-  selfJobId:     StringInput
-  selfStartTime: Time
-  selfDuration:  Int
+  node:    StringInput
 }

 input OrderByInput {
  field: String!
+  type: String!,
  order: SortDirectionEnum! = ASC
 }

@@ -263,17 +331,23 @@ input StringInput {
 }

 input IntRange   { from: Int!, to: Int! }
-input FloatRange { from: Float!, to: Float! }
-input TimeRange  { from: Time,   to: Time }
+input TimeRange  { range: String, from: Time, to: Time }
+
+input FloatRange {
+  from: Float!
+  to: Float!
+}

 type JobResultList {
  items:  [Job!]!
  offset: Int
  limit:  Int
  count:  Int
+  hasNextPage: Boolean
 }

 type JobLinkResultList {
+  listQuery: String
  items:  [JobLink!]!
  count:  Int
 }
@@ -283,6 +357,20 @@ type HistoPoint {
  value: Int!
 }

+type MetricHistoPoints {
+  metric: String!
+  unit: String!
+  stat: String
+  data: [MetricHistoPoint!]
+}
+
+type MetricHistoPoint {
+  bin: Int
+  count: Int!
+  min: Int
+  max: Int
+}
+
 type JobsStatistics  {
  id:             ID!            # If `groupBy` was used, ID of the user/project/cluster
  name:           String!        # if User-Statistics: Given Name of Account (ID) Owner
@@ -290,11 +378,17 @@ type JobsStatistics  {
  runningJobs:    Int!           # Number of running jobs
  shortJobs:      Int!           # Number of jobs with a duration of less than duration
  totalWalltime:  Int!           # Sum of the duration of all matched jobs in hours
+  totalNodes:     Int!           # Sum of the nodes of all matched jobs
  totalNodeHours: Int!           # Sum of the node hours of all matched jobs
+  totalCores:     Int!           # Sum of the cores of all matched jobs
  totalCoreHours: Int!           # Sum of the core hours of all matched jobs
+  totalAccs:      Int!         # Sum of the accs of all matched jobs
  totalAccHours:  Int!           # Sum of the gpu hours of all matched jobs
  histDuration:   [HistoPoint!]! # value: hour, count: number of jobs with a rounded duration of value
  histNumNodes:   [HistoPoint!]! # value: number of nodes, count: number of jobs with that number of nodes
+  histNumCores:   [HistoPoint!]! # value: number of cores, count: number of jobs with that number of cores
+  histNumAccs:    [HistoPoint!]! # value: number of accs, count: number of jobs with that number of accs
+  histMetrics:    [MetricHistoPoints!]! # metric: metricname, data array of histopoints: value: metric average bin, count: number of jobs with that metric average
 }

 input PageRequest {
--- a/api/swagger.json
+++ b/api/swagger.json
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
--- a/build/package/cc-backend.config
+++ b/build/package/cc-backend.config
@@ -1,17 +0,0 @@
-CC_USER=clustercockpit
-
-CC_GROUP=clustercockpit
-
-CC_HOME=/tmp
-
-LOG_DIR=/var/log
-
-DATA_DIR=/var/run/cc-backend
-
-MAX_OPEN_FILES=10000
-
-CONF_DIR=/etc/cc-backend
-
-CONF_FILE=/etc/cc-backend/cc-backend.json
-
-RESTART_ON_UPGRADE=true
--- a/build/package/cc-backend.deb.control
+++ b/build/package/cc-backend.deb.control
@@ -1,12 +0,0 @@
-Package: cc-backend
-Version: {VERSION}
-Installed-Size: {INSTALLED_SIZE}
-Architecture: {ARCH}
-Maintainer: thomas.gruber@fau.de
-Depends: libc6 (>= 2.2.1)
-Build-Depends: debhelper-compat (= 13), git, golang-go, npm, yarn
-Description: ClusterCockpit backend and web frontend
-Homepage: https://github.com/ClusterCockpit/cc-backend
-Source: cc-backend
-Rules-Requires-Root: no
-
--- a/build/package/cc-backend.service
+++ b/build/package/cc-backend.service
@@ -1,18 +0,0 @@
-[Unit]
-Description=ClusterCockpit backend and web frontend (cc-backend)
-Documentation=https://github.com/ClusterCockpit/cc-backend
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-EnvironmentFile=/etc/default/cc-backend
-Type=simple
-User=clustercockpit
-Group=clustercockpit
-Restart=on-failure
-TimeoutStopSec=100
-LimitNOFILE=infinity
-ExecStart=/usr/bin/cc-backend --config ${CONF_FILE}
-
-[Install]
-WantedBy=multi-user.target
--- a/build/package/cc-backend.spec
+++ b/build/package/cc-backend.spec
@@ -1,70 +0,0 @@
-Name:           cc-backend
-Version:        %{VERS}
-Release:        1%{?dist}
-Summary:        ClusterCockpit backend and web frontend
-
-License:        MIT
-Source0:        %{name}-%{version}.tar.gz
-
-#BuildRequires:  go-toolset
-#BuildRequires:  systemd-rpm-macros
-#BuildRequires:  npm
-
-Provides:       %{name} = %{version}
-
-%description
-ClusterCockpit backend and web frontend
-
-%global debug_package %{nil}
-
-%prep
-%autosetup
-
-
-%build
-#CURRENT_TIME=$(date +%Y-%m-%d:T%H:%M:\%S)
-#LD_FLAGS="-s -X main.buildTime=${CURRENT_TIME} -X main.version=%{VERS}"
-mkdir ./var
-touch ./var/job.db
-cd web/frontend && yarn install && yarn build && cd -
-go build -ldflags="-s -X main.version=%{VERS}" ./cmd/cc-backend
-
-
-%install
-# Install cc-backend
-#make PREFIX=%{buildroot} install
-install -Dpm 755 cc-backend %{buildroot}/%{_bindir}/%{name}
-install -Dpm 0600 configs/config.json %{buildroot}%{_sysconfdir}/%{name}/%{name}.json
-# Integrate into system
-install -Dpm 0644 build/package/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
-install -Dpm 0600 build/package/%{name}.config %{buildroot}%{_sysconfdir}/default/%{name}
-install -Dpm 0644 build/package/%{name}.sysusers %{buildroot}%{_sysusersdir}/%{name}.conf
-
-
-%check
-# go test should be here... :)
-
-%pre
-%sysusers_create_package scripts/%{name}.sysusers
-
-%post
-%systemd_post %{name}.service
-
-%preun
-%systemd_preun %{name}.service
-
-%files
-# Binary
-%attr(-,clustercockpit,clustercockpit) %{_bindir}/%{name}
-# Config
-%dir %{_sysconfdir}/%{name}
-%attr(0600,clustercockpit,clustercockpit) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.json
-# Systemd
-%{_unitdir}/%{name}.service
-%{_sysconfdir}/default/%{name}
-%{_sysusersdir}/%{name}.conf
-
-%changelog
-* Mon Mar 07 2022 Thomas Gruber - 0.1
- Initial metric store implementation
-
--- a/build/package/cc-backend.sysusers
+++ b/build/package/cc-backend.sysusers
@@ -1,2 +0,0 @@
-#Type Name           ID GECOS                     Home directory           Shell
-u     clustercockpit -  "User for ClusterCockpit" /run/cc-backend /sbin/nologin
--- a/cmd/cc-backend/cli.go
+++ b/cmd/cc-backend/cli.go
@@ -0,0 +1,33 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package main
+
+import "flag"
+
+var (
+	flagReinitDB, flagInit, flagServer, flagSyncLDAP, flagGops, flagMigrateDB, flagRevertDB, flagForceDB, flagDev, flagVersion, flagLogDateTime bool
+	flagNewUser, flagDelUser, flagGenJWT, flagConfigFile, flagImportJob, flagLogLevel                                                           string
+)
+
+func cliInit() {
+	flag.BoolVar(&flagInit, "init", false, "Setup var directory, initialize sqlite database file, config.json and .env")
+	flag.BoolVar(&flagReinitDB, "init-db", false, "Go through job-archive and re-initialize the 'job', 'tag', and 'jobtag' tables (all running jobs will be lost!)")
+	flag.BoolVar(&flagSyncLDAP, "sync-ldap", false, "Sync the 'hpc_user' table with ldap")
+	flag.BoolVar(&flagServer, "server", false, "Start a server, continues listening on port after initialization and argument handling")
+	flag.BoolVar(&flagGops, "gops", false, "Listen via github.com/google/gops/agent (for debugging)")
+	flag.BoolVar(&flagDev, "dev", false, "Enable development components: GraphQL Playground and Swagger UI")
+	flag.BoolVar(&flagVersion, "version", false, "Show version information and exit")
+	flag.BoolVar(&flagMigrateDB, "migrate-db", false, "Migrate database to supported version and exit")
+	flag.BoolVar(&flagRevertDB, "revert-db", false, "Migrate database to previous version and exit")
+	flag.BoolVar(&flagForceDB, "force-db", false, "Force database version, clear dirty flag and exit")
+	flag.BoolVar(&flagLogDateTime, "logdate", false, "Set this flag to add date and time to log messages")
+	flag.StringVar(&flagConfigFile, "config", "./config.json", "Specify alternative path to `config.json`")
+	flag.StringVar(&flagNewUser, "add-user", "", "Add a new user. Argument format: <username>:[admin,support,manager,api,user]:<password>")
+	flag.StringVar(&flagDelUser, "del-user", "", "Remove a existing user. Argument format: <username>")
+	flag.StringVar(&flagGenJWT, "jwt", "", "Generate and print a JWT for the user specified by its `username`")
+	flag.StringVar(&flagImportJob, "import-job", "", "Import a job. Argument format: `<path-to-meta.json>:<path-to-data.json>,...`")
+	flag.StringVar(&flagLogLevel, "loglevel", "warn", "Sets the logging level: `[debug, info (default), warn, err, crit]`")
+	flag.Parse()
+}
--- a/cmd/cc-backend/init.go
+++ b/cmd/cc-backend/init.go
@@ -0,0 +1,95 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package main
+
+import (
+	"os"
+
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/internal/util"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+)
+
+const envString = `
+# Base64 encoded Ed25519 keys (DO NOT USE THESE TWO IN PRODUCTION!)
+# You can generate your own keypair using the gen-keypair tool
+JWT_PUBLIC_KEY="kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0="
+JWT_PRIVATE_KEY="dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q=="
+
+# Some random bytes used as secret for cookie-based sessions (DO NOT USE THIS ONE IN PRODUCTION)
+SESSION_KEY="67d829bf61dc5f87a73fd814e2c9f629"
+`
+
+const configString = `
+{
+    "addr": "127.0.0.1:8080",
+    "archive": {
+        "kind": "file",
+        "path": "./var/job-archive"
+    },
+    "jwts": {
+        "max-age": "2000h"
+    },
+    "apiAllowedIPs": [
+      "*"
+    ],
+    "enable-resampling": {
+      "trigger": 30,
+      "resolutions": [
+        600,
+        300,
+        120,
+        60
+      ]
+    },
+    "clusters": [
+        {
+            "name": "name",
+            "metricDataRepository": {
+                "kind": "cc-metric-store",
+                "url": "http://localhost:8082",
+                "token": ""
+            },
+            "filterRanges": {
+                "numNodes": {
+                    "from": 1,
+                    "to": 64
+                },
+                "duration": {
+                    "from": 0,
+                    "to": 86400
+                },
+                "startTime": {
+                    "from": "2023-01-01T00:00:00Z",
+                    "to": null
+                }
+            }
+        }
+    ]
+}
+`
+
+func initEnv() {
+	if util.CheckFileExists("var") {
+		log.Exit("Directory ./var already exists. Cautiously exiting application initialization.")
+	}
+
+	if err := os.WriteFile("config.json", []byte(configString), 0o666); err != nil {
+		log.Abortf("Could not write default ./config.json with permissions '0o666'. Application initialization failed, exited.\nError: %s\n", err.Error())
+	}
+
+	if err := os.WriteFile(".env", []byte(envString), 0o666); err != nil {
+		log.Abortf("Could not write default ./.env file with permissions '0o666'. Application initialization failed, exited.\nError: %s\n", err.Error())
+	}
+
+	if err := os.Mkdir("var", 0o777); err != nil {
+		log.Abortf("Could not create default ./var folder with permissions '0o777'. Application initialization failed, exited.\nError: %s\n", err.Error())
+	}
+
+	err := repository.MigrateDB("sqlite3", "./var/job.db")
+	if err != nil {
+		log.Abortf("Could not initialize default sqlite3 database as './var/job.db'. Application initialization failed, exited.\nError: %s\n", err.Error())
+	}
+}
--- a/cmd/cc-backend/main.go
+++ b/cmd/cc-backend/main.go
@@ -1,93 +1,58 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package main

 import (
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"flag"
 	"fmt"
-	"io"
-	"net"
-	"net/http"
 	"os"
 	"os/signal"
-	"runtime"
 	"runtime/debug"
 	"strings"
 	"sync"
 	"syscall"
-	"time"

-	"github.com/99designs/gqlgen/graphql/handler"
-	"github.com/99designs/gqlgen/graphql/playground"
-	"github.com/ClusterCockpit/cc-backend/internal/api"
+	"github.com/ClusterCockpit/cc-backend/internal/archiver"
 	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/config"
-	"github.com/ClusterCockpit/cc-backend/internal/graph"
-	"github.com/ClusterCockpit/cc-backend/internal/graph/generated"
 	"github.com/ClusterCockpit/cc-backend/internal/importer"
 	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
-	"github.com/ClusterCockpit/cc-backend/internal/routerConfig"
-	"github.com/ClusterCockpit/cc-backend/internal/runtimeEnv"
+	"github.com/ClusterCockpit/cc-backend/internal/taskManager"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/runtimeEnv"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
-	"github.com/ClusterCockpit/cc-backend/web"
-	"github.com/go-co-op/gocron"
 	"github.com/google/gops/agent"
-	"github.com/gorilla/handlers"
-	"github.com/gorilla/mux"
-	httpSwagger "github.com/swaggo/http-swagger"

 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/mattn/go-sqlite3"
 )

 const logoString = `
- ____ _           _             ____           _          _ _
+ _____ _           _             ____           _          _ _
 /  ___| |_   _ ___| |_ ___ _ __ / ___|___   ___| | ___ __ (_) |_
 | |   | | | | / __| __/ _ \ '__| |   / _ \ / __| |/ / '_ \| | __|
 | |___| | |_| \__ \ ||  __/ |  | |__| (_) | (__|   <| |_) | | |_
-\____|_|\__,_|___/\__\___|_|   \____\___/ \___|_|\_\ .__/|_|\__|
+\_____|_|\__,_|___/\__\___|_|   \____\___/ \___|_|\_\ .__/|_|\__|
                                                    |_|
 `

 var (
-	buildTime string
-	hash      string
+	date    string
+	commit  string
 	version string
 )

 func main() {
-	var flagReinitDB, flagServer, flagSyncLDAP, flagGops, flagMigrateDB, flagDev, flagVersion, flagLogDateTime bool
-	var flagNewUser, flagDelUser, flagGenJWT, flagConfigFile, flagImportJob, flagLogLevel string
-	flag.BoolVar(&flagReinitDB, "init-db", false, "Go through job-archive and re-initialize the 'job', 'tag', and 'jobtag' tables (all running jobs will be lost!)")
-	flag.BoolVar(&flagSyncLDAP, "sync-ldap", false, "Sync the 'user' table with ldap")
-	flag.BoolVar(&flagServer, "server", false, "Start a server, continues listening on port after initialization and argument handling")
-	flag.BoolVar(&flagGops, "gops", false, "Listen via github.com/google/gops/agent (for debugging)")
-	flag.BoolVar(&flagDev, "dev", false, "Enable development components: GraphQL Playground and Swagger UI")
-	flag.BoolVar(&flagVersion, "version", false, "Show version information and exit")
-	flag.BoolVar(&flagMigrateDB, "migrate-db", false, "Migrate database to supported version and exit")
-	flag.BoolVar(&flagLogDateTime, "logdate", false, "Set this flag to add date and time to log messages")
-	flag.StringVar(&flagConfigFile, "config", "./config.json", "Specify alternative path to `config.json`")
-	flag.StringVar(&flagNewUser, "add-user", "", "Add a new user. Argument format: `<username>:[admin,support,manager,api,user]:<password>`")
-	flag.StringVar(&flagDelUser, "del-user", "", "Remove user by `username`")
-	flag.StringVar(&flagGenJWT, "jwt", "", "Generate and print a JWT for the user specified by its `username`")
-	flag.StringVar(&flagImportJob, "import-job", "", "Import a job. Argument format: `<path-to-meta.json>:<path-to-data.json>,...`")
-	flag.StringVar(&flagLogLevel, "loglevel", "warn", "Sets the logging level: `[debug,info,warn (default),err,fatal,crit]`")
-	flag.Parse()
+	cliInit()

 	if flagVersion {
 		fmt.Print(logoString)
 		fmt.Printf("Version:\t%s\n", version)
-		fmt.Printf("Git hash:\t%s\n", hash)
-		fmt.Printf("Build time:\t%s\n", buildTime)
+		fmt.Printf("Git hash:\t%s\n", commit)
+		fmt.Printf("Build time:\t%s\n", date)
 		fmt.Printf("SQL db version:\t%d\n", repository.Version)
 		fmt.Printf("Job archive version:\t%d\n", archive.Version)
 		os.Exit(0)
@@ -96,15 +61,23 @@ func main() {
 	// Apply config flags for pkg/log
 	log.Init(flagLogLevel, flagLogDateTime)

+	// If init flag set, run tasks here before any file dependencies cause errors
+	if flagInit {
+		initEnv()
+		log.Exit("Successfully setup environment!\n" +
+			"Please review config.json and .env and adjust it to your needs.\n" +
+			"Add your job-archive at ./var/job-archive.")
+	}
+
 	// See https://github.com/google/gops (Runtime overhead is almost zero)
 	if flagGops {
 		if err := agent.Listen(agent.Options{}); err != nil {
-			log.Fatalf("gops/agent.Listen failed: %s", err.Error())
+			log.Abortf("Could not start gops agent with 'gops/agent.Listen(agent.Options{})'. Application startup failed, exited.\nError: %s\n", err.Error())
 		}
 	}

 	if err := runtimeEnv.LoadEnv("./.env"); err != nil && !os.IsNotExist(err) {
-		log.Fatalf("parsing './.env' file failed: %s", err.Error())
+		log.Abortf("Could not parse existing .env file at location './.env'. Application startup failed, exited.\nError: %s\n", err.Error())
 	}

 	// Initialize sub-modules and handle command line flags.
@@ -122,286 +95,134 @@ func main() {
 	if flagMigrateDB {
 		err := repository.MigrateDB(config.Keys.DBDriver, config.Keys.DB)
 		if err != nil {
-			log.Fatal(err)
+			log.Abortf("MigrateDB Failed: Could not migrate '%s' database at location '%s' to version %d.\nError: %s\n", config.Keys.DBDriver, config.Keys.DB, repository.Version, err.Error())
 		}
-		os.Exit(0)
+		log.Exitf("MigrateDB Success: Migrated '%s' database at location '%s' to version %d.\n", config.Keys.DBDriver, config.Keys.DB, repository.Version)
+	}
+
+	if flagRevertDB {
+		err := repository.RevertDB(config.Keys.DBDriver, config.Keys.DB)
+		if err != nil {
+			log.Abortf("RevertDB Failed: Could not revert '%s' database at location '%s' to version %d.\nError: %s\n", config.Keys.DBDriver, config.Keys.DB, (repository.Version - 1), err.Error())
+		}
+		log.Exitf("RevertDB Success: Reverted '%s' database at location '%s' to version %d.\n", config.Keys.DBDriver, config.Keys.DB, (repository.Version - 1))
+	}
+
+	if flagForceDB {
+		err := repository.ForceDB(config.Keys.DBDriver, config.Keys.DB)
+		if err != nil {
+			log.Abortf("ForceDB Failed: Could not force '%s' database at location '%s' to version %d.\nError: %s\n", config.Keys.DBDriver, config.Keys.DB, repository.Version, err.Error())
+		}
+		log.Exitf("ForceDB Success: Forced '%s' database at location '%s' to version %d.\n", config.Keys.DBDriver, config.Keys.DB, repository.Version)
 	}

 	repository.Connect(config.Keys.DBDriver, config.Keys.DB)
-	db := repository.GetConnection()

-	var authentication *auth.Authentication
 	if !config.Keys.DisableAuthentication {
-		var err error
-		if authentication, err = auth.Init(db.DB, map[string]interface{}{
-			"ldap": config.Keys.LdapConfig,
-			"jwt":  config.Keys.JwtConfig,
-		}); err != nil {
-			log.Fatalf("auth initialization failed: %v", err)
-		}

-		if d, err := time.ParseDuration(config.Keys.SessionMaxAge); err != nil {
-			authentication.SessionMaxAge = d
-		}
+		auth.Init()

 		if flagNewUser != "" {
 			parts := strings.SplitN(flagNewUser, ":", 3)
 			if len(parts) != 3 || len(parts[0]) == 0 {
-				log.Fatal("invalid argument format for user creation")
+				log.Abortf("Add User: Could not parse supplied argument format: No changes.\n"+
+					"Want: <username>:[admin,support,manager,api,user]:<password>\n"+
+					"Have: %s\n", flagNewUser)
 			}

-			if err := authentication.AddUser(&auth.User{
+			ur := repository.GetUserRepository()
+			if err := ur.AddUser(&schema.User{
 				Username: parts[0], Projects: make([]string, 0), Password: parts[2], Roles: strings.Split(parts[1], ","),
 			}); err != nil {
-				log.Fatalf("adding '%s' user authentication failed: %v", parts[0], err)
+				log.Abortf("Add User: Could not add new user authentication for '%s' and roles '%s'.\nError: %s\n", parts[0], parts[1], err.Error())
+			} else {
+				log.Printf("Add User: Added new user '%s' with roles '%s'.\n", parts[0], parts[1])
 			}
 		}
+
 		if flagDelUser != "" {
-			if err := authentication.DelUser(flagDelUser); err != nil {
-				log.Fatalf("deleting user failed: %v", err)
+			ur := repository.GetUserRepository()
+			if err := ur.DelUser(flagDelUser); err != nil {
+				log.Abortf("Delete User: Could not delete user '%s' from DB.\nError: %s\n", flagDelUser, err.Error())
+			} else {
+				log.Printf("Delete User: Deleted user '%s' from DB.\n", flagDelUser)
 			}
 		}

+		authHandle := auth.GetAuthInstance()
+
 		if flagSyncLDAP {
-			if authentication.LdapAuth == nil {
-				log.Fatal("cannot sync: LDAP authentication is not configured")
+			if authHandle.LdapAuth == nil {
+				log.Abort("Sync LDAP: LDAP authentication is not configured, could not synchronize. No changes, exited.")
 			}

-			if err := authentication.LdapAuth.Sync(); err != nil {
-				log.Fatalf("LDAP sync failed: %v", err)
+			if err := authHandle.LdapAuth.Sync(); err != nil {
+				log.Abortf("Sync LDAP: Could not synchronize, failed with error.\nError: %s\n", err.Error())
 			}
-			log.Info("LDAP sync successfull")
+			log.Print("Sync LDAP: LDAP synchronization successfull.")
 		}

 		if flagGenJWT != "" {
-			user, err := authentication.GetUser(flagGenJWT)
+			ur := repository.GetUserRepository()
+			user, err := ur.GetUser(flagGenJWT)
 			if err != nil {
-				log.Fatalf("could not get user from JWT: %v", err)
+				log.Abortf("JWT: Could not get supplied user '%s' from DB. No changes, exited.\nError: %s\n", flagGenJWT, err.Error())
 			}

-			if !user.HasRole(auth.RoleApi) {
-				log.Warnf("user '%s' does not have the API role", user.Username)
+			if !user.HasRole(schema.RoleApi) {
+				log.Warnf("JWT: User '%s' does not have the role 'api'. REST API endpoints will return error!\n", user.Username)
 			}

-			jwt, err := authentication.JwtAuth.ProvideJWT(user)
+			jwt, err := authHandle.JwtAuth.ProvideJWT(user)
 			if err != nil {
-				log.Fatalf("failed to provide JWT to user '%s': %v", user.Username, err)
+				log.Abortf("JWT: User '%s' found in DB, but failed to provide JWT.\nError: %s\n", user.Username, err.Error())
 			}

-			fmt.Printf("MAIN > JWT for '%s': %s\n", user.Username, jwt)
+			log.Printf("JWT: Successfully generated JWT for user '%s': %s\n", user.Username, jwt)
 		}
+
 	} else if flagNewUser != "" || flagDelUser != "" {
-		log.Fatal("arguments --add-user and --del-user can only be used if authentication is enabled")
+		log.Abort("Error: Arguments '--add-user' and '--del-user' can only be used if authentication is enabled. No changes, exited.")
 	}

 	if err := archive.Init(config.Keys.Archive, config.Keys.DisableArchive); err != nil {
-		log.Fatalf("failed to initialize archive: %s", err.Error())
+		log.Abortf("Init: Failed to initialize archive.\nError: %s\n", err.Error())
 	}

-	if err := metricdata.Init(config.Keys.DisableArchive); err != nil {
-		log.Fatalf("failed to initialize metricdata repository: %s", err.Error())
+	if err := metricdata.Init(); err != nil {
+		log.Abortf("Init: Failed to initialize metricdata repository.\nError %s\n", err.Error())
 	}

 	if flagReinitDB {
 		if err := importer.InitDB(); err != nil {
-			log.Fatalf("failed to re-initialize repository DB: %s", err.Error())
+			log.Abortf("Init DB: Failed to re-initialize repository DB.\nError: %s\n", err.Error())
+		} else {
+			log.Print("Init DB: Sucessfully re-initialized repository DB.")
 		}
 	}

 	if flagImportJob != "" {
 		if err := importer.HandleImportFlag(flagImportJob); err != nil {
-			log.Fatalf("job import failed: %s", err.Error())
+			log.Abortf("Import Job: Job import failed.\nError: %s\n", err.Error())
+		} else {
+			log.Printf("Import Job: Imported Job '%s' into DB.\n", flagImportJob)
 		}
 	}

 	if !flagServer {
-		return
+		log.Exit("No errors, server flag not set. Exiting cc-backend.")
 	}

-	// Setup the http.Handler/Router used by the server
-	jobRepo := repository.GetJobRepository()
-	resolver := &graph.Resolver{DB: db.DB, Repo: jobRepo}
-	graphQLEndpoint := handler.NewDefaultServer(generated.NewExecutableSchema(generated.Config{Resolvers: resolver}))
-	if os.Getenv("DEBUG") != "1" {
-		// Having this handler means that a error message is returned via GraphQL instead of the connection simply beeing closed.
-		// The problem with this is that then, no more stacktrace is printed to stderr.
-		graphQLEndpoint.SetRecoverFunc(func(ctx context.Context, err interface{}) error {
-			switch e := err.(type) {
-			case string:
-				return fmt.Errorf("MAIN > Panic: %s", e)
-			case error:
-				return fmt.Errorf("MAIN > Panic caused by: %w", e)
-			}
-
-			return errors.New("MAIN > Internal server error (panic)")
-		})
-	}
-
-	api := &api.RestApi{
-		JobRepository:   jobRepo,
-		Resolver:        resolver,
-		MachineStateDir: config.Keys.MachineStateDir,
-		Authentication:  authentication,
-	}
-
-	r := mux.NewRouter()
-	buildInfo := web.Build{Version: version, Hash: hash, Buildtime: buildTime}
-
-	r.HandleFunc("/login", func(rw http.ResponseWriter, r *http.Request) {
-		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
-		web.RenderTemplate(rw, r, "login.tmpl", &web.Page{Title: "Login", Build: buildInfo})
-	}).Methods(http.MethodGet)
-	r.HandleFunc("/imprint", func(rw http.ResponseWriter, r *http.Request) {
-		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
-		web.RenderTemplate(rw, r, "imprint.tmpl", &web.Page{Title: "Imprint", Build: buildInfo})
-	})
-	r.HandleFunc("/privacy", func(rw http.ResponseWriter, r *http.Request) {
-		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
-		web.RenderTemplate(rw, r, "privacy.tmpl", &web.Page{Title: "Privacy", Build: buildInfo})
-	})
-
-	// Some routes, such as /login or /query, should only be accessible to a user that is logged in.
-	// Those should be mounted to this subrouter. If authentication is enabled, a middleware will prevent
-	// any unauthenticated accesses.
-	secured := r.PathPrefix("/").Subrouter()
-	if !config.Keys.DisableAuthentication {
-		r.Handle("/login", authentication.Login(
-			// On success:
-			http.RedirectHandler("/", http.StatusTemporaryRedirect),
-
-			// On failure:
-			func(rw http.ResponseWriter, r *http.Request, err error) {
-				rw.Header().Add("Content-Type", "text/html; charset=utf-8")
-				rw.WriteHeader(http.StatusUnauthorized)
-				web.RenderTemplate(rw, r, "login.tmpl", &web.Page{
-					Title: "Login failed - ClusterCockpit",
-					Error: err.Error(),
-					Build: buildInfo,
-				})
-			})).Methods(http.MethodPost)
-
-		r.Handle("/logout", authentication.Logout(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			rw.Header().Add("Content-Type", "text/html; charset=utf-8")
-			rw.WriteHeader(http.StatusOK)
-			web.RenderTemplate(rw, r, "login.tmpl", &web.Page{
-				Title: "Bye - ClusterCockpit",
-				Info:  "Logout sucessful",
-				Build: buildInfo,
-			})
-		}))).Methods(http.MethodPost)
-
-		secured.Use(func(next http.Handler) http.Handler {
-			return authentication.Auth(
-				// On success;
-				next,
-
-				// On failure:
-				func(rw http.ResponseWriter, r *http.Request, err error) {
-					rw.WriteHeader(http.StatusUnauthorized)
-					web.RenderTemplate(rw, r, "login.tmpl", &web.Page{
-						Title: "Authentication failed - ClusterCockpit",
-						Error: err.Error(),
-						Build: buildInfo,
-					})
-				})
-		})
-	}
-
-	if flagDev {
-		r.Handle("/playground", playground.Handler("GraphQL playground", "/query"))
-		r.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
-			httpSwagger.URL("http://" + config.Keys.Addr + "/swagger/doc.json"))).Methods(http.MethodGet)
-	}
-	secured.Handle("/query", graphQLEndpoint)
-
-	// Send a searchId and then reply with a redirect to a user, or directly send query to job table for jobid and project.
-	secured.HandleFunc("/search", func(rw http.ResponseWriter, r *http.Request) {
-		routerConfig.HandleSearchBar(rw, r, api)
-	})
-
-	// Mount all /monitoring/... and /api/... routes.
-	routerConfig.SetupRoutes(secured, version, hash, buildTime)
-	api.MountRoutes(secured)
-
-	if config.Keys.EmbedStaticFiles {
-		r.PathPrefix("/").Handler(web.ServeFiles())
-	} else {
-		r.PathPrefix("/").Handler(http.FileServer(http.Dir(config.Keys.StaticFiles)))
-	}
-
-	r.Use(handlers.CompressHandler)
-	r.Use(handlers.RecoveryHandler(handlers.PrintRecoveryStack(true)))
-	r.Use(handlers.CORS(
-		handlers.AllowCredentials(),
-		handlers.AllowedHeaders([]string{"X-Requested-With", "Content-Type", "Authorization", "Origin"}),
-		handlers.AllowedMethods([]string{"GET", "POST", "HEAD", "OPTIONS"}),
-		handlers.AllowedOrigins([]string{"*"})))
-	handler := handlers.CustomLoggingHandler(io.Discard, r, func(_ io.Writer, params handlers.LogFormatterParams) {
-		if strings.HasPrefix(params.Request.RequestURI, "/api/") {
-			log.Infof("%s %s (%d, %.02fkb, %dms)",
-				params.Request.Method, params.URL.RequestURI(),
-				params.StatusCode, float32(params.Size)/1024,
-				time.Since(params.TimeStamp).Milliseconds())
-		} else {
-			log.Debugf("%s %s (%d, %.02fkb, %dms)",
-				params.Request.Method, params.URL.RequestURI(),
-				params.StatusCode, float32(params.Size)/1024,
-				time.Since(params.TimeStamp).Milliseconds())
-		}
-	})
+	archiver.Start(repository.GetJobRepository())
+	taskManager.Start()
+	serverInit()

 	var wg sync.WaitGroup
-	server := http.Server{
-		ReadTimeout:  10 * time.Second,
-		WriteTimeout: 10 * time.Second,
-		Handler:      handler,
-		Addr:         config.Keys.Addr,
-	}
-
-	// Start http or https server
-	listener, err := net.Listen("tcp", config.Keys.Addr)
-	if err != nil {
-		log.Fatalf("starting http listener failed: %v", err)
-	}
-
-	if !strings.HasSuffix(config.Keys.Addr, ":80") && config.Keys.RedirectHttpTo != "" {
-		go func() {
-			http.ListenAndServe(":80", http.RedirectHandler(config.Keys.RedirectHttpTo, http.StatusMovedPermanently))
-		}()
-	}
-
-	if config.Keys.HttpsCertFile != "" && config.Keys.HttpsKeyFile != "" {
-		cert, err := tls.LoadX509KeyPair(config.Keys.HttpsCertFile, config.Keys.HttpsKeyFile)
-		if err != nil {
-			log.Fatalf("loading X509 keypair failed: %v", err)
-		}
-		listener = tls.NewListener(listener, &tls.Config{
-			Certificates: []tls.Certificate{cert},
-			CipherSuites: []uint16{
-				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			},
-			MinVersion:               tls.VersionTLS12,
-			PreferServerCipherSuites: true,
-		})
-		fmt.Printf("HTTPS server listening at %s...", config.Keys.Addr)
-	} else {
-		fmt.Printf("HTTP server listening at %s...", config.Keys.Addr)
-	}
-
-	// Because this program will want to bind to a privileged port (like 80), the listener must
-	// be established first, then the user can be changed, and after that,
-	// the actual http server can be started.
-	if err := runtimeEnv.DropPrivileges(config.Keys.Group, config.Keys.User); err != nil {
-		log.Fatalf("error while preparing server start: %s", err.Error())
-	}

 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
-			log.Fatalf("starting server failed: %v", err)
-		}
+		serverStart()
 	}()

 	wg.Add(1)
@@ -412,117 +233,15 @@ func main() {
 		<-sigs
 		runtimeEnv.SystemdNotifiy(false, "Shutting down ...")

-		// First shut down the server gracefully (waiting for all ongoing requests)
-		server.Shutdown(context.Background())
+		serverShutdown()

-		// Then, wait for any async archivings still pending...
-		api.JobRepository.WaitForArchiving()
+		taskManager.Shutdown()
 	}()

-	s := gocron.NewScheduler(time.Local)
-
-	if config.Keys.StopJobsExceedingWalltime > 0 {
-		log.Info("Register undead jobs service")
-
-		s.Every(1).Day().At("3:00").Do(func() {
-			err := jobRepo.StopJobsExceedingWalltimeBy(config.Keys.StopJobsExceedingWalltime)
-			if err != nil {
-				log.Warnf("Error while looking for jobs exceeding their walltime: %s", err.Error())
-			}
-			runtime.GC()
-		})
-	}
-
-	var cfg struct {
-		Compression int              `json:"compression"`
-		Retention   schema.Retention `json:"retention"`
-	}
-
-	cfg.Retention.IncludeDB = true
-
-	if err := json.Unmarshal(config.Keys.Archive, &cfg); err != nil {
-		log.Warn("Error while unmarshaling raw config json")
-	}
-
-	switch cfg.Retention.Policy {
-	case "delete":
-		log.Info("Register retention delete service")
-
-		s.Every(1).Day().At("4:00").Do(func() {
-			startTime := time.Now().Unix() - int64(cfg.Retention.Age*24*3600)
-			jobs, err := jobRepo.FindJobsBetween(0, startTime)
-			if err != nil {
-				log.Warnf("Error while looking for retention jobs: %s", err.Error())
-			}
-			archive.GetHandle().CleanUp(jobs)
-
-			if cfg.Retention.IncludeDB {
-				cnt, err := jobRepo.DeleteJobsBefore(startTime)
-				if err != nil {
-					log.Errorf("Error while deleting retention jobs from db: %s", err.Error())
-				} else {
-					log.Infof("Retention: Removed %d jobs from db", cnt)
-				}
-				if err = jobRepo.Optimize(); err != nil {
-					log.Errorf("Error occured in db optimization: %s", err.Error())
-				}
-			}
-		})
-	case "move":
-		log.Info("Register retention move service")
-
-		s.Every(1).Day().At("4:00").Do(func() {
-			startTime := time.Now().Unix() - int64(cfg.Retention.Age*24*3600)
-			jobs, err := jobRepo.FindJobsBetween(0, startTime)
-			if err != nil {
-				log.Warnf("Error while looking for retention jobs: %s", err.Error())
-			}
-			archive.GetHandle().Move(jobs, cfg.Retention.Location)
-
-			if cfg.Retention.IncludeDB {
-				cnt, err := jobRepo.DeleteJobsBefore(startTime)
-				if err != nil {
-					log.Errorf("Error while deleting retention jobs from db: %v", err)
-				} else {
-					log.Infof("Retention: Removed %d jobs from db", cnt)
-				}
-				if err = jobRepo.Optimize(); err != nil {
-					log.Errorf("Error occured in db optimization: %v", err)
-				}
-			}
-		})
-	}
-
-	if cfg.Compression > 0 {
-		log.Info("Register compression service")
-
-		s.Every(1).Day().At("5:00").Do(func() {
-			var jobs []*schema.Job
-
-			ar := archive.GetHandle()
-			startTime := time.Now().Unix() - int64(cfg.Compression*24*3600)
-			lastTime := ar.CompressLast(startTime)
-			if startTime == lastTime {
-				log.Info("Compression Service - Complete archive run")
-				jobs, err = jobRepo.FindJobsBetween(0, startTime)
-
-			} else {
-				jobs, err = jobRepo.FindJobsBetween(lastTime, startTime)
-			}
-
-			if err != nil {
-				log.Warnf("Error while looking for retention jobs: %v", err)
-			}
-			ar.Compress(jobs)
-		})
-	}
-
-	s.StartAsync()
-
 	if os.Getenv("GOGC") == "" {
 		debug.SetGCPercent(25)
 	}
 	runtimeEnv.SystemdNotifiy(true, "running")
 	wg.Wait()
-	log.Print("Gracefull shutdown completed!")
+	log.Print("Graceful shutdown completed!")
 }
--- a/cmd/cc-backend/server.go
+++ b/cmd/cc-backend/server.go
@@ -0,0 +1,330 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/99designs/gqlgen/graphql/handler"
+	"github.com/99designs/gqlgen/graphql/handler/transport"
+	"github.com/99designs/gqlgen/graphql/playground"
+	"github.com/ClusterCockpit/cc-backend/internal/api"
+	"github.com/ClusterCockpit/cc-backend/internal/archiver"
+	"github.com/ClusterCockpit/cc-backend/internal/auth"
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/graph"
+	"github.com/ClusterCockpit/cc-backend/internal/graph/generated"
+	"github.com/ClusterCockpit/cc-backend/internal/routerConfig"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/runtimeEnv"
+	"github.com/ClusterCockpit/cc-backend/web"
+	"github.com/gorilla/handlers"
+	"github.com/gorilla/mux"
+	httpSwagger "github.com/swaggo/http-swagger"
+)
+
+var (
+	router    *mux.Router
+	server    *http.Server
+	apiHandle *api.RestApi
+)
+
+func onFailureResponse(rw http.ResponseWriter, r *http.Request, err error) {
+	rw.Header().Add("Content-Type", "application/json")
+	rw.WriteHeader(http.StatusUnauthorized)
+	json.NewEncoder(rw).Encode(map[string]string{
+		"status": http.StatusText(http.StatusUnauthorized),
+		"error":  err.Error(),
+	})
+}
+
+func serverInit() {
+	// Setup the http.Handler/Router used by the server
+	graph.Init()
+	resolver := graph.GetResolverInstance()
+	graphQLServer := handler.New(
+		generated.NewExecutableSchema(generated.Config{Resolvers: resolver}))
+
+	// graphQLServer.AddTransport(transport.SSE{})
+	graphQLServer.AddTransport(transport.POST{})
+	// graphQLServer.AddTransport(transport.Websocket{
+	// 	KeepAlivePingInterval: 10 * time.Second,
+	// 	Upgrader: websocket.Upgrader{
+	// 		CheckOrigin: func(r *http.Request) bool {
+	// 			return true
+	// 		},
+	// 	},
+	// })
+
+	if os.Getenv("DEBUG") != "1" {
+		// Having this handler means that a error message is returned via GraphQL instead of the connection simply beeing closed.
+		// The problem with this is that then, no more stacktrace is printed to stderr.
+		graphQLServer.SetRecoverFunc(func(ctx context.Context, err any) error {
+			switch e := err.(type) {
+			case string:
+				return fmt.Errorf("MAIN > Panic: %s", e)
+			case error:
+				return fmt.Errorf("MAIN > Panic caused by: %s", e.Error())
+			}
+
+			return errors.New("MAIN > Internal server error (panic)")
+		})
+	}
+
+	authHandle := auth.GetAuthInstance()
+
+	apiHandle = api.New()
+
+	router = mux.NewRouter()
+	buildInfo := web.Build{Version: version, Hash: commit, Buildtime: date}
+
+	info := map[string]any{}
+	info["hasOpenIDConnect"] = false
+
+	if config.Keys.OpenIDConfig != nil {
+		openIDConnect := auth.NewOIDC(authHandle)
+		openIDConnect.RegisterEndpoints(router)
+		info["hasOpenIDConnect"] = true
+	}
+
+	router.HandleFunc("/login", func(rw http.ResponseWriter, r *http.Request) {
+		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+		log.Debugf("##%v##", info)
+		web.RenderTemplate(rw, "login.tmpl", &web.Page{Title: "Login", Build: buildInfo, Infos: info})
+	}).Methods(http.MethodGet)
+	router.HandleFunc("/imprint", func(rw http.ResponseWriter, r *http.Request) {
+		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+		web.RenderTemplate(rw, "imprint.tmpl", &web.Page{Title: "Imprint", Build: buildInfo})
+	})
+	router.HandleFunc("/privacy", func(rw http.ResponseWriter, r *http.Request) {
+		rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+		web.RenderTemplate(rw, "privacy.tmpl", &web.Page{Title: "Privacy", Build: buildInfo})
+	})
+
+	secured := router.PathPrefix("/").Subrouter()
+	securedapi := router.PathPrefix("/api").Subrouter()
+	userapi := router.PathPrefix("/userapi").Subrouter()
+	configapi := router.PathPrefix("/config").Subrouter()
+	frontendapi := router.PathPrefix("/frontend").Subrouter()
+
+	if !config.Keys.DisableAuthentication {
+		router.Handle("/login", authHandle.Login(
+			// On success: Handled within Login()
+			// On failure:
+			func(rw http.ResponseWriter, r *http.Request, err error) {
+				rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+				rw.WriteHeader(http.StatusUnauthorized)
+				web.RenderTemplate(rw, "login.tmpl", &web.Page{
+					Title:   "Login failed - ClusterCockpit",
+					MsgType: "alert-warning",
+					Message: err.Error(),
+					Build:   buildInfo,
+					Infos:   info,
+				})
+			})).Methods(http.MethodPost)
+
+		router.Handle("/jwt-login", authHandle.Login(
+			// On success: Handled within Login()
+			// On failure:
+			func(rw http.ResponseWriter, r *http.Request, err error) {
+				rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+				rw.WriteHeader(http.StatusUnauthorized)
+				web.RenderTemplate(rw, "login.tmpl", &web.Page{
+					Title:   "Login failed - ClusterCockpit",
+					MsgType: "alert-warning",
+					Message: err.Error(),
+					Build:   buildInfo,
+					Infos:   info,
+				})
+			}))
+
+		router.Handle("/logout", authHandle.Logout(
+			http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+				rw.Header().Add("Content-Type", "text/html; charset=utf-8")
+				rw.WriteHeader(http.StatusOK)
+				web.RenderTemplate(rw, "login.tmpl", &web.Page{
+					Title:   "Bye - ClusterCockpit",
+					MsgType: "alert-info",
+					Message: "Logout successful",
+					Build:   buildInfo,
+					Infos:   info,
+				})
+			}))).Methods(http.MethodPost)
+
+		secured.Use(func(next http.Handler) http.Handler {
+			return authHandle.Auth(
+				// On success;
+				next,
+
+				// On failure:
+				func(rw http.ResponseWriter, r *http.Request, err error) {
+					rw.WriteHeader(http.StatusUnauthorized)
+					web.RenderTemplate(rw, "login.tmpl", &web.Page{
+						Title:    "Authentication failed - ClusterCockpit",
+						MsgType:  "alert-danger",
+						Message:  err.Error(),
+						Build:    buildInfo,
+						Infos:    info,
+						Redirect: r.RequestURI,
+					})
+				})
+		})
+
+		securedapi.Use(func(next http.Handler) http.Handler {
+			return authHandle.AuthApi(
+				// On success;
+				next,
+				// On failure: JSON Response
+				onFailureResponse)
+		})
+
+		userapi.Use(func(next http.Handler) http.Handler {
+			return authHandle.AuthUserApi(
+				// On success;
+				next,
+				// On failure: JSON Response
+				onFailureResponse)
+		})
+
+		configapi.Use(func(next http.Handler) http.Handler {
+			return authHandle.AuthConfigApi(
+				// On success;
+				next,
+				// On failure: JSON Response
+				onFailureResponse)
+		})
+
+		frontendapi.Use(func(next http.Handler) http.Handler {
+			return authHandle.AuthFrontendApi(
+				// On success;
+				next,
+				// On failure: JSON Response
+				onFailureResponse)
+		})
+	}
+
+	if flagDev {
+		router.Handle("/playground", playground.Handler("GraphQL playground", "/query"))
+		router.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
+			httpSwagger.URL("http://" + config.Keys.Addr + "/swagger/doc.json"))).Methods(http.MethodGet)
+	}
+	secured.Handle("/query", graphQLServer)
+
+	// Send a searchId and then reply with a redirect to a user, or directly send query to job table for jobid and project.
+	secured.HandleFunc("/search", func(rw http.ResponseWriter, r *http.Request) {
+		routerConfig.HandleSearchBar(rw, r, buildInfo)
+	})
+
+	// Mount all /monitoring/... and /api/... routes.
+	routerConfig.SetupRoutes(secured, buildInfo)
+	apiHandle.MountApiRoutes(securedapi)
+	apiHandle.MountUserApiRoutes(userapi)
+	apiHandle.MountConfigApiRoutes(configapi)
+	apiHandle.MountFrontendApiRoutes(frontendapi)
+
+	if config.Keys.EmbedStaticFiles {
+		if i, err := os.Stat("./var/img"); err == nil {
+			if i.IsDir() {
+				log.Info("Use local directory for static images")
+				router.PathPrefix("/img/").Handler(http.StripPrefix("/img/", http.FileServer(http.Dir("./var/img"))))
+			}
+		}
+		router.PathPrefix("/").Handler(web.ServeFiles())
+	} else {
+		router.PathPrefix("/").Handler(http.FileServer(http.Dir(config.Keys.StaticFiles)))
+	}
+
+	router.Use(handlers.CompressHandler)
+	router.Use(handlers.RecoveryHandler(handlers.PrintRecoveryStack(true)))
+	router.Use(handlers.CORS(
+		handlers.AllowCredentials(),
+		handlers.AllowedHeaders([]string{"X-Requested-With", "Content-Type", "Authorization", "Origin"}),
+		handlers.AllowedMethods([]string{"GET", "POST", "HEAD", "OPTIONS"}),
+		handlers.AllowedOrigins([]string{"*"})))
+}
+
+func serverStart() {
+	handler := handlers.CustomLoggingHandler(io.Discard, router, func(_ io.Writer, params handlers.LogFormatterParams) {
+		if strings.HasPrefix(params.Request.RequestURI, "/api/") {
+			log.Debugf("%s %s (%d, %.02fkb, %dms)",
+				params.Request.Method, params.URL.RequestURI(),
+				params.StatusCode, float32(params.Size)/1024,
+				time.Since(params.TimeStamp).Milliseconds())
+		} else {
+			log.Debugf("%s %s (%d, %.02fkb, %dms)",
+				params.Request.Method, params.URL.RequestURI(),
+				params.StatusCode, float32(params.Size)/1024,
+				time.Since(params.TimeStamp).Milliseconds())
+		}
+	})
+
+	server = &http.Server{
+		ReadTimeout:  20 * time.Second,
+		WriteTimeout: 20 * time.Second,
+		Handler:      handler,
+		Addr:         config.Keys.Addr,
+	}
+
+	// Start http or https server
+	listener, err := net.Listen("tcp", config.Keys.Addr)
+	if err != nil {
+		log.Abortf("Server Start: Starting http listener on '%s' failed.\nError: %s\n", config.Keys.Addr, err.Error())
+	}
+
+	if !strings.HasSuffix(config.Keys.Addr, ":80") && config.Keys.RedirectHttpTo != "" {
+		go func() {
+			http.ListenAndServe(":80", http.RedirectHandler(config.Keys.RedirectHttpTo, http.StatusMovedPermanently))
+		}()
+	}
+
+	if config.Keys.HttpsCertFile != "" && config.Keys.HttpsKeyFile != "" {
+		cert, err := tls.LoadX509KeyPair(
+			config.Keys.HttpsCertFile, config.Keys.HttpsKeyFile)
+		if err != nil {
+			log.Abortf("Server Start: Loading X509 keypair failed. Check options 'https-cert-file' and 'https-key-file' in 'config.json'.\nError: %s\n", err.Error())
+		}
+		listener = tls.NewListener(listener, &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			},
+			MinVersion:               tls.VersionTLS12,
+			PreferServerCipherSuites: true,
+		})
+		log.Printf("HTTPS server listening at %s...\n", config.Keys.Addr)
+	} else {
+		log.Printf("HTTP server listening at %s...\n", config.Keys.Addr)
+	}
+	//
+	// Because this program will want to bind to a privileged port (like 80), the listener must
+	// be established first, then the user can be changed, and after that,
+	// the actual http server can be started.
+	if err := runtimeEnv.DropPrivileges(config.Keys.Group, config.Keys.User); err != nil {
+		log.Abortf("Server Start: Error while preparing server start.\nError: %s\n", err.Error())
+	}
+
+	if err = server.Serve(listener); err != nil && err != http.ErrServerClosed {
+		log.Abortf("Server Start: Starting server failed.\nError: %s\n", err.Error())
+	}
+}
+
+func serverShutdown() {
+	// First shut down the server gracefully (waiting for all ongoing requests)
+	server.Shutdown(context.Background())
+
+	// Then, wait for any async archivings still pending...
+	archiver.WaitForArchiving()
+}
--- a/configs/README.md
+++ b/configs/README.md
@@ -1,76 +0,0 @@
-## Intro
-
-cc-backend requires a configuration file specifying the cluster systems to be used. Still many  default
-options documented below are used. cc-backend tries to load a config.json from the working directory per default.
-To overwrite the default specify a json config file location using the command line option `--config <filepath>`.
-All security relevant configuration. e.g., keys and passwords, are set using environment variables.
-It is supported to specify these by means of an `.env` file located in the project root.
-
-## Configuration Options
-
-* `addr`: Type string.  Address where the http (or https) server will listen on (for example: 'localhost:80'). Default `:8080`.
-* `user`: Type string. Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port.
-* `group`: Type string.  Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port.
-* `disable-authentication`: Type bool.  Disable authentication (for everything: API, Web-UI, ...). Default `false`.
-* `embed-static-files`: Type bool. If all files in `web/frontend/public` should be served from within the binary itself (they are embedded) or not. Default `true`.
-* `static-files`: Type string. Folder where static assets can be found, if `embed-static-files` is `false`. No default.
-* `db-driver`: Type string. 'sqlite3' or 'mysql' (mysql will work for mariadb as well). Default `sqlite3`.
-* `db`: Type string. For sqlite3 a filename, for mysql a DSN in this format: https://github.com/go-sql-driver/mysql#dsn-data-source-name (Without query parameters!). Default: `./var/job.db`.
-* `job-archive`: Type string. Path to the job-archive. Default: `./var/job-archive`.
-* `disable-archive`: Type bool. Keep all metric data in the metric data repositories, do not write to the job-archive. Default `false`.
-* `validate`: Type bool. Validate all input json documents against json schema.
-* `"session-max-age`: Type string. Specifies for how long a session shall be valid  as a string parsable by time.ParseDuration(). If 0 or empty, the session/token does not expire! Default `168h`.
-* `"jwt-max-age`: Type string. Specifies for how long a JWT token shall be valid  as a string parsable by time.ParseDuration(). If 0 or empty, the session/token does not expire! Default `0`.
-* `https-cert-file` and `https-key-file`: Type string. If both those options are not empty, use HTTPS using those certificates.
-* `redirect-http-to`: Type string. If not the empty string and `addr` does not end in ":80", redirect every request incoming at port 80 to that url.
-* `machine-state-dir`: Type string. Where to store MachineState files. TODO: Explain in more detail!
-* `"stop-jobs-exceeding-walltime`: Type int. If not zero, automatically mark jobs as stopped running X seconds longer than their walltime. Only applies if walltime is set for job. Default `0`.
-* `short-running-jobs-duration`: Type int. Do not show running jobs shorter than X seconds. Default `300`.
-* `ldap`: Type object. For LDAP Authentication and user synchronisation. Default `nil`.
-   - `url`: Type string.  URL of LDAP directory server.
-   - `user_base`: Type string. Base DN of user tree root.
-   - `search_dn`: Type string. DN for authenticating LDAP admin account with general read rights.
-   - `user_bind`: Type string. Expression used to authenticate users via LDAP bind. Must contain `uid={username}`.
-   - `user_filter`: Type string. Filter to extract users for syncing.
-   - `sync_interval`: Type string. Interval used for syncing local user table with LDAP directory. Parsed using time.ParseDuration.
-   - `sync_del_old_users`: Type bool. Delete obsolete users in database.
-* `clusters`: Type array of objects
-   - `name`: Type string. The name of the cluster.
-   - `metricDataRepository`: Type object with properties: `kind` (Type string, can be one of `cc-metric-store`, `influxdb` ), `url` (Type string), `token` (Type string)
-   - `filterRanges` Type object. This option controls the slider ranges for the UI controls of numNodes, duration, and startTime.  Example:
-   ```
-   "filterRanges": {
-                "numNodes": { "from": 1, "to": 64 },
-                "duration": { "from": 0, "to": 86400 },
-                "startTime": { "from": "2022-01-01T00:00:00Z", "to": null }
-            }
-   ```
-* `ui-defaults`: Type object. Default configuration for ui views. If overwritten, all options  must be provided! Most options can be overwritten by the user via the web interface.
-   - `analysis_view_histogramMetrics`: Type string array. Metrics to show as job count histograms in analysis view. Default `["flops_any", "mem_bw", "mem_used"]`.
-   - `analysis_view_scatterPlotMetrics`: Type array of string array. Initial
-   scatter plot configuration in analysis view. Default `[["flops_any", "mem_bw"], ["flops_any", "cpu_load"], ["cpu_load", "mem_bw"]]`.
-   - `job_view_nodestats_selectedMetrics`: Type string array. Initial metrics shown in node statistics table of single job view. Default `["flops_any", "mem_bw", "mem_used"]`.
-   - `job_view_polarPlotMetrics`: Type string array. Metrics shown in polar plot of single job view. Default `["flops_any", "mem_bw", "mem_used", "net_bw", "file_bw"]`.
-   - `job_view_selectedMetrics`: Type string array.  Default `["flops_any", "mem_bw", "mem_used"]`.
-   - `plot_general_colorBackground`: Type bool. Color plot background according to job average threshold limits. Default `true`.
-   - `plot_general_colorscheme`: Type string array. Initial color scheme. Default `"#00bfff", "#0000ff", "#ff00ff", "#ff0000", "#ff8000", "#ffff00", "#80ff00"`.
-   - `plot_general_lineWidth`: Type int. Initial linewidth. Default `3`.
-   - `plot_list_jobsPerPage`: Type int. Jobs shown per page in job lists. Default `50`.
-   - `plot_list_selectedMetrics`: Type string array. Initial metric plots shown in jobs lists. Default `"cpu_load", "ipc", "mem_used", "flops_any", "mem_bw"`.
-   - `plot_view_plotsPerRow`: Type int. Number of plots per row in single job view. Default `3`.
-   - `plot_view_showPolarplot`: Type bool. Option to toggle polar plot in single job view. Default `true`.
-   - `plot_view_showRoofline`: Type bool. Option to toggle roofline plot in single job view. Default `true`.
-   - `plot_view_showStatTable`: Type bool. Option to toggle the node statistic table in single job view. Default `true`.
-   - `system_view_selectedMetric`: Type string. Initial metric shown in system view. Default `cpu_load`.
-
-Some of the `ui-defaults` values can be appended by `:<clustername>` in order to have different settings depending on the current cluster. Those are notably `job_view_nodestats_selectedMetrics`, `job_view_polarPlotMetrics`, `job_view_selectedMetrics` and `plot_list_selectedMetrics`.
-
-## Environment Variables
-
-An example env file is found in this directory. Copy it to `.env` in the project root and adapt it for your needs.
-
-* `JWT_PUBLIC_KEY` and `JWT_PRIVATE_KEY`: Base64 encoded Ed25519 keys used for JSON Web Token (JWT) authentication. You can generate your own keypair using `go run ./cmd/gen-keypair/gen-keypair.go`. More information in [README_TOKENS.md](./README_TOKENS.md).
-* `SESSION_KEY`: Some random bytes used as secret for cookie-based sessions.
-* `LDAP_ADMIN_PASSWORD`: The LDAP admin user password (optional).
-* `CROSS_LOGIN_JWT_HS512_KEY`: Used for token based logins via another authentication service.
-* `LOGLEVEL`: Can be `err`, `warn`, `info` or `debug` (optional, `debug` by default). Can be used to reduce logging.
--- a/configs/README_TOKENS.md
+++ b/configs/README_TOKENS.md
@@ -1,51 +0,0 @@
-## Introduction
-
-ClusterCockpit uses JSON Web Tokens (JWT) for authorization of its APIs.
-JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
-This information can be verified and trusted because it is digitally signed.
-In ClusterCockpit JWTs are signed using a public/private key pair using ECDSA.
-Because tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
-Expiration of the generated tokens as well as the max. length of a browser session can be configured in the `config.json` file described [here](./README.md).
-
-The [Ed25519](https://ed25519.cr.yp.to/) algorithm for signatures was used because it is compatible with other tools that require authentication, such as NATS.io, and because these elliptic-curve methods provide simillar security with smaller keys compared to something like RSA. They are sligthly more expensive to validate, but that effect is negligible.
-
-## JWT Payload
-
-You may view the payload of a JWT token at [https://jwt.io/#debugger-io](https://jwt.io/#debugger-io).
-Currently ClusterCockpit sets the following claims:
-* `iat`: Issued at claim. The “iat” claim is used to identify the the time at which the JWT was issued. This claim can be used to determine the age of the JWT.
-* `sub`: Subject claim. Identifies the subject of the JWT, in our case this is the username.
-* `roles`: An array of strings specifying the roles set for the subject.
-* `exp`: Expiration date of the token (only if explicitly configured)
-
-It is important to know that JWTs are not encrypted, only signed. This means that outsiders cannot create new JWTs or modify existing ones, but they are able to read out the username.
-
-## Workflow
-
-1. Create a new ECDSA Public/private keypair:
-```
-$ go build ./cmd/gen-keypair/
-$ ./gen-keypair
-```
-2. Add keypair in your `.env` file. A template can be found in `./configs`.
-
-When a user logs in via the `/login` page using a browser, a session cookie (secured using the random bytes in the `SESSION_KEY` env. variable you shoud change as well) is used for all requests after the successfull login. The JWTs make it easier to use the APIs of ClusterCockpit using scripts or other external programs. The token is specified n the `Authorization` HTTP header using the [Bearer schema](https://datatracker.ietf.org/doc/html/rfc6750) (there is an example below). Tokens can be issued to users from the configuration view in the Web-UI or the command line. In order to use the token for API endpoints such as `/api/jobs/start_job/`, the user that executes it needs to have the `api` role. Regular users can only perform read-only queries and only look at data connected to jobs they started themselves.
-
-## cc-metric-store
-
-The [cc-metric-store](https://github.com/ClusterCockpit/cc-metric-store) also uses JWTs for authentication. As it does not issue new tokens, it does not need to kown the private key. The public key of the keypair that is used to generate the JWTs that grant access to the `cc-metric-store` can be specified in its `config.json`. When configuring the `metricDataRepository` object in the `cluster.json` file, you can put a token issued by ClusterCockpit itself.
-
-## Setup user and JWT token for REST API authorization
-
-1. Create user:
-```
-$ ./cc-backend --add-user <username>:api:<password> --no-server
-```
-2. Issue token for user:
-```
-$ ./cc-backend --jwt <username> --no-server
-```
-3. Use issued token token on client side:
-```
-$ curl -X GET "<API ENDPOINT>" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer <JWT TOKEN>"
-```
--- a/configs/config-demo.json
+++ b/configs/config-demo.json
@@ -1,9 +1,26 @@
 {
  "addr": "127.0.0.1:8080",
+  "short-running-jobs-duration": 300,
  "archive": {
    "kind": "file",
    "path": "./var/job-archive"
  },
+  "jwts": {
+    "max-age": "2000h"
+  },
+  "enable-resampling": {
+    "trigger": 30,
+    "resolutions": [
+      600,
+      300,
+      120,
+      60
+    ]
+  },
+  "apiAllowedIPs": [
+    "*"
+  ],
+  "emission-constant": 317,
  "clusters": [
    {
      "name": "fritz",
--- a/configs/config-mariadb.json
+++ b/configs/config-mariadb.json
@@ -0,0 +1,69 @@
+{
+  "addr": "127.0.0.1:8080",
+  "short-running-jobs-duration": 300,
+  "archive": {
+    "kind": "file",
+    "path": "./var/job-archive"
+  },
+  "jwts": {
+    "max-age": "2000h"
+  },
+  "db-driver": "mysql",
+  "db": "clustercockpit:demo@tcp(127.0.0.1:3306)/clustercockpit",
+  "enable-resampling": {
+    "trigger": 30,
+    "resolutions": [
+      600,
+      300,
+      120,
+      60
+    ]
+  },
+  "emission-constant": 317,
+  "clusters": [
+    {
+      "name": "fritz",
+      "metricDataRepository": {
+        "kind": "cc-metric-store",
+        "url": "http://localhost:8082",
+        "token": ""
+      },
+      "filterRanges": {
+        "numNodes": {
+          "from": 1,
+          "to": 64
+        },
+        "duration": {
+          "from": 0,
+          "to": 86400
+        },
+        "startTime": {
+          "from": "2022-01-01T00:00:00Z",
+          "to": null
+        }
+      }
+    },
+    {
+      "name": "alex",
+      "metricDataRepository": {
+        "kind": "cc-metric-store",
+        "url": "http://localhost:8082",
+        "token": ""
+      },
+      "filterRanges": {
+        "numNodes": {
+          "from": 1,
+          "to": 64
+        },
+        "duration": {
+          "from": 0,
+          "to": 86400
+        },
+        "startTime": {
+          "from": "2022-01-01T00:00:00Z",
+          "to": null
+        }
+      }
+    }
+  ]
+}
--- a/configs/config.json
+++ b/configs/config.json
@@ -5,7 +5,7 @@
    "user_base": "ou=people,ou=hpc,dc=test,dc=de",
    "search_dn": "cn=hpcmonitoring,ou=roadm,ou=profile,ou=hpc,dc=test,dc=de",
    "user_bind": "uid={username},ou=people,ou=hpc,dc=test,dc=de",
-        "user_filter": "(&(objectclass=posixAccount)(uid=*))"
+    "user_filter": "(&(objectclass=posixAccount))"
  },
  "https-cert-file": "/etc/letsencrypt/live/url/fullchain.pem",
  "https-key-file": "/etc/letsencrypt/live/url/privkey.pem",
@@ -15,7 +15,10 @@
    "kind": "file",
    "path": "./var/job-archive"
  },
-    "validate": true,
+  "validate": false,
+  "apiAllowedIPs": [
+    "*"
+  ],
  "clusters": [
    {
      "name": "test",
@@ -42,9 +45,18 @@
  ],
  "jwts": {
    "cookieName": "",
-        "forceJWTValidationViaDatabase": false,
-        "max-age": 0,
-        "trustedExternalIssuer": ""
+    "validateUser": false,
+    "max-age": "2000h",
+    "trustedIssuer": ""
+  },
+  "enable-resampling": {
+    "trigger": 30,
+    "resolutions": [
+      600,
+      300,
+      120,
+      60
+    ]
  },
  "short-running-jobs-duration": 300
 }
--- a/configs/default_metrics.json
+++ b/configs/default_metrics.json
@@ -0,0 +1,12 @@
+{
+  "clusters": [
+    {
+      "name": "fritz",
+      "default_metrics": "cpu_load, flops_any, core_power, lustre_open, mem_used, mem_bw, net_bytes_in"
+    },
+    {
+      "name": "alex",
+      "default_metrics": "flops_any, mem_bw, mem_used, vectorization_ratio"
+    }
+  ]
+}
--- a/configs/env-template.txt
+++ b/configs/env-template.txt
@@ -1,10 +1,10 @@
 # Base64 encoded Ed25519 keys (DO NOT USE THESE TWO IN PRODUCTION!)
-# You can generate your own keypair using `go run utils/gen-keypair.go`
+# You can generate your own keypair using `go run tools/gen-keypair/main.go`
 JWT_PUBLIC_KEY="kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0="
 JWT_PRIVATE_KEY="dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q=="

 # Base64 encoded Ed25519 public key for accepting externally generated JWTs
-# Keys in PEM format can be converted, see `tools/convert-pem-pubkey-for-cc/Readme.md`
+# Keys in PEM format can be converted, see `tools/convert-pem-pubkey/Readme.md`
 CROSS_LOGIN_JWT_PUBLIC_KEY=""

 # Some random bytes used as secret for cookie-based sessions (DO NOT USE THIS ONE IN PRODUCTION)
--- a/configs/generate-subcluster.pl
+++ b/configs/generate-subcluster.pl
@@ -117,10 +117,12 @@ foreach my $ln (split("\n", $topo)) {

 my $node;
 my @sockets;
+my @nodeCores;
 foreach my $socket ( @{$DOMAINS{socket}} ) {
    push @sockets, "[".join(",", @{$socket})."]";
-    $node .=  join(",", @{$socket})
+    push @nodeCores, join(",", @{$socket});
 }
+$node =  join(",", @nodeCores);
 $INFO{sockets} = join(",\n", @sockets);

 my @memDomains;
@@ -212,9 +214,27 @@ print <<"END";
      "socketsPerNode": $INFO{socketsPerNode},
      "coresPerSocket": $INFO{coresPerSocket},
      "threadsPerCore": $INFO{threadsPerCore},
-      "flopRateScalar": $flopsScalar,
-      "flopRateSimd": $flopsSimd,
-      "memoryBandwidth": $memBw,
+      "flopRateScalar": {
+           "unit": {
+               "base": "F/s",
+               "prefix": "G"
+           },
+           "value": $flopsScalar
+      },
+      "flopRateSimd": {
+           "unit": {
+               "base": "F/s",
+               "prefix": "G"
+           },
+           "value": $flopsSimd
+      },
+      "memoryBandwidth": {
+           "unit": {
+               "base": "B/s",
+               "prefix": "G"
+           },
+           "value": $memBw
+      },
      "nodes": "<FILL IN NODE RANGES>",
      "topology": {
          "node": [$node],
--- a/docs/ConfigurationManagement.md
+++ b/docs/ConfigurationManagement.md
@@ -1,37 +0,0 @@
-# Release versioning
-
-Releases are numbered with an integer ID, starting with 1.
-Each release embeds the following assets in the binary:
-* Web front-end with Javascript files and all static assets.
-* Golang template files for server-side rendering.
-* JSON schema files for validation.
-* Database migration files
-
-The remaining external assets are:
-* The SQL database used
-* The job archive
-* The configuration file `config.json`
-
-Both external assets are also versioned with integer IDs.
-This means that each release binary is bound to specific versions of the SQL
-database and the job archive.
-The configuration file is validated against the current schema on startup.
-The command line switch `-migrate-db` can be used to upgrade the SQL database
-to migrate from a previous version to the latest one.
-We offer a separate tool `archive-migration` to migrate an existing job archive
-archive from the previous to the latest version.
-
-# Versioning of APIs
-
-cc-backend provides two API backends:
-* A REST API for querying jobs
-* A GraphQL API for data exchange between web frontend and cc-backend
-
-Both APIs will also be versioned. We still need to decide wether we will also support
-older REST API version by versioning the endpoint URLs.
-
-# How to build
-
-Please always build `cc-backend` with the supplied Makefile. This will ensure
-that the frontend is also built correctly and that the version in the binary file is coded
-in the binary.
--- a/docs/Hands-on.md
+++ b/docs/Hands-on.md
@@ -1,239 +0,0 @@
-# CC-HANDSON - Setup ClusterCockpit from scratch (w/o docker)
-
-## Prerequisites
-* Perl
-* Yarn
-* Go
-* Optional: curl
-* Script migrateTimestamp.pl
-
-## Documentation
-You find READMEs or api docs in
-* ./cc-backend/configs
-* ./cc-backend/init
-* ./cc-backend/api
-
-## ClusterCockpit configuration files
-### cc-backend
-* `./.env` Passwords and Tokens set in the environment
-* `./config.json` Configuration options for cc-backend
-
-### cc-metric-store
-* `./config.json` Optional to overwrite configuration options
-
-### cc-metric-collector
-Not yet included in the hands-on setup.
-
-## Setup Components
-Start by creating a base folder for all of the following steps.
-* `mkdir clustercockpit`
-* `cd clustercockpit`
-
-### Setup cc-backend
-* Clone Repository
-    - `git clone https://github.com/ClusterCockpit/cc-backend.git`
-    - `cd cc-backend`
-* Setup Frontend
-    - `cd ./web/frontend`
-    - `yarn install`
-    - `yarn build`
-    - `cd ../..`
-* Build Go Executable
-    - `go build ./cmd/cc-backend/`
-* Activate & Config environment for cc-backend
-    - `cp configs/env-template.txt  .env`
-    - Optional: Have a look via `vim ./.env`
-    - Copy the `config.json` file included in this tarball into the root directory of cc-backend: `cp ../../config.json  ./`
-* Back to toplevel `clustercockpit`
-    - `cd ..`
-* Prepare Datafolder and Database file
-    - `mkdir var`
-    - `./cc-backend --migrate-db`
-
-### Setup cc-metric-store
-* Clone Repository
-    - `git clone https://github.com/ClusterCockpit/cc-metric-store.git`
-    - `cd cc-metric-store`
-* Build Go Executable
-    - `go get`
-    - `go build`
-* Prepare Datafolders
-    - `mkdir -p var/checkpoints`
-    - `mkdir -p var/archive`
-* Update Config
-    - `vim config.json`
-    - Exchange existing setting in `metrics` with the following:
-```
-"clock":      { "frequency": 60, "aggregation": null },
-"cpi":        { "frequency": 60, "aggregation": null },
-"cpu_load":   { "frequency": 60, "aggregation": null },
-"flops_any":  { "frequency": 60, "aggregation": null },
-"flops_dp":   { "frequency": 60, "aggregation": null },
-"flops_sp":   { "frequency": 60, "aggregation": null },
-"ib_bw":      { "frequency": 60, "aggregation": null },
-"lustre_bw":  { "frequency": 60, "aggregation": null },
-"mem_bw":     { "frequency": 60, "aggregation": null },
-"mem_used":   { "frequency": 60, "aggregation": null },
-"rapl_power": { "frequency": 60, "aggregation": null }
-```
-* Back to toplevel `clustercockpit`
-    - `cd ..`
-
-### Setup Demo Data
-* `mkdir source-data`
-* `cd source-data`
-* Download JobArchive-Source:
-    - `wget https://hpc-mover.rrze.uni-erlangen.de/HPC-Data/0x7b58aefb/eig7ahyo6fo2bais0ephuf2aitohv1ai/job-archive-dev.tar.xz`
-    - `tar xJf job-archive-dev.tar.xz`
-    - `mv ./job-archive ./job-archive-source`
-    - `rm ./job-archive-dev.tar.xz`
-* Download CC-Metric-Store Checkpoints:
-    - `mkdir -p cc-metric-store-source/checkpoints`
-    - `cd cc-metric-store-source/checkpoints`
-    - `wget https://hpc-mover.rrze.uni-erlangen.de/HPC-Data/0x7b58aefb/eig7ahyo6fo2bais0ephuf2aitohv1ai/cc-metric-store-checkpoints.tar.xz`
-    - `tar xf cc-metric-store-checkpoints.tar.xz`
-    - `rm cc-metric-store-checkpoints.tar.xz`
-* Back to `source-data`
-    - `cd ../..`
-* Run timestamp migration script. This may take tens of minutes!
-    - `cp ../migrateTimestamps.pl .`
-    - `./migrateTimestamps.pl`
-    - Expected output:
-```
-Starting to update start- and stoptimes in job-archive for emmy
-Starting to update start- and stoptimes in job-archive for woody
-Done for job-archive
-Starting to update checkpoint filenames and data starttimes for emmy
-Starting to update checkpoint filenames and data starttimes for woody
-Done for checkpoints
-```
-* Copy `cluster.json` files from source to migrated folders
-    - `cp source-data/job-archive-source/emmy/cluster.json cc-backend/var/job-archive/emmy/`
-    - `cp source-data/job-archive-source/woody/cluster.json cc-backend/var/job-archive/woody/`
-* Initialize Job-Archive in SQLite3 job.db and add demo user
-    - `cd cc-backend`
-    - `./cc-backend --init-db --add-user demo:admin:AdminDev`
-    - Expected output:
-```
-<6>[INFO]    new user "demo" created (roles: ["admin"], auth-source: 0)
-<6>[INFO]    Building job table...
-<6>[INFO]    A total of 3936 jobs have been registered in 1.791 seconds.
-```
-* Back to toplevel `clustercockpit`
-    - `cd ..`
-
-### Startup both Apps
-* In cc-backend root:  `$./cc-backend --server --dev`
-    - Starts Clustercockpit at `http:localhost:8080`
-        - Log: `<6>[INFO]    HTTP server listening at :8080...`
-    - Use local internet browser to access interface
-        - You should see and be able to browse finished Jobs
-        - Metadata is read from SQLite3 database
-        - Metricdata is read from job-archive/JSON-Files
-    - Create User in settings (top-right corner)
-        - Name `apiuser`
-        - Username `apiuser`
-        - Role `API`
-        - Submit & Refresh Page
-    - Create JTW for `apiuser`
-        - In Userlist, press `Gen. JTW` for `apiuser`
-        - Save JWT for later use
-* In cc-metric-store root:  `$./cc-metric-store`
-    - Start the cc-metric-store on `http:localhost:8081`, Log:
-```
-2022/07/15 17:17:42 Loading checkpoints newer than 2022-07-13T17:17:42+02:00
-2022/07/15 17:17:45 Checkpoints loaded (5621 files, 319 MB, that took 3.034652s)
-2022/07/15 17:17:45 API http endpoint listening on '0.0.0.0:8081'
-```
-    - Does *not* have a graphical interface
-    - Otpional: Test function by executing:
-```
-$ curl -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlcyI6WyJST0xFX0FETUlOIiwiUk9MRV9BTkFMWVNUIiwiUk9MRV9VU0VSIl19.d-3_3FZTsadPjDEdsWrrQ7nS0edMAR4zjl-eK7rJU3HziNBfI9PDHDIpJVHTNN5E5SlLGLFXctWyKAkwhXL-Dw" -D - "http://localhost:8081/api/query" -d "{ \"cluster\": \"emmy\", \"from\": $(expr $(date +%s) - 60), \"to\": $(date +%s), \"queries\": [{
-  \"metric\": \"flops_any\",
-  \"host\": \"e1111\"
-}] }"
-
-HTTP/1.1 200 OK
-Content-Type: application/json
-Date: Fri, 15 Jul 2022 13:57:22 GMT
-Content-Length: 119
-{"results":[[JSON-DATA-ARRAY]]}
-```
-
-### Development API web interfaces
-The `--dev` flag enables web interfaces to document and test the apis:
-* http://localhost:8080/playground - A GraphQL playground. To use it you must have a authenticated session in the same browser.
-* http://localhost:8080/swagger - A Swagger UI. To use it you have to be logged out, so no user session in the same browser. Use the JWT token with role Api generate previously to authenticate via http header.
-
-### Use cc-backend API to start job
-* Enter the URL `http://localhost:8080/swagger/index.html` in your browser.
-* Enter your JWT token you generated for the API user by clicking the green Authorize button in the upper right part of the window.
-* Click the `/job/start_job` endpoint and click the Try it out button.
-* Enter the following json into the request body text area and fill in a recent start timestamp by executing `date +%s`.:
-```
-{
-    "jobId":         100000,
-    "arrayJobId":    0,
-    "user":          "ccdemouser",
-    "subCluster":    "main",
-    "cluster":       "emmy",
-    "startTime":    <date +%s>,
-    "project":       "ccdemoproject",
-    "resources":  [
-        {"hostname":  "e0601"},
-        {"hostname":  "e0823"},
-        {"hostname":  "e0337"},
-        {"hostname": "e1111"}],
-    "numNodes":      4,
-    "numHwthreads":  80,
-    "walltime":      86400
-}
-```
-* The response body should be the database id of the started job, for example:
-```
-{
-  "id": 3937
-}
-```
-* Check in ClusterCockpit
-    - User `ccdemouser` should appear in Users-Tab with one running job
-    - It could take up to 5 Minutes until the Job is displayed with some current data (5 Min Short-Job Filter)
-    - Job then is marked with a green `running` tag
-    - Metricdata displayed is read from cc-metric-store!
-
-
-### Use cc-backend API to stop job
-* Enter the URL `http://localhost:8080/swagger/index.html` in your browser.
-* Enter your JWT token you generated for the API user by clicking the green Authorize button in the upper right part of the window.
-* Click the `/job/stop_job/{id}` endpoint and click the Try it out button.
-* Enter the database id at id that was returned by `start_job` and copy the following into the request body. Replace the timestamp with a recent one:
-```
-{
-  "cluster": "emmy",
-  "jobState": "completed",
-  "stopTime": <RECENT TS>
-}
-```
-* On success a json document with the job meta data is returned.
-
-* Check in ClusterCockpit
-    - User `ccdemouser` should appear in Users-Tab with one completed job
-    - Job is no longer marked with a green `running` tag -> Completed!
-    - Metricdata displayed is now read from job-archive!
-* Check in job-archive
-    - `cd ./cc-backend/var/job-archive/emmy/100/000`
-    - `cd $STARTTIME`
-    - Inspect `meta.json` and `data.json`
-
-## Helper scripts
-* In this tarball you can find the perl script `generate_subcluster.pl` that helps to generate the subcluster section for your system.
-Usage:
-* Log into an exclusive cluster node.
-* The LIKWID tools likwid-topology and likwid-bench must be in the PATH!
-* `$./generate_subcluster.pl` outputs the subcluster section on `stdout`
-
-Please be aware that
-* You have to enter the name and node list for the subCluster manually.
-* GPU detection only works if LIKWID was build with Cuda avalable and you run likwid-topology also with Cuda loaded.
-* Do not blindly trust the measured peakflops values.
-* Because the script blindly relies on the CSV format output by likwid-topology this is a fragile undertaking!
--- a/docs/JWT-Handling.md
+++ b/docs/JWT-Handling.md
@@ -1,82 +0,0 @@
-## Introduction
-
-ClusterCockpit uses JSON Web Tokens (JWT) for authorization of its APIs.
-JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
-This information can be verified and trusted because it is digitally signed.
-In ClusterCockpit JWTs are signed using a public/private key pair using ECDSA.
-Because tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
-Currently JWT tokens in ClusterCockpit not yet expire.
-
-## JWT Payload
-
-You may view the payload of a JWT token at [https://jwt.io/#debugger-io](https://jwt.io/#debugger-io).
-Currently ClusterCockpit sets the following claims:
-* `iat`: Issued at claim. The “iat” claim is used to identify the the time at which the JWT was issued. This claim can be used to determine the age of the JWT.
-* `sub`: Subject claim. Identifies the subject of the JWT, in our case this is the username.
-* `roles`: An array of strings specifying the roles set for the subject.
-
-## Workflow
-
-1. Create a new ECDSA Public/private keypair:
-```
-$ go build ./tools/gen-keypair.go
-$ ./gen-keypair
-```
-2. Add keypair in your `.env` file. A template can be found in `./configs`.
-
-There are two usage scenarios:
-* The APIs are used during a browser session. In this case on login a JWT token is issued on login, that is used by the web frontend to authorize against the GraphQL and REST APIs.
-* The REST API is used outside a browser session, e.g. by scripts. In this case you have to issue a token manually. This possible from within the configuration view or on the command line. It is recommended to issue a JWT token in this case for a special user that only has the `api` role. By using different users for different purposes a fine grained access control and access revocation management is possible.
-
-The token is commonly specified in the Authorization HTTP header using the Bearer schema.
-
-## Setup user and JWT token for REST API authorization
-
-1. Create user:
-```
-$ ./cc-backend --add-user <username>:api:<Password> --no-server
-```
-2. Issue token for user:
-```
-$ ./cc-backend -jwt <username>  -no-server
-```
-3. Use issued token token on client side:
-```
-$ curl -X GET "<API ENDPOINT>" -H "accept: application/json"  -H "Content-Type: application/json"  -H "Authorization: Bearer <JWT TOKEN>"
-```
-
-## Accept externally generated JWTs provided via cookie
-If there is an external service like an AuthAPI that can generate JWTs and hand them over to ClusterCockpit via cookies, CC can be configured to accept them:
-
-1. `.env`: CC needs a public ed25519 key to verify foreign JWT signatures. Public keys in PEM format can be converted with the instructions in [/tools/convert-pem-pubkey-for-cc](../tools/convert-pem-pubkey-for-cc/Readme.md) .
-
-```
-CROSS_LOGIN_JWT_PUBLIC_KEY="+51iXX8BdLFocrppRxIw52xCOf8xFSH/eNilN5IHVGc="
-```
-
-2. `config.json`: Insert a name for the cookie (set by the external service) containing the JWT so that CC knows where to look at. Define a trusted issuer (JWT claim 'iss'), otherwise it will be rejected.
-If you want usernames and user roles from JWTs ('sub' and 'roles' claim) to be validated against CC's internal database, you need to enable it here. Unknown users will then be rejected and roles set via JWT will be ignored.
-
-```json
-"jwts": {
-    "cookieName": "access_cc",
-    "forceJWTValidationViaDatabase": true,
-    "trustedExternalIssuer": "auth.example.com"
-}
-```
-
-3. Make sure your external service includes the same issuer (`iss`) in its JWTs. Example JWT payload:
-
-```json
-{
-  "iat": 1668161471,
-  "nbf": 1668161471,
-  "exp": 1668161531,
-  "sub": "alice",
-  "roles": [
-    "user"
-  ],
-  "jti": "a1b2c3d4-1234-5678-abcd-a1b2c3d4e5f6",
-  "iss": "auth.example.com"
-}
-```
--- a/docs/Job-Archive.md
+++ b/docs/Job-Archive.md
@@ -1,78 +0,0 @@
-The job archive specifies an exchange format for job meta and performance metric
-data. It consists of two parts:
-* a [SQLite database schema](https://github.com/ClusterCockpit/cc-backend/wiki/Job-Archive#sqlite-database-schema)  for job meta data and performance statistics
-* a [Json file format](https://github.com/ClusterCockpit/cc-backend/wiki/Job-Archive#json-file-format) together with a [Directory hierarchy specification](https://github.com/ClusterCockpit/cc-backend/wiki/Job-Archive#directory-hierarchy-specification)
-
-By using an open, portable and simple specification based on files it is
-possible to exchange job performance data for research and analysis purposes as
-well as use it as a robust way for archiving job performance data to disk.
-
-# SQLite database schema
-## Introduction
-
-A SQLite 3 database schema is provided to standardize the job meta data
-information in a portable way. The schema also includes optional columns for job
-performance statistics (called a job performance footprint). The database acts
-as a front end to filter and select subsets of job IDs, that are the keys to get
-the full job performance data in the job performance tree hierarchy.
-
-## Database schema
-
-The schema includes 3 tables: the job table, a tag table and a jobtag table
-representing the MANY-TO-MANY relation between jobs and tags. The SQL schema is
-specified
-[here](https://github.com/ClusterCockpit/cc-specifications/blob/master/schemas/jobs-sqlite.sql).
-Explanation of the various columns including the JSON datatypes is documented
-[here](https://github.com/ClusterCockpit/cc-specifications/blob/master/datastructures/job-meta.schema.json).
-
-# Directory hierarchy specification
-
-## Specification
-
-To manage the number of directories within a single directory a tree approach is
-used splitting the integer job ID. The job id is split in junks of 1000 each.
-Usually 2 layers of directories is sufficient but the concept can be used for an
-arbitrary number of layers.
-
-For a 2 layer schema this can be achieved with (code example in Perl):
-``` perl
-$level1 = $jobID/1000;
-$level2 = $jobID%1000;
-$dstPath = sprintf("%s/%s/%d/%03d", $trunk, $destdir, $level1, $level2);
-```
-
-## Example
-
-For the job ID 1034871 the directory path is `./1034/871/`.
-
-# Json file format
-## Overview
-
-Every cluster must be configured in a `cluster.json` file.
-
-The job data consists of two files:
-* `meta.json`: Contains job meta information and job statistics.
-* `data.json`: Contains complete job data with time series
-
-The description of the json format specification is available as [[json
-schema|https://json-schema.org/]] format file. The latest version of the json
-schema is part of the `cc-backend` source tree. For external reference it is
-also available in a separate repository.
-
-## Specification `cluster.json`
-
-The json schema specification is available
-[here](https://github.com/ClusterCockpit/cc-specifications/blob/master/datastructures/cluster.schema.json).
-
-## Specification `meta.json`
-
-The json schema specification is available
-[here](https://github.com/RRZE-HPC/HPCJobDatabase/blob/master/json-schema/job-meta.schema.json).
-
-## Specification `data.json`
-
-The json schema specification is available
-[here](https://github.com/RRZE-HPC/HPCJobDatabase/blob/master/json-schema/job-data.schema.json).
-Metric time series data is stored for a fixed time step. The time step is set
-per metric. If no value is available for a metric time series data timestamp
-`null` is entered. 
--- a/docs/adm-customization.md
+++ b/docs/adm-customization.md
@@ -1,13 +0,0 @@
-# Overview
-
-Customizing `cc-backend` means changing the logo and certain legal texts
-instead of the placeholders. To change the logo displayed in the navigation bar, the
-file `web/frontend/public/img/logo.png` in the source tree must be replaced
-and cc-backend must be rebuild.
-
-# Replace legal texts
-
-To replace the `imprint.tmpl` and `privacy.tmpl` legal texts, you can place your
-version in `./var/`. At startup `cc-backend` will check if `./var/imprint.tmpl` and/or
-`./var/privacy.tmpl` exist and use them instead of the built-in placeholders.
-You can use the placeholders in `web/templates` as a blueprint.
--- a/docs/adm-upgrade.md
+++ b/docs/adm-upgrade.md
@@ -1,78 +0,0 @@
-In general, an upgrade is nothing more than a replacement of the binary file.
-All the necessary files, except the database file, the configuration file and
-the job archive, are embedded in the binary file. It is recommended to use a
-directory where the file names of the binary files are named with a version
-indicator. This can be, for example, the date or the Unix epoch time. A symbolic
-link points to the version to be used. This makes it easier to switch to earlier
-versions.
-
-The database and the job archive are versioned. Each release binary supports
-specific versions of the database and job archive. If a version mismatch is
-detected, the application is terminated and migration is required.
-
-**IMPORTANT NOTE**
-
-It is recommended to make a backup copy of the database before each update. This
-is mandatory in case the database needs to be migrated. In the case of sqlite,
-this means to stopping `cc-backend` and copying the sqlite database file
-somewhere.
-
-#  Migrating the database
-
-After you have backed up the database, run the following command to migrate the
-database to the latest version:
-```
-$ ./cc-backend -migrate-db
-```
-
-The migration files are embedded in the binary and can also be viewed in the cc
-backend [source tree](https://github.com/ClusterCockpit/cc-backend/tree/master/internal/repository/migrations).
-There are separate migration files for both supported
-database backends.
-We use the [migrate library](https://github.com/golang-migrate/migrate).
-
-If something goes wrong, you can check the status and get the current schema
-(here for sqlite):
-```
-$ sqlite3 var/job.db
-```
-In the sqlite console execute:
-```
-.schema
-```
-to get the current databse schema.
-You can query the current version and whether the migration failed with:
-```
-SELECT * FROM schema_migrations;
-```
-The first column indicates the current database version and the second column is
-a dirty flag indicating whether the migration was successful.
-
-# Migrating the job archive
-
-Job archive migration requires a separate tool (`archive-migration`), which is
-part of the cc-backend source tree (build with `go build ./tools/archive-migration`)
-and is also provided as part of the releases.
-
-Migration is supported only between two successive releases. The migration tool
-migrates the existing job archive to a new job archive. This means that there
-must be enough disk space for two complete job archives. If the tool is called
-without options:
-```
-$ ./archive-migration
-```
-
-it is assumed that a job archive exists in `./var/job-archive`. The new job
-archive is written to `./var/job-archive-new`. Since execution is threaded in case
-of a fatal error, it is impossible to determine in which job the error occurred.
-In this case, you can run the tool in debug mode (with the `-debug` flag). In
-debug mode, threading is disabled and the job ID of each migrated job is output.
-Jobs with empty files will be skipped. Between multiple runs of the tools, the
-`job-archive-new` directory must be moved or deleted.
-
-The `cluster.json` files in `job-archive-new` must be checked for errors, especially
-whether the aggregation attribute is set correctly for all metrics.
-
-Migration takes several hours for relatively large job archives (several hundred
-GB). A versioned job archive contains a version.txt file in the root directory
-of the job archive. This file contains the version as an unsigned integer.
--- a/docs/dev-frontend.md
+++ b/docs/dev-frontend.md
@@ -1,33 +0,0 @@
-## Tips for frontend development
-
-The frontend assets including the Svelte js files are per default embedded in
-the bgo binary. To enable a quick turnaround cycle for web development of the
-frontend disable embedding of static assets in `config.json`:
-```
-"embed-static-files": false,
-"static-files": "./web/frontend/public/",
-
-```
-
-Start the node build process (in directory `./web/frontend`) in development mode:
-```
-$ npm run dev
-```
-
-This will start the build process in listen mode. Whenever you change a source
-files the depending javascript targets will be automatically rebuild.
-In case the javascript files are minified you may need to set the production
-flag by hand to false in `./web/frontend/rollup.config.mjs`:
-```
-const production = false
-```
-
-Usually this should work automatically.
-
-Because the files are still served by ./cc-backend you have to reload the view
-explicitly in your browser.
-
-A common setup is to have three terminals open:
-* One running cc-backend (working directory repository root): `./cc-backend -server -dev`
-* Another running npm in developer mode (working directory `./web/frontend`): `npm run dev`
-* And the last one editing the frontend source files
--- a/docs/dev-testing.md
+++ b/docs/dev-testing.md
@@ -1,34 +0,0 @@
-## Overview
-
-We use the standard golang testing environment.
-
-The following conventions are used:
-
-* *White box unit tests*: Tests for internal functionality are placed in files
-* *Black box unit tests*: Tests for public interfaces are placed in files
-with `<package name>_test.go` and belong to the package `<package_name>_test`.
-There only exists one package test file per package.
-* *Integration tests*: Tests that use multiple componenents are placed in a
-package test file. These are named `<package name>_test.go` and belong to the
-package `<package_name>_test`.
-* *Test assets*: Any required files are placed in a directory `./testdata`
-within each package directory.
-
-## Executing tests
-
-Visual Studio Code has a very good golang test integration.
-For debugging a test this is the recommended solution.
-
-The Makefile provided by us has a `test` target that executes:
-```
-$ go clean -testcache
-$ go build ./...
-$ go vet ./...
-$ go test ./...
-```
-
-Of course the commands can also be used on the command line.
-For details about golang testing refer to the standard documentation:
-
-* [Testing package](https://pkg.go.dev/testing)
-* [go test command](https://pkg.go.dev/cmd/go#hdr-Test_packages)
--- a/docs/migrateTimestamps.pl
+++ b/docs/migrateTimestamps.pl
@@ -1,229 +0,0 @@
-#!/usr/bin/env perl
-use strict;
-use warnings;
-use utf8;
-
-use JSON::PP; # from Perl default install
-use Time::Local qw( timelocal ); # from Perl default install
-use Time::Piece; # from Perl default install
-
-### JSON
-my $json = JSON::PP->new->allow_nonref;
-
-### TIME AND DATE
-# now
-my $localtime = localtime;
-my $epochtime = $localtime->epoch;
-# 5 days ago: Via epoch due to possible reverse month borders
-my $epochlessfive = $epochtime - (86400 * 5);
-my $locallessfive = localtime($epochlessfive);
-# Calc like `date --date 'TZ="Europe/Berlin" 0:00 5 days ago' +%s`)
-my ($day, $month, $year) = ($locallessfive->mday, $locallessfive->_mon, $locallessfive->year);
-my $checkpointStart = timelocal(0, 0, 0, $day, $month, $year);
-# for checkpoints
-my $halfday = 43200;
-
-### JOB-ARCHIVE
-my $archiveTarget = './cc-backend/var/job-archive';
-my $archiveSrc = './source-data/job-archive-source';
-my @ArchiveClusters;
-
-# Gen folder
-if ( not -d $archiveTarget ){
-    mkdir( $archiveTarget ) or die "Couldn't create $archiveTarget directory, $!";
-}
-
-# Get clusters by job-archive/$subfolder
-opendir my $dh, $archiveSrc  or die "can't open directory: $!";
-while ( readdir $dh ) {
-    chomp; next if $_ eq '.' or $_ eq '..'  or $_ eq 'job-archive';
-    my $cluster = $_;
-    push @ArchiveClusters, $cluster;
-}
-
-# start for jobarchive
-foreach my $cluster ( @ArchiveClusters ) {
-    print "Starting to update start- and stoptimes in job-archive for $cluster\n";
-
-    my $clusterTarget = "$archiveTarget/$cluster";
-
-    if ( not -d $clusterTarget ){
-        mkdir( $clusterTarget ) or die "Couldn't create $clusterTarget directory, $!";
-    }
-
-    opendir my $dhLevel1, "$archiveSrc/$cluster" or die "can't open directory: $!";
-    while ( readdir $dhLevel1 ) {
-        chomp; next if $_ eq '.' or $_ eq '..';
-        my $level1 = $_;
-
-        if ( -d "$archiveSrc/$cluster/$level1" ) {
-            opendir my $dhLevel2, "$archiveSrc/$cluster/$level1" or die "can't open directory: $!";
-            while ( readdir $dhLevel2 ) {
-                chomp; next if $_ eq '.' or $_ eq '..';
-                my $level2 = $_;
-                my $jobSource = "$archiveSrc/$cluster/$level1/$level2";
-                my $jobOrigin = "$jobSource";
-                my $jobTargetL1 = "$clusterTarget/$level1";
-                my $jobTargetL2 = "$jobTargetL1/$level2";
-
-                # check if files are directly accessible (old format) else get subfolders as file and update path
-                if ( ! -e "$jobSource/meta.json") {
-                    opendir(D, "$jobSource") || die "Can't open directory $jobSource: $!\n";
-                    my @folders = readdir(D);
-                    closedir(D);
-                    if (!@folders) {
-                        next;
-                    }
-
-                    foreach my $folder ( @folders ) {
-                        next if $folder eq '.' or $folder eq '..';
-                        $jobSource = "$jobSource/".$folder;
-                    }
-                }
-                # check if subfolder contains file, else skip
-                if ( ! -e "$jobSource/meta.json") {
-                    print "$jobSource skipped\n";
-                    next;
-                }
-
-                open my $metafh, '<', "$jobSource/meta.json" or die "Can't open file $!";
-                my $rawstr = do { local $/; <$metafh> };
-                close($metafh);
-                my $metadata = $json->decode($rawstr);
-
-                # NOTE Start meta.json iteration here
-                # my $random_number = int(rand(UPPERLIMIT)) + LOWERLIMIT;
-                # Set new startTime: Between 5 days and 1 day before now
-
-                #  Remove id from attributes
-                $metadata->{startTime} = $epochtime - (int(rand(432000)) + 86400);
-                $metadata->{stopTime} = $metadata->{startTime} + $metadata->{duration};
-
-                # Add starttime subfolder to target path
-                my $jobTargetL3 = "$jobTargetL2/".$metadata->{startTime};
-
-                if ( not -d $jobTargetL1 ){
-                    mkdir( $jobTargetL1 ) or die "Couldn't create $jobTargetL1 directory, $!";
-                }
-
-                if ( not -d $jobTargetL2 ){
-                    mkdir( $jobTargetL2 ) or die "Couldn't create $jobTargetL2 directory, $!";
-                }
-
-                # target is not directory
-                if ( not -d $jobTargetL3 ){
-                    mkdir( $jobTargetL3 ) or die "Couldn't create $jobTargetL3 directory, $!";
-
-                    my $outstr = $json->encode($metadata);
-                    open my $metaout, '>', "$jobTargetL3/meta.json" or die "Can't write to file $!";
-                    print $metaout $outstr;
-                    close($metaout);
-
-                    open my $datafh, '<', "$jobSource/data.json" or die "Can't open file $!";
-                    my $datastr = do { local $/; <$datafh> };
-                    close($datafh);
-
-                    open my $dataout, '>', "$jobTargetL3/data.json" or die "Can't write to file $!";
-                    print $dataout $datastr;
-                    close($dataout);
-                }
-            }
-        }
-    }
-}
-print "Done for job-archive\n";
-sleep(1);
-exit;
-
-## CHECKPOINTS
-my $checkpTarget = './cc-metric-store/var/checkpoints';
-my $checkpSource = './source-data/cc-metric-store-source/checkpoints';
-my @CheckpClusters;
-
-# Gen folder
-if ( not -d $checkpTarget ){
-    mkdir( $checkpTarget ) or die "Couldn't create $checkpTarget directory, $!";
-}
-
-# Get clusters by cc-metric-store/$subfolder
-opendir my $dhc, $checkpSource  or die "can't open directory: $!";
-while ( readdir $dhc ) {
-    chomp; next if $_ eq '.' or $_ eq '..'  or $_ eq 'job-archive';
-    my $cluster = $_;
-    push @CheckpClusters, $cluster;
-}
-closedir($dhc);
-
-# start for checkpoints
-foreach my $cluster ( @CheckpClusters ) {
-    print "Starting to update checkpoint filenames and data starttimes for $cluster\n";
-
-    my $clusterTarget = "$checkpTarget/$cluster";
-
-    if ( not -d $clusterTarget ){
-        mkdir( $clusterTarget ) or die "Couldn't create $clusterTarget directory, $!";
-    }
-
-    opendir my $dhLevel1, "$checkpSource/$cluster" or die "can't open directory: $!";
-    while ( readdir $dhLevel1 ) {
-        chomp; next if $_ eq '.' or $_ eq '..';
-        # Nodename as level1-folder
-        my $level1 = $_;
-
-        if ( -d "$checkpSource/$cluster/$level1" ) {
-
-            my $nodeSource = "$checkpSource/$cluster/$level1/";
-            my $nodeOrigin = "$nodeSource";
-            my $nodeTarget = "$clusterTarget/$level1";
-            my @files;
-
-            if ( -e "$nodeSource/1609459200.json") { # 1609459200 == First Checkpoint time in latest dump
-                opendir(D, "$nodeSource") || die "Can't open directory $nodeSource: $!\n";
-                while ( readdir D ) {
-                    chomp; next if $_ eq '.' or $_ eq '..';
-                    my $nodeFile = $_;
-                    push @files, $nodeFile;
-                }
-                closedir(D);
-                my $length = @files;
-                if (!@files || $length != 14) { # needs 14 files == 7 days worth of data
-                    next;
-                }
-            } else {
-                next;
-            }
-
-            # sort for integer timestamp-filename-part (moduleless): Guarantees start with index == 0 == 1609459200.json
-            my @sortedFiles = sort { ($a =~ /^([0-9]{10}).json$/)[0] <=> ($b =~ /^([0-9]{10}).json$/)[0] } @files;
-
-            if ( not -d $nodeTarget ){
-                mkdir( $nodeTarget ) or die "Couldn't create $nodeTarget directory, $!";
-
-                while (my ($index, $file) = each(@sortedFiles)) {
-                    open my $checkfh, '<', "$nodeSource/$file" or die "Can't open file $!";
-                    my $rawstr = do { local $/; <$checkfh> };
-                    close($checkfh);
-                    my $checkpdata = $json->decode($rawstr);
-
-                    my $newTimestamp = $checkpointStart + ($index * $halfday);
-                    # Get Diff from old Timestamp
-                    my $timeDiff = $newTimestamp - $checkpdata->{from};
-                    # Set new timestamp
-                    $checkpdata->{from} = $newTimestamp;
-
-                    foreach my $metric (keys %{$checkpdata->{metrics}}) {
-                        $checkpdata->{metrics}->{$metric}->{start} += $timeDiff;
-                    }
-
-                    my $outstr = $json->encode($checkpdata);
-
-                    open my $checkout, '>', "$nodeTarget/$newTimestamp.json" or die "Can't write to file $!";
-                    print $checkout $outstr;
-                    close($checkout);
-                }
-            }
-        }
-    }
-    closedir($dhLevel1);
-}
-print "Done for checkpoints\n";
--- a/docs/searchbar.md
+++ b/docs/searchbar.md
@@ -1,35 +0,0 @@
-# Docs for ClusterCockpit Searchbar
-
-## Usage
-
-* Searchtags are implemented as `type:<query>` search-string
-  * Types `jobId, jobName, projectId, username, name` for roles `admin` and `support`
-    * `jobName` is jobName as persisted in `job.meta_data` table-column
-    * `username` is actual account identifier as persisted in `job.user` table-column
-    * `name` is account owners name as persisted in `user.name` table-column
-  * Types `jobId, jobName, projectId` for role `user`
-  * Examples:
-    * `jobName:myJob12`
-    * `jobId:123456`
-    * `username:abcd100`
-    * `name:Paul`
-* If no searchTag used: Best guess search with the following hierarchy
-  * `jobId -> username -> name -> projectId -> jobName`
-* Destinations:
-  * JobId: Job-Table (Allows multiple identical matches, e.g. JobIds from different clusters)
-  * JobName: Job-Table (Allows multiple identical matches, e.g. JobNames from different clusters)
-  * ProjectId: Job-Table
-  * Username: Users-Table
-    * **Please Note**: Only users with jobs will be shown in table! I.e., Users without jobs will be missing in table.
-  * Name: Users-Table
-    * **Please Note**: Only users with jobs will be shown in table! I.e., Users without jobs will be missing in table.
-  * Best guess search always redirects to Job-Table or `/monitoring/user/$USER` (first username match)
-  * Unprocessable queries will redirect to `/monitoring/jobs/?`
-* Spaces trimmed (both for searchTag and queryString)
-  * `  job12` == `job12`
-  * `projectID : abcd ` == `projectId:abcd`
-* `jobName`- and `name-`queries work with a part of the target-string
-  * `jobName:myjob` for jobName "myjob_cluster1"
-  * `name:Paul` for name "Paul Atreides"
-
-* JobName GQL Query is resolved as matching the query as a part of the whole metaData-JSON in the SQL DB.
--- a/go.mod
+++ b/go.mod
@@ -1,91 +1,92 @@
 module github.com/ClusterCockpit/cc-backend

-go 1.18
+go 1.23.5
+
+toolchain go1.24.1

 require (
-	github.com/99designs/gqlgen v0.17.24
+	github.com/99designs/gqlgen v0.17.66
 	github.com/ClusterCockpit/cc-units v0.4.0
-	github.com/Masterminds/squirrel v1.5.3
-	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/go-sql-driver/mysql v1.7.0
-	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang-migrate/migrate/v4 v4.15.2
-	github.com/google/gops v0.3.27
-	github.com/gorilla/handlers v1.5.1
-	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/sessions v1.2.1
-	github.com/influxdata/influxdb-client-go/v2 v2.12.2
-	github.com/jmoiron/sqlx v1.3.5
-	github.com/mattn/go-sqlite3 v1.14.16
-	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/common v0.40.0
+	github.com/Masterminds/squirrel v1.5.4
+	github.com/coreos/go-oidc/v3 v3.12.0
+	github.com/go-co-op/gocron/v2 v2.16.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-sql-driver/mysql v1.9.0
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-migrate/migrate/v4 v4.18.2
+	github.com/google/gops v0.3.28
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/gorilla/sessions v1.4.0
+	github.com/influxdata/influxdb-client-go/v2 v2.14.0
+	github.com/jmoiron/sqlx v1.4.0
+	github.com/mattn/go-sqlite3 v1.14.24
+	github.com/prometheus/client_golang v1.21.0
+	github.com/prometheus/common v0.62.0
 	github.com/qustavo/sqlhooks/v2 v2.1.0
-	github.com/santhosh-tekuri/jsonschema/v5 v5.2.0
-	github.com/swaggo/http-swagger v1.3.3
-	github.com/swaggo/swag v1.8.10
-	github.com/vektah/gqlparser/v2 v2.5.1
-	golang.org/x/crypto v0.6.0
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.4
+	github.com/vektah/gqlparser/v2 v2.5.22
+	golang.org/x/crypto v0.36.0
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa
+	golang.org/x/oauth2 v0.27.0
+	golang.org/x/time v0.5.0
 )

 require (
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
-	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/containerd/containerd v1.6.18 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/deepmap/oapi-codegen v1.12.4 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
-	github.com/go-co-op/gocron v1.25.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/spec v0.20.8 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/oapi-codegen/runtime v1.1.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/stretchr/testify v1.8.2 // indirect
-	github.com/swaggo/files v1.0.0 // indirect
-	github.com/urfave/cli/v2 v2.24.4 // indirect
-	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/oauth2 v0.5.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	github.com/sosodev/duration v1.3.1 // indirect
+	github.com/swaggo/files v1.0.1 // indirect
+	github.com/urfave/cli/v2 v2.27.5 // indirect
+	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/gqlgen.yml
+++ b/gqlgen.yml
@@ -30,6 +30,7 @@ resolver:
 # gqlgen will search for any type names in the schema in these go packages
 # if they match it will use them, otherwise it will generate them.
 autobind:
+  - "github.com/99designs/gqlgen/graphql/introspection"
  - "github.com/ClusterCockpit/cc-backend/internal/graph/model"

 # This section declares type mapping between the GraphQL and go type systems
@@ -61,23 +62,50 @@ models:
    fields:
      partitions:
        resolver: true
-  NullableFloat: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Float" }
-  MetricScope: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricScope" }
-  MetricValue: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricValue" }
-  JobStatistics: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobStatistics" }
+  NullableFloat:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Float" }
+  MetricScope:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricScope" }
+  MetricValue:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricValue" }
+  JobStatistics:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobStatistics" }
+  GlobalMetricListItem:
+    {
+      model: "github.com/ClusterCockpit/cc-backend/pkg/schema.GlobalMetricListItem",
+    }
+  ClusterSupport:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.ClusterSupport" }
  Tag: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Tag" }
-  Resource: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Resource" }
-  JobState: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobState" }
-  TimeRange: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.TimeRange" }
-  IntRange: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.IntRange" }
-  JobMetric: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobMetric" }
+  Resource:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Resource" }
+  JobState:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobState" }
+  TimeRange:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.TimeRange" }
+  IntRange:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.IntRange" }
+  JobMetric:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.JobMetric" }
  Series: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Series" }
-  MetricStatistics: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricStatistics" }
-  MetricConfig: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricConfig" }
-  SubClusterConfig: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.SubClusterConfig" }
-  Accelerator: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Accelerator" }
-  Topology: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Topology" }
-  FilterRanges: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.FilterRanges" }
-  SubCluster: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.SubCluster" }
-  StatsSeries: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.StatsSeries" }
+  MetricStatistics:
+    {
+      model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricStatistics",
+    }
+  MetricConfig:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.MetricConfig" }
+  SubClusterConfig:
+    {
+      model: "github.com/ClusterCockpit/cc-backend/pkg/schema.SubClusterConfig",
+    }
+  Accelerator:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Accelerator" }
+  Topology:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Topology" }
+  FilterRanges:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.FilterRanges" }
+  SubCluster:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.SubCluster" }
+  StatsSeries:
+    { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.StatsSeries" }
  Unit: { model: "github.com/ClusterCockpit/cc-backend/pkg/schema.Unit" }
--- a/init/README.md
+++ b/init/README.md
@@ -1,71 +1,79 @@
-# How to run this as a systemd service
+# How to run `cc-backend` as a systemd service.

-The files in this directory assume that you install ClusterCockpit to `/opt/monitoring`.
-Of course you can choose any other location, but make sure to replace all paths that begin with `/opt/monitoring` in the `clustercockpit.service` file!
+The files in this directory assume that you install ClusterCockpit to
+`/opt/monitoring/cc-backend`.
+Of course you can choose any other location, but make sure you replace all paths
+starting with `/opt/monitoring/cc-backend` in the `clustercockpit.service` file!

-If you have not installed [yarn](https://yarnpkg.com/getting-started/install) and [go](https://go.dev/doc/install) already, do that (Golang is available in most package managers).
-It is recommended and easy to install the most recent stable version of Golang as every version also improves the Golang standard library.
-
-The `config.json` can have the optional fields *user* and *group*.
-If provided, the application will call [setuid](https://man7.org/linux/man-pages/man2/setuid.2.html) and [setgid](https://man7.org/linux/man-pages/man2/setgid.2.html) after having read the config file and having bound to a TCP port (so that it can take a privileged port), but before it starts accepting any connections.
-This is good for security, but means that the directories `web/frontend/public`, `var/` and `web/templates/` must be readable by that user and `var/` writable as well (All paths relative to the repos root).
-The `.env` and `config.json` files might contain secrets and should not be readable by that user.
-If those files are changed, the server has to be restarted.
+The `config.json` may contain the optional fields *user* and *group*. If
+specified, the application will call
+[setuid](https://man7.org/linux/man-pages/man2/setuid.2.html) and
+[setgid](https://man7.org/linux/man-pages/man2/setgid.2.html) after reading the
+config file and binding to a TCP port (so it can take a privileged port), but
+before it starts accepting any connections. This is good for security, but also
+means that the `var/` directory must be readable and writeable by this user.
+The `.env` and `config.json` files may contain secrets and should not be
+readable by this user. If these files are changed, the server must be restarted.

 ```sh
-# 1.: Clone this repository to /opt/monitoring
-git clone git@github.com:ClusterCockpit/cc-backend.git /opt/monitoring
+# 1. Clone this repository somewhere in your home
+git clone git@github.com:ClusterCockpit/cc-backend.git <DSTDIR>

-# 2.: Install all dependencies and build everything
-cd /mnt/monitoring
-go get && go build cmd/cc-backend && (cd ./web/frontend && yarn install && yarn build)
+# 2. (Optional) Install dependencies and build. In general it is recommended to use the provided release binaries.
+cd <DSTDIR>
+make
+sudo mkdir -p /opt/monitoring/cc-backend/
+cp ./cc-backend /opt/monitoring/cc-backend/

-# 3.: Modify the `./config.json` and env-template.txt file from the configs directory to your liking and put it in the repo root
-cp ./configs/config.json ./config.json
-cp ./configs/env-template.txt ./.env
-vim ./config.json # do your thing...
-vim ./.env # do your thing...
+# 3. Modify the `./config.json` and env-template.txt file from the configs directory to your liking and put it in the target directory
+cp ./configs/config.json /opt/monitoring/config.json
+cp ./configs/env-template.txt /opt/monitoring/.env
+vim /opt/monitoring/config.json # do your thing...
+vim /opt/monitoring/.env # do your thing...

-# 4.: Add the systemd service unit file (in case /opt/ is mounted on another file system it may be better to copy the file to /etc)
-sudo ln -s /mnt/monitoring/init/clustercockpit.service /etc/systemd/system/clustercockpit.service
+# 4. (Optional) Customization: Add your versions of the login view, legal texts, and logo image.
+# You may use the templates in `./web/templates` as blueprint. Every overwrite separate.
+cp login.tmpl /opt/monitoring/cc-backend/var/
+cp imprint.tmpl /opt/monitoring/cc-backend/var/
+cp privacy.tmpl /opt/monitoring/cc-backend/var/
+# Ensure your logo, and any images you use in your login template has a suitable size.
+cp -R img /opt/monitoring/cc-backend/img

-# 5.: Enable and start the server
+# 5. Copy the systemd service unit file. You may adopt it to your needs.
+sudo cp ./init/clustercockpit.service /etc/systemd/system/clustercockpit.service
+
+# 6. Enable and start the server
 sudo systemctl enable clustercockpit.service # optional (if done, (re-)starts automatically)
 sudo systemctl start clustercockpit.service

 # Check whats going on:
+sudo systemctl status clustercockpit.service
 sudo journalctl -u clustercockpit.service
 ```

-# Recommended deployment workflow
+# Recommended workflow for deployment

-It is recommended to install all ClusterCockpit components in a common durectory, this can be something like `/opt/monitoring`, `var/monitoring` or `var/clustercockpit`.
-In the following we are using `/opt/monitoring`.
+It is recommended to install all ClusterCockpit components in a common directory, e.g. `/opt/monitoring`, `var/monitoring` or `var/clustercockpit`.
+In the following we use `/opt/monitoring`.

-Two systemd services are running on the central monitoring server:
+Two systemd services run on the central monitoring server:
+* clustercockpit : binary cc-backend in `/opt/monitoring/cc-backend`.
+* cc-metric-store : Binary cc-metric-store in `/opt/monitoring/cc-metric-store`.

-clustercockpit : Binary cc-backend in `/opt/monitoring/cc-backend`
-cc-metric-store: Binary cc-metric-store in `/opt/monitoring/cc-metric-store`
-
-ClusterCockpit is deployed as a single file binary that embeds all static assets.
-We recommend to keep all binaries in a folder `archive` and link the currently active from cc-backend root.
-This allows to easily roll-back in case something breaks.
+ClusterCockpit is deployed as a single binary that embeds all static assets.
+We recommend keeping all `cc-backend` binary versions in a folder `archive` and
+linking the currently active one from the `cc-backend` root.
+This allows for easy roll-back in case something doesn't work.

 ## Workflow to deploy new version

-This example assumes the DB and job archive did not change.
+This example assumes the DB and job archive versions did not change.
+* Stop systemd service: `$ sudo systemctl stop clustercockpit.service`
 * Backup the sqlite DB file and Job archive directory tree!
-* Clone cc-backend source tree (e.g. in your home directory)
-* Copy the adapted legal text files into the git source tree (./web/templates).
-* Build cc-backend:
-```
-$ cd web/frontend
-$ yarn && yarn build
-$ cd ../../
-$ go build ./cmd/cc-backend
-```
-* Copy `cc-backend` binary to `/opt/monitoring/cc-backend/archive`
-* Link from cc-backend root to recent version
-* Restart systemd service: `$ sudo systemctl restart clustercockpit.service`
+* Copy `cc-backend` binary to `/opt/monitoring/cc-backend/archive` (Tip: Use a
+date tag like `YYYYMMDD-cc-backend`)
+* Link from cc-backend root to current version
+* Start systemd service: `$ sudo systemctl start clustercockpit.service`
+* Check if everything is ok: `$ sudo systemctl status clustercockpit.service`
 * Check log for issues: `$ sudo journalctl -u clustercockpit.service`
 * Check the ClusterCockpit web frontend and your Slurm adapters if anything is broken!
--- a/init/clustercockpit.service
+++ b/init/clustercockpit.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=ClusterCockpit Web Server (Go edition)
+Description=ClusterCockpit Web Server
 Documentation=https://github.com/ClusterCockpit/cc-backend
 Wants=network-online.target
 After=network-online.target
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -14,13 +14,16 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
-	"strconv"
 	"strings"
 	"testing"
+	"time"

 	"github.com/ClusterCockpit/cc-backend/internal/api"
+	"github.com/ClusterCockpit/cc-backend/internal/archiver"
+	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/graph"
+	"github.com/ClusterCockpit/cc-backend/internal/metricDataDispatcher"
 	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
@@ -39,6 +42,12 @@ func setup(t *testing.T) *api.RestApi {
 		"kind": "file",
 		"path": "./var/job-archive"
 	},
+    "jwts": {
+        "max-age": "2m"
+    },
+  "apiAllowedIPs": [
+    "*"
+  ],
 	"clusters": [
 	{
 	   "name": "testcluster",
@@ -114,7 +123,7 @@ func setup(t *testing.T) *api.RestApi {
 		t.Fatal(err)
 	}

-	if err := os.WriteFile(filepath.Join(jobarchive, "version.txt"), []byte(fmt.Sprintf("%d", 1)), 0666); err != nil {
+	if err := os.WriteFile(filepath.Join(jobarchive, "version.txt"), []byte(fmt.Sprintf("%d", 2)), 0666); err != nil {
 		t.Fatal(err)
 	}

@@ -141,23 +150,20 @@ func setup(t *testing.T) *api.RestApi {
 	archiveCfg := fmt.Sprintf("{\"kind\": \"file\",\"path\": \"%s\"}", jobarchive)

 	repository.Connect("sqlite3", dbfilepath)
-	db := repository.GetConnection()

 	if err := archive.Init(json.RawMessage(archiveCfg), config.Keys.DisableArchive); err != nil {
 		t.Fatal(err)
 	}

-	if err := metricdata.Init(config.Keys.DisableArchive); err != nil {
+	if err := metricdata.Init(); err != nil {
 		t.Fatal(err)
 	}

-	jobRepo := repository.GetJobRepository()
-	resolver := &graph.Resolver{DB: db.DB, Repo: jobRepo}
+	archiver.Start(repository.GetJobRepository())
+	auth.Init()
+	graph.Init()

-	return &api.RestApi{
-		JobRepository: resolver.Repo,
-		Resolver:      resolver,
-	}
+	return api.New()
 }

 func cleanup() {
@@ -172,7 +178,6 @@ func cleanup() {
 func TestRestApi(t *testing.T) {
 	restapi := setup(t)
 	t.Cleanup(cleanup)
-
 	testData := schema.JobData{
 		"load_one": map[schema.MetricScope]*schema.JobMetric{
 			schema.MetricScopeNode: {
@@ -189,12 +194,18 @@ func TestRestApi(t *testing.T) {
 		},
 	}

-	metricdata.TestLoadDataCallback = func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context) (schema.JobData, error) {
+	metricdata.TestLoadDataCallback = func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context, resolution int) (schema.JobData, error) {
 		return testData, nil
 	}

 	r := mux.NewRouter()
-	restapi.MountRoutes(r)
+	r.PathPrefix("/api").Subrouter()
+	r.StrictSlash(true)
+	restapi.MountApiRoutes(r)
+
+	var TestJobId int64 = 123
+	var TestClusterName string = "testcluster"
+	var TestStartTime int64 = 123456789

 	const startJobBody string = `{
        "jobId":            123,
@@ -210,7 +221,7 @@ func TestRestApi(t *testing.T) {
 		"exclusive":        1,
 		"monitoringStatus": 1,
 		"smt":              1,
-		"tags":             [{ "type": "testTagType", "name": "testTagName" }],
+		"tags":             [{ "type": "testTagType", "name": "testTagName", "scope": "testuser" }],
 		"resources": [
 			{
 				"hostname": "host123",
@@ -221,28 +232,33 @@ func TestRestApi(t *testing.T) {
 		"startTime": 123456789
 	}`

-	var dbid int64
+	const contextUserKey repository.ContextKey = "user"
+	contextUserValue := &schema.User{
+		Username:   "testuser",
+		Projects:   make([]string, 0),
+		Roles:      []string{"user"},
+		AuthType:   0,
+		AuthSource: 2,
+	}
+
 	if ok := t.Run("StartJob", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodPost, "/api/jobs/start_job/", bytes.NewBuffer([]byte(startJobBody)))
+		req := httptest.NewRequest(http.MethodPost, "/jobs/start_job/", bytes.NewBuffer([]byte(startJobBody)))
 		recorder := httptest.NewRecorder()

-		r.ServeHTTP(recorder, req)
+		ctx := context.WithValue(req.Context(), contextUserKey, contextUserValue)
+
+		r.ServeHTTP(recorder, req.WithContext(ctx))
 		response := recorder.Result()
 		if response.StatusCode != http.StatusCreated {
 			t.Fatal(response.Status, recorder.Body.String())
 		}
-
-		var res api.StartJobApiResponse
-		if err := json.Unmarshal(recorder.Body.Bytes(), &res); err != nil {
-			t.Fatal(err)
-		}
-
-		job, err := restapi.Resolver.Query().Job(context.Background(), strconv.Itoa(int(res.DBID)))
+		resolver := graph.GetResolverInstance()
+		job, err := restapi.JobRepository.Find(&TestJobId, &TestClusterName, &TestStartTime)
 		if err != nil {
 			t.Fatal(err)
 		}

-		job.Tags, err = restapi.Resolver.Job().Tags(context.Background(), job)
+		job.Tags, err = resolver.Job().Tags(ctx, job)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -266,11 +282,9 @@ func TestRestApi(t *testing.T) {
 			t.Fatalf("unexpected job properties: %#v", job)
 		}

-		if len(job.Tags) != 1 || job.Tags[0].Type != "testTagType" || job.Tags[0].Name != "testTagName" {
+		if len(job.Tags) != 1 || job.Tags[0].Type != "testTagType" || job.Tags[0].Name != "testTagName" || job.Tags[0].Scope != "testuser" {
 			t.Fatalf("unexpected tags: %#v", job.Tags)
 		}
-
-		dbid = res.DBID
 	}); !ok {
 		return
 	}
@@ -286,17 +300,19 @@ func TestRestApi(t *testing.T) {

 	var stoppedJob *schema.Job
 	if ok := t.Run("StopJob", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodPost, "/api/jobs/stop_job/", bytes.NewBuffer([]byte(stopJobBody)))
+		req := httptest.NewRequest(http.MethodPost, "/jobs/stop_job/", bytes.NewBuffer([]byte(stopJobBody)))
 		recorder := httptest.NewRecorder()

-		r.ServeHTTP(recorder, req)
+		ctx := context.WithValue(req.Context(), contextUserKey, contextUserValue)
+
+		r.ServeHTTP(recorder, req.WithContext(ctx))
 		response := recorder.Result()
 		if response.StatusCode != http.StatusOK {
 			t.Fatal(response.Status, recorder.Body.String())
 		}

-		restapi.JobRepository.WaitForArchiving()
-		job, err := restapi.Resolver.Query().Job(context.Background(), strconv.Itoa(int(dbid)))
+		archiver.WaitForArchiving()
+		job, err := restapi.JobRepository.Find(&TestJobId, &TestClusterName, &TestStartTime)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -324,7 +340,7 @@ func TestRestApi(t *testing.T) {
 	}

 	t.Run("CheckArchive", func(t *testing.T) {
-		data, err := metricdata.LoadData(stoppedJob, []string{"load_one"}, []schema.MetricScope{schema.MetricScopeNode}, context.Background())
+		data, err := metricDataDispatcher.LoadData(stoppedJob, []string{"load_one"}, []schema.MetricScope{schema.MetricScopeNode}, context.Background(), 60)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -338,10 +354,12 @@ func TestRestApi(t *testing.T) {
 		// Starting a job with the same jobId and cluster should only be allowed if the startTime is far appart!
 		body := strings.Replace(startJobBody, `"startTime": 123456789`, `"startTime": 123456790`, -1)

-		req := httptest.NewRequest(http.MethodPost, "/api/jobs/start_job/", bytes.NewBuffer([]byte(body)))
+		req := httptest.NewRequest(http.MethodPost, "/jobs/start_job/", bytes.NewBuffer([]byte(body)))
 		recorder := httptest.NewRecorder()

-		r.ServeHTTP(recorder, req)
+		ctx := context.WithValue(req.Context(), contextUserKey, contextUserValue)
+
+		r.ServeHTTP(recorder, req.WithContext(ctx))
 		response := recorder.Result()
 		if response.StatusCode != http.StatusUnprocessableEntity {
 			t.Fatal(response.Status, recorder.Body.String())
@@ -368,10 +386,12 @@ func TestRestApi(t *testing.T) {
 	}`

 	ok := t.Run("StartJobFailed", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodPost, "/api/jobs/start_job/", bytes.NewBuffer([]byte(startJobBodyFailed)))
+		req := httptest.NewRequest(http.MethodPost, "/jobs/start_job/", bytes.NewBuffer([]byte(startJobBodyFailed)))
 		recorder := httptest.NewRecorder()

-		r.ServeHTTP(recorder, req)
+		ctx := context.WithValue(req.Context(), contextUserKey, contextUserValue)
+
+		r.ServeHTTP(recorder, req.WithContext(ctx))
 		response := recorder.Result()
 		if response.StatusCode != http.StatusCreated {
 			t.Fatal(response.Status, recorder.Body.String())
@@ -381,6 +401,8 @@ func TestRestApi(t *testing.T) {
 		t.Fatal("subtest failed")
 	}

+	time.Sleep(1 * time.Second)
+
 	const stopJobBodyFailed string = `{
    "jobId":     12345,
 		"cluster":   "testcluster",
@@ -390,16 +412,18 @@ func TestRestApi(t *testing.T) {
 	}`

 	ok = t.Run("StopJobFailed", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodPost, "/api/jobs/stop_job/", bytes.NewBuffer([]byte(stopJobBodyFailed)))
+		req := httptest.NewRequest(http.MethodPost, "/jobs/stop_job/", bytes.NewBuffer([]byte(stopJobBodyFailed)))
 		recorder := httptest.NewRecorder()

-		r.ServeHTTP(recorder, req)
+		ctx := context.WithValue(req.Context(), contextUserKey, contextUserValue)
+
+		r.ServeHTTP(recorder, req.WithContext(ctx))
 		response := recorder.Result()
 		if response.StatusCode != http.StatusOK {
 			t.Fatal(response.Status, recorder.Body.String())
 		}

-		restapi.JobRepository.WaitForArchiving()
+		archiver.WaitForArchiving()
 		jobid, cluster := int64(12345), "testcluster"
 		job, err := restapi.JobRepository.Find(&jobid, &cluster, nil)
 		if err != nil {
--- a/internal/api/docs.go
+++ b/internal/api/docs.go
--- a/internal/api/rest.go
+++ b/internal/api/rest.go
--- a/internal/archiver/archiveWorker.go
+++ b/internal/archiver/archiveWorker.go
@@ -0,0 +1,94 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package archiver
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	sq "github.com/Masterminds/squirrel"
+)
+
+var (
+	archivePending sync.WaitGroup
+	archiveChannel chan *schema.Job
+	jobRepo        *repository.JobRepository
+)
+
+func Start(r *repository.JobRepository) {
+	archiveChannel = make(chan *schema.Job, 128)
+	jobRepo = r
+
+	go archivingWorker()
+}
+
+// Archiving worker thread
+func archivingWorker() {
+	for {
+		select {
+		case job, ok := <-archiveChannel:
+			if !ok {
+				break
+			}
+			start := time.Now()
+			// not using meta data, called to load JobMeta into Cache?
+			// will fail if job meta not in repository
+			if _, err := jobRepo.FetchMetadata(job); err != nil {
+				log.Errorf("archiving job (dbid: %d) failed at check metadata step: %s", job.ID, err.Error())
+				jobRepo.UpdateMonitoringStatus(job.ID, schema.MonitoringStatusArchivingFailed)
+				continue
+			}
+
+			// ArchiveJob will fetch all the data from a MetricDataRepository and push into configured archive backend
+			// TODO: Maybe use context with cancel/timeout here
+			jobMeta, err := ArchiveJob(job, context.Background())
+			if err != nil {
+				log.Errorf("archiving job (dbid: %d) failed at archiving job step: %s", job.ID, err.Error())
+				jobRepo.UpdateMonitoringStatus(job.ID, schema.MonitoringStatusArchivingFailed)
+				continue
+			}
+
+			stmt := sq.Update("job").Where("job.id = ?", job.ID)
+
+			if stmt, err = jobRepo.UpdateFootprint(stmt, jobMeta); err != nil {
+				log.Errorf("archiving job (dbid: %d) failed at update Footprint step: %s", job.ID, err.Error())
+				continue
+			}
+			if stmt, err = jobRepo.UpdateEnergy(stmt, jobMeta); err != nil {
+				log.Errorf("archiving job (dbid: %d) failed at update Energy step: %s", job.ID, err.Error())
+				continue
+			}
+			// Update the jobs database entry one last time:
+			stmt = jobRepo.MarkArchived(stmt, schema.MonitoringStatusArchivingSuccessful)
+			if err := jobRepo.Execute(stmt); err != nil {
+				log.Errorf("archiving job (dbid: %d) failed at db execute: %s", job.ID, err.Error())
+				continue
+			}
+			log.Debugf("archiving job %d took %s", job.JobID, time.Since(start))
+			log.Printf("archiving job (dbid: %d) successful", job.ID)
+			archivePending.Done()
+		}
+	}
+}
+
+// Trigger async archiving
+func TriggerArchiving(job *schema.Job) {
+	if archiveChannel == nil {
+		log.Fatal("Cannot archive without archiving channel. Did you Start the archiver?")
+	}
+
+	archivePending.Add(1)
+	archiveChannel <- job
+}
+
+// Wait for background thread to finish pending archiving operations
+func WaitForArchiving() {
+	// close channel and wait for worker to process remaining jobs
+	archivePending.Wait()
+}
--- a/internal/archiver/archiver.go
+++ b/internal/archiver/archiver.go
@@ -0,0 +1,83 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package archiver
+
+import (
+	"context"
+	"math"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/metricDataDispatcher"
+	"github.com/ClusterCockpit/cc-backend/pkg/archive"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+)
+
+// Writes a running job to the job-archive
+func ArchiveJob(job *schema.Job, ctx context.Context) (*schema.JobMeta, error) {
+	allMetrics := make([]string, 0)
+	metricConfigs := archive.GetCluster(job.Cluster).MetricConfig
+	for _, mc := range metricConfigs {
+		allMetrics = append(allMetrics, mc.Name)
+	}
+
+	scopes := []schema.MetricScope{schema.MetricScopeNode}
+	// FIXME: Add a config option for this
+	if job.NumNodes <= 8 {
+		// This will add the native scope if core scope is not available
+		scopes = append(scopes, schema.MetricScopeCore)
+	}
+
+	if job.NumAcc > 0 {
+		scopes = append(scopes, schema.MetricScopeAccelerator)
+	}
+
+	jobData, err := metricDataDispatcher.LoadData(job, allMetrics, scopes, ctx, 0) // 0 Resulotion-Value retrieves highest res (60s)
+	if err != nil {
+		log.Error("Error wile loading job data for archiving")
+		return nil, err
+	}
+
+	jobMeta := &schema.JobMeta{
+		BaseJob:    job.BaseJob,
+		StartTime:  job.StartTime.Unix(),
+		Statistics: make(map[string]schema.JobStatistics),
+	}
+
+	for metric, data := range jobData {
+		avg, min, max := 0.0, math.MaxFloat32, -math.MaxFloat32
+		nodeData, ok := data["node"]
+		if !ok {
+			// This should never happen ?
+			continue
+		}
+
+		for _, series := range nodeData.Series {
+			avg += series.Statistics.Avg
+			min = math.Min(min, series.Statistics.Min)
+			max = math.Max(max, series.Statistics.Max)
+		}
+
+		// Round AVG Result to 2 Digits
+		jobMeta.Statistics[metric] = schema.JobStatistics{
+			Unit: schema.Unit{
+				Prefix: archive.GetMetricConfig(job.Cluster, metric).Unit.Prefix,
+				Base:   archive.GetMetricConfig(job.Cluster, metric).Unit.Base,
+			},
+			Avg: (math.Round((avg/float64(job.NumNodes))*100) / 100),
+			Min: min,
+			Max: max,
+		}
+	}
+
+	// If the file based archive is disabled,
+	// only return the JobMeta structure as the
+	// statistics in there are needed.
+	if config.Keys.DisableArchive {
+		return jobMeta, nil
+	}
+
+	return jobMeta, archive.GetHandle().ImportJob(jobMeta, &jobData)
+}
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -7,289 +7,63 @@ package auth
 import (
 	"context"
 	"crypto/rand"
+	"database/sql"
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"strings"
+	"sync"
 	"time"

+	"golang.org/x/time/rate"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/internal/util"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/gorilla/sessions"
-	"github.com/jmoiron/sqlx"
 )

-type AuthSource int
-
-const (
-	AuthViaLocalPassword AuthSource = iota
-	AuthViaLDAP
-	AuthViaToken
-)
-
-type User struct {
-	Username   string     `json:"username"`
-	Password   string     `json:"-"`
-	Name       string     `json:"name"`
-	Roles      []string   `json:"roles"`
-	AuthSource AuthSource `json:"via"`
-	Email      string     `json:"email"`
-	Projects   []string   `json:"projects"`
-	Expiration time.Time
-}
-
-type Role int
-
-const (
-	RoleAnonymous Role = iota
-	RoleApi
-	RoleUser
-	RoleManager
-	RoleSupport
-	RoleAdmin
-	RoleError
-)
-
-func GetRoleString(roleInt Role) string {
-	return [6]string{"anonymous", "api", "user", "manager", "support", "admin"}[roleInt]
-}
-
-func getRoleEnum(roleStr string) Role {
-	switch strings.ToLower(roleStr) {
-	case "admin":
-		return RoleAdmin
-	case "support":
-		return RoleSupport
-	case "manager":
-		return RoleManager
-	case "user":
-		return RoleUser
-	case "api":
-		return RoleApi
-	case "anonymous":
-		return RoleAnonymous
-	default:
-		return RoleError
-	}
-}
-
-func isValidRole(role string) bool {
-	if getRoleEnum(role) == RoleError {
-		return false
-	}
-	return true
-}
-
-func (u *User) HasValidRole(role string) (hasRole bool, isValid bool) {
-	if isValidRole(role) {
-		for _, r := range u.Roles {
-			if r == role {
-				return true, true
-			}
-		}
-		return false, true
-	}
-	return false, false
-}
-
-func (u *User) HasRole(role Role) bool {
-	for _, r := range u.Roles {
-		if r == GetRoleString(role) {
-			return true
-		}
-	}
-	return false
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasAnyRole(queryroles []Role) bool {
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasAllRoles(queryroles []Role) bool {
-	target := len(queryroles)
-	matches := 0
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				matches += 1
-				break
-			}
-		}
-	}
-
-	if matches == target {
-		return true
-	} else {
-		return false
-	}
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasNotRoles(queryroles []Role) bool {
-	matches := 0
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				matches += 1
-				break
-			}
-		}
-	}
-
-	if matches == 0 {
-		return true
-	} else {
-		return false
-	}
-}
-
-// Called by API endpoint '/roles/' from frontend: Only required for admin config -> Check Admin Role
-func GetValidRoles(user *User) ([]string, error) {
-	var vals []string
-	if user.HasRole(RoleAdmin) {
-		for i := RoleApi; i < RoleError; i++ {
-			vals = append(vals, GetRoleString(i))
-		}
-		return vals, nil
-	}
-
-	return vals, fmt.Errorf("%s: only admins are allowed to fetch a list of roles", user.Username)
-}
-
-// Called by routerConfig web.page setup in backend: Only requires known user and/or not API user
-func GetValidRolesMap(user *User) (map[string]Role, error) {
-	named := make(map[string]Role)
-	if user.HasNotRoles([]Role{RoleApi, RoleAnonymous}) {
-		for i := RoleApi; i < RoleError; i++ {
-			named[GetRoleString(i)] = i
-		}
-		return named, nil
-	}
-	return named, fmt.Errorf("Only known users are allowed to fetch a list of roles")
-}
-
-// Find highest role
-func (u *User) GetAuthLevel() Role {
-	if u.HasRole(RoleAdmin) {
-		return RoleAdmin
-	} else if u.HasRole(RoleSupport) {
-		return RoleSupport
-	} else if u.HasRole(RoleManager) {
-		return RoleManager
-	} else if u.HasRole(RoleUser) {
-		return RoleUser
-	} else if u.HasRole(RoleApi) {
-		return RoleApi
-	} else if u.HasRole(RoleAnonymous) {
-		return RoleAnonymous
-	} else {
-		return RoleError
-	}
-}
-
-func (u *User) HasProject(project string) bool {
-	for _, p := range u.Projects {
-		if p == project {
-			return true
-		}
-	}
-	return false
-}
-
-func GetUser(ctx context.Context) *User {
-	x := ctx.Value(ContextUserKey)
-	if x == nil {
-		return nil
-	}
-
-	return x.(*User)
-}
-
 type Authenticator interface {
-	Init(auth *Authentication, config interface{}) error
-	CanLogin(user *User, rw http.ResponseWriter, r *http.Request) bool
-	Login(user *User, rw http.ResponseWriter, r *http.Request) (*User, error)
-	Auth(rw http.ResponseWriter, r *http.Request) (*User, error)
+	CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
+	Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
 }

-type ContextKey string
+var (
+	initOnce     sync.Once
+	authInstance *Authentication
+)

-const ContextUserKey ContextKey = "user"
+var ipUserLimiters sync.Map
+
+func getIPUserLimiter(ip, username string) *rate.Limiter {
+	key := ip + ":" + username
+	limiter, ok := ipUserLimiters.Load(key)
+	if !ok {
+		newLimiter := rate.NewLimiter(rate.Every(time.Hour/10), 10)
+		ipUserLimiters.Store(key, newLimiter)
+		return newLimiter
+	}
+	return limiter.(*rate.Limiter)
+}

 type Authentication struct {
-	db            *sqlx.DB
 	sessionStore   *sessions.CookieStore
-	SessionMaxAge time.Duration
-
-	authenticators []Authenticator
 	LdapAuth       *LdapAuthenticator
 	JwtAuth        *JWTAuthenticator
 	LocalAuth      *LocalAuthenticator
-}
-
-func Init(db *sqlx.DB,
-	configs map[string]interface{}) (*Authentication, error) {
-	auth := &Authentication{}
-	auth.db = db
-
-	sessKey := os.Getenv("SESSION_KEY")
-	if sessKey == "" {
-		log.Warn("environment variable 'SESSION_KEY' not set (will use non-persistent random key)")
-		bytes := make([]byte, 32)
-		if _, err := rand.Read(bytes); err != nil {
-			log.Error("Error while initializing authentication -> failed to generate random bytes for session key")
-			return nil, err
-		}
-		auth.sessionStore = sessions.NewCookieStore(bytes)
-	} else {
-		bytes, err := base64.StdEncoding.DecodeString(sessKey)
-		if err != nil {
-			log.Error("Error while initializing authentication -> decoding session key failed")
-			return nil, err
-		}
-		auth.sessionStore = sessions.NewCookieStore(bytes)
-	}
-
-	auth.LocalAuth = &LocalAuthenticator{}
-	if err := auth.LocalAuth.Init(auth, nil); err != nil {
-		log.Error("Error while initializing authentication -> localAuth init failed")
-		return nil, err
-	}
-	auth.authenticators = append(auth.authenticators, auth.LocalAuth)
-
-	auth.JwtAuth = &JWTAuthenticator{}
-	if err := auth.JwtAuth.Init(auth, configs["jwt"]); err != nil {
-		log.Error("Error while initializing authentication -> jwtAuth init failed")
-		return nil, err
-	}
-	auth.authenticators = append(auth.authenticators, auth.JwtAuth)
-
-	if config, ok := configs["ldap"]; ok {
-		auth.LdapAuth = &LdapAuthenticator{}
-		if err := auth.LdapAuth.Init(auth, config); err != nil {
-			log.Error("Error while initializing authentication -> ldapAuth init failed")
-			return nil, err
-		}
-		auth.authenticators = append(auth.authenticators, auth.LdapAuth)
-	}
-
-	return auth, nil
+	authenticators []Authenticator
+	SessionMaxAge  time.Duration
 }

 func (auth *Authentication) AuthViaSession(
 	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
+	r *http.Request,
+) (*schema.User, error) {
 	session, err := auth.sessionStore.Get(r, "session")
 	if err != nil {
 		log.Error("Error while getting session store")
@@ -300,108 +74,371 @@ func (auth *Authentication) AuthViaSession(
 		return nil, nil
 	}

+	// TODO: Check if session keys exist
 	username, _ := session.Values["username"].(string)
 	projects, _ := session.Values["projects"].([]string)
 	roles, _ := session.Values["roles"].([]string)
-	return &User{
+	return &schema.User{
 		Username:   username,
 		Projects:   projects,
 		Roles:      roles,
+		AuthType:   schema.AuthSession,
 		AuthSource: -1,
 	}, nil
 }

-// Handle a POST request that should log the user in, starting a new session.
-func (auth *Authentication) Login(
-	onsuccess http.Handler,
-	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error)) http.Handler {
+func Init() {
+	initOnce.Do(func() {
+		authInstance = &Authentication{}

-	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		err := errors.New("no authenticator applied")
-		username := r.FormValue("username")
-		user := (*User)(nil)
-		if username != "" {
-			if user, _ = auth.GetUser(username); err != nil {
-				// log.Warnf("login of unkown user %v", username)
-				_ = err
+		sessKey := os.Getenv("SESSION_KEY")
+		if sessKey == "" {
+			log.Warn("environment variable 'SESSION_KEY' not set (will use non-persistent random key)")
+			bytes := make([]byte, 32)
+			if _, err := rand.Read(bytes); err != nil {
+				log.Fatal("Error while initializing authentication -> failed to generate random bytes for session key")
 			}
-		}
-
-		for _, authenticator := range auth.authenticators {
-			if !authenticator.CanLogin(user, rw, r) {
-				continue
-			}
-
-			user, err = authenticator.Login(user, rw, r)
+			authInstance.sessionStore = sessions.NewCookieStore(bytes)
+		} else {
+			bytes, err := base64.StdEncoding.DecodeString(sessKey)
 			if err != nil {
-				log.Warnf("user login failed: %s", err.Error())
-				onfailure(rw, r, err)
-				return
+				log.Fatal("Error while initializing authentication -> decoding session key failed")
+			}
+			authInstance.sessionStore = sessions.NewCookieStore(bytes)
 		}

+		if d, err := time.ParseDuration(config.Keys.SessionMaxAge); err == nil {
+			authInstance.SessionMaxAge = d
+		}
+
+		if config.Keys.LdapConfig != nil {
+			ldapAuth := &LdapAuthenticator{}
+			if err := ldapAuth.Init(); err != nil {
+				log.Warn("Error while initializing authentication -> ldapAuth init failed")
+			} else {
+				authInstance.LdapAuth = ldapAuth
+				authInstance.authenticators = append(authInstance.authenticators, authInstance.LdapAuth)
+			}
+		} else {
+			log.Info("Missing LDAP configuration: No LDAP support!")
+		}
+
+		if config.Keys.JwtConfig != nil {
+			authInstance.JwtAuth = &JWTAuthenticator{}
+			if err := authInstance.JwtAuth.Init(); err != nil {
+				log.Fatal("Error while initializing authentication -> jwtAuth init failed")
+			}
+
+			jwtSessionAuth := &JWTSessionAuthenticator{}
+			if err := jwtSessionAuth.Init(); err != nil {
+				log.Info("jwtSessionAuth init failed: No JWT login support!")
+			} else {
+				authInstance.authenticators = append(authInstance.authenticators, jwtSessionAuth)
+			}
+
+			jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{}
+			if err := jwtCookieSessionAuth.Init(); err != nil {
+				log.Info("jwtCookieSessionAuth init failed: No JWT cookie login support!")
+			} else {
+				authInstance.authenticators = append(authInstance.authenticators, jwtCookieSessionAuth)
+			}
+		} else {
+			log.Info("Missing JWT configuration: No JWT token support!")
+		}
+
+		authInstance.LocalAuth = &LocalAuthenticator{}
+		if err := authInstance.LocalAuth.Init(); err != nil {
+			log.Fatal("Error while initializing authentication -> localAuth init failed")
+		}
+		authInstance.authenticators = append(authInstance.authenticators, authInstance.LocalAuth)
+	})
+}
+
+func GetAuthInstance() *Authentication {
+	if authInstance == nil {
+		log.Fatal("Authentication module not initialized!")
+	}
+
+	return authInstance
+}
+
+func handleTokenUser(tokenUser *schema.User) {
+	r := repository.GetUserRepository()
+	dbUser, err := r.GetUser(tokenUser.Username)
+
+	if err != nil && err != sql.ErrNoRows {
+		log.Errorf("Error while loading user '%s': %v", tokenUser.Username, err)
+	} else if err == sql.ErrNoRows && config.Keys.JwtConfig.SyncUserOnLogin { // Adds New User
+		if err := r.AddUser(tokenUser); err != nil {
+			log.Errorf("Error while adding user '%s' to DB: %v", tokenUser.Username, err)
+		}
+	} else if err == nil && config.Keys.JwtConfig.UpdateUserOnLogin { // Update Existing User
+		if err := r.UpdateUser(dbUser, tokenUser); err != nil {
+			log.Errorf("Error while updating user '%s' to DB: %v", dbUser.Username, err)
+		}
+	}
+}
+
+func handleOIDCUser(OIDCUser *schema.User) {
+	r := repository.GetUserRepository()
+	dbUser, err := r.GetUser(OIDCUser.Username)
+
+	if err != nil && err != sql.ErrNoRows {
+		log.Errorf("Error while loading user '%s': %v", OIDCUser.Username, err)
+	} else if err == sql.ErrNoRows && config.Keys.OpenIDConfig.SyncUserOnLogin { // Adds New User
+		if err := r.AddUser(OIDCUser); err != nil {
+			log.Errorf("Error while adding user '%s' to DB: %v", OIDCUser.Username, err)
+		}
+	} else if err == nil && config.Keys.OpenIDConfig.UpdateUserOnLogin { // Update Existing User
+		if err := r.UpdateUser(dbUser, OIDCUser); err != nil {
+			log.Errorf("Error while updating user '%s' to DB: %v", dbUser.Username, err)
+		}
+	}
+}
+
+func (auth *Authentication) SaveSession(rw http.ResponseWriter, r *http.Request, user *schema.User) error {
 	session, err := auth.sessionStore.New(r, "session")
 	if err != nil {
 		log.Errorf("session creation failed: %s", err.Error())
 		http.Error(rw, err.Error(), http.StatusInternalServerError)
-				return
+		return err
 	}

 	if auth.SessionMaxAge != 0 {
 		session.Options.MaxAge = int(auth.SessionMaxAge.Seconds())
 	}
+	if config.Keys.HttpsCertFile == "" && config.Keys.HttpsKeyFile == "" {
+		session.Options.Secure = false
+	}
+	session.Options.SameSite = http.SameSiteStrictMode
 	session.Values["username"] = user.Username
 	session.Values["projects"] = user.Projects
 	session.Values["roles"] = user.Roles
 	if err := auth.sessionStore.Save(r, rw, session); err != nil {
 		log.Warnf("session save failed: %s", err.Error())
 		http.Error(rw, err.Error(), http.StatusInternalServerError)
+		return err
+	}
+
+	return nil
+}
+
+func (auth *Authentication) Login(
+	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error),
+) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		ip, _, err := net.SplitHostPort(r.RemoteAddr)
+		if err != nil {
+			ip = r.RemoteAddr
+		}
+
+		username := r.FormValue("username")
+
+		limiter := getIPUserLimiter(ip, username)
+		if !limiter.Allow() {
+			log.Warnf("AUTH/RATE > Too many login attempts for combination IP: %s, Username: %s", ip, username)
+			onfailure(rw, r, errors.New("Too many login attempts, try again in a few minutes."))
+			return
+		}
+
+		var dbUser *schema.User
+		if username != "" {
+			var err error
+			dbUser, err = repository.GetUserRepository().GetUser(username)
+			if err != nil && err != sql.ErrNoRows {
+				log.Errorf("Error while loading user '%v'", username)
+			}
+		}
+
+		for _, authenticator := range auth.authenticators {
+			var ok bool
+			var user *schema.User
+			if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
+				continue
+			} else {
+				log.Debugf("Can login with user %v", user)
+			}
+
+			user, err := authenticator.Login(user, rw, r)
+			if err != nil {
+				log.Warnf("user login failed: %s", err.Error())
+				onfailure(rw, r, err)
+				return
+			}
+
+			if err := auth.SaveSession(rw, r, user); err != nil {
 				return
 			}

 			log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
-			ctx := context.WithValue(r.Context(), ContextUserKey, user)
-			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+
+			if r.FormValue("redirect") != "" {
+				http.RedirectHandler(r.FormValue("redirect"), http.StatusFound).ServeHTTP(rw, r.WithContext(ctx))
 				return
 			}

-		log.Warn("login failed: no authenticator applied")
-		onfailure(rw, r, err)
+			http.RedirectHandler("/", http.StatusFound).ServeHTTP(rw, r.WithContext(ctx))
+			return
+		}
+
+		log.Debugf("login failed: no authenticator applied")
+		onfailure(rw, r, errors.New("no authenticator applied"))
 	})
 }

-// Authenticate the user and put a User object in the
-// context of the request. If authentication fails,
-// do not continue but send client to the login screen.
 func (auth *Authentication) Auth(
 	onsuccess http.Handler,
-	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error)) http.Handler {
-
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		for _, authenticator := range auth.authenticators {
-			user, err := authenticator.Auth(rw, r)
+		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
 		if err != nil {
-				log.Warnf("authentication failed: %s", err.Error())
+			log.Infof("auth -> authentication failed: %s", err.Error())
 			http.Error(rw, err.Error(), http.StatusUnauthorized)
 			return
 		}
 		if user == nil {
-				continue
+			user, err = auth.AuthViaSession(rw, r)
+			if err != nil {
+				log.Infof("auth -> authentication failed: %s", err.Error())
+				http.Error(rw, err.Error(), http.StatusUnauthorized)
+				return
 			}
-
-			ctx := context.WithValue(r.Context(), ContextUserKey, user)
+		}
+		if user != nil {
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
 			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
 			return
 		}

-		log.Warnf("authentication failed: %s", "no authenticator applied")
-		// http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-		onfailure(rw, r, errors.New("unauthorized (login first or use a token)"))
+		log.Info("auth -> authentication failed")
+		onfailure(rw, r, errors.New("unauthorized (please login first)"))
 	})
 }

-// Clears the session cookie
-func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
+func (auth *Authentication) AuthApi(
+	onsuccess http.Handler,
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
+		if err != nil {
+			log.Infof("auth api -> authentication failed: %s", err.Error())
+			onfailure(rw, r, err)
+			return
+		}

+		ipErr := securedCheck(user, r)
+		if ipErr != nil {
+			log.Infof("auth api -> secured check failed: %s", ipErr.Error())
+			onfailure(rw, r, ipErr)
+			return
+		}
+
+		if user != nil {
+			switch {
+			case len(user.Roles) == 1:
+				if user.HasRole(schema.RoleApi) {
+					ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+					onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+					return
+				}
+			case len(user.Roles) >= 2:
+				if user.HasAllRoles([]schema.Role{schema.RoleAdmin, schema.RoleApi}) {
+					ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+					onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+					return
+				}
+			default:
+				log.Info("auth api -> authentication failed: missing role")
+				onfailure(rw, r, errors.New("unauthorized"))
+			}
+		}
+		log.Info("auth api -> authentication failed: no auth")
+		onfailure(rw, r, errors.New("unauthorized"))
+	})
+}
+
+func (auth *Authentication) AuthUserApi(
+	onsuccess http.Handler,
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
+		if err != nil {
+			log.Infof("auth user api -> authentication failed: %s", err.Error())
+			onfailure(rw, r, err)
+			return
+		}
+
+		if user != nil {
+			switch {
+			case len(user.Roles) == 1:
+				if user.HasRole(schema.RoleApi) {
+					ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+					onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+					return
+				}
+			case len(user.Roles) >= 2:
+				if user.HasRole(schema.RoleApi) && user.HasAnyRole([]schema.Role{schema.RoleUser, schema.RoleManager, schema.RoleAdmin}) {
+					ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+					onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+					return
+				}
+			default:
+				log.Info("auth user api -> authentication failed: missing role")
+				onfailure(rw, r, errors.New("unauthorized"))
+			}
+		}
+		log.Info("auth user api -> authentication failed: no auth")
+		onfailure(rw, r, errors.New("unauthorized"))
+	})
+}
+
+func (auth *Authentication) AuthConfigApi(
+	onsuccess http.Handler,
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		user, err := auth.AuthViaSession(rw, r)
+		if err != nil {
+			log.Infof("auth config api -> authentication failed: %s", err.Error())
+			onfailure(rw, r, err)
+			return
+		}
+		if user != nil && user.HasRole(schema.RoleAdmin) {
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+			return
+		}
+		log.Info("auth config api -> authentication failed: no auth")
+		onfailure(rw, r, errors.New("unauthorized"))
+	})
+}
+
+func (auth *Authentication) AuthFrontendApi(
+	onsuccess http.Handler,
+	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error),
+) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		user, err := auth.AuthViaSession(rw, r)
+		if err != nil {
+			log.Infof("auth frontend api -> authentication failed: %s", err.Error())
+			onfailure(rw, r, err)
+			return
+		}
+		if user != nil {
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+			return
+		}
+		log.Info("auth frontend api -> authentication failed: no auth")
+		onfailure(rw, r, errors.New("unauthorized"))
+	})
+}
+
+func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		session, err := auth.sessionStore.Get(r, "session")
 		if err != nil {
@@ -420,3 +457,38 @@ func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
 		onsuccess.ServeHTTP(rw, r)
 	})
 }
+
+// Helper Moved To MiddleWare Auth Handlers
+func securedCheck(user *schema.User, r *http.Request) error {
+	if user == nil {
+		return fmt.Errorf("no user for secured check")
+	}
+
+	// extract IP address for checking
+	IPAddress := r.Header.Get("X-Real-Ip")
+	if IPAddress == "" {
+		IPAddress = r.Header.Get("X-Forwarded-For")
+	}
+	if IPAddress == "" {
+		IPAddress = r.RemoteAddr
+	}
+
+	if strings.Contains(IPAddress, ":") {
+		IPAddress = strings.Split(IPAddress, ":")[0]
+	}
+
+	// If nothing declared in config: deny all request to this api endpoint
+	if len(config.Keys.ApiAllowedIPs) == 0 {
+		return fmt.Errorf("missing configuration key ApiAllowedIPs")
+	}
+	// If wildcard declared in config: Continue
+	if config.Keys.ApiAllowedIPs[0] == "*" {
+		return nil
+	}
+	// check if IP is allowed
+	if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
+		return fmt.Errorf("unknown ip: %v", IPAddress)
+	}
+
+	return nil
+}
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -6,39 +6,26 @@ package auth

 import (
 	"crypto/ed25519"
-	"database/sql"
 	"encoding/base64"
 	"errors"
-	"fmt"
 	"net/http"
 	"os"
 	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )

 type JWTAuthenticator struct {
-	auth *Authentication
-
 	publicKey  ed25519.PublicKey
 	privateKey ed25519.PrivateKey
-	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs
-
-	loginTokenKey []byte // HS256 key
-
-	config *schema.JWTAuthConfig
 }

-var _ Authenticator = (*JWTAuthenticator)(nil)
-
-func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
-
-	ja.auth = auth
-	ja.config = conf.(*schema.JWTAuthConfig)
-
+func (ja *JWTAuthenticator) Init() error {
 	pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
 	if pubKey == "" || privKey == "" {
 		log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
@@ -57,192 +44,38 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
 		ja.privateKey = ed25519.PrivateKey(bytes)
 	}

-	if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKey)
-		if err != nil {
-			log.Warn("Could not decode cross login JWT HS512 key")
-			return err
-		}
-		ja.loginTokenKey = bytes
-	}
-
-	// Look for external public keys
-	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
-	if keyFound && pubKeyCrossLogin != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKeyCrossLogin)
-		if err != nil {
-			log.Warn("Could not decode cross login JWT public key")
-			return err
-		}
-		ja.publicKeyCrossLogin = ed25519.PublicKey(bytes)
-
-		// Warn if other necessary settings are not configured
-		if ja.config != nil {
-			if ja.config.CookieName == "" {
-				log.Warn("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
-			}
-			if !ja.config.ForceJWTValidationViaDatabase {
-				log.Warn("forceJWTValidationViaDatabase not set to true: CC will accept users and roles defined in JWTs regardless of its own database!")
-			}
-			if ja.config.TrustedExternalIssuer == "" {
-				log.Warn("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
-			}
-		} else {
-			log.Warn("cookieName and trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
-		}
-	} else {
-		ja.publicKeyCrossLogin = nil
-		log.Warn("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
-	}
-
 	return nil
 }

-func (ja *JWTAuthenticator) CanLogin(
-	user *User,
+func (ja *JWTAuthenticator) AuthViaJWT(
 	rw http.ResponseWriter,
-	r *http.Request) bool {
-
-	return (user != nil && user.AuthSource == AuthViaToken) || r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
-}
-
-func (ja *JWTAuthenticator) Login(
-	user *User,
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	rawtoken := r.Header.Get("X-Auth-Token")
-	if rawtoken == "" {
-		rawtoken = r.Header.Get("Authorization")
-		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
-		if rawtoken == "" {
-			rawtoken = r.URL.Query().Get("login-token")
-		}
-	}
-
-	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
-		if t.Method == jwt.SigningMethodEdDSA {
-			return ja.publicKey, nil
-		}
-		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
-			return ja.loginTokenKey, nil
-		}
-		return nil, fmt.Errorf("AUTH/JWT > unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
-	})
-	if err != nil {
-		log.Warn("Error while parsing jwt token")
-		return nil, err
-	}
-
-	if err := token.Claims.Valid(); err != nil {
-		log.Warn("jwt token claims are not valid")
-		return nil, err
-	}
-
-	claims := token.Claims.(jwt.MapClaims)
-	sub, _ := claims["sub"].(string)
-	exp, _ := claims["exp"].(float64)
-	var roles []string
-	if rawroles, ok := claims["roles"].([]interface{}); ok {
-		for _, rr := range rawroles {
-			if r, ok := rr.(string); ok {
-				if isValidRole(r) {
-					roles = append(roles, r)
-				}
-			}
-		}
-	}
-	if rawrole, ok := claims["roles"].(string); ok {
-		if isValidRole(rawrole) {
-			roles = append(roles, rawrole)
-		}
-	}
-
-	if user == nil {
-		user, err = ja.auth.GetUser(sub)
-		if err != nil && err != sql.ErrNoRows {
-			log.Errorf("Error while loading user '%v'", sub)
-			return nil, err
-		} else if user == nil {
-			user = &User{
-				Username:   sub,
-				Roles:      roles,
-				AuthSource: AuthViaToken,
-			}
-			if err := ja.auth.AddUser(user); err != nil {
-				log.Errorf("Error while adding user '%v' to auth from token", user.Username)
-				return nil, err
-			}
-		}
-	}
-
-	user.Expiration = time.Unix(int64(exp), 0)
-	return user, nil
-}
-
-func (ja *JWTAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
+	r *http.Request,
+) (*schema.User, error) {
 	rawtoken := r.Header.Get("X-Auth-Token")
 	if rawtoken == "" {
 		rawtoken = r.Header.Get("Authorization")
 		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
 	}

-	// If no auth header was found, check for a certain cookie containing a JWT
-	cookieName := ""
-	cookieFound := false
-	if ja.config != nil && ja.config.CookieName != "" {
-		cookieName = ja.config.CookieName
-	}
-
-	// Try to read the JWT cookie
-	if rawtoken == "" && cookieName != "" {
-		jwtCookie, err := r.Cookie(cookieName)
-
-		if err == nil && jwtCookie.Value != "" {
-			rawtoken = jwtCookie.Value
-			cookieFound = true
-		}
-	}
-
-	// Because a user can also log in via a token, the
-	// session cookie must be checked here as well:
+	// there is no token
 	if rawtoken == "" {
-		return ja.auth.AuthViaSession(rw, r)
+		return nil, nil
 	}

-	// Try to parse JWT
 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 		if t.Method != jwt.SigningMethodEdDSA {
 			return nil, errors.New("only Ed25519/EdDSA supported")
 		}

-		// Is there more than one public key?
-		if ja.publicKeyCrossLogin != nil && ja.config != nil && ja.config.TrustedExternalIssuer != "" {
-			// Determine whether to use the external public key
-			unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
-			if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {
-				// The (unvalidated) issuer seems to be the expected one,
-				// use public cross login key from config
-				return ja.publicKeyCrossLogin, nil
-			}
-		}
-
-		// No cross login key configured or issuer not expected
-		// Try own key
 		return ja.publicKey, nil
 	})
 	if err != nil {
-		log.Warn("Error while parsing token")
+		log.Warn("Error while parsing JWT token")
 		return nil, err
 	}
-
-	// Check token validity
-	if err := token.Claims.Valid(); err != nil {
+	if !token.Valid {
 		log.Warn("jwt token claims are not valid")
-		return nil, err
+		return nil, errors.New("jwt token claims are not valid")
 	}

 	// Token is valid, extract payload
@@ -252,15 +85,14 @@ func (ja *JWTAuthenticator) Auth(
 	var roles []string

 	// Validate user + roles from JWT against database?
-	if ja.config != nil && ja.config.ForceJWTValidationViaDatabase {
-		user, err := ja.auth.GetUser(sub)
-
+	if config.Keys.JwtConfig.ValidateUser {
+		ur := repository.GetUserRepository()
+		user, err := ur.GetUser(sub)
 		// Deny any logins for unknown usernames
 		if err != nil {
 			log.Warn("Could not find user from JWT in internal database.")
 			return nil, errors.New("unknown user")
 		}
-
 		// Take user roles from database instead of trusting the JWT
 		roles = user.Roles
 	} else {
@@ -274,48 +106,16 @@ func (ja *JWTAuthenticator) Auth(
 		}
 	}

-	if cookieFound {
-		// Create a session so that we no longer need the JTW Cookie
-		session, err := ja.auth.sessionStore.New(r, "session")
-		if err != nil {
-			log.Errorf("session creation failed: %s", err.Error())
-			http.Error(rw, err.Error(), http.StatusInternalServerError)
-			return nil, err
-		}
-
-		if ja.auth.SessionMaxAge != 0 {
-			session.Options.MaxAge = int(ja.auth.SessionMaxAge.Seconds())
-		}
-		session.Values["username"] = sub
-		session.Values["roles"] = roles
-
-		if err := ja.auth.sessionStore.Save(r, rw, session); err != nil {
-			log.Warnf("session save failed: %s", err.Error())
-			http.Error(rw, err.Error(), http.StatusInternalServerError)
-			return nil, err
-		}
-
-		// (Ask browser to) Delete JWT cookie
-		deletedCookie := &http.Cookie{
-			Name:     cookieName,
-			Value:    "",
-			Path:     "/",
-			MaxAge:   -1,
-			HttpOnly: true,
-		}
-		http.SetCookie(rw, deletedCookie)
-	}
-
-	return &User{
+	return &schema.User{
 		Username:   sub,
 		Roles:      roles,
-		AuthSource: AuthViaToken,
+		AuthType:   schema.AuthToken,
+		AuthSource: -1,
 	}, nil
 }

 // Generate a new JWT that can be used for authentication
-func (ja *JWTAuthenticator) ProvideJWT(user *User) (string, error) {
-
+func (ja *JWTAuthenticator) ProvideJWT(user *schema.User) (string, error) {
 	if ja.privateKey == nil {
 		return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")
 	}
@@ -326,8 +126,12 @@ func (ja *JWTAuthenticator) ProvideJWT(user *User) (string, error) {
 		"roles": user.Roles,
 		"iat":   now.Unix(),
 	}
-	if ja.config != nil && ja.config.MaxAge != 0 {
-		claims["exp"] = now.Add(time.Duration(ja.config.MaxAge)).Unix()
+	if config.Keys.JwtConfig.MaxAge != "" {
+		d, err := time.ParseDuration(config.Keys.JwtConfig.MaxAge)
+		if err != nil {
+			return "", errors.New("cannot parse max-age config key")
+		}
+		claims["exp"] = now.Add(d).Unix()
 	}

 	return jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims).SignedString(ja.privateKey)
--- a/internal/auth/jwtCookieSession.go
+++ b/internal/auth/jwtCookieSession.go
@@ -0,0 +1,217 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"crypto/ed25519"
+	"database/sql"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type JWTCookieSessionAuthenticator struct {
+	publicKey           ed25519.PublicKey
+	privateKey          ed25519.PrivateKey
+	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs
+}
+
+var _ Authenticator = (*JWTCookieSessionAuthenticator)(nil)
+
+func (ja *JWTCookieSessionAuthenticator) Init() error {
+	pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
+	if pubKey == "" || privKey == "" {
+		log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
+		return errors.New("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
+	} else {
+		bytes, err := base64.StdEncoding.DecodeString(pubKey)
+		if err != nil {
+			log.Warn("Could not decode JWT public key")
+			return err
+		}
+		ja.publicKey = ed25519.PublicKey(bytes)
+		bytes, err = base64.StdEncoding.DecodeString(privKey)
+		if err != nil {
+			log.Warn("Could not decode JWT private key")
+			return err
+		}
+		ja.privateKey = ed25519.PrivateKey(bytes)
+	}
+
+	// Look for external public keys
+	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
+	if keyFound && pubKeyCrossLogin != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKeyCrossLogin)
+		if err != nil {
+			log.Warn("Could not decode cross login JWT public key")
+			return err
+		}
+		ja.publicKeyCrossLogin = ed25519.PublicKey(bytes)
+	} else {
+		ja.publicKeyCrossLogin = nil
+		log.Debug("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
+		return errors.New("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
+	}
+
+	jc := config.Keys.JwtConfig
+	// Warn if other necessary settings are not configured
+	if jc != nil {
+		if jc.CookieName == "" {
+			log.Info("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
+			return errors.New("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
+		}
+		if !jc.ValidateUser {
+			log.Info("forceJWTValidationViaDatabase not set to true: CC will accept users and roles defined in JWTs regardless of its own database!")
+		}
+		if jc.TrustedIssuer == "" {
+			log.Info("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+			return errors.New("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+		}
+	} else {
+		log.Warn("config for JWTs not configured (cross login via JWT cookie will fail)")
+		return errors.New("config for JWTs not configured (cross login via JWT cookie will fail)")
+	}
+
+	log.Info("JWT Cookie Session authenticator successfully registered")
+	return nil
+}
+
+func (ja *JWTCookieSessionAuthenticator) CanLogin(
+	user *schema.User,
+	username string,
+	rw http.ResponseWriter,
+	r *http.Request,
+) (*schema.User, bool) {
+	jc := config.Keys.JwtConfig
+	cookieName := ""
+	if jc.CookieName != "" {
+		cookieName = jc.CookieName
+	}
+
+	// Try to read the JWT cookie
+	if cookieName != "" {
+		jwtCookie, err := r.Cookie(cookieName)
+
+		if err == nil && jwtCookie.Value != "" {
+			return user, true
+		}
+	}
+
+	return nil, false
+}
+
+func (ja *JWTCookieSessionAuthenticator) Login(
+	user *schema.User,
+	rw http.ResponseWriter,
+	r *http.Request,
+) (*schema.User, error) {
+	jc := config.Keys.JwtConfig
+	jwtCookie, err := r.Cookie(jc.CookieName)
+	var rawtoken string
+
+	if err == nil && jwtCookie.Value != "" {
+		rawtoken = jwtCookie.Value
+	}
+
+	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
+		if t.Method != jwt.SigningMethodEdDSA {
+			return nil, errors.New("only Ed25519/EdDSA supported")
+		}
+
+		unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
+		if success && unvalidatedIssuer == jc.TrustedIssuer {
+			// The (unvalidated) issuer seems to be the expected one,
+			// use public cross login key from config
+			return ja.publicKeyCrossLogin, nil
+		}
+
+		// No cross login key configured or issuer not expected
+		// Try own key
+		return ja.publicKey, nil
+	})
+	if err != nil {
+		log.Warn("JWT cookie session: error while parsing token")
+		return nil, err
+	}
+
+	if !token.Valid {
+		log.Warn("jwt token claims are not valid")
+		return nil, errors.New("jwt token claims are not valid")
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	sub, _ := claims["sub"].(string)
+
+	var roles []string
+	projects := make([]string, 0)
+
+	if jc.ValidateUser {
+		var err error
+		user, err = repository.GetUserRepository().GetUser(sub)
+		if err != nil && err != sql.ErrNoRows {
+			log.Errorf("Error while loading user '%v'", sub)
+		}
+
+		// Deny any logins for unknown usernames
+		if user == nil {
+			log.Warn("Could not find user from JWT in internal database.")
+			return nil, errors.New("unknown user")
+		}
+	} else {
+		var name string
+		if wrap, ok := claims["name"].(map[string]interface{}); ok {
+			if vals, ok := wrap["values"].([]interface{}); ok {
+				if len(vals) != 0 {
+					name = fmt.Sprintf("%v", vals[0])
+
+					for i := 1; i < len(vals); i++ {
+						name += fmt.Sprintf(" %v", vals[i])
+					}
+				}
+			}
+		}
+
+		// Extract roles from JWT (if present)
+		if rawroles, ok := claims["roles"].([]interface{}); ok {
+			for _, rr := range rawroles {
+				if r, ok := rr.(string); ok {
+					roles = append(roles, r)
+				}
+			}
+		}
+		user = &schema.User{
+			Username:   sub,
+			Name:       name,
+			Roles:      roles,
+			Projects:   projects,
+			AuthType:   schema.AuthSession,
+			AuthSource: schema.AuthViaToken,
+		}
+
+		if jc.SyncUserOnLogin || jc.UpdateUserOnLogin {
+			handleTokenUser(user)
+		}
+	}
+
+	// (Ask browser to) Delete JWT cookie
+	deletedCookie := &http.Cookie{
+		Name:     jc.CookieName,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+	}
+	http.SetCookie(rw, deletedCookie)
+
+	return user, nil
+}
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -0,0 +1,147 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"database/sql"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type JWTSessionAuthenticator struct {
+	loginTokenKey []byte // HS256 key
+}
+
+var _ Authenticator = (*JWTSessionAuthenticator)(nil)
+
+func (ja *JWTSessionAuthenticator) Init() error {
+	if pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKey)
+		if err != nil {
+			log.Warn("Could not decode cross login JWT HS512 key")
+			return err
+		}
+		ja.loginTokenKey = bytes
+	}
+
+	log.Info("JWT Session authenticator successfully registered")
+	return nil
+}
+
+func (ja *JWTSessionAuthenticator) CanLogin(
+	user *schema.User,
+	username string,
+	rw http.ResponseWriter,
+	r *http.Request,
+) (*schema.User, bool) {
+	return user, r.Header.Get("Authorization") != "" ||
+		r.URL.Query().Get("login-token") != ""
+}
+
+func (ja *JWTSessionAuthenticator) Login(
+	user *schema.User,
+	rw http.ResponseWriter,
+	r *http.Request,
+) (*schema.User, error) {
+	rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+	if rawtoken == "" {
+		rawtoken = r.URL.Query().Get("login-token")
+	}
+
+	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
+		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
+			return ja.loginTokenKey, nil
+		}
+		return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
+	})
+	if err != nil {
+		log.Warn("Error while parsing jwt token")
+		return nil, err
+	}
+
+	if !token.Valid {
+		log.Warn("jwt token claims are not valid")
+		return nil, errors.New("jwt token claims are not valid")
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	sub, _ := claims["sub"].(string)
+
+	var roles []string
+	projects := make([]string, 0)
+
+	if config.Keys.JwtConfig.ValidateUser {
+		var err error
+		user, err = repository.GetUserRepository().GetUser(sub)
+		if err != nil && err != sql.ErrNoRows {
+			log.Errorf("Error while loading user '%v'", sub)
+		}
+
+		// Deny any logins for unknown usernames
+		if user == nil {
+			log.Warn("Could not find user from JWT in internal database.")
+			return nil, errors.New("unknown user")
+		}
+	} else {
+		var name string
+		if wrap, ok := claims["name"].(map[string]interface{}); ok {
+			if vals, ok := wrap["values"].([]interface{}); ok {
+				if len(vals) != 0 {
+					name = fmt.Sprintf("%v", vals[0])
+
+					for i := 1; i < len(vals); i++ {
+						name += fmt.Sprintf(" %v", vals[i])
+					}
+				}
+			}
+		}
+
+		// Extract roles from JWT (if present)
+		if rawroles, ok := claims["roles"].([]interface{}); ok {
+			for _, rr := range rawroles {
+				if r, ok := rr.(string); ok {
+					if schema.IsValidRole(r) {
+						roles = append(roles, r)
+					}
+				}
+			}
+		}
+
+		if rawprojs, ok := claims["projects"].([]interface{}); ok {
+			for _, pp := range rawprojs {
+				if p, ok := pp.(string); ok {
+					projects = append(projects, p)
+				}
+			}
+		} else if rawprojs, ok := claims["projects"]; ok {
+			projects = append(projects, rawprojs.([]string)...)
+		}
+
+		user = &schema.User{
+			Username:   sub,
+			Name:       name,
+			Roles:      roles,
+			Projects:   projects,
+			AuthType:   schema.AuthSession,
+			AuthSource: schema.AuthViaToken,
+		}
+
+		if config.Keys.JwtConfig.SyncUserOnLogin || config.Keys.JwtConfig.UpdateUserOnLogin {
+			handleTokenUser(user)
+		}
+	}
+
+	return user, nil
+}
--- a/internal/auth/ldap.go
+++ b/internal/auth/ldap.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -6,76 +6,112 @@ package auth

 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"os"
 	"strings"
-	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/go-ldap/ldap/v3"
 )

 type LdapAuthenticator struct {
-	auth         *Authentication
-	config       *schema.LdapConfig
 	syncPassword string
+	UserAttr     string
 }

 var _ Authenticator = (*LdapAuthenticator)(nil)

-func (la *LdapAuthenticator) Init(
-	auth *Authentication,
-	conf interface{}) error {
-
-	la.auth = auth
-	la.config = conf.(*schema.LdapConfig)
-
+func (la *LdapAuthenticator) Init() error {
 	la.syncPassword = os.Getenv("LDAP_ADMIN_PASSWORD")
 	if la.syncPassword == "" {
 		log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync will not work)")
 	}

-	if la.config != nil && la.config.SyncInterval != "" {
-		interval, err := time.ParseDuration(la.config.SyncInterval)
-		if err != nil {
-			log.Warnf("Could not parse duration for sync interval: %v", la.config.SyncInterval)
-			return err
-		}
+	lc := config.Keys.LdapConfig

-		if interval == 0 {
-			log.Info("Sync interval is zero")
-			return nil
-		}
-
-		go func() {
-			ticker := time.NewTicker(interval)
-			for t := range ticker.C {
-				log.Printf("sync started at %s", t.Format(time.RFC3339))
-				if err := la.Sync(); err != nil {
-					log.Errorf("sync failed: %s", err.Error())
-				}
-				log.Print("sync done")
-			}
-		}()
+	if lc.UserAttr != "" {
+		la.UserAttr = lc.UserAttr
+	} else {
+		la.UserAttr = "gecos"
 	}

 	return nil
 }

 func (la *LdapAuthenticator) CanLogin(
-	user *User,
+	user *schema.User,
+	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request,
+) (*schema.User, bool) {
+	lc := config.Keys.LdapConfig

-	return user != nil && user.AuthSource == AuthViaLDAP
+	if user != nil {
+		if user.AuthSource == schema.AuthViaLDAP {
+			return user, true
+		}
+	} else {
+		if lc.SyncUserOnLogin {
+			l, err := la.getLdapConnection(true)
+			if err != nil {
+				log.Error("LDAP connection error")
+			}
+			defer l.Close()
+
+			// Search for the given username
+			searchRequest := ldap.NewSearchRequest(
+				lc.UserBase,
+				ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+				fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username),
+				[]string{"dn", "uid", la.UserAttr}, nil)
+
+			sr, err := l.Search(searchRequest)
+			if err != nil {
+				log.Warn(err)
+				return nil, false
+			}
+
+			if len(sr.Entries) != 1 {
+				log.Warn("LDAP: User does not exist or too many entries returned")
+				return nil, false
+			}
+
+			entry := sr.Entries[0]
+			name := entry.GetAttributeValue(la.UserAttr)
+			var roles []string
+			roles = append(roles, schema.GetRoleString(schema.RoleUser))
+			projects := make([]string, 0)
+
+			user = &schema.User{
+				Username:   username,
+				Name:       name,
+				Roles:      roles,
+				Projects:   projects,
+				AuthType:   schema.AuthSession,
+				AuthSource: schema.AuthViaLDAP,
+			}
+
+			if err := repository.GetUserRepository().AddUser(user); err != nil {
+				log.Errorf("User '%s' LDAP: Insert into DB failed", username)
+				return nil, false
+			}
+
+			return user, true
+		}
+	}
+
+	return nil, false
 }

 func (la *LdapAuthenticator) Login(
-	user *User,
+	user *schema.User,
 	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
+	r *http.Request,
+) (*schema.User, error) {
 	l, err := la.getLdapConnection(false)
 	if err != nil {
 		log.Warn("Error while getting ldap connection")
@@ -83,42 +119,30 @@ func (la *LdapAuthenticator) Login(
 	}
 	defer l.Close()

-	userDn := strings.Replace(la.config.UserBind, "{username}", user.Username, -1)
+	userDn := strings.Replace(config.Keys.LdapConfig.UserBind, "{username}", user.Username, -1)
 	if err := l.Bind(userDn, r.FormValue("password")); err != nil {
-		log.Error("Error while binding to ldap connection")
-		return nil, err
+		log.Errorf("AUTH/LDAP > Authentication for user %s failed: %v",
+			user.Username, err)
+		return nil, fmt.Errorf("Authentication failed")
 	}

 	return user, nil
 }

-func (la *LdapAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	return la.auth.AuthViaSession(rw, r)
-}
-
 func (la *LdapAuthenticator) Sync() error {
-
 	const IN_DB int = 1
 	const IN_LDAP int = 2
 	const IN_BOTH int = 3
+	ur := repository.GetUserRepository()
+	lc := config.Keys.LdapConfig

 	users := map[string]int{}
-	rows, err := la.auth.db.Query(`SELECT username FROM user WHERE user.ldap = 1`)
+	usernames, err := ur.GetLdapUsernames()
 	if err != nil {
-		log.Warn("Error while querying LDAP users")
-		return err
-	}
-
-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
-			log.Warnf("Error while scanning for user '%s'", username)
 		return err
 	}

+	for _, username := range usernames {
 		users[username] = IN_DB
 	}

@@ -130,8 +154,10 @@ func (la *LdapAuthenticator) Sync() error {
 	defer l.Close()

 	ldapResults, err := l.Search(ldap.NewSearchRequest(
-		la.config.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		la.config.UserFilter, []string{"dn", "uid", "gecos"}, nil))
+		lc.UserBase,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		lc.UserFilter,
+		[]string{"dn", "uid", la.UserAttr}, nil))
 	if err != nil {
 		log.Warn("LDAP search error")
 		return err
@@ -147,25 +173,34 @@ func (la *LdapAuthenticator) Sync() error {
 		_, ok := users[username]
 		if !ok {
 			users[username] = IN_LDAP
-			newnames[username] = entry.GetAttributeValue("gecos")
+			newnames[username] = entry.GetAttributeValue(la.UserAttr)
 		} else {
 			users[username] = IN_BOTH
 		}
 	}

 	for username, where := range users {
-		if where == IN_DB && la.config.SyncDelOldUsers {
+		if where == IN_DB && lc.SyncDelOldUsers {
+			ur.DelUser(username)
 			log.Debugf("sync: remove %v (does not show up in LDAP anymore)", username)
-			if _, err := la.auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username); err != nil {
-				log.Errorf("User '%s' not in LDAP anymore: Delete from DB failed", username)
-				return err
-			}
 		} else if where == IN_LDAP {
 			name := newnames[username]
+
+			var roles []string
+			roles = append(roles, schema.GetRoleString(schema.RoleUser))
+			projects := make([]string, 0)
+
+			user := &schema.User{
+				Username:   username,
+				Name:       name,
+				Roles:      roles,
+				Projects:   projects,
+				AuthSource: schema.AuthViaLDAP,
+			}
+
 			log.Debugf("sync: add %v (name: %v, roles: [user], ldap: true)", username, name)
-			if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
-				username, 1, name, "[\""+GetRoleString(RoleUser)+"\"]"); err != nil {
-				log.Errorf("User '%s' new in LDAP: Insert into DB failed", username)
+			if err := ur.AddUser(user); err != nil {
+				log.Errorf("User '%s' LDAP: Insert into DB failed", username)
 				return err
 			}
 		}
@@ -174,18 +209,16 @@ func (la *LdapAuthenticator) Sync() error {
 	return nil
 }

-// TODO: Add a connection pool or something like
-// that so that connections can be reused/cached.
 func (la *LdapAuthenticator) getLdapConnection(admin bool) (*ldap.Conn, error) {
-
-	conn, err := ldap.DialURL(la.config.Url)
+	lc := config.Keys.LdapConfig
+	conn, err := ldap.DialURL(lc.Url)
 	if err != nil {
 		log.Warn("LDAP URL dial failed")
 		return nil, err
 	}

 	if admin {
-		if err := conn.Bind(la.config.SearchDN, la.syncPassword); err != nil {
+		if err := conn.Bind(lc.SearchDN, la.syncPassword); err != nil {
 			conn.Close()
 			log.Warn("LDAP connection bind failed")
 			return nil, err
--- a/internal/auth/local.go
+++ b/internal/auth/local.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"net/http"

+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -17,37 +19,29 @@ type LocalAuthenticator struct {

 var _ Authenticator = (*LocalAuthenticator)(nil)

-func (la *LocalAuthenticator) Init(
-	auth *Authentication,
-	_ interface{}) error {
-
-	la.auth = auth
+func (la *LocalAuthenticator) Init() error {
 	return nil
 }

 func (la *LocalAuthenticator) CanLogin(
-	user *User,
+	user *schema.User,
+	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {

-	return user != nil && user.AuthSource == AuthViaLocalPassword
+	return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
 }

 func (la *LocalAuthenticator) Login(
-	user *User,
+	user *schema.User,
 	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
+	r *http.Request) (*schema.User, error) {

-	if e := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(r.FormValue("password"))); e != nil {
-		return nil, fmt.Errorf("AUTH/LOCAL > user '%s' provided the wrong password (%w)", user.Username, e)
+	if e := bcrypt.CompareHashAndPassword([]byte(user.Password),
+		[]byte(r.FormValue("password"))); e != nil {
+		log.Errorf("AUTH/LOCAL > Authentication for user %s failed!", user.Username)
+		return nil, fmt.Errorf("Authentication failed")
 	}

 	return user, nil
 }
-
-func (la *LocalAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	return la.auth.AuthViaSession(rw, r)
-}
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -0,0 +1,196 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gorilla/mux"
+	"golang.org/x/oauth2"
+)
+
+type OIDC struct {
+	client         *oauth2.Config
+	provider       *oidc.Provider
+	authentication *Authentication
+	clientID       string
+}
+
+func randString(nByte int) (string, error) {
+	b := make([]byte, nByte)
+	if _, err := io.ReadFull(rand.Reader, b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
+	c := &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   int(time.Hour.Seconds()),
+		Secure:   r.TLS != nil,
+		HttpOnly: true,
+	}
+	http.SetCookie(w, c)
+}
+
+func NewOIDC(a *Authentication) *OIDC {
+	provider, err := oidc.NewProvider(context.Background(), config.Keys.OpenIDConfig.Provider)
+	if err != nil {
+		log.Fatal(err)
+	}
+	clientID := os.Getenv("OID_CLIENT_ID")
+	if clientID == "" {
+		log.Warn("environment variable 'OID_CLIENT_ID' not set (Open ID connect auth will not work)")
+	}
+	clientSecret := os.Getenv("OID_CLIENT_SECRET")
+	if clientSecret == "" {
+		log.Warn("environment variable 'OID_CLIENT_SECRET' not set (Open ID connect auth will not work)")
+	}
+
+	client := &oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Endpoint:     provider.Endpoint(),
+		RedirectURL:  "oidc-callback",
+		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+	}
+
+	oa := &OIDC{provider: provider, client: client, clientID: clientID, authentication: a}
+
+	return oa
+}
+
+func (oa *OIDC) RegisterEndpoints(r *mux.Router) {
+	r.HandleFunc("/oidc-login", oa.OAuth2Login)
+	r.HandleFunc("/oidc-callback", oa.OAuth2Callback)
+}
+
+func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
+	c, err := r.Cookie("state")
+	if err != nil {
+		http.Error(rw, "state cookie not found", http.StatusBadRequest)
+		return
+	}
+	state := c.Value
+
+	c, err = r.Cookie("verifier")
+	if err != nil {
+		http.Error(rw, "verifier cookie not found", http.StatusBadRequest)
+		return
+	}
+	codeVerifier := c.Value
+
+	_ = r.ParseForm()
+	if r.Form.Get("state") != state {
+		http.Error(rw, "State invalid", http.StatusBadRequest)
+		return
+	}
+	code := r.Form.Get("code")
+	if code == "" {
+		http.Error(rw, "Code not found", http.StatusBadRequest)
+		return
+	}
+	token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(codeVerifier))
+	if err != nil {
+		http.Error(rw, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	userInfo, err := oa.provider.UserInfo(context.Background(), oauth2.StaticTokenSource(token))
+	if err != nil {
+		http.Error(rw, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// // Extract the ID Token from OAuth2 token.
+	// rawIDToken, ok := token.Extra("id_token").(string)
+	// if !ok {
+	// 	http.Error(rw, "Cannot access idToken", http.StatusInternalServerError)
+	// }
+	//
+	// verifier := oa.provider.Verifier(&oidc.Config{ClientID: oa.clientID})
+	// // Parse and verify ID Token payload.
+	// idToken, err := verifier.Verify(context.Background(), rawIDToken)
+	// if err != nil {
+	// 	http.Error(rw, "Failed to extract idToken: "+err.Error(), http.StatusInternalServerError)
+	// }
+
+	projects := make([]string, 0)
+
+	// Extract custom claims
+	var claims struct {
+		Username string `json:"preferred_username"`
+		Name     string `json:"name"`
+		Profile  struct {
+			Client struct {
+				Roles []string `json:"roles"`
+			} `json:"clustercockpit"`
+		} `json:"resource_access"`
+	}
+	if err := userInfo.Claims(&claims); err != nil {
+		http.Error(rw, "Failed to extract Claims: "+err.Error(), http.StatusInternalServerError)
+	}
+
+	var roles []string
+	for _, r := range claims.Profile.Client.Roles {
+		switch r {
+		case "user":
+			roles = append(roles, schema.GetRoleString(schema.RoleUser))
+		case "admin":
+			roles = append(roles, schema.GetRoleString(schema.RoleAdmin))
+		}
+	}
+
+	if len(roles) == 0 {
+		roles = append(roles, schema.GetRoleString(schema.RoleUser))
+	}
+
+	user := &schema.User{
+		Username:   claims.Username,
+		Name:       claims.Name,
+		Roles:      roles,
+		Projects:   projects,
+		AuthSource: schema.AuthViaOIDC,
+	}
+
+	if config.Keys.OpenIDConfig.SyncUserOnLogin || config.Keys.OpenIDConfig.UpdateUserOnLogin {
+		handleOIDCUser(user)
+	}
+
+	oa.authentication.SaveSession(rw, r, user)
+	log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
+	ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
+	http.RedirectHandler("/", http.StatusTemporaryRedirect).ServeHTTP(rw, r.WithContext(ctx))
+}
+
+func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
+	state, err := randString(16)
+	if err != nil {
+		http.Error(rw, "Internal error", http.StatusInternalServerError)
+		return
+	}
+	setCallbackCookie(rw, r, "state", state)
+
+	// use PKCE to protect against CSRF attacks
+	codeVerifier := oauth2.GenerateVerifier()
+	setCallbackCookie(rw, r, "verifier", codeVerifier)
+
+	// Redirect user to consent page to ask for permission
+	url := oa.client.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(codeVerifier))
+	http.Redirect(rw, r, url, http.StatusFound)
+}
--- a/internal/auth/users.go
+++ b/internal/auth/users.go
@@ -1,289 +0,0 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
-// All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-package auth
-
-import (
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
-	"github.com/ClusterCockpit/cc-backend/pkg/log"
-	sq "github.com/Masterminds/squirrel"
-	"github.com/jmoiron/sqlx"
-	"golang.org/x/crypto/bcrypt"
-)
-
-func (auth *Authentication) GetUser(username string) (*User, error) {
-
-	user := &User{Username: username}
-	var hashedPassword, name, rawRoles, email, rawProjects sql.NullString
-	if err := sq.Select("password", "ldap", "name", "roles", "email", "projects").From("user").
-		Where("user.username = ?", username).RunWith(auth.db).
-		QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email, &rawProjects); err != nil {
-		log.Warnf("Error while querying user '%v' from database", username)
-		return nil, err
-	}
-
-	user.Password = hashedPassword.String
-	user.Name = name.String
-	user.Email = email.String
-	if rawRoles.Valid {
-		if err := json.Unmarshal([]byte(rawRoles.String), &user.Roles); err != nil {
-			log.Warn("Error while unmarshaling raw roles from DB")
-			return nil, err
-		}
-	}
-	if rawProjects.Valid {
-		if err := json.Unmarshal([]byte(rawProjects.String), &user.Projects); err != nil {
-			return nil, err
-		}
-	}
-
-	return user, nil
-}
-
-func (auth *Authentication) AddUser(user *User) error {
-
-	rolesJson, _ := json.Marshal(user.Roles)
-	projectsJson, _ := json.Marshal(user.Projects)
-
-	cols := []string{"username", "roles", "projects"}
-	vals := []interface{}{user.Username, string(rolesJson), string(projectsJson)}
-
-	if user.Name != "" {
-		cols = append(cols, "name")
-		vals = append(vals, user.Name)
-	}
-	if user.Email != "" {
-		cols = append(cols, "email")
-		vals = append(vals, user.Email)
-	}
-	if user.Password != "" {
-		password, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
-		if err != nil {
-			log.Error("Error while encrypting new user password")
-			return err
-		}
-		cols = append(cols, "password")
-		vals = append(vals, string(password))
-	}
-
-	if _, err := sq.Insert("user").Columns(cols...).Values(vals...).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while inserting new user '%v' into DB", user.Username)
-		return err
-	}
-
-	log.Infof("new user %#v created (roles: %s, auth-source: %d, projects: %s)", user.Username, rolesJson, user.AuthSource, projectsJson)
-	return nil
-}
-
-func (auth *Authentication) DelUser(username string) error {
-
-	_, err := auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username)
-	log.Errorf("Error while deleting user '%s' from DB", username)
-	return err
-}
-
-func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
-
-	q := sq.Select("username", "name", "email", "roles", "projects").From("user")
-	if specialsOnly {
-		q = q.Where("(roles != '[\"user\"]' AND roles != '[]')")
-	}
-
-	rows, err := q.RunWith(auth.db).Query()
-	if err != nil {
-		log.Warn("Error while querying user list")
-		return nil, err
-	}
-
-	users := make([]*User, 0)
-	defer rows.Close()
-	for rows.Next() {
-		rawroles := ""
-		rawprojects := ""
-		user := &User{}
-		var name, email sql.NullString
-		if err := rows.Scan(&user.Username, &name, &email, &rawroles, &rawprojects); err != nil {
-			log.Warn("Error while scanning user list")
-			return nil, err
-		}
-
-		if err := json.Unmarshal([]byte(rawroles), &user.Roles); err != nil {
-			log.Warn("Error while unmarshaling raw role list")
-			return nil, err
-		}
-
-		if err := json.Unmarshal([]byte(rawprojects), &user.Projects); err != nil {
-			return nil, err
-		}
-
-		user.Name = name.String
-		user.Email = email.String
-		users = append(users, user)
-	}
-	return users, nil
-}
-
-func (auth *Authentication) AddRole(
-	ctx context.Context,
-	username string,
-	queryrole string) error {
-
-	newRole := strings.ToLower(queryrole)
-	user, err := auth.GetUser(username)
-	if err != nil {
-		log.Warnf("Could not load user '%s'", username)
-		return err
-	}
-
-	exists, valid := user.HasValidRole(newRole)
-
-	if !valid {
-		return fmt.Errorf("Supplied role is no valid option : %v", newRole)
-	}
-	if exists {
-		return fmt.Errorf("User %v already has role %v", username, newRole)
-	}
-
-	roles, _ := json.Marshal(append(user.Roles, newRole))
-	if _, err := sq.Update("user").Set("roles", roles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while adding new role for user '%s'", user.Username)
-		return err
-	}
-	return nil
-}
-
-func (auth *Authentication) RemoveRole(ctx context.Context, username string, queryrole string) error {
-	oldRole := strings.ToLower(queryrole)
-	user, err := auth.GetUser(username)
-	if err != nil {
-		log.Warnf("Could not load user '%s'", username)
-		return err
-	}
-
-	exists, valid := user.HasValidRole(oldRole)
-
-	if !valid {
-		return fmt.Errorf("Supplied role is no valid option : %v", oldRole)
-	}
-	if !exists {
-		return fmt.Errorf("Role already deleted for user '%v': %v", username, oldRole)
-	}
-
-	if oldRole == GetRoleString(RoleManager) && len(user.Projects) != 0 {
-		return fmt.Errorf("Cannot remove role 'manager' while user %s still has assigned project(s) : %v", username, user.Projects)
-	}
-
-	var newroles []string
-	for _, r := range user.Roles {
-		if r != oldRole {
-			newroles = append(newroles, r) // Append all roles not matching requested to be deleted role
-		}
-	}
-
-	var mroles, _ = json.Marshal(newroles)
-	if _, err := sq.Update("user").Set("roles", mroles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while removing role for user '%s'", user.Username)
-		return err
-	}
-	return nil
-}
-
-func (auth *Authentication) AddProject(
-	ctx context.Context,
-	username string,
-	project string) error {
-
-	user, err := auth.GetUser(username)
-	if err != nil {
-		return err
-	}
-
-	if !user.HasRole(RoleManager) {
-		return fmt.Errorf("user '%s' is not a manager!", username)
-	}
-
-	if user.HasProject(project) {
-		return fmt.Errorf("user '%s' already manages project '%s'", username, project)
-	}
-
-	projects, _ := json.Marshal(append(user.Projects, project))
-	if _, err := sq.Update("user").Set("projects", projects).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (auth *Authentication) RemoveProject(ctx context.Context, username string, project string) error {
-	user, err := auth.GetUser(username)
-	if err != nil {
-		return err
-	}
-
-	if !user.HasRole(RoleManager) {
-		return fmt.Errorf("user '%#v' is not a manager!", username)
-	}
-
-	if !user.HasProject(project) {
-		return fmt.Errorf("user '%#v': Cannot remove project '%#v' - Does not match!", username, project)
-	}
-
-	var exists bool
-	var newprojects []string
-	for _, p := range user.Projects {
-		if p != project {
-			newprojects = append(newprojects, p) // Append all projects not matching requested to be deleted project
-		} else {
-			exists = true
-		}
-	}
-
-	if exists == true {
-		var result interface{}
-		if len(newprojects) == 0 {
-			result = "[]"
-		} else {
-			result, _ = json.Marshal(newprojects)
-		}
-		if _, err := sq.Update("user").Set("projects", result).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-			return err
-		}
-		return nil
-	} else {
-		return fmt.Errorf("user %s already does not manage project %s", username, project)
-	}
-}
-
-func FetchUser(ctx context.Context, db *sqlx.DB, username string) (*model.User, error) {
-	me := GetUser(ctx)
-	if me != nil && me.Username != username && me.HasNotRoles([]Role{RoleAdmin, RoleSupport, RoleManager}) {
-		return nil, errors.New("forbidden")
-	}
-
-	user := &model.User{Username: username}
-	var name, email sql.NullString
-	if err := sq.Select("name", "email").From("user").Where("user.username = ?", username).
-		RunWith(db).QueryRow().Scan(&name, &email); err != nil {
-		if err == sql.ErrNoRows {
-			/* This warning will be logged *often* for non-local users, i.e. users mentioned only in job-table or archive, */
-			/* since FetchUser will be called to retrieve full name and mail for every job in query/list									 */
-			// log.Warnf("User '%s' Not found in DB", username)
-			return nil, nil
-		}
-
-		log.Warnf("Error while fetching user '%s'", username)
-		return nil, err
-	}
-
-	user.Name = name.String
-	user.Email = email.String
-	return user, nil
-}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -7,9 +7,9 @@ package config
 import (
 	"bytes"
 	"encoding/json"
-	"log"
 	"os"

+	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 )

@@ -22,7 +22,6 @@ var Keys schema.ProgramConfig = schema.ProgramConfig{
 	Archive:                   json.RawMessage(`{\"kind\":\"file\",\"path\":\"./var/job-archive\"}`),
 	DisableArchive:            false,
 	Validate:                  false,
-	LdapConfig:                nil,
 	SessionMaxAge:             "168h",
 	StopJobsExceedingWalltime: 0,
 	ShortRunningJobsDuration:  5 * 60,
@@ -30,8 +29,9 @@ var Keys schema.ProgramConfig = schema.ProgramConfig{
 		"analysis_view_histogramMetrics":         []string{"flops_any", "mem_bw", "mem_used"},
 		"analysis_view_scatterPlotMetrics":       [][]string{{"flops_any", "mem_bw"}, {"flops_any", "cpu_load"}, {"cpu_load", "mem_bw"}},
 		"job_view_nodestats_selectedMetrics":     []string{"flops_any", "mem_bw", "mem_used"},
-		"job_view_polarPlotMetrics":          []string{"flops_any", "mem_bw", "mem_used"},
 		"job_view_selectedMetrics":               []string{"flops_any", "mem_bw", "mem_used"},
+		"job_view_showFootprint":                 true,
+		"job_list_usePaging":                     false,
 		"plot_general_colorBackground":           true,
 		"plot_general_colorscheme":               []string{"#00bfff", "#0000ff", "#ff00ff", "#ff0000", "#ff8000", "#ffff00", "#80ff00"},
 		"plot_general_lineWidth":                 3,
@@ -42,6 +42,10 @@ var Keys schema.ProgramConfig = schema.ProgramConfig{
 		"plot_view_showRoofline":                 true,
 		"plot_view_showStatTable":                true,
 		"system_view_selectedMetric":             "cpu_load",
+		"analysis_view_selectedTopEntity":        "user",
+		"analysis_view_selectedTopCategory":      "totalWalltime",
+		"status_view_selectedTopUserCategory":    "totalJobs",
+		"status_view_selectedTopProjectCategory": "totalJobs",
 	},
 }

@@ -49,20 +53,20 @@ func Init(flagConfigFile string) {
 	raw, err := os.ReadFile(flagConfigFile)
 	if err != nil {
 		if !os.IsNotExist(err) {
-			log.Fatalf("CONFIG ERROR: %v", err)
+			log.Abortf("Config Init: Could not read config file '%s'.\nError: %s\n", flagConfigFile, err.Error())
 		}
 	} else {
 		if err := schema.Validate(schema.Config, bytes.NewReader(raw)); err != nil {
-			log.Fatalf("Validate config: %v\n", err)
+			log.Abortf("Config Init: Could not validate config file '%s'.\nError: %s\n", flagConfigFile, err.Error())
 		}
 		dec := json.NewDecoder(bytes.NewReader(raw))
 		dec.DisallowUnknownFields()
 		if err := dec.Decode(&Keys); err != nil {
-			log.Fatalf("could not decode: %v", err)
+			log.Abortf("Config Init: Could not decode config file '%s'.\nError: %s\n", flagConfigFile, err.Error())
 		}

 		if Keys.Clusters == nil || len(Keys.Clusters) < 1 {
-			log.Fatal("At least one cluster required in config!")
+			log.Abort("Config Init: At least one cluster required in config. Exited with error.")
 		}
 	}
 }
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
--- a/internal/config/default_metrics.go
+++ b/internal/config/default_metrics.go
@@ -0,0 +1,44 @@
+package config
+
+import (
+	"encoding/json"
+	"os"
+	"strings"
+)
+
+type DefaultMetricsCluster struct {
+	Name           string `json:"name"`
+	DefaultMetrics string `json:"default_metrics"`
+}
+
+type DefaultMetricsConfig struct {
+	Clusters []DefaultMetricsCluster `json:"clusters"`
+}
+
+func LoadDefaultMetricsConfig() (*DefaultMetricsConfig, error) {
+	filePath := "default_metrics.json"
+	if _, err := os.Stat(filePath); os.IsNotExist(err) {
+		return nil, nil
+	}
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, err
+	}
+	var cfg DefaultMetricsConfig
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+func ParseMetricsString(s string) []string {
+	parts := strings.Split(s, ",")
+	var metrics []string
+	for _, p := range parts {
+		trimmed := strings.TrimSpace(p)
+		if trimmed != "" {
+			metrics = append(metrics, trimmed)
+		}
+	}
+	return metrics
+}
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
--- a/internal/graph/model/models.go
+++ b/internal/graph/model/models.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -16,13 +16,25 @@ type Count struct {
 	Count int    `json:"count"`
 }

+type EnergyFootprintValue struct {
+	Hardware string  `json:"hardware"`
+	Metric   string  `json:"metric"`
+	Value    float64 `json:"value"`
+}
+
 type FloatRange struct {
 	From float64 `json:"from"`
 	To   float64 `json:"to"`
 }

+type FootprintValue struct {
+	Name  string  `json:"name"`
+	Stat  string  `json:"stat"`
+	Value float64 `json:"value"`
+}
+
 type Footprints struct {
-	Nodehours []schema.Float      `json:"nodehours"`
+	TimeWeights *TimeWeights        `json:"timeWeights"`
 	Metrics     []*MetricFootprints `json:"metrics"`
 }

@@ -37,30 +49,25 @@ type IntRangeOutput struct {
 }

 type JobFilter struct {
-	Tags            []string          `json:"tags"`
-	JobID           *StringInput      `json:"jobId"`
-	ArrayJobID      *int              `json:"arrayJobId"`
-	User            *StringInput      `json:"user"`
-	Project         *StringInput      `json:"project"`
-	JobName         *StringInput      `json:"jobName"`
-	Cluster         *StringInput      `json:"cluster"`
-	Partition       *StringInput      `json:"partition"`
-	Duration        *schema.IntRange  `json:"duration"`
-	MinRunningFor   *int              `json:"minRunningFor"`
-	NumNodes        *schema.IntRange  `json:"numNodes"`
-	NumAccelerators *schema.IntRange  `json:"numAccelerators"`
-	NumHWThreads    *schema.IntRange  `json:"numHWThreads"`
-	StartTime       *schema.TimeRange `json:"startTime"`
-	State           []schema.JobState `json:"state"`
-	FlopsAnyAvg     *FloatRange       `json:"flopsAnyAvg"`
-	MemBwAvg        *FloatRange       `json:"memBwAvg"`
-	LoadAvg         *FloatRange       `json:"loadAvg"`
-	MemUsedMax      *FloatRange       `json:"memUsedMax"`
-	Exclusive       *int              `json:"exclusive"`
-	SharedNode      *StringInput      `json:"sharedNode"`
-	SelfJobID       *StringInput      `json:"selfJobId"`
-	SelfStartTime   *time.Time        `json:"selfStartTime"`
-	SelfDuration    *int              `json:"selfDuration"`
+	Tags            []string          `json:"tags,omitempty"`
+	JobID           *StringInput      `json:"jobId,omitempty"`
+	ArrayJobID      *int              `json:"arrayJobId,omitempty"`
+	User            *StringInput      `json:"user,omitempty"`
+	Project         *StringInput      `json:"project,omitempty"`
+	JobName         *StringInput      `json:"jobName,omitempty"`
+	Cluster         *StringInput      `json:"cluster,omitempty"`
+	Partition       *StringInput      `json:"partition,omitempty"`
+	Duration        *schema.IntRange  `json:"duration,omitempty"`
+	Energy          *FloatRange       `json:"energy,omitempty"`
+	MinRunningFor   *int              `json:"minRunningFor,omitempty"`
+	NumNodes        *schema.IntRange  `json:"numNodes,omitempty"`
+	NumAccelerators *schema.IntRange  `json:"numAccelerators,omitempty"`
+	NumHWThreads    *schema.IntRange  `json:"numHWThreads,omitempty"`
+	StartTime       *schema.TimeRange `json:"startTime,omitempty"`
+	State           []schema.JobState `json:"state,omitempty"`
+	MetricStats     []*MetricStatItem `json:"metricStats,omitempty"`
+	Exclusive       *int              `json:"exclusive,omitempty"`
+	Node            *StringInput      `json:"node,omitempty"`
 }

 type JobLink struct {
@@ -69,8 +76,9 @@ type JobLink struct {
 }

 type JobLinkResultList struct {
+	ListQuery *string    `json:"listQuery,omitempty"`
 	Items     []*JobLink `json:"items"`
-	Count *int       `json:"count"`
+	Count     *int       `json:"count,omitempty"`
 }

 type JobMetricWithName struct {
@@ -81,9 +89,21 @@ type JobMetricWithName struct {

 type JobResultList struct {
 	Items       []*schema.Job `json:"items"`
-	Offset *int          `json:"offset"`
-	Limit  *int          `json:"limit"`
-	Count  *int          `json:"count"`
+	Offset      *int          `json:"offset,omitempty"`
+	Limit       *int          `json:"limit,omitempty"`
+	Count       *int          `json:"count,omitempty"`
+	HasNextPage *bool         `json:"hasNextPage,omitempty"`
+}
+
+type JobStats struct {
+	Name  string                   `json:"name"`
+	Stats *schema.MetricStatistics `json:"stats"`
+}
+
+type JobStatsWithScope struct {
+	Name  string             `json:"name"`
+	Scope schema.MetricScope `json:"scope"`
+	Stats []*ScopedStats     `json:"stats"`
 }

 type JobsStatistics struct {
@@ -93,11 +113,17 @@ type JobsStatistics struct {
 	RunningJobs    int                  `json:"runningJobs"`
 	ShortJobs      int                  `json:"shortJobs"`
 	TotalWalltime  int                  `json:"totalWalltime"`
+	TotalNodes     int                  `json:"totalNodes"`
 	TotalNodeHours int                  `json:"totalNodeHours"`
+	TotalCores     int                  `json:"totalCores"`
 	TotalCoreHours int                  `json:"totalCoreHours"`
+	TotalAccs      int                  `json:"totalAccs"`
 	TotalAccHours  int                  `json:"totalAccHours"`
 	HistDuration   []*HistoPoint        `json:"histDuration"`
 	HistNumNodes   []*HistoPoint        `json:"histNumNodes"`
+	HistNumCores   []*HistoPoint        `json:"histNumCores"`
+	HistNumAccs    []*HistoPoint        `json:"histNumAccs"`
+	HistMetrics    []*MetricHistoPoints `json:"histMetrics"`
 }

 type MetricFootprints struct {
@@ -105,14 +131,46 @@ type MetricFootprints struct {
 	Data   []schema.Float `json:"data"`
 }

+type MetricHistoPoint struct {
+	Bin   *int `json:"bin,omitempty"`
+	Count int  `json:"count"`
+	Min   *int `json:"min,omitempty"`
+	Max   *int `json:"max,omitempty"`
+}
+
+type MetricHistoPoints struct {
+	Metric string              `json:"metric"`
+	Unit   string              `json:"unit"`
+	Stat   *string             `json:"stat,omitempty"`
+	Data   []*MetricHistoPoint `json:"data,omitempty"`
+}
+
+type MetricStatItem struct {
+	MetricName string      `json:"metricName"`
+	Range      *FloatRange `json:"range"`
+}
+
+type Mutation struct {
+}
+
 type NodeMetrics struct {
 	Host       string               `json:"host"`
 	SubCluster string               `json:"subCluster"`
 	Metrics    []*JobMetricWithName `json:"metrics"`
 }

+type NodesResultList struct {
+	Items       []*NodeMetrics `json:"items"`
+	Offset      *int           `json:"offset,omitempty"`
+	Limit       *int           `json:"limit,omitempty"`
+	Count       *int           `json:"count,omitempty"`
+	TotalNodes  *int           `json:"totalNodes,omitempty"`
+	HasNextPage *bool          `json:"hasNextPage,omitempty"`
+}
+
 type OrderByInput struct {
 	Field string            `json:"field"`
+	Type  string            `json:"type"`
 	Order SortDirectionEnum `json:"order"`
 }

@@ -121,20 +179,33 @@ type PageRequest struct {
 	Page         int `json:"page"`
 }

+type ScopedStats struct {
+	Hostname string                   `json:"hostname"`
+	ID       *string                  `json:"id,omitempty"`
+	Data     *schema.MetricStatistics `json:"data"`
+}
+
 type StringInput struct {
-	Eq         *string  `json:"eq"`
-	Neq        *string  `json:"neq"`
-	Contains   *string  `json:"contains"`
-	StartsWith *string  `json:"startsWith"`
-	EndsWith   *string  `json:"endsWith"`
-	In         []string `json:"in"`
+	Eq         *string  `json:"eq,omitempty"`
+	Neq        *string  `json:"neq,omitempty"`
+	Contains   *string  `json:"contains,omitempty"`
+	StartsWith *string  `json:"startsWith,omitempty"`
+	EndsWith   *string  `json:"endsWith,omitempty"`
+	In         []string `json:"in,omitempty"`
 }

 type TimeRangeOutput struct {
+	Range *string   `json:"range,omitempty"`
 	From  time.Time `json:"from"`
 	To    time.Time `json:"to"`
 }

+type TimeWeights struct {
+	NodeHours []schema.Float `json:"nodeHours"`
+	AccHours  []schema.Float `json:"accHours"`
+	CoreHours []schema.Float `json:"coreHours"`
+}
+
 type User struct {
 	Username string `json:"username"`
 	Name     string `json:"name"`
@@ -167,7 +238,7 @@ func (e Aggregate) String() string {
 	return string(e)
 }

-func (e *Aggregate) UnmarshalGQL(v interface{}) error {
+func (e *Aggregate) UnmarshalGQL(v any) error {
 	str, ok := v.(string)
 	if !ok {
 		return fmt.Errorf("enums must be strings")
@@ -184,6 +255,59 @@ func (e Aggregate) MarshalGQL(w io.Writer) {
 	fmt.Fprint(w, strconv.Quote(e.String()))
 }

+type SortByAggregate string
+
+const (
+	SortByAggregateTotalwalltime  SortByAggregate = "TOTALWALLTIME"
+	SortByAggregateTotaljobs      SortByAggregate = "TOTALJOBS"
+	SortByAggregateTotalnodes     SortByAggregate = "TOTALNODES"
+	SortByAggregateTotalnodehours SortByAggregate = "TOTALNODEHOURS"
+	SortByAggregateTotalcores     SortByAggregate = "TOTALCORES"
+	SortByAggregateTotalcorehours SortByAggregate = "TOTALCOREHOURS"
+	SortByAggregateTotalaccs      SortByAggregate = "TOTALACCS"
+	SortByAggregateTotalacchours  SortByAggregate = "TOTALACCHOURS"
+)
+
+var AllSortByAggregate = []SortByAggregate{
+	SortByAggregateTotalwalltime,
+	SortByAggregateTotaljobs,
+	SortByAggregateTotalnodes,
+	SortByAggregateTotalnodehours,
+	SortByAggregateTotalcores,
+	SortByAggregateTotalcorehours,
+	SortByAggregateTotalaccs,
+	SortByAggregateTotalacchours,
+}
+
+func (e SortByAggregate) IsValid() bool {
+	switch e {
+	case SortByAggregateTotalwalltime, SortByAggregateTotaljobs, SortByAggregateTotalnodes, SortByAggregateTotalnodehours, SortByAggregateTotalcores, SortByAggregateTotalcorehours, SortByAggregateTotalaccs, SortByAggregateTotalacchours:
+		return true
+	}
+	return false
+}
+
+func (e SortByAggregate) String() string {
+	return string(e)
+}
+
+func (e *SortByAggregate) UnmarshalGQL(v any) error {
+	str, ok := v.(string)
+	if !ok {
+		return fmt.Errorf("enums must be strings")
+	}
+
+	*e = SortByAggregate(str)
+	if !e.IsValid() {
+		return fmt.Errorf("%s is not a valid SortByAggregate", str)
+	}
+	return nil
+}
+
+func (e SortByAggregate) MarshalGQL(w io.Writer) {
+	fmt.Fprint(w, strconv.Quote(e.String()))
+}
+
 type SortDirectionEnum string

 const (
@@ -208,7 +332,7 @@ func (e SortDirectionEnum) String() string {
 	return string(e)
 }

-func (e *SortDirectionEnum) UnmarshalGQL(v interface{}) error {
+func (e *SortDirectionEnum) UnmarshalGQL(v any) error {
 	str, ok := v.(string)
 	if !ok {
 		return fmt.Errorf("enums must be strings")
@@ -224,44 +348,3 @@ func (e *SortDirectionEnum) UnmarshalGQL(v interface{}) error {
 func (e SortDirectionEnum) MarshalGQL(w io.Writer) {
 	fmt.Fprint(w, strconv.Quote(e.String()))
 }
-
-type Weights string
-
-const (
-	WeightsNodeCount Weights = "NODE_COUNT"
-	WeightsNodeHours Weights = "NODE_HOURS"
-)
-
-var AllWeights = []Weights{
-	WeightsNodeCount,
-	WeightsNodeHours,
-}
-
-func (e Weights) IsValid() bool {
-	switch e {
-	case WeightsNodeCount, WeightsNodeHours:
-		return true
-	}
-	return false
-}
-
-func (e Weights) String() string {
-	return string(e)
-}
-
-func (e *Weights) UnmarshalGQL(v interface{}) error {
-	str, ok := v.(string)
-	if !ok {
-		return fmt.Errorf("enums must be strings")
-	}
-
-	*e = Weights(str)
-	if !e.IsValid() {
-		return fmt.Errorf("%s is not a valid Weights", str)
-	}
-	return nil
-}
-
-func (e Weights) MarshalGQL(w io.Writer) {
-	fmt.Fprint(w, strconv.Quote(e.String()))
-}
--- a/internal/graph/resolver.go
+++ b/internal/graph/resolver.go
@@ -1,15 +1,39 @@
 package graph

 import (
+	"sync"
+
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/jmoiron/sqlx"
 )

 // This file will not be regenerated automatically.
 //
 // It serves as dependency injection for your app, add any dependencies you require here.
+var (
+	initOnce         sync.Once
+	resolverInstance *Resolver
+)

 type Resolver struct {
 	DB   *sqlx.DB
 	Repo *repository.JobRepository
 }
+
+func Init() {
+	initOnce.Do(func() {
+		db := repository.GetConnection()
+		resolverInstance = &Resolver{
+			DB: db.DB, Repo: repository.GetJobRepository(),
+		}
+	})
+}
+
+func GetResolverInstance() *Resolver {
+	if resolverInstance == nil {
+		log.Fatal("Authentication module not initialized!")
+	}
+
+	return resolverInstance
+}
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -2,19 +2,22 @@ package graph

 // This file will be automatically regenerated based on the schema, any resolver implementations
 // will be copied through when generating and any unknown code will be moved to the end.
-// Code generated by github.com/99designs/gqlgen version v0.17.24
+// Code generated by github.com/99designs/gqlgen version v0.17.66

 import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
+	"slices"
 	"strconv"
+	"strings"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
+	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/generated"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
-	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
+	"github.com/ClusterCockpit/cc-backend/internal/metricDataDispatcher"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
@@ -28,69 +31,135 @@ func (r *clusterResolver) Partitions(ctx context.Context, obj *schema.Cluster) (

 // Tags is the resolver for the tags field.
 func (r *jobResolver) Tags(ctx context.Context, obj *schema.Job) ([]*schema.Tag, error) {
-	return r.Repo.GetTags(&obj.ID)
+	return r.Repo.GetTags(repository.GetUserFromContext(ctx), &obj.ID)
 }

 // ConcurrentJobs is the resolver for the concurrentJobs field.
 func (r *jobResolver) ConcurrentJobs(ctx context.Context, obj *schema.Job) (*model.JobLinkResultList, error) {
-	exc := int(obj.Exclusive)
-	if exc != 1 {
-		filter := []*model.JobFilter{}
-		jid := fmt.Sprint(obj.JobID)
-		jdu := int(obj.Duration)
-		filter = append(filter, &model.JobFilter{Exclusive: &exc})
-		filter = append(filter, &model.JobFilter{SharedNode: &model.StringInput{Contains: &obj.Resources[0].Hostname}})
-		filter = append(filter, &model.JobFilter{SelfJobID: &model.StringInput{Neq: &jid}})
-		filter = append(filter, &model.JobFilter{SelfStartTime: &obj.StartTime, SelfDuration: &jdu})
-
-		jobLinks, err := r.Repo.QueryJobLinks(ctx, filter)
-		if err != nil {
-			log.Warn("Error while querying jobLinks")
-			return nil, err
-		}
-
-		count, err := r.Repo.CountJobs(ctx, filter)
-		if err != nil {
-			log.Warn("Error while counting jobLinks")
-			return nil, err
-		}
-
-		result := &model.JobLinkResultList{Items: jobLinks, Count: &count}
-
-		return result, nil
+	// FIXME: Make the hardcoded duration configurable
+	if obj.Exclusive != 1 && obj.Duration > 600 {
+		return r.Repo.FindConcurrentJobs(ctx, obj)
 	}

 	return nil, nil
 }

+// Footprint is the resolver for the footprint field.
+func (r *jobResolver) Footprint(ctx context.Context, obj *schema.Job) ([]*model.FootprintValue, error) {
+	rawFootprint, err := r.Repo.FetchFootprint(obj)
+	if err != nil {
+		log.Warn("Error while fetching job footprint data")
+		return nil, err
+	}
+
+	res := []*model.FootprintValue{}
+	for name, value := range rawFootprint {
+
+		parts := strings.Split(name, "_")
+		statPart := parts[len(parts)-1]
+		nameParts := parts[:len(parts)-1]
+
+		res = append(res, &model.FootprintValue{
+			Name:  strings.Join(nameParts, "_"),
+			Stat:  statPart,
+			Value: value,
+		})
+	}
+
+	return res, err
+}
+
+// EnergyFootprint is the resolver for the energyFootprint field.
+func (r *jobResolver) EnergyFootprint(ctx context.Context, obj *schema.Job) ([]*model.EnergyFootprintValue, error) {
+	rawEnergyFootprint, err := r.Repo.FetchEnergyFootprint(obj)
+	if err != nil {
+		log.Warn("Error while fetching job energy footprint data")
+		return nil, err
+	}
+
+	res := []*model.EnergyFootprintValue{}
+	for name, value := range rawEnergyFootprint {
+		// Suboptimal: Nearly hardcoded metric name expectations
+		matchCpu := regexp.MustCompile(`cpu|Cpu|CPU`)
+		matchAcc := regexp.MustCompile(`acc|Acc|ACC`)
+		matchMem := regexp.MustCompile(`mem|Mem|MEM`)
+		matchCore := regexp.MustCompile(`core|Core|CORE`)
+
+		hwType := ""
+		switch test := name; { // NOtice ';' for var declaration
+		case matchCpu.MatchString(test):
+			hwType = "CPU"
+		case matchAcc.MatchString(test):
+			hwType = "Accelerator"
+		case matchMem.MatchString(test):
+			hwType = "Memory"
+		case matchCore.MatchString(test):
+			hwType = "Core"
+		default:
+			hwType = "Other"
+		}
+
+		res = append(res, &model.EnergyFootprintValue{
+			Hardware: hwType,
+			Metric:   name,
+			Value:    value,
+		})
+	}
+	return res, err
+}
+
 // MetaData is the resolver for the metaData field.
-func (r *jobResolver) MetaData(ctx context.Context, obj *schema.Job) (interface{}, error) {
+func (r *jobResolver) MetaData(ctx context.Context, obj *schema.Job) (any, error) {
 	return r.Repo.FetchMetadata(obj)
 }

 // UserData is the resolver for the userData field.
 func (r *jobResolver) UserData(ctx context.Context, obj *schema.Job) (*model.User, error) {
-	return auth.FetchUser(ctx, r.DB, obj.User)
+	return repository.GetUserRepository().FetchUserInCtx(ctx, obj.User)
+}
+
+// Name is the resolver for the name field.
+func (r *metricValueResolver) Name(ctx context.Context, obj *schema.MetricValue) (*string, error) {
+	panic(fmt.Errorf("not implemented: Name - name"))
 }

 // CreateTag is the resolver for the createTag field.
-func (r *mutationResolver) CreateTag(ctx context.Context, typeArg string, name string) (*schema.Tag, error) {
-	id, err := r.Repo.CreateTag(typeArg, name)
+func (r *mutationResolver) CreateTag(ctx context.Context, typeArg string, name string, scope string) (*schema.Tag, error) {
+	user := repository.GetUserFromContext(ctx)
+	if user == nil {
+		return nil, fmt.Errorf("no user in context")
+	}
+
+	// Test Access: Admins && Admin Tag OR Support/Admin and Global Tag OR Everyone && Private Tag
+	if user.HasRole(schema.RoleAdmin) && scope == "admin" ||
+		user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) && scope == "global" ||
+		user.Username == scope {
+		// Create in DB
+		id, err := r.Repo.CreateTag(typeArg, name, scope)
 		if err != nil {
 			log.Warn("Error while creating tag")
 			return nil, err
 		}
-
-	return &schema.Tag{ID: id, Type: typeArg, Name: name}, nil
+		return &schema.Tag{ID: id, Type: typeArg, Name: name, Scope: scope}, nil
+	} else {
+		log.Warnf("Not authorized to create tag with scope: %s", scope)
+		return nil, fmt.Errorf("Not authorized to create tag with scope: %s", scope)
+	}
 }

 // DeleteTag is the resolver for the deleteTag field.
 func (r *mutationResolver) DeleteTag(ctx context.Context, id string) (string, error) {
+	// This Uses ID string <-> ID string, removeTagFromList uses []string <-> []int
 	panic(fmt.Errorf("not implemented: DeleteTag - deleteTag"))
 }

 // AddTagsToJob is the resolver for the addTagsToJob field.
 func (r *mutationResolver) AddTagsToJob(ctx context.Context, job string, tagIds []string) ([]*schema.Tag, error) {
+	user := repository.GetUserFromContext(ctx)
+	if user == nil {
+		return nil, fmt.Errorf("no user in context")
+	}
+
 	jid, err := strconv.ParseInt(job, 10, 64)
 	if err != nil {
 		log.Warn("Error while adding tag to job")
@@ -99,16 +168,33 @@ func (r *mutationResolver) AddTagsToJob(ctx context.Context, job string, tagIds

 	tags := []*schema.Tag{}
 	for _, tagId := range tagIds {
+		// Get ID
 		tid, err := strconv.ParseInt(tagId, 10, 64)
 		if err != nil {
 			log.Warn("Error while parsing tag id")
 			return nil, err
 		}

-		if tags, err = r.Repo.AddTag(jid, tid); err != nil {
+		// Test Exists
+		_, _, tscope, exists := r.Repo.TagInfo(tid)
+		if !exists {
+			log.Warnf("Tag does not exist (ID): %d", tid)
+			return nil, fmt.Errorf("Tag does not exist (ID): %d", tid)
+		}
+
+		// Test Access: Admins && Admin Tag OR Support/Admin and Global Tag OR Everyone && Private Tag
+		if user.HasRole(schema.RoleAdmin) && tscope == "admin" ||
+			user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) && tscope == "global" ||
+			user.Username == tscope {
+			// Add to Job
+			if tags, err = r.Repo.AddTag(user, jid, tid); err != nil {
 				log.Warn("Error while adding tag")
 				return nil, err
 			}
+		} else {
+			log.Warnf("Not authorized to add tag: %d", tid)
+			return nil, fmt.Errorf("Not authorized to add tag: %d", tid)
+		}
 	}

 	return tags, nil
@@ -116,6 +202,11 @@ func (r *mutationResolver) AddTagsToJob(ctx context.Context, job string, tagIds

 // RemoveTagsFromJob is the resolver for the removeTagsFromJob field.
 func (r *mutationResolver) RemoveTagsFromJob(ctx context.Context, job string, tagIds []string) ([]*schema.Tag, error) {
+	user := repository.GetUserFromContext(ctx)
+	if user == nil {
+		return nil, fmt.Errorf("no user in context")
+	}
+
 	jid, err := strconv.ParseInt(job, 10, 64)
 	if err != nil {
 		log.Warn("Error while parsing job id")
@@ -124,24 +215,83 @@ func (r *mutationResolver) RemoveTagsFromJob(ctx context.Context, job string, ta

 	tags := []*schema.Tag{}
 	for _, tagId := range tagIds {
+		// Get ID
 		tid, err := strconv.ParseInt(tagId, 10, 64)
 		if err != nil {
 			log.Warn("Error while parsing tag id")
 			return nil, err
 		}

-		if tags, err = r.Repo.RemoveTag(jid, tid); err != nil {
+		// Test Exists
+		_, _, tscope, exists := r.Repo.TagInfo(tid)
+		if !exists {
+			log.Warnf("Tag does not exist (ID): %d", tid)
+			return nil, fmt.Errorf("Tag does not exist (ID): %d", tid)
+		}
+
+		// Test Access: Admins && Admin Tag OR Support/Admin and Global Tag OR Everyone && Private Tag
+		if user.HasRole(schema.RoleAdmin) && tscope == "admin" ||
+			user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) && tscope == "global" ||
+			user.Username == tscope {
+			// Remove from Job
+			if tags, err = r.Repo.RemoveTag(user, jid, tid); err != nil {
 				log.Warn("Error while removing tag")
 				return nil, err
 			}
+		} else {
+			log.Warnf("Not authorized to remove tag: %d", tid)
+			return nil, fmt.Errorf("Not authorized to remove tag: %d", tid)
+		}
+
 	}

 	return tags, nil
 }

+// RemoveTagFromList is the resolver for the removeTagFromList field.
+func (r *mutationResolver) RemoveTagFromList(ctx context.Context, tagIds []string) ([]int, error) {
+	// Needs Contextuser
+	user := repository.GetUserFromContext(ctx)
+	if user == nil {
+		return nil, fmt.Errorf("no user in context")
+	}
+
+	tags := []int{}
+	for _, tagId := range tagIds {
+		// Get ID
+		tid, err := strconv.ParseInt(tagId, 10, 64)
+		if err != nil {
+			log.Warn("Error while parsing tag id for removal")
+			return nil, err
+		}
+
+		// Test Exists
+		_, _, tscope, exists := r.Repo.TagInfo(tid)
+		if !exists {
+			log.Warnf("Tag does not exist (ID): %d", tid)
+			return nil, fmt.Errorf("Tag does not exist (ID): %d", tid)
+		}
+
+		// Test Access: Admins && Admin Tag OR Everyone && Private Tag
+		if user.HasRole(schema.RoleAdmin) && (tscope == "global" || tscope == "admin") || user.Username == tscope {
+			// Remove from DB
+			if err = r.Repo.RemoveTagById(tid); err != nil {
+				log.Warn("Error while removing tag")
+				return nil, err
+			} else {
+				tags = append(tags, int(tid))
+			}
+		} else {
+			log.Warnf("Not authorized to remove tag: %d", tid)
+			return nil, fmt.Errorf("Not authorized to remove tag: %d", tid)
+		}
+	}
+	return tags, nil
+}
+
 // UpdateConfiguration is the resolver for the updateConfiguration field.
 func (r *mutationResolver) UpdateConfiguration(ctx context.Context, name string, value string) (*string, error) {
-	if err := repository.GetUserCfgRepo().UpdateConfig(name, value, auth.GetUser(ctx)); err != nil {
+	if err := repository.GetUserCfgRepo().UpdateConfig(name, value, repository.GetUserFromContext(ctx)); err != nil {
 		log.Warn("Error while updating user config")
 		return nil, err
 	}
@@ -156,12 +306,17 @@ func (r *queryResolver) Clusters(ctx context.Context) ([]*schema.Cluster, error)

 // Tags is the resolver for the tags field.
 func (r *queryResolver) Tags(ctx context.Context) ([]*schema.Tag, error) {
-	return r.Repo.GetTags(nil)
+	return r.Repo.GetTags(repository.GetUserFromContext(ctx), nil)
+}
+
+// GlobalMetrics is the resolver for the globalMetrics field.
+func (r *queryResolver) GlobalMetrics(ctx context.Context) ([]*schema.GlobalMetricListItem, error) {
+	return archive.GlobalMetricList, nil
 }

 // User is the resolver for the user field.
 func (r *queryResolver) User(ctx context.Context, username string) (*model.User, error) {
-	return auth.FetchUser(ctx, r.DB, username)
+	return repository.GetUserRepository().FetchUserInCtx(ctx, username)
 }

 // AllocatedNodes is the resolver for the allocatedNodes field.
@@ -191,13 +346,15 @@ func (r *queryResolver) Job(ctx context.Context, id string) (*schema.Job, error)
 		return nil, err
 	}

-	job, err := r.Repo.FindById(numericId)
+	job, err := r.Repo.FindById(ctx, numericId)
 	if err != nil {
 		log.Warn("Error while finding job by id")
 		return nil, err
 	}

-	if user := auth.GetUser(ctx); user != nil && job.User != user.Username && user.HasNotRoles([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user := repository.GetUserFromContext(ctx); user != nil &&
+		job.User != user.Username &&
+		user.HasNotRoles([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		return nil, errors.New("you are not allowed to see this job")
 	}

@@ -205,14 +362,24 @@ func (r *queryResolver) Job(ctx context.Context, id string) (*schema.Job, error)
 }

 // JobMetrics is the resolver for the jobMetrics field.
-func (r *queryResolver) JobMetrics(ctx context.Context, id string, metrics []string, scopes []schema.MetricScope) ([]*model.JobMetricWithName, error) {
+func (r *queryResolver) JobMetrics(ctx context.Context, id string, metrics []string, scopes []schema.MetricScope, resolution *int) ([]*model.JobMetricWithName, error) {
+	if resolution == nil { // Load from Config
+		if config.Keys.EnableResampling != nil {
+			defaultRes := slices.Max(config.Keys.EnableResampling.Resolutions)
+			resolution = &defaultRes
+		} else { // Set 0 (Loads configured metric timestep)
+			defaultRes := 0
+			resolution = &defaultRes
+		}
+	}
+
 	job, err := r.Query().Job(ctx, id)
 	if err != nil {
 		log.Warn("Error while querying job for metrics")
 		return nil, err
 	}

-	data, err := metricdata.LoadData(job, metrics, scopes, ctx)
+	data, err := metricDataDispatcher.LoadData(job, metrics, scopes, ctx, *resolution)
 	if err != nil {
 		log.Warn("Error while loading job data")
 		return nil, err
@@ -232,8 +399,72 @@ func (r *queryResolver) JobMetrics(ctx context.Context, id string, metrics []str
 	return res, err
 }

+// JobStats is the resolver for the jobStats field.
+func (r *queryResolver) JobStats(ctx context.Context, id string, metrics []string) ([]*model.JobStats, error) {
+	job, err := r.Query().Job(ctx, id)
+	if err != nil {
+		log.Warnf("Error while querying job %s for metadata", id)
+		return nil, err
+	}
+
+	data, err := metricDataDispatcher.LoadJobStats(job, metrics, ctx)
+	if err != nil {
+		log.Warnf("Error while loading jobStats data for job id %s", id)
+		return nil, err
+	}
+
+	res := []*model.JobStats{}
+	for name, md := range data {
+		res = append(res, &model.JobStats{
+			Name:  name,
+			Stats: &md,
+		})
+	}
+
+	return res, err
+}
+
+// ScopedJobStats is the resolver for the scopedJobStats field.
+func (r *queryResolver) ScopedJobStats(ctx context.Context, id string, metrics []string, scopes []schema.MetricScope) ([]*model.JobStatsWithScope, error) {
+	job, err := r.Query().Job(ctx, id)
+	if err != nil {
+		log.Warnf("Error while querying job %s for metadata", id)
+		return nil, err
+	}
+
+	data, err := metricDataDispatcher.LoadScopedJobStats(job, metrics, scopes, ctx)
+	if err != nil {
+		log.Warnf("Error while loading scopedJobStats data for job id %s", id)
+		return nil, err
+	}
+
+	res := make([]*model.JobStatsWithScope, 0)
+	for name, scoped := range data {
+		for scope, stats := range scoped {
+
+			mdlStats := make([]*model.ScopedStats, 0)
+			for _, stat := range stats {
+				mdlStats = append(mdlStats, &model.ScopedStats{
+					Hostname: stat.Hostname,
+					ID:       stat.Id,
+					Data:     stat.Data,
+				})
+			}
+
+			res = append(res, &model.JobStatsWithScope{
+				Name:  name,
+				Scope: scope,
+				Stats: mdlStats,
+			})
+		}
+	}
+
+	return res, nil
+}
+
 // JobsFootprints is the resolver for the jobsFootprints field.
 func (r *queryResolver) JobsFootprints(ctx context.Context, filter []*model.JobFilter, metrics []string) (*model.Footprints, error) {
+	// NOTE: Legacy Naming! This resolver is for normalized histograms in analysis view only - *Not* related to DB "footprint" column!
 	return r.jobsFootprints(ctx, filter, metrics)
 }

@@ -258,38 +489,63 @@ func (r *queryResolver) Jobs(ctx context.Context, filter []*model.JobFilter, pag
 		return nil, err
 	}

-	return &model.JobResultList{Items: jobs, Count: &count}, nil
+	// Note: Even if App-Default 'config.Keys.UiDefaults["job_list_usePaging"]' is set, always return hasNextPage boolean.
+	// Users can decide in frontend to use continuous scroll, even if app-default is paging!
+	/*
+	  Example Page 4 @ 10 IpP : Does item 41 exist?
+	  Minimal Page 41 @ 1 IpP : If len(result) is 1, Page 5 @ 10 IpP exists.
+	*/
+	nextPage := &model.PageRequest{
+		ItemsPerPage: 1,
+		Page:         ((page.Page * page.ItemsPerPage) + 1),
+	}
+	nextJobs, err := r.Repo.QueryJobs(ctx, filter, nextPage, order)
+	if err != nil {
+		log.Warn("Error while querying next jobs")
+		return nil, err
+	}
+
+	hasNextPage := false
+	if len(nextJobs) == 1 {
+		hasNextPage = true
+	}
+
+	return &model.JobResultList{Items: jobs, Count: &count, HasNextPage: &hasNextPage}, nil
 }

 // JobsStatistics is the resolver for the jobsStatistics field.
-func (r *queryResolver) JobsStatistics(ctx context.Context, filter []*model.JobFilter, groupBy *model.Aggregate) ([]*model.JobsStatistics, error) {
+func (r *queryResolver) JobsStatistics(ctx context.Context, filter []*model.JobFilter, metrics []string, page *model.PageRequest, sortBy *model.SortByAggregate, groupBy *model.Aggregate, numDurationBins *string, numMetricBins *int) ([]*model.JobsStatistics, error) {
 	var err error
 	var stats []*model.JobsStatistics

-	if requireField(ctx, "totalJobs") {
+	// Top Level Defaults
+	var defaultDurationBins string = "1h"
+	var defaultMetricBins int = 10
+
+	if requireField(ctx, "totalJobs") || requireField(ctx, "totalWalltime") || requireField(ctx, "totalNodes") || requireField(ctx, "totalCores") ||
+		requireField(ctx, "totalAccs") || requireField(ctx, "totalNodeHours") || requireField(ctx, "totalCoreHours") || requireField(ctx, "totalAccHours") {
 		if groupBy == nil {
 			stats, err = r.Repo.JobsStats(ctx, filter)
 		} else {
-			stats, err = r.Repo.JobsStatsGrouped(ctx, filter, groupBy)
+			stats, err = r.Repo.JobsStatsGrouped(ctx, filter, page, sortBy, groupBy)
 		}
 	} else {
 		stats = make([]*model.JobsStatistics, 0, 1)
-		stats = append(stats,
-			&model.JobsStatistics{})
+		stats = append(stats, &model.JobsStatistics{})
 	}

 	if groupBy != nil {
 		if requireField(ctx, "shortJobs") {
 			stats, err = r.Repo.AddJobCountGrouped(ctx, filter, groupBy, stats, "short")
 		}
-		if requireField(ctx, "RunningJobs") {
+		if requireField(ctx, "runningJobs") {
 			stats, err = r.Repo.AddJobCountGrouped(ctx, filter, groupBy, stats, "running")
 		}
 	} else {
 		if requireField(ctx, "shortJobs") {
 			stats, err = r.Repo.AddJobCount(ctx, filter, stats, "short")
 		}
-		if requireField(ctx, "RunningJobs") {
+		if requireField(ctx, "runningJobs") {
 			stats, err = r.Repo.AddJobCount(ctx, filter, stats, "running")
 		}
 	}
@@ -298,9 +554,14 @@ func (r *queryResolver) JobsStatistics(ctx context.Context, filter []*model.JobF
 		return nil, err
 	}

-	if requireField(ctx, "histDuration") || requireField(ctx, "histNumNodes") {
+	if requireField(ctx, "histDuration") || requireField(ctx, "histNumNodes") || requireField(ctx, "histNumCores") || requireField(ctx, "histNumAccs") {
+
+		if numDurationBins == nil {
+			numDurationBins = &defaultDurationBins
+		}
+
 		if groupBy == nil {
-			stats[0], err = r.Repo.AddHistograms(ctx, filter, stats[0])
+			stats[0], err = r.Repo.AddHistograms(ctx, filter, stats[0], numDurationBins)
 			if err != nil {
 				return nil, err
 			}
@@ -309,25 +570,23 @@ func (r *queryResolver) JobsStatistics(ctx context.Context, filter []*model.JobF
 		}
 	}

-	return stats, nil
-}
+	if requireField(ctx, "histMetrics") {

-// JobsCount is the resolver for the jobsCount field.
-func (r *queryResolver) JobsCount(ctx context.Context, filter []*model.JobFilter, groupBy model.Aggregate, weight *model.Weights, limit *int) ([]*model.Count, error) {
-	counts, err := r.Repo.CountGroupedJobs(ctx, groupBy, filter, weight, limit)
+		if numMetricBins == nil {
+			numMetricBins = &defaultMetricBins
+		}
+
+		if groupBy == nil {
+			stats[0], err = r.Repo.AddMetricHistograms(ctx, filter, metrics, stats[0], numMetricBins)
 			if err != nil {
-		log.Warn("Error while counting grouped jobs")
 				return nil, err
 			}
-
-	res := make([]*model.Count, 0, len(counts))
-	for name, count := range counts {
-		res = append(res, &model.Count{
-			Name:  name,
-			Count: count,
-		})
+		} else {
+			return nil, errors.New("metric histograms only implemented without groupBy argument")
 		}
-	return res, nil
+	}
+
+	return stats, nil
 }

 // RooflineHeatmap is the resolver for the rooflineHeatmap field.
@@ -337,9 +596,9 @@ func (r *queryResolver) RooflineHeatmap(ctx context.Context, filter []*model.Job

 // NodeMetrics is the resolver for the nodeMetrics field.
 func (r *queryResolver) NodeMetrics(ctx context.Context, cluster string, nodes []string, scopes []schema.MetricScope, metrics []string, from time.Time, to time.Time) ([]*model.NodeMetrics, error) {
-	user := auth.GetUser(ctx)
-	if user != nil && !user.HasRole(auth.RoleAdmin) {
-		return nil, errors.New("you need to be an administrator for this query")
+	user := repository.GetUserFromContext(ctx)
+	if user != nil && !user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) {
+		return nil, errors.New("you need to be administrator or support staff for this query")
 	}

 	if metrics == nil {
@@ -348,9 +607,9 @@ func (r *queryResolver) NodeMetrics(ctx context.Context, cluster string, nodes [
 		}
 	}

-	data, err := metricdata.LoadNodeData(cluster, metrics, nodes, scopes, from, to, ctx)
+	data, err := metricDataDispatcher.LoadNodeData(cluster, metrics, nodes, scopes, from, to, ctx)
 	if err != nil {
-		log.Warn("Error while loading node data")
+		log.Warn("error while loading node data")
 		return nil, err
 	}

@@ -360,7 +619,10 @@ func (r *queryResolver) NodeMetrics(ctx context.Context, cluster string, nodes [
 			Host:    hostname,
 			Metrics: make([]*model.JobMetricWithName, 0, len(metrics)*len(scopes)),
 		}
-		host.SubCluster, _ = archive.GetSubClusterByNode(cluster, hostname)
+		host.SubCluster, err = archive.GetSubClusterByNode(cluster, hostname)
+		if err != nil {
+			log.Warnf("error in nodeMetrics resolver: %s", err)
+		}

 		for metric, scopedMetrics := range metrics {
 			for _, scopedMetric := range scopedMetrics {
@@ -378,6 +640,68 @@ func (r *queryResolver) NodeMetrics(ctx context.Context, cluster string, nodes [
 	return nodeMetrics, nil
 }

+// NodeMetricsList is the resolver for the nodeMetricsList field.
+func (r *queryResolver) NodeMetricsList(ctx context.Context, cluster string, subCluster string, nodeFilter string, scopes []schema.MetricScope, metrics []string, from time.Time, to time.Time, page *model.PageRequest, resolution *int) (*model.NodesResultList, error) {
+	if resolution == nil { // Load from Config
+		if config.Keys.EnableResampling != nil {
+			defaultRes := slices.Max(config.Keys.EnableResampling.Resolutions)
+			resolution = &defaultRes
+		} else { // Set 0 (Loads configured metric timestep)
+			defaultRes := 0
+			resolution = &defaultRes
+		}
+	}
+
+	user := repository.GetUserFromContext(ctx)
+	if user != nil && !user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) {
+		return nil, errors.New("you need to be administrator or support staff for this query")
+	}
+
+	if metrics == nil {
+		for _, mc := range archive.GetCluster(cluster).MetricConfig {
+			metrics = append(metrics, mc.Name)
+		}
+	}
+
+	data, totalNodes, hasNextPage, err := metricDataDispatcher.LoadNodeListData(cluster, subCluster, nodeFilter, metrics, scopes, *resolution, from, to, page, ctx)
+	if err != nil {
+		log.Warn("error while loading node data")
+		return nil, err
+	}
+
+	nodeMetricsList := make([]*model.NodeMetrics, 0, len(data))
+	for hostname, metrics := range data {
+		host := &model.NodeMetrics{
+			Host:    hostname,
+			Metrics: make([]*model.JobMetricWithName, 0, len(metrics)*len(scopes)),
+		}
+		host.SubCluster, err = archive.GetSubClusterByNode(cluster, hostname)
+		if err != nil {
+			log.Warnf("error in nodeMetrics resolver: %s", err)
+		}
+
+		for metric, scopedMetrics := range metrics {
+			for scope, scopedMetric := range scopedMetrics {
+				host.Metrics = append(host.Metrics, &model.JobMetricWithName{
+					Name:   metric,
+					Scope:  scope,
+					Metric: scopedMetric,
+				})
+			}
+		}
+
+		nodeMetricsList = append(nodeMetricsList, host)
+	}
+
+	nodeMetricsListResult := &model.NodesResultList{
+		Items:       nodeMetricsList,
+		TotalNodes:  &totalNodes,
+		HasNextPage: &hasNextPage,
+	}
+
+	return nodeMetricsListResult, nil
+}
+
 // NumberOfNodes is the resolver for the numberOfNodes field.
 func (r *subClusterResolver) NumberOfNodes(ctx context.Context, obj *schema.SubCluster) (int, error) {
 	nodeList, err := archive.ParseNodeList(obj.Nodes)
@@ -393,6 +717,9 @@ func (r *Resolver) Cluster() generated.ClusterResolver { return &clusterResolver
 // Job returns generated.JobResolver implementation.
 func (r *Resolver) Job() generated.JobResolver { return &jobResolver{r} }

+// MetricValue returns generated.MetricValueResolver implementation.
+func (r *Resolver) MetricValue() generated.MetricValueResolver { return &metricValueResolver{r} }
+
 // Mutation returns generated.MutationResolver implementation.
 func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResolver{r} }

@@ -404,6 +731,7 @@ func (r *Resolver) SubCluster() generated.SubClusterResolver { return &subCluste

 type clusterResolver struct{ *Resolver }
 type jobResolver struct{ *Resolver }
+type metricValueResolver struct{ *Resolver }
 type mutationResolver struct{ *Resolver }
 type queryResolver struct{ *Resolver }
 type subClusterResolver struct{ *Resolver }
--- a/internal/graph/util.go
+++ b/internal/graph/util.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -6,15 +6,15 @@ package graph

 import (
 	"context"
-	"errors"
 	"fmt"
 	"math"

 	"github.com/99designs/gqlgen/graphql"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
-	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
+	"github.com/ClusterCockpit/cc-backend/internal/metricDataDispatcher"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	// "github.com/ClusterCockpit/cc-backend/pkg/archive"
 )

 const MAX_JOBS_FOR_ANALYSIS = 500
@@ -24,15 +24,15 @@ func (r *queryResolver) rooflineHeatmap(
 	ctx context.Context,
 	filter []*model.JobFilter,
 	rows int, cols int,
-	minX float64, minY float64, maxX float64, maxY float64) ([][]float64, error) {
-
+	minX float64, minY float64, maxX float64, maxY float64,
+) ([][]float64, error) {
 	jobs, err := r.Repo.QueryJobs(ctx, filter, &model.PageRequest{Page: 1, ItemsPerPage: MAX_JOBS_FOR_ANALYSIS + 1}, nil)
 	if err != nil {
 		log.Error("Error while querying jobs for roofline")
 		return nil, err
 	}
 	if len(jobs) > MAX_JOBS_FOR_ANALYSIS {
-		return nil, fmt.Errorf("GRAPH/STATS > too many jobs matched (max: %d)", MAX_JOBS_FOR_ANALYSIS)
+		return nil, fmt.Errorf("GRAPH/UTIL > too many jobs matched (max: %d)", MAX_JOBS_FOR_ANALYSIS)
 	}

 	fcols, frows := float64(cols), float64(rows)
@@ -47,22 +47,33 @@ func (r *queryResolver) rooflineHeatmap(
 			continue
 		}

-		jobdata, err := metricdata.LoadData(job, []string{"flops_any", "mem_bw"}, []schema.MetricScope{schema.MetricScopeNode}, ctx)
+		// metricConfigs := archive.GetCluster(job.Cluster).MetricConfig
+		// resolution := 0
+
+		// for _, mc := range metricConfigs {
+		// 	resolution = max(resolution, mc.Timestep)
+		// }
+
+		jobdata, err := metricDataDispatcher.LoadData(job, []string{"flops_any", "mem_bw"}, []schema.MetricScope{schema.MetricScopeNode}, ctx, 0)
 		if err != nil {
-			log.Error("Error while loading metrics for roofline")
+			log.Errorf("Error while loading roofline metrics for job %d", job.ID)
 			return nil, err
 		}

 		flops_, membw_ := jobdata["flops_any"], jobdata["mem_bw"]
 		if flops_ == nil && membw_ == nil {
-			return nil, fmt.Errorf("GRAPH/STATS > 'flops_any' or 'mem_bw' missing for job %d", job.ID)
+			log.Infof("rooflineHeatmap(): 'flops_any' or 'mem_bw' missing for job %d", job.ID)
+			continue
+			// return nil, fmt.Errorf("GRAPH/UTIL > 'flops_any' or 'mem_bw' missing for job %d", job.ID)
 		}

 		flops, ok1 := flops_["node"]
 		membw, ok2 := membw_["node"]
 		if !ok1 || !ok2 {
+			log.Info("rooflineHeatmap() query not implemented for where flops_any or mem_bw not available at 'node' level")
+			continue
 			// TODO/FIXME:
-			return nil, errors.New("GRAPH/STATS > todo: rooflineHeatmap() query not implemented for where flops_any or mem_bw not available at 'node' level")
+			// return nil, errors.New("GRAPH/UTIL > todo: rooflineHeatmap() query not implemented for where flops_any or mem_bw not available at 'node' level")
 		}

 		for n := 0; n < len(flops.Series); n++ {
@@ -98,7 +109,7 @@ func (r *queryResolver) jobsFootprints(ctx context.Context, filter []*model.JobF
 		return nil, err
 	}
 	if len(jobs) > MAX_JOBS_FOR_ANALYSIS {
-		return nil, fmt.Errorf("GRAPH/STATS > too many jobs matched (max: %d)", MAX_JOBS_FOR_ANALYSIS)
+		return nil, fmt.Errorf("GRAPH/UTIL > too many jobs matched (max: %d)", MAX_JOBS_FOR_ANALYSIS)
 	}

 	avgs := make([][]schema.Float, len(metrics))
@@ -106,18 +117,33 @@ func (r *queryResolver) jobsFootprints(ctx context.Context, filter []*model.JobF
 		avgs[i] = make([]schema.Float, 0, len(jobs))
 	}

-	nodehours := make([]schema.Float, 0, len(jobs))
+	timeweights := new(model.TimeWeights)
+	timeweights.NodeHours = make([]schema.Float, 0, len(jobs))
+	timeweights.AccHours = make([]schema.Float, 0, len(jobs))
+	timeweights.CoreHours = make([]schema.Float, 0, len(jobs))
+
 	for _, job := range jobs {
 		if job.MonitoringStatus == schema.MonitoringStatusDisabled || job.MonitoringStatus == schema.MonitoringStatusArchivingFailed {
 			continue
 		}

-		if err := metricdata.LoadAverages(job, metrics, avgs, ctx); err != nil {
+		if err := metricDataDispatcher.LoadAverages(job, metrics, avgs, ctx); err != nil {
 			log.Error("Error while loading averages for footprint")
 			return nil, err
 		}

-		nodehours = append(nodehours, schema.Float(float64(job.Duration)/60.0*float64(job.NumNodes)))
+		// #166 collect arrays: Null values or no null values?
+		timeweights.NodeHours = append(timeweights.NodeHours, schema.Float(float64(job.Duration)/60.0*float64(job.NumNodes)))
+		if job.NumAcc > 0 {
+			timeweights.AccHours = append(timeweights.AccHours, schema.Float(float64(job.Duration)/60.0*float64(job.NumAcc)))
+		} else {
+			timeweights.AccHours = append(timeweights.AccHours, schema.Float(1.0))
+		}
+		if job.NumHWThreads > 0 {
+			timeweights.CoreHours = append(timeweights.CoreHours, schema.Float(float64(job.Duration)/60.0*float64(job.NumHWThreads))) // SQLite HWThreads == Cores; numCoresForJob(job)
+		} else {
+			timeweights.CoreHours = append(timeweights.CoreHours, schema.Float(1.0))
+		}
 	}

 	res := make([]*model.MetricFootprints, len(avgs))
@@ -129,11 +155,34 @@ func (r *queryResolver) jobsFootprints(ctx context.Context, filter []*model.JobF
 	}

 	return &model.Footprints{
-		Nodehours: nodehours,
+		TimeWeights: timeweights,
 		Metrics:     res,
 	}, nil
 }

+// func numCoresForJob(job *schema.Job) (numCores int) {
+
+// 	subcluster, scerr := archive.GetSubCluster(job.Cluster, job.SubCluster)
+// 	if scerr != nil {
+// 		return 1
+// 	}
+
+// 	totalJobCores := 0
+// 	topology := subcluster.Topology
+
+// 	for _, host := range job.Resources {
+// 		hwthreads := host.HWThreads
+// 		if hwthreads == nil {
+// 			hwthreads = topology.Node
+// 		}
+
+// 		hostCores, _ := topology.GetCoresFromHWThreads(hwthreads)
+// 		totalJobCores += len(hostCores)
+// 	}
+
+// 	return totalJobCores
+// }
+
 func requireField(ctx context.Context, name string) bool {
 	fields := graphql.CollectAllFields(ctx)

--- a/internal/importer/handleImport.go
+++ b/internal/importer/handleImport.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -8,9 +8,9 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"math"
 	"os"
 	"strings"
-	"time"

 	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
@@ -42,8 +42,8 @@ func HandleImportFlag(flag string) error {
 		}
 		dec := json.NewDecoder(bytes.NewReader(raw))
 		dec.DisallowUnknownFields()
-		jobMeta := schema.JobMeta{BaseJob: schema.JobDefaults}
-		if err = dec.Decode(&jobMeta); err != nil {
+		job := schema.JobMeta{BaseJob: schema.JobDefaults}
+		if err = dec.Decode(&job); err != nil {
 			log.Warn("Error while decoding raw json metadata for import")
 			return err
 		}
@@ -67,32 +67,68 @@ func HandleImportFlag(flag string) error {
 			return err
 		}

-		// checkJobData(&jobData)
+		job.MonitoringStatus = schema.MonitoringStatusArchivingSuccessful

-		jobMeta.MonitoringStatus = schema.MonitoringStatusArchivingSuccessful
-
-		// if _, err = r.Find(&jobMeta.JobID, &jobMeta.Cluster, &jobMeta.StartTime); err != sql.ErrNoRows {
-		// 	if err != nil {
-		// 		log.Warn("Error while finding job in jobRepository")
-		// 		return err
-		// 	}
-		//
-		// 	return fmt.Errorf("REPOSITORY/INIT > a job with that jobId, cluster and startTime does already exist")
-		// }
-		//
-		job := schema.Job{
-			BaseJob:       jobMeta.BaseJob,
-			StartTime:     time.Unix(jobMeta.StartTime, 0),
-			StartTimeUnix: jobMeta.StartTime,
+		sc, err := archive.GetSubCluster(job.Cluster, job.SubCluster)
+		if err != nil {
+			log.Errorf("cannot get subcluster: %s", err.Error())
+			return err
 		}

-		// TODO: Other metrics...
-		job.LoadAvg = loadJobStat(&jobMeta, "cpu_load")
-		job.FlopsAnyAvg = loadJobStat(&jobMeta, "flops_any")
-		job.MemUsedMax = loadJobStat(&jobMeta, "mem_used")
-		job.MemBwAvg = loadJobStat(&jobMeta, "mem_bw")
-		job.NetBwAvg = loadJobStat(&jobMeta, "net_bw")
-		job.FileBwAvg = loadJobStat(&jobMeta, "file_bw")
+		job.Footprint = make(map[string]float64)
+
+		for _, fp := range sc.Footprint {
+			statType := "avg"
+
+			if i, err := archive.MetricIndex(sc.MetricConfig, fp); err != nil {
+				statType = sc.MetricConfig[i].Footprint
+			}
+
+			name := fmt.Sprintf("%s_%s", fp, statType)
+
+			job.Footprint[name] = repository.LoadJobStat(&job, fp, statType)
+		}
+
+		job.RawFootprint, err = json.Marshal(job.Footprint)
+		if err != nil {
+			log.Warn("Error while marshaling job footprint")
+			return err
+		}
+
+		job.EnergyFootprint = make(map[string]float64)
+
+		// Total Job Energy Outside Loop
+		totalEnergy := 0.0
+		for _, fp := range sc.EnergyFootprint {
+			// Always Init Metric Energy Inside Loop
+			metricEnergy := 0.0
+			if i, err := archive.MetricIndex(sc.MetricConfig, fp); err == nil {
+				// Note: For DB data, calculate and save as kWh
+				if sc.MetricConfig[i].Energy == "energy" { // this metric has energy as unit (Joules)
+					log.Warnf("Update EnergyFootprint for Job %d and Metric %s on cluster %s: Set to 'energy' in cluster.json: Not implemented, will return 0.0", job.JobID, job.Cluster, fp)
+					// FIXME: Needs sum as stats type
+				} else if sc.MetricConfig[i].Energy == "power" { // this metric has power as unit (Watt)
+					// Energy: Power (in Watts) * Time (in Seconds)
+					// Unit: (W * (s / 3600)) / 1000 = kWh
+					// Round 2 Digits: round(Energy * 100) / 100
+					// Here: (All-Node Metric Average * Number of Nodes) * (Job Duration in Seconds / 3600) / 1000
+					// Note: Shared Jobs handled correctly since "Node Average" is based on partial resources, while "numNodes" factor is 1
+					rawEnergy := ((repository.LoadJobStat(&job, fp, "avg") * float64(job.NumNodes)) * (float64(job.Duration) / 3600.0)) / 1000.0
+					metricEnergy = math.Round(rawEnergy*100.0) / 100.0
+				}
+			} else {
+				log.Warnf("Error while collecting energy metric %s for job, DB ID '%v', return '0.0'", fp, job.ID)
+			}
+
+			job.EnergyFootprint[fp] = metricEnergy
+			totalEnergy += metricEnergy
+		}
+
+		job.Energy = (math.Round(totalEnergy*100.0) / 100.0)
+		if job.RawEnergyFootprint, err = json.Marshal(job.EnergyFootprint); err != nil {
+			log.Warnf("Error while marshaling energy footprint for job INTO BYTES, DB ID '%v'", job.ID)
+			return err
+		}

 		job.RawResources, err = json.Marshal(job.Resources)
 		if err != nil {
@@ -110,7 +146,7 @@ func HandleImportFlag(flag string) error {
 			return err
 		}

-		if err = archive.GetHandle().ImportJob(&jobMeta, &jobData); err != nil {
+		if err = archive.GetHandle().ImportJob(&job, &jobData); err != nil {
 			log.Error("Error while importing job")
 			return err
 		}
@@ -122,8 +158,8 @@ func HandleImportFlag(flag string) error {
 		}

 		for _, tag := range job.Tags {
-			if _, err := r.AddTagOrCreate(id, tag.Type, tag.Name); err != nil {
-				log.Error("Error while adding or creating tag")
+			if err := r.ImportTag(id, tag.Type, tag.Name, tag.Scope); err != nil {
+				log.Error("Error while adding or creating tag on import")
 				return err
 			}
 		}
--- a/internal/importer/importer_test.go
+++ b/internal/importer/importer_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -42,6 +42,12 @@ func setup(t *testing.T) *repository.JobRepository {
 		"kind": "file",
 		"path": "./var/job-archive"
 	},
+    "jwts": {
+        "max-age": "2m"
+    },
+  "apiAllowedIPs": [
+    "*"
+  ],
 	"clusters": [
 	{
 	   "name": "testcluster",
@@ -79,7 +85,7 @@ func setup(t *testing.T) *repository.JobRepository {
 	if err := os.Mkdir(jobarchive, 0777); err != nil {
 		t.Fatal(err)
 	}
-	if err := os.WriteFile(filepath.Join(jobarchive, "version.txt"), []byte(fmt.Sprintf("%d", 1)), 0666); err != nil {
+	if err := os.WriteFile(filepath.Join(jobarchive, "version.txt"), []byte(fmt.Sprintf("%d", 2)), 0666); err != nil {
 		t.Fatal(err)
 	}
 	fritzArchive := filepath.Join(tmpdir, "job-archive", "fritz")
--- a/internal/importer/initDB.go
+++ b/internal/importer/initDB.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -7,6 +7,7 @@ package importer
 import (
 	"encoding/json"
 	"fmt"
+	"math"
 	"strings"
 	"time"

@@ -16,6 +17,11 @@ import (
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 )

+const (
+	addTagQuery = "INSERT INTO tag (tag_name, tag_type) VALUES (?, ?)"
+	setTagQuery = "INSERT INTO jobtag (job_id, tag_id) VALUES (?, ?)"
+)
+
 // Delete the tables "job", "tag" and "jobtag" from the database and
 // repopulate them using the jobs found in `archive`.
 func InitDB() error {
@@ -60,13 +66,66 @@ func InitDB() error {
 			StartTimeUnix: jobMeta.StartTime,
 		}

-		// TODO: Other metrics...
-		job.LoadAvg = loadJobStat(jobMeta, "cpu_load")
-		job.FlopsAnyAvg = loadJobStat(jobMeta, "flops_any")
-		job.MemUsedMax = loadJobStat(jobMeta, "mem_used")
-		job.MemBwAvg = loadJobStat(jobMeta, "mem_bw")
-		job.NetBwAvg = loadJobStat(jobMeta, "net_bw")
-		job.FileBwAvg = loadJobStat(jobMeta, "file_bw")
+		sc, err := archive.GetSubCluster(jobMeta.Cluster, jobMeta.SubCluster)
+		if err != nil {
+			log.Errorf("cannot get subcluster: %s", err.Error())
+			return err
+		}
+
+		job.Footprint = make(map[string]float64)
+
+		for _, fp := range sc.Footprint {
+			statType := "avg"
+
+			if i, err := archive.MetricIndex(sc.MetricConfig, fp); err != nil {
+				statType = sc.MetricConfig[i].Footprint
+			}
+
+			name := fmt.Sprintf("%s_%s", fp, statType)
+
+			job.Footprint[name] = repository.LoadJobStat(jobMeta, fp, statType)
+		}
+
+		job.RawFootprint, err = json.Marshal(job.Footprint)
+		if err != nil {
+			log.Warn("Error while marshaling job footprint")
+			return err
+		}
+
+		job.EnergyFootprint = make(map[string]float64)
+
+		// Total Job Energy Outside Loop
+		totalEnergy := 0.0
+		for _, fp := range sc.EnergyFootprint {
+			// Always Init Metric Energy Inside Loop
+			metricEnergy := 0.0
+			if i, err := archive.MetricIndex(sc.MetricConfig, fp); err == nil {
+				// Note: For DB data, calculate and save as kWh
+				if sc.MetricConfig[i].Energy == "energy" { // this metric has energy as unit (Joules)
+					log.Warnf("Update EnergyFootprint for Job %d and Metric %s on cluster %s: Set to 'energy' in cluster.json: Not implemented, will return 0.0", jobMeta.JobID, jobMeta.Cluster, fp)
+					// FIXME: Needs sum as stats type
+				} else if sc.MetricConfig[i].Energy == "power" { // this metric has power as unit (Watt)
+					// Energy: Power (in Watts) * Time (in Seconds)
+					// Unit: (W * (s / 3600)) / 1000 = kWh
+					// Round 2 Digits: round(Energy * 100) / 100
+					// Here: (All-Node Metric Average * Number of Nodes) * (Job Duration in Seconds / 3600) / 1000
+					// Note: Shared Jobs handled correctly since "Node Average" is based on partial resources, while "numNodes" factor is 1
+					rawEnergy := ((repository.LoadJobStat(jobMeta, fp, "avg") * float64(jobMeta.NumNodes)) * (float64(jobMeta.Duration) / 3600.0)) / 1000.0
+					metricEnergy = math.Round(rawEnergy*100.0) / 100.0
+				}
+			} else {
+				log.Warnf("Error while collecting energy metric %s for job, DB ID '%v', return '0.0'", fp, jobMeta.ID)
+			}
+
+			job.EnergyFootprint[fp] = metricEnergy
+			totalEnergy += metricEnergy
+		}
+
+		job.Energy = (math.Round(totalEnergy*100.0) / 100.0)
+		if job.RawEnergyFootprint, err = json.Marshal(job.EnergyFootprint); err != nil {
+			log.Warnf("Error while marshaling energy footprint for job INTO BYTES, DB ID '%v'", jobMeta.ID)
+			return err
+		}

 		job.RawResources, err = json.Marshal(job.Resources)
 		if err != nil {
@@ -88,7 +147,8 @@ func InitDB() error {
 			continue
 		}

-		id, err := r.TransactionAdd(t, job)
+		id, err := r.TransactionAddNamed(t,
+			repository.NamedJobInsert, job)
 		if err != nil {
 			log.Errorf("repository initDB(): %v", err)
 			errorOccured++
@@ -99,7 +159,9 @@ func InitDB() error {
 			tagstr := tag.Name + ":" + tag.Type
 			tagId, ok := tags[tagstr]
 			if !ok {
-				tagId, err = r.TransactionAddTag(t, tag)
+				tagId, err = r.TransactionAdd(t,
+					addTagQuery,
+					tag.Name, tag.Type)
 				if err != nil {
 					log.Errorf("Error adding tag: %v", err)
 					errorOccured++
@@ -108,7 +170,9 @@ func InitDB() error {
 				tags[tagstr] = tagId
 			}

-			r.TransactionSetTag(t, id, tagId)
+			r.TransactionAdd(t,
+				setTagQuery,
+				id, tagId)
 		}

 		if err == nil {
@@ -150,18 +214,6 @@ func SanityChecks(job *schema.BaseJob) error {
 	return nil
 }

-func loadJobStat(job *schema.JobMeta, metric string) float64 {
-	if stats, ok := job.Statistics[metric]; ok {
-		if metric == "mem_used" {
-			return stats.Max
-		} else {
-			return stats.Avg
-		}
-	}
-
-	return 0.0
-}
-
 func checkJobData(d *schema.JobData) error {
 	for _, scopes := range *d {
 		// var newUnit schema.Unit
--- a/internal/importer/normalize.go
+++ b/internal/importer/normalize.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
--- a/internal/importer/normalize_test.go
+++ b/internal/importer/normalize_test.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
--- a/internal/importer/testdata/cluster-fritz.json
+++ b/internal/importer/testdata/cluster-fritz.json
@@ -8,6 +8,7 @@
      },
      "scope": "node",
      "aggregation": "avg",
+      "footprint": "avg",
      "timestep": 60,
      "peak": 72,
      "normal": 72,
@@ -35,6 +36,7 @@
      },
      "scope": "node",
      "aggregation": "sum",
+      "footprint": "max",
      "timestep": 60,
      "peak": 256,
      "normal": 128,
@@ -49,6 +51,7 @@
      },
      "scope": "hwthread",
      "aggregation": "sum",
+      "footprint": "avg",
      "timestep": 60,
      "peak": 5600,
      "normal": 1000,
@@ -91,6 +94,7 @@
      },
      "scope": "socket",
      "aggregation": "sum",
+      "footprint": "avg",
      "timestep": 60,
      "peak": 350,
      "normal": 100,
--- a/internal/metricDataDispatcher/dataLoader.go
+++ b/internal/metricDataDispatcher/dataLoader.go
@@ -0,0 +1,383 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package metricDataDispatcher
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
+	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
+	"github.com/ClusterCockpit/cc-backend/pkg/archive"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/lrucache"
+	"github.com/ClusterCockpit/cc-backend/pkg/resampler"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+)
+
+var cache *lrucache.Cache = lrucache.New(128 * 1024 * 1024)
+
+func cacheKey(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+) string {
+	// Duration and StartTime do not need to be in the cache key as StartTime is less unique than
+	// job.ID and the TTL of the cache entry makes sure it does not stay there forever.
+	return fmt.Sprintf("%d(%s):[%v],[%v]-%d",
+		job.ID, job.State, metrics, scopes, resolution)
+}
+
+// Fetches the metric data for a job.
+func LoadData(job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context,
+	resolution int,
+) (schema.JobData, error) {
+	data := cache.Get(cacheKey(job, metrics, scopes, resolution), func() (_ interface{}, ttl time.Duration, size int) {
+		var jd schema.JobData
+		var err error
+
+		if job.State == schema.JobStateRunning ||
+			job.MonitoringStatus == schema.MonitoringStatusRunningOrArchiving ||
+			config.Keys.DisableArchive {
+
+			repo, err := metricdata.GetMetricDataRepo(job.Cluster)
+			if err != nil {
+				return fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", job.Cluster), 0, 0
+			}
+
+			if scopes == nil {
+				scopes = append(scopes, schema.MetricScopeNode)
+			}
+
+			if metrics == nil {
+				cluster := archive.GetCluster(job.Cluster)
+				for _, mc := range cluster.MetricConfig {
+					metrics = append(metrics, mc.Name)
+				}
+			}
+
+			jd, err = repo.LoadData(job, metrics, scopes, ctx, resolution)
+			if err != nil {
+				if len(jd) != 0 {
+					log.Warnf("partial error: %s", err.Error())
+					// return err, 0, 0 // Reactivating will block archiving on one partial error
+				} else {
+					log.Error("Error while loading job data from metric repository")
+					return err, 0, 0
+				}
+			}
+			size = jd.Size()
+		} else {
+			var jd_temp schema.JobData
+			jd_temp, err = archive.GetHandle().LoadJobData(job)
+			if err != nil {
+				log.Error("Error while loading job data from archive")
+				return err, 0, 0
+			}
+
+			//Deep copy the cached archive hashmap
+			jd = metricdata.DeepCopy(jd_temp)
+
+			//Resampling for archived data.
+			//Pass the resolution from frontend here.
+			for _, v := range jd {
+				for _, v_ := range v {
+					timestep := 0
+					for i := 0; i < len(v_.Series); i += 1 {
+						v_.Series[i].Data, timestep, err = resampler.LargestTriangleThreeBucket(v_.Series[i].Data, v_.Timestep, resolution)
+						if err != nil {
+							return err, 0, 0
+						}
+					}
+					v_.Timestep = timestep
+				}
+			}
+
+			// Avoid sending unrequested data to the client:
+			if metrics != nil || scopes != nil {
+				if metrics == nil {
+					metrics = make([]string, 0, len(jd))
+					for k := range jd {
+						metrics = append(metrics, k)
+					}
+				}
+
+				res := schema.JobData{}
+				for _, metric := range metrics {
+					if perscope, ok := jd[metric]; ok {
+						if len(perscope) > 1 {
+							subset := make(map[schema.MetricScope]*schema.JobMetric)
+							for _, scope := range scopes {
+								if jm, ok := perscope[scope]; ok {
+									subset[scope] = jm
+								}
+							}
+
+							if len(subset) > 0 {
+								perscope = subset
+							}
+						}
+
+						res[metric] = perscope
+					}
+				}
+				jd = res
+			}
+			size = jd.Size()
+		}
+
+		ttl = 5 * time.Hour
+		if job.State == schema.JobStateRunning {
+			ttl = 2 * time.Minute
+		}
+
+		// FIXME: Review: Is this really necessary or correct.
+		// Note: Lines 147-170 formerly known as prepareJobData(jobData, scopes)
+		// For /monitoring/job/<job> and some other places, flops_any and mem_bw need
+		// to be available at the scope 'node'. If a job has a lot of nodes,
+		// statisticsSeries should be available so that a min/median/max Graph can be
+		// used instead of a lot of single lines.
+		// NOTE: New StatsSeries will always be calculated as 'min/median/max'
+		//       Existing (archived) StatsSeries can be 'min/mean/max'!
+		const maxSeriesSize int = 15
+		for _, scopes := range jd {
+			for _, jm := range scopes {
+				if jm.StatisticsSeries != nil || len(jm.Series) <= maxSeriesSize {
+					continue
+				}
+
+				jm.AddStatisticsSeries()
+			}
+		}
+
+		nodeScopeRequested := false
+		for _, scope := range scopes {
+			if scope == schema.MetricScopeNode {
+				nodeScopeRequested = true
+			}
+		}
+
+		if nodeScopeRequested {
+			jd.AddNodeScope("flops_any")
+			jd.AddNodeScope("mem_bw")
+		}
+
+		// Round Resulting Stat Values
+		jd.RoundMetricStats()
+
+		return jd, ttl, size
+	})
+
+	if err, ok := data.(error); ok {
+		log.Error("Error in returned dataset")
+		return nil, err
+	}
+
+	return data.(schema.JobData), nil
+}
+
+// Used for the jobsFootprint GraphQL-Query. TODO: Rename/Generalize.
+func LoadAverages(
+	job *schema.Job,
+	metrics []string,
+	data [][]schema.Float,
+	ctx context.Context,
+) error {
+	if job.State != schema.JobStateRunning && !config.Keys.DisableArchive {
+		return archive.LoadAveragesFromArchive(job, metrics, data) // #166 change also here?
+	}
+
+	repo, err := metricdata.GetMetricDataRepo(job.Cluster)
+	if err != nil {
+		return fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", job.Cluster)
+	}
+
+	stats, err := repo.LoadStats(job, metrics, ctx) // #166 how to handle stats for acc normalizazion?
+	if err != nil {
+		log.Errorf("Error while loading statistics for job %v (User %v, Project %v)", job.JobID, job.User, job.Project)
+		return err
+	}
+
+	for i, m := range metrics {
+		nodes, ok := stats[m]
+		if !ok {
+			data[i] = append(data[i], schema.NaN)
+			continue
+		}
+
+		sum := 0.0
+		for _, node := range nodes {
+			sum += node.Avg
+		}
+		data[i] = append(data[i], schema.Float(sum))
+	}
+
+	return nil
+}
+
+// Used for statsTable in frontend: Return scoped statistics by metric.
+func LoadScopedJobStats(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context,
+) (schema.ScopedJobStats, error) {
+
+	if job.State != schema.JobStateRunning && !config.Keys.DisableArchive {
+		return archive.LoadScopedStatsFromArchive(job, metrics, scopes)
+	}
+
+	repo, err := metricdata.GetMetricDataRepo(job.Cluster)
+	if err != nil {
+		return nil, fmt.Errorf("job %d: no metric data repository configured for '%s'", job.JobID, job.Cluster)
+	}
+
+	scopedStats, err := repo.LoadScopedStats(job, metrics, scopes, ctx)
+	if err != nil {
+		log.Errorf("error while loading scoped statistics for job %d (User %s, Project %s)", job.JobID, job.User, job.Project)
+		return nil, err
+	}
+
+	return scopedStats, nil
+}
+
+// Used for polar plots in frontend: Aggregates statistics for all nodes to single values for job per metric.
+func LoadJobStats(
+	job *schema.Job,
+	metrics []string,
+	ctx context.Context,
+) (map[string]schema.MetricStatistics, error) {
+	if job.State != schema.JobStateRunning && !config.Keys.DisableArchive {
+		return archive.LoadStatsFromArchive(job, metrics)
+	}
+
+	data := make(map[string]schema.MetricStatistics, len(metrics))
+	repo, err := metricdata.GetMetricDataRepo(job.Cluster)
+	if err != nil {
+		return data, fmt.Errorf("job %d: no metric data repository configured for '%s'", job.JobID, job.Cluster)
+	}
+
+	stats, err := repo.LoadStats(job, metrics, ctx)
+	if err != nil {
+		log.Errorf("error while loading statistics for job %d (User %s, Project %s)", job.JobID, job.User, job.Project)
+		return data, err
+	}
+
+	for _, m := range metrics {
+		sum, avg, min, max := 0.0, 0.0, 0.0, 0.0
+		nodes, ok := stats[m]
+		if !ok {
+			data[m] = schema.MetricStatistics{Min: min, Avg: avg, Max: max}
+			continue
+		}
+
+		for _, node := range nodes {
+			sum += node.Avg
+			min = math.Min(min, node.Min)
+			max = math.Max(max, node.Max)
+		}
+
+		data[m] = schema.MetricStatistics{
+			Avg: (math.Round((sum/float64(job.NumNodes))*100) / 100),
+			Min: (math.Round(min*100) / 100),
+			Max: (math.Round(max*100) / 100),
+		}
+	}
+
+	return data, nil
+}
+
+// Used for the classic node/system view. Returns a map of nodes to a map of metrics.
+func LoadNodeData(
+	cluster string,
+	metrics, nodes []string,
+	scopes []schema.MetricScope,
+	from, to time.Time,
+	ctx context.Context,
+) (map[string]map[string][]*schema.JobMetric, error) {
+	repo, err := metricdata.GetMetricDataRepo(cluster)
+	if err != nil {
+		return nil, fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", cluster)
+	}
+
+	if metrics == nil {
+		for _, m := range archive.GetCluster(cluster).MetricConfig {
+			metrics = append(metrics, m.Name)
+		}
+	}
+
+	data, err := repo.LoadNodeData(cluster, metrics, nodes, scopes, from, to, ctx)
+	if err != nil {
+		if len(data) != 0 {
+			log.Warnf("partial error: %s", err.Error())
+		} else {
+			log.Error("Error while loading node data from metric repository")
+			return nil, err
+		}
+	}
+
+	if data == nil {
+		return nil, fmt.Errorf("METRICDATA/METRICDATA > the metric data repository for '%s' does not support this query", cluster)
+	}
+
+	return data, nil
+}
+
+func LoadNodeListData(
+	cluster, subCluster, nodeFilter string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+	from, to time.Time,
+	page *model.PageRequest,
+	ctx context.Context,
+) (map[string]schema.JobData, int, bool, error) {
+	repo, err := metricdata.GetMetricDataRepo(cluster)
+	if err != nil {
+		return nil, 0, false, fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", cluster)
+	}
+
+	if metrics == nil {
+		for _, m := range archive.GetCluster(cluster).MetricConfig {
+			metrics = append(metrics, m.Name)
+		}
+	}
+
+	data, totalNodes, hasNextPage, err := repo.LoadNodeListData(cluster, subCluster, nodeFilter, metrics, scopes, resolution, from, to, page, ctx)
+	if err != nil {
+		if len(data) != 0 {
+			log.Warnf("partial error: %s", err.Error())
+		} else {
+			log.Error("Error while loading node data from metric repository")
+			return nil, totalNodes, hasNextPage, err
+		}
+	}
+
+	// NOTE: New StatsSeries will always be calculated as 'min/median/max'
+	const maxSeriesSize int = 8
+	for _, jd := range data {
+		for _, scopes := range jd {
+			for _, jm := range scopes {
+				if jm.StatisticsSeries != nil || len(jm.Series) < maxSeriesSize {
+					continue
+				}
+				jm.AddStatisticsSeries()
+			}
+		}
+	}
+
+	if data == nil {
+		return nil, totalNodes, hasNextPage, fmt.Errorf("METRICDATA/METRICDATA > the metric data repository for '%s' does not support this query", cluster)
+	}
+
+	return data, totalNodes, hasNextPage, nil
+}
--- a/internal/metricdata/cc-metric-store.go
+++ b/internal/metricdata/cc-metric-store.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -11,10 +11,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"sort"
 	"strconv"
 	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -32,32 +34,33 @@ type CCMetricStoreConfig struct {
 }

 type CCMetricStore struct {
+	here2there    map[string]string
+	there2here    map[string]string
+	client        http.Client
 	jwt           string
 	url           string
 	queryEndpoint string
-	client        http.Client
-	here2there    map[string]string
-	there2here    map[string]string
 }

 type ApiQueryRequest struct {
 	Cluster     string     `json:"cluster"`
+	Queries     []ApiQuery `json:"queries"`
+	ForAllNodes []string   `json:"for-all-nodes"`
 	From        int64      `json:"from"`
 	To          int64      `json:"to"`
 	WithStats   bool       `json:"with-stats"`
 	WithData    bool       `json:"with-data"`
-	Queries     []ApiQuery `json:"queries"`
-	ForAllNodes []string   `json:"for-all-nodes"`
 }

 type ApiQuery struct {
+	Type       *string  `json:"type,omitempty"`
+	SubType    *string  `json:"subtype,omitempty"`
 	Metric     string   `json:"metric"`
 	Hostname   string   `json:"host"`
-	Aggregate  bool     `json:"aggreg"`
-	Type       *string  `json:"type,omitempty"`
+	Resolution int      `json:"resolution"`
 	TypeIds    []string `json:"type-ids,omitempty"`
-	SubType    *string  `json:"subtype,omitempty"`
 	SubTypeIds []string `json:"subtype-ids,omitempty"`
+	Aggregate  bool     `json:"aggreg"`
 }

 type ApiQueryResponse struct {
@@ -67,16 +70,16 @@ type ApiQueryResponse struct {

 type ApiMetricData struct {
 	Error      *string        `json:"error"`
+	Data       []schema.Float `json:"data"`
 	From       int64          `json:"from"`
 	To         int64          `json:"to"`
-	Data  []schema.Float `json:"data"`
+	Resolution int            `json:"resolution"`
 	Avg        schema.Float   `json:"avg"`
 	Min        schema.Float   `json:"min"`
 	Max        schema.Float   `json:"max"`
 }

 func (ccms *CCMetricStore) Init(rawConfig json.RawMessage) error {
-
 	var config CCMetricStoreConfig
 	if err := json.Unmarshal(rawConfig, &config); err != nil {
 		log.Warn("Error while unmarshaling raw json config")
@@ -122,26 +125,33 @@ func (ccms *CCMetricStore) toLocalName(metric string) string {

 func (ccms *CCMetricStore) doRequest(
 	ctx context.Context,
-	body *ApiQueryRequest) (*ApiQueryResponse, error) {
-
+	body *ApiQueryRequest,
+) (*ApiQueryResponse, error) {
 	buf := &bytes.Buffer{}
 	if err := json.NewEncoder(buf).Encode(body); err != nil {
-		log.Warn("Error while encoding request body")
+		log.Errorf("Error while encoding request body: %s", err.Error())
 		return nil, err
 	}

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, ccms.queryEndpoint, buf)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, ccms.queryEndpoint, buf)
 	if err != nil {
-		log.Warn("Error while building request body")
+		log.Errorf("Error while building request body: %s", err.Error())
 		return nil, err
 	}
 	if ccms.jwt != "" {
 		req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ccms.jwt))
 	}

+	// versioning the cc-metric-store query API.
+	// v2 = data with resampling
+	// v1 = data without resampling
+	q := req.URL.Query()
+	q.Add("version", "v2")
+	req.URL.RawQuery = q.Encode()
+
 	res, err := ccms.client.Do(req)
 	if err != nil {
-		log.Error("Error while performing request")
+		log.Errorf("Error while performing request: %s", err.Error())
 		return nil, err
 	}

@@ -151,7 +161,7 @@ func (ccms *CCMetricStore) doRequest(

 	var resBody ApiQueryResponse
 	if err := json.NewDecoder(bufio.NewReader(res.Body)).Decode(&resBody); err != nil {
-		log.Warn("Error while decoding result body")
+		log.Errorf("Error while decoding result body: %s", err.Error())
 		return nil, err
 	}

@@ -162,11 +172,12 @@ func (ccms *CCMetricStore) LoadData(
 	job *schema.Job,
 	metrics []string,
 	scopes []schema.MetricScope,
-	ctx context.Context) (schema.JobData, error) {
-
-	queries, assignedScope, err := ccms.buildQueries(job, metrics, scopes)
+	ctx context.Context,
+	resolution int,
+) (schema.JobData, error) {
+	queries, assignedScope, err := ccms.buildQueries(job, metrics, scopes, resolution)
 	if err != nil {
-		log.Warn("Error while building queries")
+		log.Errorf("Error while building queries for jobId %d, Metrics %v, Scopes %v: %s", job.JobID, metrics, scopes, err.Error())
 		return nil, err
 	}

@@ -181,12 +192,12 @@ func (ccms *CCMetricStore) LoadData(

 	resBody, err := ccms.doRequest(ctx, &req)
 	if err != nil {
-		log.Error("Error while performing request")
+		log.Errorf("Error while performing request: %s", err.Error())
 		return nil, err
 	}

 	var errors []string
-	var jobData schema.JobData = make(schema.JobData)
+	jobData := make(schema.JobData)
 	for i, row := range resBody.Results {
 		query := req.Queries[i]
 		metric := ccms.toLocalName(query.Metric)
@@ -196,17 +207,22 @@ func (ccms *CCMetricStore) LoadData(
 			jobData[metric] = make(map[schema.MetricScope]*schema.JobMetric)
 		}

+		res := mc.Timestep
+		if len(row) > 0 {
+			res = row[0].Resolution
+		}
+
 		jobMetric, ok := jobData[metric][scope]
 		if !ok {
 			jobMetric = &schema.JobMetric{
 				Unit:     mc.Unit,
-				Timestep: mc.Timestep,
+				Timestep: res,
 				Series:   make([]schema.Series, 0),
 			}
 			jobData[metric][scope] = jobMetric
 		}

-		for _, res := range row {
+		for ndx, res := range row {
 			if res.Error != nil {
 				/* Build list for "partial errors", if any */
 				errors = append(errors, fmt.Sprintf("failed to fetch '%s' from host '%s': %s", query.Metric, query.Hostname, *res.Error))
@@ -216,12 +232,11 @@ func (ccms *CCMetricStore) LoadData(
 			id := (*string)(nil)
 			if query.Type != nil {
 				id = new(string)
-				*id = query.TypeIds[0]
+				*id = query.TypeIds[ndx]
 			}

 			if res.Avg.IsNaN() || res.Min.IsNaN() || res.Max.IsNaN() {
-				// TODO: use schema.Float instead of float64?
-				// This is done because regular float64 can not be JSONed when NaN.
+				// "schema.Float()" because regular float64 can not be JSONed when NaN.
 				res.Avg = schema.Float(0)
 				res.Min = schema.Float(0)
 				res.Max = schema.Float(0)
@@ -252,7 +267,6 @@ func (ccms *CCMetricStore) LoadData(
 		/* Returns list for "partial errors" */
 		return jobData, fmt.Errorf("METRICDATA/CCMS > Errors: %s", strings.Join(errors, ", "))
 	}
-
 	return jobData, nil
 }

@@ -267,8 +281,9 @@ var (
 func (ccms *CCMetricStore) buildQueries(
 	job *schema.Job,
 	metrics []string,
-	scopes []schema.MetricScope) ([]ApiQuery, []schema.MetricScope, error) {
-
+	scopes []schema.MetricScope,
+	resolution int,
+) ([]ApiQuery, []schema.MetricScope, error) {
 	queries := make([]ApiQuery, 0, len(metrics)*len(scopes)*len(job.Resources))
 	assignedScope := []schema.MetricScope{}

@@ -287,6 +302,20 @@ func (ccms *CCMetricStore) buildQueries(
 			continue
 		}

+		// Skip if metric is removed for subcluster
+		if len(mc.SubClusters) != 0 {
+			isRemoved := false
+			for _, scConfig := range mc.SubClusters {
+				if scConfig.Name == job.SubCluster && scConfig.Remove == true {
+					isRemoved = true
+					break
+				}
+			}
+			if isRemoved {
+				continue
+			}
+		}
+
 		// Avoid duplicates...
 		handledScopes := make([]schema.MetricScope, 0, 3)

@@ -313,12 +342,18 @@ func (ccms *CCMetricStore) buildQueries(

 				// Accelerator -> Accelerator (Use "accelerator" scope if requested scope is lower than node)
 				if nativeScope == schema.MetricScopeAccelerator && scope.LT(schema.MetricScopeNode) {
+					if scope != schema.MetricScopeAccelerator {
+						// Skip all other catched cases
+						continue
+					}
+
 					queries = append(queries, ApiQuery{
 						Metric:     remoteName,
 						Hostname:   host.Hostname,
 						Aggregate:  false,
 						Type:       &acceleratorString,
 						TypeIds:    host.Accelerators,
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, schema.MetricScopeAccelerator)
 					continue
@@ -336,6 +371,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  true,
 						Type:       &acceleratorString,
 						TypeIds:    host.Accelerators,
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -349,6 +385,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  false,
 						Type:       &hwthreadString,
 						TypeIds:    intToStringSlice(hwthreads),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -364,6 +401,7 @@ func (ccms *CCMetricStore) buildQueries(
 							Aggregate:  true,
 							Type:       &hwthreadString,
 							TypeIds:    intToStringSlice(topology.Core[core]),
+							Resolution: resolution,
 						})
 						assignedScope = append(assignedScope, scope)
 					}
@@ -380,6 +418,7 @@ func (ccms *CCMetricStore) buildQueries(
 							Aggregate:  true,
 							Type:       &hwthreadString,
 							TypeIds:    intToStringSlice(topology.Socket[socket]),
+							Resolution: resolution,
 						})
 						assignedScope = append(assignedScope, scope)
 					}
@@ -394,6 +433,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  true,
 						Type:       &hwthreadString,
 						TypeIds:    intToStringSlice(hwthreads),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -408,11 +448,29 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  false,
 						Type:       &coreString,
 						TypeIds:    intToStringSlice(cores),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
 				}

+				// Core -> Socket
+				if nativeScope == schema.MetricScopeCore && scope == schema.MetricScopeSocket {
+					sockets, _ := topology.GetSocketsFromCores(hwthreads)
+					for _, socket := range sockets {
+						queries = append(queries, ApiQuery{
+							Metric:     remoteName,
+							Hostname:   host.Hostname,
+							Aggregate:  true,
+							Type:       &coreString,
+							TypeIds:    intToStringSlice(topology.Socket[socket]),
+							Resolution: resolution,
+						})
+						assignedScope = append(assignedScope, scope)
+					}
+					continue
+				}
+
 				// Core -> Node
 				if nativeScope == schema.MetricScopeCore && scope == schema.MetricScopeNode {
 					cores, _ := topology.GetCoresFromHWThreads(hwthreads)
@@ -422,6 +480,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  true,
 						Type:       &coreString,
 						TypeIds:    intToStringSlice(cores),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -436,6 +495,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  false,
 						Type:       &memoryDomainString,
 						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -450,6 +510,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  true,
 						Type:       &memoryDomainString,
 						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -464,6 +525,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  false,
 						Type:       &socketString,
 						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -478,6 +540,7 @@ func (ccms *CCMetricStore) buildQueries(
 						Aggregate:  true,
 						Type:       &socketString,
 						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -488,6 +551,7 @@ func (ccms *CCMetricStore) buildQueries(
 					queries = append(queries, ApiQuery{
 						Metric:     remoteName,
 						Hostname:   host.Hostname,
+						Resolution: resolution,
 					})
 					assignedScope = append(assignedScope, scope)
 					continue
@@ -504,11 +568,12 @@ func (ccms *CCMetricStore) buildQueries(
 func (ccms *CCMetricStore) LoadStats(
 	job *schema.Job,
 	metrics []string,
-	ctx context.Context) (map[string]map[string]schema.MetricStatistics, error) {
+	ctx context.Context,
+) (map[string]map[string]schema.MetricStatistics, error) {

-	queries, _, err := ccms.buildQueries(job, metrics, []schema.MetricScope{schema.MetricScopeNode})
+	queries, _, err := ccms.buildQueries(job, metrics, []schema.MetricScope{schema.MetricScopeNode}, 0) // #166 Add scope shere for analysis view accelerator normalization?
 	if err != nil {
-		log.Warn("Error while building query")
+		log.Errorf("Error while building queries for jobId %d, Metrics %v: %s", job.JobID, metrics, err.Error())
 		return nil, err
 	}

@@ -523,7 +588,7 @@ func (ccms *CCMetricStore) LoadStats(

 	resBody, err := ccms.doRequest(ctx, &req)
 	if err != nil {
-		log.Error("Error while performing request")
+		log.Errorf("Error while performing request: %s", err.Error())
 		return nil, err
 	}

@@ -533,7 +598,8 @@ func (ccms *CCMetricStore) LoadStats(
 		metric := ccms.toLocalName(query.Metric)
 		data := res[0]
 		if data.Error != nil {
-			return nil, fmt.Errorf("METRICDATA/CCMS > fetching %s for node %s failed: %s", metric, query.Hostname, *data.Error)
+			log.Errorf("fetching %s for node %s failed: %s", metric, query.Hostname, *data.Error)
+			continue
 		}

 		metricdata, ok := stats[metric]
@@ -543,7 +609,8 @@ func (ccms *CCMetricStore) LoadStats(
 		}

 		if data.Avg.IsNaN() || data.Min.IsNaN() || data.Max.IsNaN() {
-			return nil, fmt.Errorf("METRICDATA/CCMS > fetching %s for node %s failed: %s", metric, query.Hostname, "avg/min/max is NaN")
+			log.Warnf("fetching %s for node %s failed: one of avg/min/max is NaN", metric, query.Hostname)
+			continue
 		}

 		metricdata[query.Hostname] = schema.MetricStatistics{
@@ -556,14 +623,105 @@ func (ccms *CCMetricStore) LoadStats(
 	return stats, nil
 }

-// TODO: Support sub-node-scope metrics! For this, the partition of a node needs to be known!
+// Used for Job-View Statistics Table
+func (ccms *CCMetricStore) LoadScopedStats(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context,
+) (schema.ScopedJobStats, error) {
+	queries, assignedScope, err := ccms.buildQueries(job, metrics, scopes, 0)
+	if err != nil {
+		log.Errorf("Error while building queries for jobId %d, Metrics %v, Scopes %v: %s", job.JobID, metrics, scopes, err.Error())
+		return nil, err
+	}
+
+	req := ApiQueryRequest{
+		Cluster:   job.Cluster,
+		From:      job.StartTime.Unix(),
+		To:        job.StartTime.Add(time.Duration(job.Duration) * time.Second).Unix(),
+		Queries:   queries,
+		WithStats: true,
+		WithData:  false,
+	}
+
+	resBody, err := ccms.doRequest(ctx, &req)
+	if err != nil {
+		log.Errorf("Error while performing request: %s", err.Error())
+		return nil, err
+	}
+
+	var errors []string
+	scopedJobStats := make(schema.ScopedJobStats)
+
+	for i, row := range resBody.Results {
+		query := req.Queries[i]
+		metric := ccms.toLocalName(query.Metric)
+		scope := assignedScope[i]
+
+		if _, ok := scopedJobStats[metric]; !ok {
+			scopedJobStats[metric] = make(map[schema.MetricScope][]*schema.ScopedStats)
+		}
+
+		if _, ok := scopedJobStats[metric][scope]; !ok {
+			scopedJobStats[metric][scope] = make([]*schema.ScopedStats, 0)
+		}
+
+		for ndx, res := range row {
+			if res.Error != nil {
+				/* Build list for "partial errors", if any */
+				errors = append(errors, fmt.Sprintf("failed to fetch '%s' from host '%s': %s", query.Metric, query.Hostname, *res.Error))
+				continue
+			}
+
+			id := (*string)(nil)
+			if query.Type != nil {
+				id = new(string)
+				*id = query.TypeIds[ndx]
+			}
+
+			if res.Avg.IsNaN() || res.Min.IsNaN() || res.Max.IsNaN() {
+				// "schema.Float()" because regular float64 can not be JSONed when NaN.
+				res.Avg = schema.Float(0)
+				res.Min = schema.Float(0)
+				res.Max = schema.Float(0)
+			}
+
+			scopedJobStats[metric][scope] = append(scopedJobStats[metric][scope], &schema.ScopedStats{
+				Hostname: query.Hostname,
+				Id:       id,
+				Data: &schema.MetricStatistics{
+					Avg: float64(res.Avg),
+					Min: float64(res.Min),
+					Max: float64(res.Max),
+				},
+			})
+		}
+
+		// So that one can later check len(scopedJobStats[metric][scope]): Remove from map if empty
+		if len(scopedJobStats[metric][scope]) == 0 {
+			delete(scopedJobStats[metric], scope)
+			if len(scopedJobStats[metric]) == 0 {
+				delete(scopedJobStats, metric)
+			}
+		}
+	}
+
+	if len(errors) != 0 {
+		/* Returns list for "partial errors" */
+		return scopedJobStats, fmt.Errorf("METRICDATA/CCMS > Errors: %s", strings.Join(errors, ", "))
+	}
+	return scopedJobStats, nil
+}
+
+// Used for Systems-View Node-Overview
 func (ccms *CCMetricStore) LoadNodeData(
 	cluster string,
 	metrics, nodes []string,
 	scopes []schema.MetricScope,
 	from, to time.Time,
-	ctx context.Context) (map[string]map[string][]*schema.JobMetric, error) {
-
+	ctx context.Context,
+) (map[string]map[string][]*schema.JobMetric, error) {
 	req := ApiQueryRequest{
 		Cluster:   cluster,
 		From:      from.Unix(),
@@ -582,6 +740,7 @@ func (ccms *CCMetricStore) LoadNodeData(
 				req.Queries = append(req.Queries, ApiQuery{
 					Hostname:   node,
 					Metric:     ccms.toRemoteName(metric),
+					Resolution: 0, // Default for Node Queries: Will return metric $Timestep Resolution
 				})
 			}
 		}
@@ -589,7 +748,7 @@ func (ccms *CCMetricStore) LoadNodeData(

 	resBody, err := ccms.doRequest(ctx, &req)
 	if err != nil {
-		log.Error("Error while performing request")
+		log.Errorf("Error while performing request: %s", err.Error())
 		return nil, err
 	}

@@ -647,8 +806,478 @@ func (ccms *CCMetricStore) LoadNodeData(
 	return data, nil
 }

-func intToStringSlice(is []int) []string {
+// Used for Systems-View Node-List
+func (ccms *CCMetricStore) LoadNodeListData(
+	cluster, subCluster, nodeFilter string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+	from, to time.Time,
+	page *model.PageRequest,
+	ctx context.Context,
+) (map[string]schema.JobData, int, bool, error) {

+	// 0) Init additional vars
+	var totalNodes int = 0
+	var hasNextPage bool = false
+
+	// 1) Get list of all nodes
+	var nodes []string
+	if subCluster != "" {
+		scNodes := archive.NodeLists[cluster][subCluster]
+		nodes = scNodes.PrintList()
+	} else {
+		subClusterNodeLists := archive.NodeLists[cluster]
+		for _, nodeList := range subClusterNodeLists {
+			nodes = append(nodes, nodeList.PrintList()...)
+		}
+	}
+
+	// 2) Filter nodes
+	if nodeFilter != "" {
+		filteredNodes := []string{}
+		for _, node := range nodes {
+			if strings.Contains(node, nodeFilter) {
+				filteredNodes = append(filteredNodes, node)
+			}
+		}
+		nodes = filteredNodes
+	}
+
+	// 2.1) Count total nodes && Sort nodes -> Sorting invalidated after ccms return ...
+	totalNodes = len(nodes)
+	sort.Strings(nodes)
+
+	// 3) Apply paging
+	if len(nodes) > page.ItemsPerPage {
+		start := (page.Page - 1) * page.ItemsPerPage
+		end := start + page.ItemsPerPage
+		if end > len(nodes) {
+			end = len(nodes)
+			hasNextPage = false
+		} else {
+			hasNextPage = true
+		}
+		nodes = nodes[start:end]
+	}
+
+	// Note: Order of node data is not guaranteed after this point, but contents match page and filter criteria
+
+	queries, assignedScope, err := ccms.buildNodeQueries(cluster, subCluster, nodes, metrics, scopes, resolution)
+	if err != nil {
+		log.Errorf("Error while building node queries for Cluster %s, SubCLuster %s, Metrics %v, Scopes %v: %s", cluster, subCluster, metrics, scopes, err.Error())
+		return nil, totalNodes, hasNextPage, err
+	}
+
+	req := ApiQueryRequest{
+		Cluster:   cluster,
+		Queries:   queries,
+		From:      from.Unix(),
+		To:        to.Unix(),
+		WithStats: true,
+		WithData:  true,
+	}
+
+	resBody, err := ccms.doRequest(ctx, &req)
+	if err != nil {
+		log.Errorf("Error while performing request: %s", err.Error())
+		return nil, totalNodes, hasNextPage, err
+	}
+
+	var errors []string
+	data := make(map[string]schema.JobData)
+	for i, row := range resBody.Results {
+		var query ApiQuery
+		if resBody.Queries != nil {
+			query = resBody.Queries[i]
+		} else {
+			query = req.Queries[i]
+		}
+		// qdata := res[0]
+		metric := ccms.toLocalName(query.Metric)
+		scope := assignedScope[i]
+		mc := archive.GetMetricConfig(cluster, metric)
+
+		res := mc.Timestep
+		if len(row) > 0 {
+			res = row[0].Resolution
+		}
+
+		// Init Nested Map Data Structures If Not Found
+		hostData, ok := data[query.Hostname]
+		if !ok {
+			hostData = make(schema.JobData)
+			data[query.Hostname] = hostData
+		}
+
+		metricData, ok := hostData[metric]
+		if !ok {
+			metricData = make(map[schema.MetricScope]*schema.JobMetric)
+			data[query.Hostname][metric] = metricData
+		}
+
+		scopeData, ok := metricData[scope]
+		if !ok {
+			scopeData = &schema.JobMetric{
+				Unit:     mc.Unit,
+				Timestep: res,
+				Series:   make([]schema.Series, 0),
+			}
+			data[query.Hostname][metric][scope] = scopeData
+		}
+
+		for ndx, res := range row {
+			if res.Error != nil {
+				/* Build list for "partial errors", if any */
+				errors = append(errors, fmt.Sprintf("failed to fetch '%s' from host '%s': %s", query.Metric, query.Hostname, *res.Error))
+				continue
+			}
+
+			id := (*string)(nil)
+			if query.Type != nil {
+				id = new(string)
+				*id = query.TypeIds[ndx]
+			}
+
+			if res.Avg.IsNaN() || res.Min.IsNaN() || res.Max.IsNaN() {
+				// "schema.Float()" because regular float64 can not be JSONed when NaN.
+				res.Avg = schema.Float(0)
+				res.Min = schema.Float(0)
+				res.Max = schema.Float(0)
+			}
+
+			scopeData.Series = append(scopeData.Series, schema.Series{
+				Hostname: query.Hostname,
+				Id:       id,
+				Statistics: schema.MetricStatistics{
+					Avg: float64(res.Avg),
+					Min: float64(res.Min),
+					Max: float64(res.Max),
+				},
+				Data: res.Data,
+			})
+		}
+	}
+
+	if len(errors) != 0 {
+		/* Returns list of "partial errors" */
+		return data, totalNodes, hasNextPage, fmt.Errorf("METRICDATA/CCMS > Errors: %s", strings.Join(errors, ", "))
+	}
+
+	return data, totalNodes, hasNextPage, nil
+}
+
+func (ccms *CCMetricStore) buildNodeQueries(
+	cluster string,
+	subCluster string,
+	nodes []string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+) ([]ApiQuery, []schema.MetricScope, error) {
+
+	queries := make([]ApiQuery, 0, len(metrics)*len(scopes)*len(nodes))
+	assignedScope := []schema.MetricScope{}
+
+	// Get Topol before loop if subCluster given
+	var subClusterTopol *schema.SubCluster
+	var scterr error
+	if subCluster != "" {
+		subClusterTopol, scterr = archive.GetSubCluster(cluster, subCluster)
+		if scterr != nil {
+			log.Errorf("could not load cluster %s subCluster %s topology: %s", cluster, subCluster, scterr.Error())
+			return nil, nil, scterr
+		}
+	}
+
+	for _, metric := range metrics {
+		remoteName := ccms.toRemoteName(metric)
+		mc := archive.GetMetricConfig(cluster, metric)
+		if mc == nil {
+			// return nil, fmt.Errorf("METRICDATA/CCMS > metric '%s' is not specified for cluster '%s'", metric, cluster)
+			log.Warnf("metric '%s' is not specified for cluster '%s'", metric, cluster)
+			continue
+		}
+
+		// Skip if metric is removed for subcluster
+		if mc.SubClusters != nil {
+			isRemoved := false
+			for _, scConfig := range mc.SubClusters {
+				if scConfig.Name == subCluster && scConfig.Remove == true {
+					isRemoved = true
+					break
+				}
+			}
+			if isRemoved {
+				continue
+			}
+		}
+
+		// Avoid duplicates...
+		handledScopes := make([]schema.MetricScope, 0, 3)
+
+	scopesLoop:
+		for _, requestedScope := range scopes {
+			nativeScope := mc.Scope
+
+			scope := nativeScope.Max(requestedScope)
+			for _, s := range handledScopes {
+				if scope == s {
+					continue scopesLoop
+				}
+			}
+			handledScopes = append(handledScopes, scope)
+
+			for _, hostname := range nodes {
+
+				// If no subCluster given, get it by node
+				if subCluster == "" {
+					subClusterName, scnerr := archive.GetSubClusterByNode(cluster, hostname)
+					if scnerr != nil {
+						return nil, nil, scnerr
+					}
+					subClusterTopol, scterr = archive.GetSubCluster(cluster, subClusterName)
+					if scterr != nil {
+						return nil, nil, scterr
+					}
+				}
+
+				// Always full node hwthread id list, no partial queries expected -> Use "topology.Node" directly where applicable
+				// Always full accelerator id list, no partial queries expected -> Use "acceleratorIds" directly where applicable
+				topology := subClusterTopol.Topology
+				acceleratorIds := topology.GetAcceleratorIDs()
+
+				// Moved check here if metric matches hardware specs
+				if nativeScope == schema.MetricScopeAccelerator && len(acceleratorIds) == 0 {
+					continue scopesLoop
+				}
+
+				// Accelerator -> Accelerator (Use "accelerator" scope if requested scope is lower than node)
+				if nativeScope == schema.MetricScopeAccelerator && scope.LT(schema.MetricScopeNode) {
+					if scope != schema.MetricScopeAccelerator {
+						// Skip all other catched cases
+						continue
+					}
+
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  false,
+						Type:       &acceleratorString,
+						TypeIds:    acceleratorIds,
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, schema.MetricScopeAccelerator)
+					continue
+				}
+
+				// Accelerator -> Node
+				if nativeScope == schema.MetricScopeAccelerator && scope == schema.MetricScopeNode {
+					if len(acceleratorIds) == 0 {
+						continue
+					}
+
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  true,
+						Type:       &acceleratorString,
+						TypeIds:    acceleratorIds,
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// HWThread -> HWThead
+				if nativeScope == schema.MetricScopeHWThread && scope == schema.MetricScopeHWThread {
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  false,
+						Type:       &hwthreadString,
+						TypeIds:    intToStringSlice(topology.Node),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// HWThread -> Core
+				if nativeScope == schema.MetricScopeHWThread && scope == schema.MetricScopeCore {
+					cores, _ := topology.GetCoresFromHWThreads(topology.Node)
+					for _, core := range cores {
+						queries = append(queries, ApiQuery{
+							Metric:     remoteName,
+							Hostname:   hostname,
+							Aggregate:  true,
+							Type:       &hwthreadString,
+							TypeIds:    intToStringSlice(topology.Core[core]),
+							Resolution: resolution,
+						})
+						assignedScope = append(assignedScope, scope)
+					}
+					continue
+				}
+
+				// HWThread -> Socket
+				if nativeScope == schema.MetricScopeHWThread && scope == schema.MetricScopeSocket {
+					sockets, _ := topology.GetSocketsFromHWThreads(topology.Node)
+					for _, socket := range sockets {
+						queries = append(queries, ApiQuery{
+							Metric:     remoteName,
+							Hostname:   hostname,
+							Aggregate:  true,
+							Type:       &hwthreadString,
+							TypeIds:    intToStringSlice(topology.Socket[socket]),
+							Resolution: resolution,
+						})
+						assignedScope = append(assignedScope, scope)
+					}
+					continue
+				}
+
+				// HWThread -> Node
+				if nativeScope == schema.MetricScopeHWThread && scope == schema.MetricScopeNode {
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  true,
+						Type:       &hwthreadString,
+						TypeIds:    intToStringSlice(topology.Node),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// Core -> Core
+				if nativeScope == schema.MetricScopeCore && scope == schema.MetricScopeCore {
+					cores, _ := topology.GetCoresFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  false,
+						Type:       &coreString,
+						TypeIds:    intToStringSlice(cores),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// Core -> Socket
+				if nativeScope == schema.MetricScopeCore && scope == schema.MetricScopeSocket {
+					sockets, _ := topology.GetSocketsFromCores(topology.Node)
+					for _, socket := range sockets {
+						queries = append(queries, ApiQuery{
+							Metric:     remoteName,
+							Hostname:   hostname,
+							Aggregate:  true,
+							Type:       &coreString,
+							TypeIds:    intToStringSlice(topology.Socket[socket]),
+							Resolution: resolution,
+						})
+						assignedScope = append(assignedScope, scope)
+					}
+					continue
+				}
+
+				// Core -> Node
+				if nativeScope == schema.MetricScopeCore && scope == schema.MetricScopeNode {
+					cores, _ := topology.GetCoresFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  true,
+						Type:       &coreString,
+						TypeIds:    intToStringSlice(cores),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// MemoryDomain -> MemoryDomain
+				if nativeScope == schema.MetricScopeMemoryDomain && scope == schema.MetricScopeMemoryDomain {
+					sockets, _ := topology.GetMemoryDomainsFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  false,
+						Type:       &memoryDomainString,
+						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// MemoryDoman -> Node
+				if nativeScope == schema.MetricScopeMemoryDomain && scope == schema.MetricScopeNode {
+					sockets, _ := topology.GetMemoryDomainsFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  true,
+						Type:       &memoryDomainString,
+						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// Socket -> Socket
+				if nativeScope == schema.MetricScopeSocket && scope == schema.MetricScopeSocket {
+					sockets, _ := topology.GetSocketsFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  false,
+						Type:       &socketString,
+						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// Socket -> Node
+				if nativeScope == schema.MetricScopeSocket && scope == schema.MetricScopeNode {
+					sockets, _ := topology.GetSocketsFromHWThreads(topology.Node)
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Aggregate:  true,
+						Type:       &socketString,
+						TypeIds:    intToStringSlice(sockets),
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				// Node -> Node
+				if nativeScope == schema.MetricScopeNode && scope == schema.MetricScopeNode {
+					queries = append(queries, ApiQuery{
+						Metric:     remoteName,
+						Hostname:   hostname,
+						Resolution: resolution,
+					})
+					assignedScope = append(assignedScope, scope)
+					continue
+				}
+
+				return nil, nil, fmt.Errorf("METRICDATA/CCMS > TODO: unhandled case: native-scope=%s, requested-scope=%s", nativeScope, requestedScope)
+			}
+		}
+	}
+
+	return queries, assignedScope, nil
+}
+
+func intToStringSlice(is []int) []string {
 	ss := make([]string, len(is))
 	for i, x := range is {
 		ss[i] = strconv.Itoa(x)
--- a/internal/metricdata/influxdb-v2.go
+++ b/internal/metricdata/influxdb-v2.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -10,9 +10,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
+	"sort"
 	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -60,7 +63,10 @@ func (idb *InfluxDBv2DataRepository) LoadData(
 	job *schema.Job,
 	metrics []string,
 	scopes []schema.MetricScope,
-	ctx context.Context) (schema.JobData, error) {
+	ctx context.Context,
+	resolution int) (schema.JobData, error) {
+
+	log.Infof("InfluxDB 2 Backend: Resolution Scaling not Implemented, will return default timestep. Requested Resolution %d", resolution)

 	measurementsConds := make([]string, 0, len(metrics))
 	for _, m := range metrics {
@@ -84,7 +90,7 @@ func (idb *InfluxDBv2DataRepository) LoadData(
 		query := ""
 		switch scope {
 		case "node":
-			// Get Finest Granularity, Groupy By Measurement and Hostname (== Metric / Node), Calculate Mean for 60s windows
+			// Get Finest Granularity, Groupy By Measurement and Hostname (== Metric / Node), Calculate Mean for 60s windows <-- Resolution could be added here?
 			// log.Info("Scope 'node' requested. ")
 			query = fmt.Sprintf(`
 								from(bucket: "%s")
@@ -114,6 +120,12 @@ func (idb *InfluxDBv2DataRepository) LoadData(
 			//  	idb.bucket,
 			//  	idb.formatTime(job.StartTime), idb.formatTime(idb.epochToTime(job.StartTimeUnix + int64(job.Duration) + int64(1) )),
 			//  	measurementsCond, hostsCond)
+		case "hwthread":
+			log.Info(" Scope 'hwthread' requested, but not yet supported: Will return 'node' scope only. ")
+			continue
+		case "accelerator":
+			log.Info(" Scope 'accelerator' requested, but not yet supported: Will return 'node' scope only. ")
+			continue
 		default:
 			log.Infof("Unknown scope '%s' requested: Will return 'node' scope.", scope)
 			continue
@@ -171,6 +183,11 @@ func (idb *InfluxDBv2DataRepository) LoadData(
 			}
 		case "socket":
 			continue
+		case "accelerator":
+			continue
+		case "hwthread":
+			// See below @ core
+			continue
 		case "core":
 			continue
 			// Include Series.Id in hostSeries
@@ -299,6 +316,53 @@ func (idb *InfluxDBv2DataRepository) LoadStats(
 	return stats, nil
 }

+// Used in Job-View StatsTable
+// UNTESTED
+func (idb *InfluxDBv2DataRepository) LoadScopedStats(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context) (schema.ScopedJobStats, error) {
+
+	// Assumption: idb.loadData() only returns series node-scope - use node scope for statsTable
+	scopedJobStats := make(schema.ScopedJobStats)
+	data, err := idb.LoadData(job, metrics, []schema.MetricScope{schema.MetricScopeNode}, ctx, 0 /*resolution here*/)
+	if err != nil {
+		log.Warn("Error while loading job for scopedJobStats")
+		return nil, err
+	}
+
+	for metric, metricData := range data {
+		for _, scope := range scopes {
+			if scope != schema.MetricScopeNode {
+				logOnce.Do(func() {
+					log.Infof("Note: Scope '%s' requested, but not yet supported: Will return 'node' scope only.", scope)
+				})
+				continue
+			}
+
+			if _, ok := scopedJobStats[metric]; !ok {
+				scopedJobStats[metric] = make(map[schema.MetricScope][]*schema.ScopedStats)
+			}
+
+			if _, ok := scopedJobStats[metric][scope]; !ok {
+				scopedJobStats[metric][scope] = make([]*schema.ScopedStats, 0)
+			}
+
+			for _, series := range metricData[scope].Series {
+				scopedJobStats[metric][scope] = append(scopedJobStats[metric][scope], &schema.ScopedStats{
+					Hostname: series.Hostname,
+					Data:     &series.Statistics,
+				})
+			}
+		}
+	}
+
+	return scopedJobStats, nil
+}
+
+// Used in Systems-View @ Node-Overview
+// UNTESTED
 func (idb *InfluxDBv2DataRepository) LoadNodeData(
 	cluster string,
 	metrics, nodes []string,
@@ -306,8 +370,206 @@ func (idb *InfluxDBv2DataRepository) LoadNodeData(
 	from, to time.Time,
 	ctx context.Context) (map[string]map[string][]*schema.JobMetric, error) {

-	// TODO : Implement to be used in Analysis- und System/Node-View
-	log.Infof("LoadNodeData unimplemented for InfluxDBv2DataRepository, Args: cluster %s, metrics %v, nodes %v, scopes %v", cluster, metrics, nodes, scopes)
+	// Note: scopes[] Array will be ignored, only return node scope

-	return nil, errors.New("METRICDATA/INFLUXV2 > unimplemented for InfluxDBv2DataRepository")
+	// CONVERT ARGS TO INFLUX
+	measurementsConds := make([]string, 0)
+	for _, m := range metrics {
+		measurementsConds = append(measurementsConds, fmt.Sprintf(`r["_measurement"] == "%s"`, m))
+	}
+	measurementsCond := strings.Join(measurementsConds, " or ")
+
+	hostsConds := make([]string, 0)
+	if nodes == nil {
+		var allNodes []string
+		subClusterNodeLists := archive.NodeLists[cluster]
+		for _, nodeList := range subClusterNodeLists {
+			allNodes = append(nodes, nodeList.PrintList()...)
+		}
+		for _, node := range allNodes {
+			nodes = append(nodes, node)
+			hostsConds = append(hostsConds, fmt.Sprintf(`r["hostname"] == "%s"`, node))
+		}
+	} else {
+		for _, node := range nodes {
+			hostsConds = append(hostsConds, fmt.Sprintf(`r["hostname"] == "%s"`, node))
+		}
+	}
+	hostsCond := strings.Join(hostsConds, " or ")
+
+	// BUILD AND PERFORM QUERY
+	query := fmt.Sprintf(`
+						from(bucket: "%s")
+						|> range(start: %s, stop: %s)
+						|> filter(fn: (r) => (%s) and (%s) )
+						|> drop(columns: ["_start", "_stop"])
+						|> group(columns: ["hostname", "_measurement"])
+			|> aggregateWindow(every: 60s, fn: mean)
+						|> drop(columns: ["_time"])`,
+		idb.bucket,
+		idb.formatTime(from), idb.formatTime(to),
+		measurementsCond, hostsCond)
+
+	rows, err := idb.queryClient.Query(ctx, query)
+	if err != nil {
+		log.Error("Error while performing query")
+		return nil, err
+	}
+
+	// HANDLE QUERY RETURN
+	// Collect Float Arrays for Node@Metric -> No Scope Handling!
+	influxData := make(map[string]map[string][]schema.Float)
+	for rows.Next() {
+		row := rows.Record()
+		host, field := row.ValueByKey("hostname").(string), row.Measurement()
+
+		influxHostData, ok := influxData[host]
+		if !ok {
+			influxHostData = make(map[string][]schema.Float)
+			influxData[host] = influxHostData
+		}
+
+		influxFieldData, ok := influxData[host][field]
+		if !ok {
+			influxFieldData = make([]schema.Float, 0)
+			influxData[host][field] = influxFieldData
+		}
+
+		val, ok := row.Value().(float64)
+		if ok {
+			influxData[host][field] = append(influxData[host][field], schema.Float(val))
+		} else {
+			influxData[host][field] = append(influxData[host][field], schema.Float(0))
+		}
+	}
+
+	// BUILD FUNCTION RETURN
+	data := make(map[string]map[string][]*schema.JobMetric)
+	for node, metricData := range influxData {
+
+		nodeData, ok := data[node]
+		if !ok {
+			nodeData = make(map[string][]*schema.JobMetric)
+			data[node] = nodeData
+		}
+
+		for metric, floatArray := range metricData {
+			avg, min, max := 0.0, 0.0, 0.0
+			for _, val := range floatArray {
+				avg += float64(val)
+				min = math.Min(min, float64(val))
+				max = math.Max(max, float64(val))
+			}
+
+			stats := schema.MetricStatistics{
+				Avg: (math.Round((avg/float64(len(floatArray)))*100) / 100),
+				Min: (math.Round(min*100) / 100),
+				Max: (math.Round(max*100) / 100),
+			}
+
+			mc := archive.GetMetricConfig(cluster, metric)
+			nodeData[metric] = append(nodeData[metric], &schema.JobMetric{
+				Unit:     mc.Unit,
+				Timestep: mc.Timestep,
+				Series: []schema.Series{
+					{
+						Hostname:   node,
+						Statistics: stats,
+						Data:       floatArray,
+					},
+				},
+			})
+		}
+	}
+
+	return data, nil
+}
+
+// Used in Systems-View @ Node-List
+// UNTESTED
+func (idb *InfluxDBv2DataRepository) LoadNodeListData(
+	cluster, subCluster, nodeFilter string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+	from, to time.Time,
+	page *model.PageRequest,
+	ctx context.Context,
+) (map[string]schema.JobData, int, bool, error) {
+
+	// Assumption: idb.loadData() only returns series node-scope - use node scope for NodeList
+
+	// 0) Init additional vars
+	var totalNodes int = 0
+	var hasNextPage bool = false
+
+	// 1) Get list of all nodes
+	var nodes []string
+	if subCluster != "" {
+		scNodes := archive.NodeLists[cluster][subCluster]
+		nodes = scNodes.PrintList()
+	} else {
+		subClusterNodeLists := archive.NodeLists[cluster]
+		for _, nodeList := range subClusterNodeLists {
+			nodes = append(nodes, nodeList.PrintList()...)
+		}
+	}
+
+	// 2) Filter nodes
+	if nodeFilter != "" {
+		filteredNodes := []string{}
+		for _, node := range nodes {
+			if strings.Contains(node, nodeFilter) {
+				filteredNodes = append(filteredNodes, node)
+			}
+		}
+		nodes = filteredNodes
+	}
+
+	// 2.1) Count total nodes && Sort nodes -> Sorting invalidated after return ...
+	totalNodes = len(nodes)
+	sort.Strings(nodes)
+
+	// 3) Apply paging
+	if len(nodes) > page.ItemsPerPage {
+		start := (page.Page - 1) * page.ItemsPerPage
+		end := start + page.ItemsPerPage
+		if end > len(nodes) {
+			end = len(nodes)
+			hasNextPage = false
+		} else {
+			hasNextPage = true
+		}
+		nodes = nodes[start:end]
+	}
+
+	// 4) Fetch And Convert Data, use idb.LoadNodeData() for query
+
+	rawNodeData, err := idb.LoadNodeData(cluster, metrics, nodes, scopes, from, to, ctx)
+	if err != nil {
+		log.Error(fmt.Sprintf("Error while loading influx nodeData for nodeListData %#v\n", err))
+		return nil, totalNodes, hasNextPage, err
+	}
+
+	data := make(map[string]schema.JobData)
+	for node, nodeData := range rawNodeData {
+		// Init Nested Map Data Structures If Not Found
+		hostData, ok := data[node]
+		if !ok {
+			hostData = make(schema.JobData)
+			data[node] = hostData
+		}
+
+		for metric, nodeMetricData := range nodeData {
+			metricData, ok := hostData[metric]
+			if !ok {
+				metricData = make(map[schema.MetricScope]*schema.JobMetric)
+				data[node][metric] = metricData
+			}
+
+			data[node][metric][schema.MetricScopeNode] = nodeMetricData[0] // Only Node Scope Returned from loadNodeData
+		}
+	}
+
+	return data, totalNodes, hasNextPage, nil
 }
--- a/internal/metricdata/metricdata.go
+++ b/internal/metricdata/metricdata.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -8,13 +8,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"math"
 	"time"

 	"github.com/ClusterCockpit/cc-backend/internal/config"
-	"github.com/ClusterCockpit/cc-backend/pkg/archive"
+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
-	"github.com/ClusterCockpit/cc-backend/pkg/lrucache"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 )

@@ -24,22 +22,24 @@ type MetricDataRepository interface {
 	Init(rawConfig json.RawMessage) error

 	// Return the JobData for the given job, only with the requested metrics.
-	LoadData(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context) (schema.JobData, error)
+	LoadData(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context, resolution int) (schema.JobData, error)

-	// Return a map of metrics to a map of nodes to the metric statistics of the job. node scope assumed for now.
+	// Return a map of metrics to a map of nodes to the metric statistics of the job. node scope only.
 	LoadStats(job *schema.Job, metrics []string, ctx context.Context) (map[string]map[string]schema.MetricStatistics, error)

-	// Return a map of hosts to a map of metrics at the requested scopes for that node.
+	// Return a map of metrics to a map of scopes to the scoped metric statistics of the job.
+	LoadScopedStats(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context) (schema.ScopedJobStats, error)
+
+	// Return a map of hosts to a map of metrics at the requested scopes (currently only node) for that node.
 	LoadNodeData(cluster string, metrics, nodes []string, scopes []schema.MetricScope, from, to time.Time, ctx context.Context) (map[string]map[string][]*schema.JobMetric, error)
+
+	// Return a map of hosts to a map of metrics to a map of scopes for multiple nodes.
+	LoadNodeListData(cluster, subCluster, nodeFilter string, metrics []string, scopes []schema.MetricScope, resolution int, from, to time.Time, page *model.PageRequest, ctx context.Context) (map[string]schema.JobData, int, bool, error)
 }

 var metricDataRepos map[string]MetricDataRepository = map[string]MetricDataRepository{}

-var useArchive bool
-
-func Init(disableArchive bool) error {
-
-	useArchive = !disableArchive
+func Init() error {
 	for _, cluster := range config.Keys.Clusters {
 		if cluster.MetricDataRepository != nil {
 			var kind struct {
@@ -74,283 +74,13 @@ func Init(disableArchive bool) error {
 	return nil
 }

-var cache *lrucache.Cache = lrucache.New(128 * 1024 * 1024)
-
-// Fetches the metric data for a job.
-func LoadData(job *schema.Job,
-	metrics []string,
-	scopes []schema.MetricScope,
-	ctx context.Context) (schema.JobData, error) {
-	data := cache.Get(cacheKey(job, metrics, scopes), func() (_ interface{}, ttl time.Duration, size int) {
-		var jd schema.JobData
+func GetMetricDataRepo(cluster string) (MetricDataRepository, error) {
 	var err error
-
-		if job.State == schema.JobStateRunning ||
-			job.MonitoringStatus == schema.MonitoringStatusRunningOrArchiving ||
-			!useArchive {
-
-			repo, ok := metricDataRepos[job.Cluster]
-
-			if !ok {
-				return fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", job.Cluster), 0, 0
-			}
-
-			if scopes == nil {
-				scopes = append(scopes, schema.MetricScopeNode)
-			}
-
-			if metrics == nil {
-				cluster := archive.GetCluster(job.Cluster)
-				for _, mc := range cluster.MetricConfig {
-					metrics = append(metrics, mc.Name)
-				}
-			}
-
-			jd, err = repo.LoadData(job, metrics, scopes, ctx)
-			if err != nil {
-				if len(jd) != 0 {
-					log.Warnf("partial error: %s", err.Error())
-				} else {
-					log.Error("Error while loading job data from metric repository")
-					return err, 0, 0
-				}
-			}
-			size = jd.Size()
-		} else {
-			jd, err = archive.GetHandle().LoadJobData(job)
-			if err != nil {
-				log.Error("Error while loading job data from archive")
-				return err, 0, 0
-			}
-
-			// Avoid sending unrequested data to the client:
-			if metrics != nil || scopes != nil {
-				if metrics == nil {
-					metrics = make([]string, 0, len(jd))
-					for k := range jd {
-						metrics = append(metrics, k)
-					}
-				}
-
-				res := schema.JobData{}
-				for _, metric := range metrics {
-					if perscope, ok := jd[metric]; ok {
-						if len(perscope) > 1 {
-							subset := make(map[schema.MetricScope]*schema.JobMetric)
-							for _, scope := range scopes {
-								if jm, ok := perscope[scope]; ok {
-									subset[scope] = jm
-								}
-							}
-
-							if len(subset) > 0 {
-								perscope = subset
-							}
-						}
-
-						res[metric] = perscope
-					}
-				}
-				jd = res
-			}
-			size = jd.Size()
-		}
-
-		ttl = 5 * time.Hour
-		if job.State == schema.JobStateRunning {
-			ttl = 2 * time.Minute
-		}
-
-		prepareJobData(job, jd, scopes)
-
-		return jd, ttl, size
-	})
-
-	if err, ok := data.(error); ok {
-		log.Error("Error in returned dataset")
-		return nil, err
-	}
-
-	return data.(schema.JobData), nil
-}
-
-// Used for the jobsFootprint GraphQL-Query. TODO: Rename/Generalize.
-func LoadAverages(
-	job *schema.Job,
-	metrics []string,
-	data [][]schema.Float,
-	ctx context.Context) error {
-
-	if job.State != schema.JobStateRunning && useArchive {
-		return archive.LoadAveragesFromArchive(job, metrics, data)
-	}
-
-	repo, ok := metricDataRepos[job.Cluster]
-	if !ok {
-		return fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", job.Cluster)
-	}
-
-	stats, err := repo.LoadStats(job, metrics, ctx)
-	if err != nil {
-		log.Errorf("Error while loading statistics for job %v (User %v, Project %v)", job.JobID, job.User, job.Project)
-		return err
-	}
-
-	for i, m := range metrics {
-		nodes, ok := stats[m]
-		if !ok {
-			data[i] = append(data[i], schema.NaN)
-			continue
-		}
-
-		sum := 0.0
-		for _, node := range nodes {
-			sum += node.Avg
-		}
-		data[i] = append(data[i], schema.Float(sum))
-	}
-
-	return nil
-}
-
-// Used for the node/system view. Returns a map of nodes to a map of metrics.
-func LoadNodeData(
-	cluster string,
-	metrics, nodes []string,
-	scopes []schema.MetricScope,
-	from, to time.Time,
-	ctx context.Context) (map[string]map[string][]*schema.JobMetric, error) {
-
 	repo, ok := metricDataRepos[cluster]
+
 	if !ok {
-		return nil, fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", cluster)
+		err = fmt.Errorf("METRICDATA/METRICDATA > no metric data repository configured for '%s'", cluster)
 	}

-	if metrics == nil {
-		for _, m := range archive.GetCluster(cluster).MetricConfig {
-			metrics = append(metrics, m.Name)
-		}
-	}
-
-	data, err := repo.LoadNodeData(cluster, metrics, nodes, scopes, from, to, ctx)
-	if err != nil {
-		if len(data) != 0 {
-			log.Warnf("partial error: %s", err.Error())
-		} else {
-			log.Error("Error while loading node data from metric repository")
-			return nil, err
-		}
-	}
-
-	if data == nil {
-		return nil, fmt.Errorf("METRICDATA/METRICDATA > the metric data repository for '%s' does not support this query", cluster)
-	}
-
-	return data, nil
-}
-
-func cacheKey(
-	job *schema.Job,
-	metrics []string,
-	scopes []schema.MetricScope) string {
-
-	// Duration and StartTime do not need to be in the cache key as StartTime is less unique than
-	// job.ID and the TTL of the cache entry makes sure it does not stay there forever.
-	return fmt.Sprintf("%d(%s):[%v],[%v]",
-		job.ID, job.State, metrics, scopes)
-}
-
-// For /monitoring/job/<job> and some other places, flops_any and mem_bw need
-// to be available at the scope 'node'. If a job has a lot of nodes,
-// statisticsSeries should be available so that a min/mean/max Graph can be
-// used instead of a lot of single lines.
-func prepareJobData(
-	job *schema.Job,
-	jobData schema.JobData,
-	scopes []schema.MetricScope) {
-
-	const maxSeriesSize int = 15
-	for _, scopes := range jobData {
-		for _, jm := range scopes {
-			if jm.StatisticsSeries != nil || len(jm.Series) <= maxSeriesSize {
-				continue
-			}
-
-			jm.AddStatisticsSeries()
-		}
-	}
-
-	nodeScopeRequested := false
-	for _, scope := range scopes {
-		if scope == schema.MetricScopeNode {
-			nodeScopeRequested = true
-		}
-	}
-
-	if nodeScopeRequested {
-		jobData.AddNodeScope("flops_any")
-		jobData.AddNodeScope("mem_bw")
-	}
-}
-
-// Writes a running job to the job-archive
-func ArchiveJob(job *schema.Job, ctx context.Context) (*schema.JobMeta, error) {
-
-	allMetrics := make([]string, 0)
-	metricConfigs := archive.GetCluster(job.Cluster).MetricConfig
-	for _, mc := range metricConfigs {
-		allMetrics = append(allMetrics, mc.Name)
-	}
-
-	// TODO: Talk about this! What resolutions to store data at...
-	scopes := []schema.MetricScope{schema.MetricScopeNode}
-	if job.NumNodes <= 8 {
-		scopes = append(scopes, schema.MetricScopeCore)
-	}
-
-	jobData, err := LoadData(job, allMetrics, scopes, ctx)
-	if err != nil {
-		log.Error("Error wile loading job data for archiving")
-		return nil, err
-	}
-
-	jobMeta := &schema.JobMeta{
-		BaseJob:    job.BaseJob,
-		StartTime:  job.StartTime.Unix(),
-		Statistics: make(map[string]schema.JobStatistics),
-	}
-
-	for metric, data := range jobData {
-		avg, min, max := 0.0, math.MaxFloat32, -math.MaxFloat32
-		nodeData, ok := data["node"]
-		if !ok {
-			// TODO/FIXME: Calc average for non-node metrics as well!
-			continue
-		}
-
-		for _, series := range nodeData.Series {
-			avg += series.Statistics.Avg
-			min = math.Min(min, series.Statistics.Min)
-			max = math.Max(max, series.Statistics.Max)
-		}
-
-		jobMeta.Statistics[metric] = schema.JobStatistics{
-			Unit: schema.Unit{
-				Prefix: archive.GetMetricConfig(job.Cluster, metric).Unit.Prefix,
-				Base:   archive.GetMetricConfig(job.Cluster, metric).Unit.Base,
-			},
-			Avg: avg / float64(job.NumNodes),
-			Min: min,
-			Max: max,
-		}
-	}
-
-	// If the file based archive is disabled,
-	// only return the JobMeta structure as the
-	// statistics in there are needed.
-	if !useArchive {
-		return jobMeta, nil
-	}
-
-	return jobMeta, archive.GetHandle().ImportJob(jobMeta, &jobData)
+	return repo, err
 }
--- a/internal/metricdata/prometheus.go
+++ b/internal/metricdata/prometheus.go
@@ -20,6 +20,7 @@ import (
 	"text/template"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -166,10 +167,10 @@ func (pdb *PrometheusDataRepository) Init(rawConfig json.RawMessage) error {
 	var rt http.RoundTripper = nil
 	if prom_pw := os.Getenv("PROMETHEUS_PASSWORD"); prom_pw != "" && config.Username != "" {
 		prom_pw := promcfg.Secret(prom_pw)
-		rt = promcfg.NewBasicAuthRoundTripper(config.Username, prom_pw, "", promapi.DefaultRoundTripper)
+		rt = promcfg.NewBasicAuthRoundTripper(promcfg.NewInlineSecret(config.Username), promcfg.NewInlineSecret(string(prom_pw)), promapi.DefaultRoundTripper)
 	} else {
 		if config.Username != "" {
-			return errors.New("METRICDATA/PROMETHEUS > Prometheus username provided, but PROMETHEUS_PASSWORD not set.")
+			return errors.New("METRICDATA/PROMETHEUS > Prometheus username provided, but PROMETHEUS_PASSWORD not set")
 		}
 	}
 	// init client
@@ -204,8 +205,8 @@ func (pdb *PrometheusDataRepository) FormatQuery(
 	metric string,
 	scope schema.MetricScope,
 	nodes []string,
-	cluster string) (string, error) {
-
+	cluster string,
+) (string, error) {
 	args := PromQLArgs{}
 	if len(nodes) > 0 {
 		args.Nodes = fmt.Sprintf("(%s)%s", nodeRegex(nodes), pdb.suffix)
@@ -233,12 +234,13 @@ func (pdb *PrometheusDataRepository) RowToSeries(
 	from time.Time,
 	step int64,
 	steps int64,
-	row *promm.SampleStream) schema.Series {
+	row *promm.SampleStream,
+) schema.Series {
 	ts := from.Unix()
 	hostname := strings.TrimSuffix(string(row.Metric["exported_instance"]), pdb.suffix)
 	// init array of expected length with NaN
 	values := make([]schema.Float, steps+1)
-	for i, _ := range values {
+	for i := range values {
 		values[i] = schema.NaN
 	}
 	// copy recorded values from prom sample pair
@@ -263,8 +265,9 @@ func (pdb *PrometheusDataRepository) LoadData(
 	job *schema.Job,
 	metrics []string,
 	scopes []schema.MetricScope,
-	ctx context.Context) (schema.JobData, error) {
-
+	ctx context.Context,
+	resolution int,
+) (schema.JobData, error) {
 	// TODO respect requested scope
 	if len(scopes) == 0 || !contains(scopes, schema.MetricScopeNode) {
 		scopes = append(scopes, schema.MetricScopeNode)
@@ -306,7 +309,6 @@ func (pdb *PrometheusDataRepository) LoadData(
 				Step:  time.Duration(metricConfig.Timestep * 1e9),
 			}
 			result, warnings, err := pdb.queryClient.QueryRange(ctx, query, r)
-
 			if err != nil {
 				log.Errorf("Prometheus query error in LoadData: %v\nQuery: %s", err, query)
 				return nil, errors.New("Prometheus query error")
@@ -326,7 +328,6 @@ func (pdb *PrometheusDataRepository) LoadData(
 					Timestep: metricConfig.Timestep,
 					Series:   make([]schema.Series, 0),
 				}
-				jobData[metric][scope] = jobMetric
 			}
 			step := int64(metricConfig.Timestep)
 			steps := int64(to.Sub(from).Seconds()) / step
@@ -335,6 +336,10 @@ func (pdb *PrometheusDataRepository) LoadData(
 				jobMetric.Series = append(jobMetric.Series,
 					pdb.RowToSeries(from, step, steps, row))
 			}
+			// only add metric if at least one host returned data
+			if !ok && len(jobMetric.Series) > 0 {
+				jobData[metric][scope] = jobMetric
+			}
 			// sort by hostname to get uniform coloring
 			sort.Slice(jobMetric.Series, func(i, j int) bool {
 				return (jobMetric.Series[i].Hostname < jobMetric.Series[j].Hostname)
@@ -348,12 +353,12 @@ func (pdb *PrometheusDataRepository) LoadData(
 func (pdb *PrometheusDataRepository) LoadStats(
 	job *schema.Job,
 	metrics []string,
-	ctx context.Context) (map[string]map[string]schema.MetricStatistics, error) {
-
+	ctx context.Context,
+) (map[string]map[string]schema.MetricStatistics, error) {
 	// map of metrics of nodes of stats
 	stats := map[string]map[string]schema.MetricStatistics{}

-	data, err := pdb.LoadData(job, metrics, []schema.MetricScope{schema.MetricScopeNode}, ctx)
+	data, err := pdb.LoadData(job, metrics, []schema.MetricScope{schema.MetricScopeNode}, ctx, 0 /*resolution here*/)
 	if err != nil {
 		log.Warn("Error while loading job for stats")
 		return nil, err
@@ -373,7 +378,8 @@ func (pdb *PrometheusDataRepository) LoadNodeData(
 	metrics, nodes []string,
 	scopes []schema.MetricScope,
 	from, to time.Time,
-	ctx context.Context) (map[string]map[string][]*schema.JobMetric, error) {
+	ctx context.Context,
+) (map[string]map[string][]*schema.JobMetric, error) {
 	t0 := time.Now()
 	// Map of hosts of metrics of value slices
 	data := make(map[string]map[string][]*schema.JobMetric)
@@ -408,7 +414,6 @@ func (pdb *PrometheusDataRepository) LoadNodeData(
 				Step:  time.Duration(metricConfig.Timestep * 1e9),
 			}
 			result, warnings, err := pdb.queryClient.QueryRange(ctx, query, r)
-
 			if err != nil {
 				log.Errorf("Prometheus query error in LoadNodeData: %v\n", err)
 				return nil, errors.New("Prometheus query error")
@@ -442,3 +447,188 @@ func (pdb *PrometheusDataRepository) LoadNodeData(
 	log.Debugf("LoadNodeData of %v nodes took %s", len(data), t1)
 	return data, nil
 }
+
+// Implemented by NHR@FAU; Used in Job-View StatsTable
+func (pdb *PrometheusDataRepository) LoadScopedStats(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context) (schema.ScopedJobStats, error) {
+
+	// Assumption: pdb.loadData() only returns series node-scope - use node scope for statsTable
+	scopedJobStats := make(schema.ScopedJobStats)
+	data, err := pdb.LoadData(job, metrics, []schema.MetricScope{schema.MetricScopeNode}, ctx, 0 /*resolution here*/)
+	if err != nil {
+		log.Warn("Error while loading job for scopedJobStats")
+		return nil, err
+	}
+
+	for metric, metricData := range data {
+		for _, scope := range scopes {
+			if scope != schema.MetricScopeNode {
+				logOnce.Do(func() {
+					log.Infof("Note: Scope '%s' requested, but not yet supported: Will return 'node' scope only.", scope)
+				})
+				continue
+			}
+
+			if _, ok := scopedJobStats[metric]; !ok {
+				scopedJobStats[metric] = make(map[schema.MetricScope][]*schema.ScopedStats)
+			}
+
+			if _, ok := scopedJobStats[metric][scope]; !ok {
+				scopedJobStats[metric][scope] = make([]*schema.ScopedStats, 0)
+			}
+
+			for _, series := range metricData[scope].Series {
+				scopedJobStats[metric][scope] = append(scopedJobStats[metric][scope], &schema.ScopedStats{
+					Hostname: series.Hostname,
+					Data:     &series.Statistics,
+				})
+			}
+		}
+	}
+
+	return scopedJobStats, nil
+}
+
+// Implemented by NHR@FAU; Used in NodeList-View
+func (pdb *PrometheusDataRepository) LoadNodeListData(
+	cluster, subCluster, nodeFilter string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+	from, to time.Time,
+	page *model.PageRequest,
+	ctx context.Context,
+) (map[string]schema.JobData, int, bool, error) {
+
+	// Assumption: pdb.loadData() only returns series node-scope - use node scope for NodeList
+
+	// 0) Init additional vars
+	var totalNodes int = 0
+	var hasNextPage bool = false
+
+	// 1) Get list of all nodes
+	var nodes []string
+	if subCluster != "" {
+		scNodes := archive.NodeLists[cluster][subCluster]
+		nodes = scNodes.PrintList()
+	} else {
+		subClusterNodeLists := archive.NodeLists[cluster]
+		for _, nodeList := range subClusterNodeLists {
+			nodes = append(nodes, nodeList.PrintList()...)
+		}
+	}
+
+	// 2) Filter nodes
+	if nodeFilter != "" {
+		filteredNodes := []string{}
+		for _, node := range nodes {
+			if strings.Contains(node, nodeFilter) {
+				filteredNodes = append(filteredNodes, node)
+			}
+		}
+		nodes = filteredNodes
+	}
+
+	// 2.1) Count total nodes && Sort nodes -> Sorting invalidated after return ...
+	totalNodes = len(nodes)
+	sort.Strings(nodes)
+
+	// 3) Apply paging
+	if len(nodes) > page.ItemsPerPage {
+		start := (page.Page - 1) * page.ItemsPerPage
+		end := start + page.ItemsPerPage
+		if end > len(nodes) {
+			end = len(nodes)
+			hasNextPage = false
+		} else {
+			hasNextPage = true
+		}
+		nodes = nodes[start:end]
+	}
+
+	// 4) Fetch Data, based on pdb.LoadNodeData()
+
+	t0 := time.Now()
+	// Map of hosts of jobData
+	data := make(map[string]schema.JobData)
+
+	// query db for each metric
+	// TODO: scopes seems to be always empty
+	if len(scopes) == 0 || !contains(scopes, schema.MetricScopeNode) {
+		scopes = append(scopes, schema.MetricScopeNode)
+	}
+
+	for _, scope := range scopes {
+		if scope != schema.MetricScopeNode {
+			logOnce.Do(func() {
+				log.Infof("Note: Scope '%s' requested, but not yet supported: Will return 'node' scope only.", scope)
+			})
+			continue
+		}
+
+		for _, metric := range metrics {
+			metricConfig := archive.GetMetricConfig(cluster, metric)
+			if metricConfig == nil {
+				log.Warnf("Error in LoadNodeListData: Metric %s for cluster %s not configured", metric, cluster)
+				return nil, totalNodes, hasNextPage, errors.New("Prometheus config error")
+			}
+			query, err := pdb.FormatQuery(metric, scope, nodes, cluster)
+			if err != nil {
+				log.Warn("Error while formatting prometheus query")
+				return nil, totalNodes, hasNextPage, err
+			}
+
+			// ranged query over all nodes
+			r := promv1.Range{
+				Start: from,
+				End:   to,
+				Step:  time.Duration(metricConfig.Timestep * 1e9),
+			}
+			result, warnings, err := pdb.queryClient.QueryRange(ctx, query, r)
+			if err != nil {
+				log.Errorf("Prometheus query error in LoadNodeData: %v\n", err)
+				return nil, totalNodes, hasNextPage, errors.New("Prometheus query error")
+			}
+			if len(warnings) > 0 {
+				log.Warnf("Warnings: %v\n", warnings)
+			}
+
+			step := int64(metricConfig.Timestep)
+			steps := int64(to.Sub(from).Seconds()) / step
+
+			// iter rows of host, metric, values
+			for _, row := range result.(promm.Matrix) {
+				hostname := strings.TrimSuffix(string(row.Metric["exported_instance"]), pdb.suffix)
+
+				hostdata, ok := data[hostname]
+				if !ok {
+					hostdata = make(schema.JobData)
+					data[hostname] = hostdata
+				}
+
+				metricdata, ok := hostdata[metric]
+				if !ok {
+					metricdata = make(map[schema.MetricScope]*schema.JobMetric)
+					data[hostname][metric] = metricdata
+				}
+
+				// output per host, metric and scope
+				scopeData, ok := metricdata[scope]
+				if !ok {
+					scopeData = &schema.JobMetric{
+						Unit:     metricConfig.Unit,
+						Timestep: metricConfig.Timestep,
+						Series:   []schema.Series{pdb.RowToSeries(from, step, steps, row)},
+					}
+					data[hostname][metric][scope] = scopeData
+				}
+			}
+		}
+	}
+	t1 := time.Since(t0)
+	log.Debugf("LoadNodeListData of %v nodes took %s", len(data), t1)
+	return data, totalNodes, hasNextPage, nil
+}
--- a/internal/metricdata/utils.go
+++ b/internal/metricdata/utils.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -9,10 +9,11 @@ import (
 	"encoding/json"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 )

-var TestLoadDataCallback func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context) (schema.JobData, error) = func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context) (schema.JobData, error) {
+var TestLoadDataCallback func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context, resolution int) (schema.JobData, error) = func(job *schema.Job, metrics []string, scopes []schema.MetricScope, ctx context.Context, resolution int) (schema.JobData, error) {
 	panic("TODO")
 }

@@ -27,14 +28,25 @@ func (tmdr *TestMetricDataRepository) LoadData(
 	job *schema.Job,
 	metrics []string,
 	scopes []schema.MetricScope,
-	ctx context.Context) (schema.JobData, error) {
+	ctx context.Context,
+	resolution int) (schema.JobData, error) {

-	return TestLoadDataCallback(job, metrics, scopes, ctx)
+	return TestLoadDataCallback(job, metrics, scopes, ctx, resolution)
 }

 func (tmdr *TestMetricDataRepository) LoadStats(
 	job *schema.Job,
-	metrics []string, ctx context.Context) (map[string]map[string]schema.MetricStatistics, error) {
+	metrics []string,
+	ctx context.Context) (map[string]map[string]schema.MetricStatistics, error) {
+
+	panic("TODO")
+}
+
+func (tmdr *TestMetricDataRepository) LoadScopedStats(
+	job *schema.Job,
+	metrics []string,
+	scopes []schema.MetricScope,
+	ctx context.Context) (schema.ScopedJobStats, error) {

 	panic("TODO")
 }
@@ -48,3 +60,62 @@ func (tmdr *TestMetricDataRepository) LoadNodeData(

 	panic("TODO")
 }
+
+func (tmdr *TestMetricDataRepository) LoadNodeListData(
+	cluster, subCluster, nodeFilter string,
+	metrics []string,
+	scopes []schema.MetricScope,
+	resolution int,
+	from, to time.Time,
+	page *model.PageRequest,
+	ctx context.Context,
+) (map[string]schema.JobData, int, bool, error) {
+
+	panic("TODO")
+}
+
+func DeepCopy(jd_temp schema.JobData) schema.JobData {
+	var jd schema.JobData
+
+	jd = make(schema.JobData, len(jd_temp))
+	for k, v := range jd_temp {
+		jd[k] = make(map[schema.MetricScope]*schema.JobMetric, len(jd_temp[k]))
+		for k_, v_ := range v {
+			jd[k][k_] = new(schema.JobMetric)
+			jd[k][k_].Series = make([]schema.Series, len(v_.Series))
+			for i := 0; i < len(v_.Series); i += 1 {
+				jd[k][k_].Series[i].Data = make([]schema.Float, len(v_.Series[i].Data))
+				copy(jd[k][k_].Series[i].Data, v_.Series[i].Data)
+				jd[k][k_].Series[i].Hostname = v_.Series[i].Hostname
+				jd[k][k_].Series[i].Id = v_.Series[i].Id
+				jd[k][k_].Series[i].Statistics.Avg = v_.Series[i].Statistics.Avg
+				jd[k][k_].Series[i].Statistics.Min = v_.Series[i].Statistics.Min
+				jd[k][k_].Series[i].Statistics.Max = v_.Series[i].Statistics.Max
+			}
+			jd[k][k_].Timestep = v_.Timestep
+			jd[k][k_].Unit.Base = v_.Unit.Base
+			jd[k][k_].Unit.Prefix = v_.Unit.Prefix
+			if v_.StatisticsSeries != nil {
+				// Init Slices
+				jd[k][k_].StatisticsSeries = new(schema.StatsSeries)
+				jd[k][k_].StatisticsSeries.Max = make([]schema.Float, len(v_.StatisticsSeries.Max))
+				jd[k][k_].StatisticsSeries.Min = make([]schema.Float, len(v_.StatisticsSeries.Min))
+				jd[k][k_].StatisticsSeries.Median = make([]schema.Float, len(v_.StatisticsSeries.Median))
+				jd[k][k_].StatisticsSeries.Mean = make([]schema.Float, len(v_.StatisticsSeries.Mean))
+				// Copy Data
+				copy(jd[k][k_].StatisticsSeries.Max, v_.StatisticsSeries.Max)
+				copy(jd[k][k_].StatisticsSeries.Min, v_.StatisticsSeries.Min)
+				copy(jd[k][k_].StatisticsSeries.Median, v_.StatisticsSeries.Median)
+				copy(jd[k][k_].StatisticsSeries.Mean, v_.StatisticsSeries.Mean)
+				// Handle Percentiles
+				for k__, v__ := range v_.StatisticsSeries.Percentiles {
+					jd[k][k_].StatisticsSeries.Percentiles[k__] = make([]schema.Float, len(v__))
+					copy(jd[k][k_].StatisticsSeries.Percentiles[k__], v__)
+				}
+			} else {
+				jd[k][k_].StatisticsSeries = v_.StatisticsSeries
+			}
+		}
+	}
+	return jd
+}
--- a/internal/repository/dbConnection.go
+++ b/internal/repository/dbConnection.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -59,17 +59,15 @@ func Connect(driver string, db string) {
 			} else {
 				dbHandle, err = sqlx.Open("sqlite3", opts.URL)
 			}
-			if err != nil {
-				log.Fatal(err)
-			}
 		case "mysql":
 			opts.URL += "?multiStatements=true"
 			dbHandle, err = sqlx.Open("mysql", opts.URL)
-			if err != nil {
-				log.Fatalf("sqlx.Open() error: %v", err)
-			}
 		default:
-			log.Fatalf("unsupported database driver: %s", driver)
+			log.Abortf("DB Connection: Unsupported database driver '%s'.\n", driver)
+		}
+
+		if err != nil {
+			log.Abortf("DB Connection: Could not connect to '%s' database with sqlx.Open().\nError: %s\n", driver, err.Error())
 		}

 		dbHandle.SetMaxOpenConns(opts.MaxOpenConnections)
@@ -80,7 +78,7 @@ func Connect(driver string, db string) {
 		dbConnInstance = &DBConnection{DB: dbHandle, Driver: driver}
 		err = checkDBVersion(driver, dbHandle.DB)
 		if err != nil {
-			log.Fatal(err)
+			log.Abortf("DB Connection: Failed DB version check.\nError: %s\n", err.Error())
 		}
 	})
 }
--- a/internal/repository/hooks.go
+++ b/internal/repository/hooks.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -16,13 +16,13 @@ type Hooks struct{}

 // Before hook will print the query with it's args and return the context with the timestamp
 func (h *Hooks) Before(ctx context.Context, query string, args ...interface{}) (context.Context, error) {
-	log.Infof("SQL query %s %q", query, args)
+	log.Debugf("SQL query %s %q", query, args)
 	return context.WithValue(ctx, "begin", time.Now()), nil
 }

 // After hook will get the timestamp registered on the Before hook and print the elapsed time
 func (h *Hooks) After(ctx context.Context, query string, args ...interface{}) (context.Context, error) {
 	begin := ctx.Value("begin").(time.Time)
-	log.Infof("Took: %s\n", time.Since(begin))
+	log.Debugf("Took: %s\n", time.Since(begin))
 	return ctx, nil
 }
--- a/internal/repository/job.go
+++ b/internal/repository/job.go
@@ -1,22 +1,21 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package repository

 import (
-	"context"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
 	"strconv"
 	"sync"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
-	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
+	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/lrucache"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -31,13 +30,9 @@ var (

 type JobRepository struct {
 	DB        *sqlx.DB
-	driver string
-
 	stmtCache *sq.StmtCache
 	cache     *lrucache.Cache
-
-	archiveChannel chan *schema.Job
-	archivePending sync.WaitGroup
+	driver    string
 }

 func GetJobRepository() *JobRepository {
@@ -50,46 +45,46 @@ func GetJobRepository() *JobRepository {

 			stmtCache: sq.NewStmtCache(db.DB),
 			cache:     lrucache.New(1024 * 1024),
-			archiveChannel: make(chan *schema.Job, 128),
 		}
-		// start archiving worker
-		go jobRepoInstance.archivingWorker()
 	})
-
 	return jobRepoInstance
 }

 var jobColumns []string = []string{
-	"job.id", "job.job_id", "job.user", "job.project", "job.cluster", "job.subcluster", "job.start_time", "job.partition", "job.array_job_id",
+	"job.id", "job.job_id", "job.hpc_user", "job.project", "job.cluster", "job.subcluster", "job.start_time", "job.cluster_partition", "job.array_job_id",
 	"job.num_nodes", "job.num_hwthreads", "job.num_acc", "job.exclusive", "job.monitoring_status", "job.smt", "job.job_state",
-	"job.duration", "job.walltime", "job.resources", // "job.meta_data",
+	"job.duration", "job.walltime", "job.resources", "job.footprint", "job.energy",
 }

 func scanJob(row interface{ Scan(...interface{}) error }) (*schema.Job, error) {
 	job := &schema.Job{}
+
 	if err := row.Scan(
 		&job.ID, &job.JobID, &job.User, &job.Project, &job.Cluster, &job.SubCluster, &job.StartTimeUnix, &job.Partition, &job.ArrayJobId,
 		&job.NumNodes, &job.NumHWThreads, &job.NumAcc, &job.Exclusive, &job.MonitoringStatus, &job.SMT, &job.State,
-		&job.Duration, &job.Walltime, &job.RawResources /*&job.RawMetaData*/); err != nil {
+		&job.Duration, &job.Walltime, &job.RawResources, &job.RawFootprint, &job.Energy); err != nil {
 		log.Warnf("Error while scanning rows (Job): %v", err)
 		return nil, err
 	}

 	if err := json.Unmarshal(job.RawResources, &job.Resources); err != nil {
-		log.Warn("Error while unmarhsaling raw resources json")
+		log.Warn("Error while unmarshaling raw resources json")
 		return nil, err
 	}
+	job.RawResources = nil

-	// if err := json.Unmarshal(job.RawMetaData, &job.MetaData); err != nil {
-	// 	return nil, err
-	// }
+	if err := json.Unmarshal(job.RawFootprint, &job.Footprint); err != nil {
+		log.Warnf("Error while unmarshaling raw footprint json: %v", err)
+		return nil, err
+	}
+	job.RawFootprint = nil

 	job.StartTime = time.Unix(job.StartTimeUnix, 0)
-	if job.Duration == 0 && job.State == schema.JobStateRunning {
+	// Always ensure accurate duration for running jobs
+	if job.State == schema.JobStateRunning {
 		job.Duration = int32(time.Since(job.StartTime).Seconds())
 	}

-	job.RawResources = nil
 	return job, nil
 }

@@ -178,7 +173,7 @@ func (r *JobRepository) FetchMetadata(job *schema.Job) (map[string]string, error
 	}

 	r.cache.Put(cachekey, job.MetaData, len(job.RawMetaData), 24*time.Hour)
-	log.Infof("Timer FetchMetadata %s", time.Since(start))
+	log.Debugf("Timer FetchMetadata %s", time.Since(start))
 	return job.MetaData, nil
 }

@@ -208,366 +203,136 @@ func (r *JobRepository) UpdateMetadata(job *schema.Job, key, val string) (err er
 		return err
 	}

-	if _, err = sq.Update("job").Set("meta_data", job.RawMetaData).Where("job.id = ?", job.ID).RunWith(r.stmtCache).Exec(); err != nil {
+	if _, err = sq.Update("job").
+		Set("meta_data", job.RawMetaData).
+		Where("job.id = ?", job.ID).
+		RunWith(r.stmtCache).Exec(); err != nil {
 		log.Warnf("Error while updating metadata for job, DB ID '%v'", job.ID)
 		return err
 	}

 	r.cache.Put(cachekey, job.MetaData, len(job.RawMetaData), 24*time.Hour)
-	return nil
+	return archive.UpdateMetadata(job, job.MetaData)
 }

-// Find executes a SQL query to find a specific batch job.
-// The job is queried using the batch job id, the cluster name,
-// and the start time of the job in UNIX epoch time seconds.
-// It returns a pointer to a schema.Job data structure and an error variable.
-// To check if no job was found test err == sql.ErrNoRows
-func (r *JobRepository) Find(
-	jobId *int64,
-	cluster *string,
-	startTime *int64) (*schema.Job, error) {
-
+func (r *JobRepository) FetchFootprint(job *schema.Job) (map[string]float64, error) {
 	start := time.Now()
-	q := sq.Select(jobColumns...).From("job").
-		Where("job.job_id = ?", *jobId)

-	if cluster != nil {
-		q = q.Where("job.cluster = ?", *cluster)
-	}
-	if startTime != nil {
-		q = q.Where("job.start_time = ?", *startTime)
-	}
-
-	log.Infof("Timer Find %s", time.Since(start))
-	return scanJob(q.RunWith(r.stmtCache).QueryRow())
-}
-
-// Find executes a SQL query to find a specific batch job.
-// The job is queried using the batch job id, the cluster name,
-// and the start time of the job in UNIX epoch time seconds.
-// It returns a pointer to a schema.Job data structure and an error variable.
-// To check if no job was found test err == sql.ErrNoRows
-func (r *JobRepository) FindAll(
-	jobId *int64,
-	cluster *string,
-	startTime *int64) ([]*schema.Job, error) {
-
-	start := time.Now()
-	q := sq.Select(jobColumns...).From("job").
-		Where("job.job_id = ?", *jobId)
-
-	if cluster != nil {
-		q = q.Where("job.cluster = ?", *cluster)
-	}
-	if startTime != nil {
-		q = q.Where("job.start_time = ?", *startTime)
-	}
-
-	rows, err := q.RunWith(r.stmtCache).Query()
-	if err != nil {
-		log.Error("Error while running query")
+	if err := sq.Select("job.footprint").From("job").Where("job.id = ?", job.ID).
+		RunWith(r.stmtCache).QueryRow().Scan(&job.RawFootprint); err != nil {
+		log.Warn("Error while scanning for job footprint")
 		return nil, err
 	}

-	jobs := make([]*schema.Job, 0, 10)
-	for rows.Next() {
-		job, err := scanJob(rows)
-		if err != nil {
-			log.Warn("Error while scanning rows")
+	if len(job.RawFootprint) == 0 {
+		return nil, nil
+	}
+
+	if err := json.Unmarshal(job.RawFootprint, &job.Footprint); err != nil {
+		log.Warn("Error while unmarshaling raw footprint json")
 		return nil, err
 	}
-		jobs = append(jobs, job)
-	}
-	log.Infof("Timer FindAll %s", time.Since(start))
-	return jobs, nil
+
+	log.Debugf("Timer FetchFootprint %s", time.Since(start))
+	return job.Footprint, nil
 }

-// FindById executes a SQL query to find a specific batch job.
-// The job is queried using the database id.
-// It returns a pointer to a schema.Job data structure and an error variable.
-// To check if no job was found test err == sql.ErrNoRows
-func (r *JobRepository) FindById(jobId int64) (*schema.Job, error) {
-	q := sq.Select(jobColumns...).
-		From("job").Where("job.id = ?", jobId)
-	return scanJob(q.RunWith(r.stmtCache).QueryRow())
-}
-
-// Start inserts a new job in the table, returning the unique job ID.
-// Statistics are not transfered!
-func (r *JobRepository) Start(job *schema.JobMeta) (id int64, err error) {
-	job.RawResources, err = json.Marshal(job.Resources)
-	if err != nil {
-		return -1, fmt.Errorf("REPOSITORY/JOB > encoding resources field failed: %w", err)
+func (r *JobRepository) FetchEnergyFootprint(job *schema.Job) (map[string]float64, error) {
+	start := time.Now()
+	cachekey := fmt.Sprintf("energyFootprint:%d", job.ID)
+	if cached := r.cache.Get(cachekey, nil); cached != nil {
+		job.EnergyFootprint = cached.(map[string]float64)
+		return job.EnergyFootprint, nil
 	}

-	job.RawMetaData, err = json.Marshal(job.MetaData)
-	if err != nil {
-		return -1, fmt.Errorf("REPOSITORY/JOB > encoding metaData field failed: %w", err)
+	if err := sq.Select("job.energy_footprint").From("job").Where("job.id = ?", job.ID).
+		RunWith(r.stmtCache).QueryRow().Scan(&job.RawEnergyFootprint); err != nil {
+		log.Warn("Error while scanning for job energy_footprint")
+		return nil, err
 	}

-	res, err := r.DB.NamedExec(`INSERT INTO job (
-		job_id, user, project, cluster, subcluster, `+"`partition`"+`, array_job_id, num_nodes, num_hwthreads, num_acc,
-		exclusive, monitoring_status, smt, job_state, start_time, duration, walltime, resources, meta_data
-	) VALUES (
-		:job_id, :user, :project, :cluster, :subcluster, :partition, :array_job_id, :num_nodes, :num_hwthreads, :num_acc,
-		:exclusive, :monitoring_status, :smt, :job_state, :start_time, :duration, :walltime, :resources, :meta_data
-	);`, job)
-	if err != nil {
-		return -1, err
+	if len(job.RawEnergyFootprint) == 0 {
+		return nil, nil
 	}

-	return res.LastInsertId()
-}
+	if err := json.Unmarshal(job.RawEnergyFootprint, &job.EnergyFootprint); err != nil {
+		log.Warn("Error while unmarshaling raw energy footprint json")
+		return nil, err
+	}

-// Stop updates the job with the database id jobId using the provided arguments.
-func (r *JobRepository) Stop(
-	jobId int64,
-	duration int32,
-	state schema.JobState,
-	monitoringStatus int32) (err error) {
-
-	stmt := sq.Update("job").
-		Set("job_state", state).
-		Set("duration", duration).
-		Set("monitoring_status", monitoringStatus).
-		Where("job.id = ?", jobId)
-
-	_, err = stmt.RunWith(r.stmtCache).Exec()
-	return
+	r.cache.Put(cachekey, job.EnergyFootprint, len(job.EnergyFootprint), 24*time.Hour)
+	log.Debugf("Timer FetchEnergyFootprint %s", time.Since(start))
+	return job.EnergyFootprint, nil
 }

 func (r *JobRepository) DeleteJobsBefore(startTime int64) (int, error) {
 	var cnt int
-	qs := fmt.Sprintf("SELECT count(*) FROM job WHERE job.start_time < %d", startTime)
-	err := r.DB.Get(&cnt, qs) //ignore error as it will also occur in delete statement
-	_, err = r.DB.Exec(`DELETE FROM job WHERE job.start_time < ?`, startTime)
+	q := sq.Select("count(*)").From("job").Where("job.start_time < ?", startTime)
+	q.RunWith(r.DB).QueryRow().Scan(cnt)
+	qd := sq.Delete("job").Where("job.start_time < ?", startTime)
+	_, err := qd.RunWith(r.DB).Exec()
+
 	if err != nil {
-		log.Errorf(" DeleteJobsBefore(%d): error %#v", startTime, err)
+		s, _, _ := qd.ToSql()
+		log.Errorf(" DeleteJobsBefore(%d) with %s: error %#v", startTime, s, err)
 	} else {
-		log.Infof("DeleteJobsBefore(%d): Deleted %d jobs", startTime, cnt)
+		log.Debugf("DeleteJobsBefore(%d): Deleted %d jobs", startTime, cnt)
 	}
 	return cnt, err
 }

 func (r *JobRepository) DeleteJobById(id int64) error {
-	_, err := r.DB.Exec(`DELETE FROM job WHERE job.id = ?`, id)
+	qd := sq.Delete("job").Where("job.id = ?", id)
+	_, err := qd.RunWith(r.DB).Exec()
+
 	if err != nil {
-		log.Errorf("DeleteJobById(%d): error %#v", id, err)
+		s, _, _ := qd.ToSql()
+		log.Errorf("DeleteJobById(%d) with %s : error %#v", id, s, err)
 	} else {
-		log.Infof("DeleteJobById(%d): Success", id)
+		log.Debugf("DeleteJobById(%d): Success", id)
 	}
 	return err
 }

-// TODO: Use node hours instead: SELECT job.user, sum(job.num_nodes * (CASE WHEN job.job_state = "running" THEN CAST(strftime('%s', 'now') AS INTEGER) - job.start_time ELSE job.duration END)) as x FROM job GROUP BY user ORDER BY x DESC;
-func (r *JobRepository) CountGroupedJobs(
-	ctx context.Context,
-	aggreg model.Aggregate,
-	filters []*model.JobFilter,
-	weight *model.Weights,
-	limit *int) (map[string]int, error) {
-
-	start := time.Now()
-	if !aggreg.IsValid() {
-		return nil, errors.New("invalid aggregate")
-	}
-
-	runner := (sq.BaseRunner)(r.stmtCache)
-	count := "count(*) as count"
-	if weight != nil {
-		switch *weight {
-		case model.WeightsNodeCount:
-			count = "sum(job.num_nodes) as count"
-		case model.WeightsNodeHours:
-			now := time.Now().Unix()
-			count = fmt.Sprintf(`sum(job.num_nodes * (CASE WHEN job.job_state = "running" THEN %d - job.start_time ELSE job.duration END)) as count`, now)
-			runner = r.DB
-		default:
-			log.Infof("CountGroupedJobs() Weight %v unknown.", *weight)
-		}
-	}
-
-	q, qerr := SecurityCheck(ctx, sq.Select("job."+string(aggreg), count).From("job").GroupBy("job."+string(aggreg)).OrderBy("count DESC"))
-
-	if qerr != nil {
-		return nil, qerr
-	}
-
-	for _, f := range filters {
-		q = BuildWhereClause(f, q)
-	}
-	if limit != nil {
-		q = q.Limit(uint64(*limit))
-	}
-
-	counts := map[string]int{}
-	rows, err := q.RunWith(runner).Query()
-	if err != nil {
-		log.Error("Error while running query")
-		return nil, err
-	}
-
-	for rows.Next() {
-		var group string
-		var count int
-		if err := rows.Scan(&group, &count); err != nil {
-			log.Warn("Error while scanning rows")
-			return nil, err
-		}
-
-		counts[group] = count
-	}
-
-	log.Infof("Timer CountGroupedJobs %s", time.Since(start))
-	return counts, nil
-}
-
-func (r *JobRepository) UpdateMonitoringStatus(job int64, monitoringStatus int32) (err error) {
-	stmt := sq.Update("job").
-		Set("monitoring_status", monitoringStatus).
-		Where("job.id = ?", job)
-
-	_, err = stmt.RunWith(r.stmtCache).Exec()
-	return
-}
-
-// Stop updates the job with the database id jobId using the provided arguments.
-func (r *JobRepository) MarkArchived(
-	jobId int64,
-	monitoringStatus int32,
-	metricStats map[string]schema.JobStatistics) error {
-
-	stmt := sq.Update("job").
-		Set("monitoring_status", monitoringStatus).
-		Where("job.id = ?", jobId)
-
-	for metric, stats := range metricStats {
-		switch metric {
-		case "flops_any":
-			stmt = stmt.Set("flops_any_avg", stats.Avg)
-		case "mem_used":
-			stmt = stmt.Set("mem_used_max", stats.Max)
-		case "mem_bw":
-			stmt = stmt.Set("mem_bw_avg", stats.Avg)
-		case "load":
-		case "cpu_load":
-			stmt = stmt.Set("load_avg", stats.Avg)
-		case "net_bw":
-			stmt = stmt.Set("net_bw_avg", stats.Avg)
-		case "file_bw":
-			stmt = stmt.Set("file_bw_avg", stats.Avg)
-		default:
-			log.Infof("MarkArchived() Metric '%v' unknown", metric)
-		}
-	}
-
-	if _, err := stmt.RunWith(r.stmtCache).Exec(); err != nil {
-		log.Warn("Error while marking job as archived")
-		return err
-	}
-	return nil
-}
-
-// Archiving worker thread
-func (r *JobRepository) archivingWorker() {
-	for {
-		select {
-		case job, ok := <-r.archiveChannel:
-			if !ok {
-				break
-			}
-			// not using meta data, called to load JobMeta into Cache?
-			// will fail if job meta not in repository
-			if _, err := r.FetchMetadata(job); err != nil {
-				log.Errorf("archiving job (dbid: %d) failed: %s", job.ID, err.Error())
-				r.UpdateMonitoringStatus(job.ID, schema.MonitoringStatusArchivingFailed)
-				continue
-			}
-
-			// metricdata.ArchiveJob will fetch all the data from a MetricDataRepository and push into configured archive backend
-			// TODO: Maybe use context with cancel/timeout here
-			jobMeta, err := metricdata.ArchiveJob(job, context.Background())
-			if err != nil {
-				log.Errorf("archiving job (dbid: %d) failed: %s", job.ID, err.Error())
-				r.UpdateMonitoringStatus(job.ID, schema.MonitoringStatusArchivingFailed)
-				continue
-			}
-
-			// Update the jobs database entry one last time:
-			if err := r.MarkArchived(job.ID, schema.MonitoringStatusArchivingSuccessful, jobMeta.Statistics); err != nil {
-				log.Errorf("archiving job (dbid: %d) failed: %s", job.ID, err.Error())
-				continue
-			}
-
-			log.Printf("archiving job (dbid: %d) successful", job.ID)
-			r.archivePending.Done()
-		}
-	}
-}
-
-// Trigger async archiving
-func (r *JobRepository) TriggerArchiving(job *schema.Job) {
-	r.archivePending.Add(1)
-	r.archiveChannel <- job
-}
-
-// Wait for background thread to finish pending archiving operations
-func (r *JobRepository) WaitForArchiving() {
-	// close channel and wait for worker to process remaining jobs
-	r.archivePending.Wait()
-}
-
-var ErrNotFound = errors.New("no such jobname, project or user")
-var ErrForbidden = errors.New("not authorized")
-
-// FindJobnameOrUserOrProject returns a jobName or a username or a projectId if a jobName or user or project matches the search term.
-// If query is found to be an integer (= conversion to INT datatype succeeds), skip back to parent call
-// If nothing matches the search, `ErrNotFound` is returned.
-
-func (r *JobRepository) FindUserOrProjectOrJobname(ctx context.Context, searchterm string) (username string, project string, metasnip string, err error) {
+func (r *JobRepository) FindUserOrProjectOrJobname(user *schema.User, searchterm string) (jobid string, username string, project string, jobname string) {
 	if _, err := strconv.Atoi(searchterm); err == nil { // Return empty on successful conversion: parent method will redirect for integer jobId
-		return "", "", "", nil
+		return searchterm, "", "", ""
 	} else { // Has to have letters and logged-in user for other guesses
-		user := auth.GetUser(ctx)
 		if user != nil {
-			// Find username in jobs (match)
-			uresult, _ := r.FindColumnValue(user, searchterm, "job", "user", "user", false)
+			// Find username by username in job table (match)
+			uresult, _ := r.FindColumnValue(user, searchterm, "job", "hpc_user", "hpc_user", false)
 			if uresult != "" {
-				return uresult, "", "", nil
+				return "", uresult, "", ""
 			}
-			// Find username by name (like)
-			nresult, _ := r.FindColumnValue(user, searchterm, "user", "username", "name", true)
+			// Find username by real name in hpc_user table (like)
+			nresult, _ := r.FindColumnValue(user, searchterm, "hpc_user", "username", "name", true)
 			if nresult != "" {
-				return nresult, "", "", nil
+				return "", nresult, "", ""
 			}
-			// Find projectId in jobs (match)
+			// Find projectId by projectId in job table (match)
 			presult, _ := r.FindColumnValue(user, searchterm, "job", "project", "project", false)
 			if presult != "" {
-				return "", presult, "", nil
-			}
-			// Still no return (or not authorized for above): Try JobName
-			// Match Metadata, on hit, parent method redirects to jobName GQL query
-			err := sq.Select("job.cluster").Distinct().From("job").
-				Where("job.meta_data LIKE ?", "%"+searchterm+"%").
-				RunWith(r.stmtCache).QueryRow().Scan(&metasnip)
-			if err != nil && err != sql.ErrNoRows {
-				return "", "", "", err
-			} else if err == nil {
-				return "", "", metasnip[0:1], nil
+				return "", "", presult, ""
 			}
 		}
-		return "", "", "", ErrNotFound
+		// Return searchterm if no match before: Forward as jobname query to GQL in handleSearchbar function
+		return "", "", "", searchterm
 	}
 }

-func (r *JobRepository) FindColumnValue(user *auth.User, searchterm string, table string, selectColumn string, whereColumn string, isLike bool) (result string, err error) {
+var (
+	ErrNotFound  = errors.New("no such jobname, project or user")
+	ErrForbidden = errors.New("not authorized")
+)
+
+func (r *JobRepository) FindColumnValue(user *schema.User, searchterm string, table string, selectColumn string, whereColumn string, isLike bool) (result string, err error) {
 	compareStr := " = ?"
 	query := searchterm
 	if isLike {
 		compareStr = " LIKE ?"
 		query = "%" + searchterm + "%"
 	}
-	if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		theQuery := sq.Select(table+"."+selectColumn).Distinct().From(table).
 			Where(table+"."+whereColumn+compareStr, query)

@@ -592,9 +357,9 @@ func (r *JobRepository) FindColumnValue(user *auth.User, searchterm string, tabl
 	}
 }

-func (r *JobRepository) FindColumnValues(user *auth.User, query string, table string, selectColumn string, whereColumn string) (results []string, err error) {
+func (r *JobRepository) FindColumnValues(user *schema.User, query string, table string, selectColumn string, whereColumn string) (results []string, err error) {
 	emptyResult := make([]string, 0)
-	if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		rows, err := sq.Select(table+"."+selectColumn).Distinct().From(table).
 			Where(table+"."+whereColumn+" LIKE ?", fmt.Sprint("%", query, "%")).
 			RunWith(r.stmtCache).Query()
@@ -626,7 +391,7 @@ func (r *JobRepository) Partitions(cluster string) ([]string, error) {
 	start := time.Now()
 	partitions := r.cache.Get("partitions:"+cluster, func() (interface{}, time.Duration, int) {
 		parts := []string{}
-		if err = r.DB.Select(&parts, `SELECT DISTINCT job.partition FROM job WHERE job.cluster = ?;`, cluster); err != nil {
+		if err = r.DB.Select(&parts, `SELECT DISTINCT job.cluster_partition FROM job WHERE job.cluster = ?;`, cluster); err != nil {
 			return nil, 0, 1000
 		}

@@ -635,14 +400,13 @@ func (r *JobRepository) Partitions(cluster string) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	log.Infof("Timer Partitions %s", time.Since(start))
+	log.Debugf("Timer Partitions %s", time.Since(start))
 	return partitions.([]string), nil
 }

 // AllocatedNodes returns a map of all subclusters to a map of hostnames to the amount of jobs running on that host.
 // Hosts with zero jobs running on them will not show up!
 func (r *JobRepository) AllocatedNodes(cluster string) (map[string]map[string]int, error) {
-
 	start := time.Now()
 	subclusters := make(map[string]map[string]int)
 	rows, err := sq.Select("resources", "subcluster").From("job").
@@ -680,12 +444,12 @@ func (r *JobRepository) AllocatedNodes(cluster string) (map[string]map[string]in
 		}
 	}

-	log.Infof("Timer AllocatedNodes %s", time.Since(start))
+	log.Debugf("Timer AllocatedNodes %s", time.Since(start))
 	return subclusters, nil
 }

+// FIXME: Set duration to requested walltime?
 func (r *JobRepository) StopJobsExceedingWalltimeBy(seconds int) error {
-
 	start := time.Now()
 	res, err := sq.Update("job").
 		Set("monitoring_status", schema.MonitoringStatusArchivingFailed).
@@ -709,12 +473,51 @@ func (r *JobRepository) StopJobsExceedingWalltimeBy(seconds int) error {
 	if rowsAffected > 0 {
 		log.Infof("%d jobs have been marked as failed due to running too long", rowsAffected)
 	}
-	log.Infof("Timer StopJobsExceedingWalltimeBy %s", time.Since(start))
+	log.Debugf("Timer StopJobsExceedingWalltimeBy %s", time.Since(start))
+	return nil
+}
+
+func (r *JobRepository) FindRunningJobs(cluster string) ([]*schema.Job, error) {
+	query := sq.Select(jobColumns...).From("job").
+		Where(fmt.Sprintf("job.cluster = '%s'", cluster)).
+		Where("job.job_state = 'running'").
+		Where("job.duration > 600")
+
+	rows, err := query.RunWith(r.stmtCache).Query()
+	if err != nil {
+		log.Error("Error while running query")
+		return nil, err
+	}
+
+	jobs := make([]*schema.Job, 0, 50)
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			rows.Close()
+			log.Warn("Error while scanning rows")
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	log.Infof("Return job count %d", len(jobs))
+	return jobs, nil
+}
+
+func (r *JobRepository) UpdateDuration() error {
+	stmnt := sq.Update("job").
+		Set("duration", sq.Expr("? - job.start_time", time.Now().Unix())).
+		Where("job_state = 'running'")
+
+	_, err := stmnt.RunWith(r.stmtCache).Exec()
+	if err != nil {
+		return err
+	}
+
 	return nil
 }

 func (r *JobRepository) FindJobsBetween(startTimeBegin int64, startTimeEnd int64) ([]*schema.Job, error) {
-
 	var query sq.SelectBuilder

 	if startTimeBegin == startTimeEnd || startTimeBegin > startTimeEnd {
@@ -722,9 +525,11 @@ func (r *JobRepository) FindJobsBetween(startTimeBegin int64, startTimeEnd int64
 	}

 	if startTimeBegin == 0 {
+		log.Infof("Find jobs before %d", startTimeEnd)
 		query = sq.Select(jobColumns...).From("job").Where(fmt.Sprintf(
 			"job.start_time < %d", startTimeEnd))
 	} else {
+		log.Infof("Find jobs between %d and %d", startTimeBegin, startTimeEnd)
 		query = sq.Select(jobColumns...).From("job").Where(fmt.Sprintf(
 			"job.start_time BETWEEN %d AND %d", startTimeBegin, startTimeEnd))
 	}
@@ -746,30 +551,122 @@ func (r *JobRepository) FindJobsBetween(startTimeBegin int64, startTimeEnd int64
 		jobs = append(jobs, job)
 	}

+	log.Infof("Return job count %d", len(jobs))
 	return jobs, nil
 }

-const NamedJobInsert string = `INSERT INTO job (
-	job_id, user, project, cluster, subcluster, ` + "`partition`" + `, array_job_id, num_nodes, num_hwthreads, num_acc,
-	exclusive, monitoring_status, smt, job_state, start_time, duration, walltime, resources, meta_data,
-	mem_used_max, flops_any_avg, mem_bw_avg, load_avg, net_bw_avg, net_data_vol_total, file_bw_avg, file_data_vol_total
-) VALUES (
-	:job_id, :user, :project, :cluster, :subcluster, :partition, :array_job_id, :num_nodes, :num_hwthreads, :num_acc,
-	:exclusive, :monitoring_status, :smt, :job_state, :start_time, :duration, :walltime, :resources, :meta_data,
-	:mem_used_max, :flops_any_avg, :mem_bw_avg, :load_avg, :net_bw_avg, :net_data_vol_total, :file_bw_avg, :file_data_vol_total
-);`
+func (r *JobRepository) UpdateMonitoringStatus(job int64, monitoringStatus int32) (err error) {
+	stmt := sq.Update("job").
+		Set("monitoring_status", monitoringStatus).
+		Where("job.id = ?", job)

-func (r *JobRepository) InsertJob(job *schema.Job) (int64, error) {
-	res, err := r.DB.NamedExec(NamedJobInsert, job)
-	if err != nil {
-		log.Warn("Error while NamedJobInsert")
-		return 0, err
-	}
-	id, err := res.LastInsertId()
-	if err != nil {
-		log.Warn("Error while getting last insert ID")
-		return 0, err
-	}
-
-	return id, nil
+	_, err = stmt.RunWith(r.stmtCache).Exec()
+	return
+}
+
+func (r *JobRepository) Execute(stmt sq.UpdateBuilder) error {
+	if _, err := stmt.RunWith(r.stmtCache).Exec(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *JobRepository) MarkArchived(
+	stmt sq.UpdateBuilder,
+	monitoringStatus int32,
+) sq.UpdateBuilder {
+	return stmt.Set("monitoring_status", monitoringStatus)
+}
+
+func (r *JobRepository) UpdateEnergy(
+	stmt sq.UpdateBuilder,
+	jobMeta *schema.JobMeta,
+) (sq.UpdateBuilder, error) {
+	/* Note: Only Called for Running Jobs during Intermediate Update or on Archiving */
+	sc, err := archive.GetSubCluster(jobMeta.Cluster, jobMeta.SubCluster)
+	if err != nil {
+		log.Errorf("cannot get subcluster: %s", err.Error())
+		return stmt, err
+	}
+	energyFootprint := make(map[string]float64)
+
+	// Total Job Energy Outside Loop
+	totalEnergy := 0.0
+	for _, fp := range sc.EnergyFootprint {
+		// Always Init Metric Energy Inside Loop
+		metricEnergy := 0.0
+		if i, err := archive.MetricIndex(sc.MetricConfig, fp); err == nil {
+			// Note: For DB data, calculate and save as kWh
+			if sc.MetricConfig[i].Energy == "energy" { // this metric has energy as unit (Joules or Wh)
+				log.Warnf("Update EnergyFootprint for Job %d and Metric %s on cluster %s: Set to 'energy' in cluster.json: Not implemented, will return 0.0", jobMeta.JobID, jobMeta.Cluster, fp)
+				// FIXME: Needs sum as stats type
+			} else if sc.MetricConfig[i].Energy == "power" { // this metric has power as unit (Watt)
+				// Energy: Power (in Watts) * Time (in Seconds)
+				// Unit: (W * (s / 3600)) / 1000 = kWh
+				// Round 2 Digits: round(Energy * 100) / 100
+				// Here: (All-Node Metric Average * Number of Nodes) * (Job Duration in Seconds / 3600) / 1000
+				// Note: Shared Jobs handled correctly since "Node Average" is based on partial resources, while "numNodes" factor is 1
+				rawEnergy := ((LoadJobStat(jobMeta, fp, "avg") * float64(jobMeta.NumNodes)) * (float64(jobMeta.Duration) / 3600.0)) / 1000.0
+				metricEnergy = math.Round(rawEnergy*100.0) / 100.0
+			}
+		} else {
+			log.Warnf("Error while collecting energy metric %s for job, DB ID '%v', return '0.0'", fp, jobMeta.ID)
+		}
+
+		energyFootprint[fp] = metricEnergy
+		totalEnergy += metricEnergy
+
+		// log.Infof("Metric %s Average %f -> %f kWh | Job %d Total -> %f kWh", fp, LoadJobStat(jobMeta, fp, "avg"), energy, jobMeta.JobID, totalEnergy)
+	}
+
+	var rawFootprint []byte
+	if rawFootprint, err = json.Marshal(energyFootprint); err != nil {
+		log.Warnf("Error while marshaling energy footprint for job INTO BYTES, DB ID '%v'", jobMeta.ID)
+		return stmt, err
+	}
+
+	return stmt.Set("energy_footprint", string(rawFootprint)).Set("energy", (math.Round(totalEnergy*100.0) / 100.0)), nil
+}
+
+func (r *JobRepository) UpdateFootprint(
+	stmt sq.UpdateBuilder,
+	jobMeta *schema.JobMeta,
+) (sq.UpdateBuilder, error) {
+	/* Note: Only Called for Running Jobs during Intermediate Update or on Archiving */
+	sc, err := archive.GetSubCluster(jobMeta.Cluster, jobMeta.SubCluster)
+	if err != nil {
+		log.Errorf("cannot get subcluster: %s", err.Error())
+		return stmt, err
+	}
+	footprint := make(map[string]float64)
+
+	for _, fp := range sc.Footprint {
+		var statType string
+		for _, gm := range archive.GlobalMetricList {
+			if gm.Name == fp {
+				statType = gm.Footprint
+			}
+		}
+
+		if statType != "avg" && statType != "min" && statType != "max" {
+			log.Warnf("unknown statType for footprint update: %s", statType)
+			return stmt, fmt.Errorf("unknown statType for footprint update: %s", statType)
+		}
+
+		if i, err := archive.MetricIndex(sc.MetricConfig, fp); err != nil {
+			statType = sc.MetricConfig[i].Footprint
+		}
+
+		name := fmt.Sprintf("%s_%s", fp, statType)
+		footprint[name] = LoadJobStat(jobMeta, fp, statType)
+	}
+
+	var rawFootprint []byte
+	if rawFootprint, err = json.Marshal(footprint); err != nil {
+		log.Warnf("Error while marshaling footprint for job INTO BYTES, DB ID '%v'", jobMeta.ID)
+		return stmt, err
+	}
+
+	return stmt.Set("footprint", string(rawFootprint)), nil
 }
--- a/internal/repository/jobCreate.go
+++ b/internal/repository/jobCreate.go
@@ -0,0 +1,75 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package repository
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	sq "github.com/Masterminds/squirrel"
+)
+
+const NamedJobInsert string = `INSERT INTO job (
+	job_id, hpc_user, project, cluster, subcluster, cluster_partition, array_job_id, num_nodes, num_hwthreads, num_acc,
+	exclusive, monitoring_status, smt, job_state, start_time, duration, walltime, footprint, energy, energy_footprint, resources, meta_data
+) VALUES (
+	:job_id, :hpc_user, :project, :cluster, :subcluster, :cluster_partition, :array_job_id, :num_nodes, :num_hwthreads, :num_acc,
+  :exclusive, :monitoring_status, :smt, :job_state, :start_time, :duration, :walltime, :footprint,  :energy, :energy_footprint, :resources, :meta_data
+);`
+
+func (r *JobRepository) InsertJob(job *schema.JobMeta) (int64, error) {
+	res, err := r.DB.NamedExec(NamedJobInsert, job)
+	if err != nil {
+		log.Warn("Error while NamedJobInsert")
+		return 0, err
+	}
+	id, err := res.LastInsertId()
+	if err != nil {
+		log.Warn("Error while getting last insert ID")
+		return 0, err
+	}
+
+	return id, nil
+}
+
+// Start inserts a new job in the table, returning the unique job ID.
+// Statistics are not transfered!
+func (r *JobRepository) Start(job *schema.JobMeta) (id int64, err error) {
+	job.RawFootprint, err = json.Marshal(job.Footprint)
+	if err != nil {
+		return -1, fmt.Errorf("REPOSITORY/JOB > encoding footprint field failed: %w", err)
+	}
+
+	job.RawResources, err = json.Marshal(job.Resources)
+	if err != nil {
+		return -1, fmt.Errorf("REPOSITORY/JOB > encoding resources field failed: %w", err)
+	}
+
+	job.RawMetaData, err = json.Marshal(job.MetaData)
+	if err != nil {
+		return -1, fmt.Errorf("REPOSITORY/JOB > encoding metaData field failed: %w", err)
+	}
+
+	return r.InsertJob(job)
+}
+
+// Stop updates the job with the database id jobId using the provided arguments.
+func (r *JobRepository) Stop(
+	jobId int64,
+	duration int32,
+	state schema.JobState,
+	monitoringStatus int32,
+) (err error) {
+	stmt := sq.Update("job").
+		Set("job_state", state).
+		Set("duration", duration).
+		Set("monitoring_status", monitoringStatus).
+		Where("job.id = ?", jobId)
+
+	_, err = stmt.RunWith(r.stmtCache).Exec()
+	return
+}
--- a/internal/repository/jobFind.go
+++ b/internal/repository/jobFind.go
@@ -0,0 +1,263 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	sq "github.com/Masterminds/squirrel"
+)
+
+// Find executes a SQL query to find a specific batch job.
+// The job is queried using the batch job id, the cluster name,
+// and the start time of the job in UNIX epoch time seconds.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) Find(
+	jobId *int64,
+	cluster *string,
+	startTime *int64,
+) (*schema.Job, error) {
+	start := time.Now()
+	q := sq.Select(jobColumns...).From("job").
+		Where("job.job_id = ?", *jobId)
+
+	if cluster != nil {
+		q = q.Where("job.cluster = ?", *cluster)
+	}
+	if startTime != nil {
+		q = q.Where("job.start_time = ?", *startTime)
+	}
+
+	q = q.OrderBy("job.id DESC") // always use newest matching job by db id if more than one match
+
+	log.Debugf("Timer Find %s", time.Since(start))
+	return scanJob(q.RunWith(r.stmtCache).QueryRow())
+}
+
+// Find executes a SQL query to find a specific batch job.
+// The job is queried using the batch job id, the cluster name,
+// and the start time of the job in UNIX epoch time seconds.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) FindAll(
+	jobId *int64,
+	cluster *string,
+	startTime *int64,
+) ([]*schema.Job, error) {
+	start := time.Now()
+	q := sq.Select(jobColumns...).From("job").
+		Where("job.job_id = ?", *jobId)
+
+	if cluster != nil {
+		q = q.Where("job.cluster = ?", *cluster)
+	}
+	if startTime != nil {
+		q = q.Where("job.start_time = ?", *startTime)
+	}
+
+	rows, err := q.RunWith(r.stmtCache).Query()
+	if err != nil {
+		log.Error("Error while running query")
+		return nil, err
+	}
+
+	jobs := make([]*schema.Job, 0, 10)
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			log.Warn("Error while scanning rows")
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+	log.Debugf("Timer FindAll %s", time.Since(start))
+	return jobs, nil
+}
+
+// FindById executes a SQL query to find a specific batch job.
+// The job is queried using the database id.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) FindById(ctx context.Context, jobId int64) (*schema.Job, error) {
+	q := sq.Select(jobColumns...).
+		From("job").Where("job.id = ?", jobId)
+
+	q, qerr := SecurityCheck(ctx, q)
+	if qerr != nil {
+		return nil, qerr
+	}
+
+	return scanJob(q.RunWith(r.stmtCache).QueryRow())
+}
+
+// FindByIdWithUser executes a SQL query to find a specific batch job.
+// The job is queried using the database id. The user is passed directly,
+// instead as part of the context.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) FindByIdWithUser(user *schema.User, jobId int64) (*schema.Job, error) {
+	q := sq.Select(jobColumns...).
+		From("job").Where("job.id = ?", jobId)
+
+	q, qerr := SecurityCheckWithUser(user, q)
+	if qerr != nil {
+		return nil, qerr
+	}
+
+	return scanJob(q.RunWith(r.stmtCache).QueryRow())
+}
+
+// FindByIdDirect executes a SQL query to find a specific batch job.
+// The job is queried using the database id.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) FindByIdDirect(jobId int64) (*schema.Job, error) {
+	q := sq.Select(jobColumns...).
+		From("job").Where("job.id = ?", jobId)
+	return scanJob(q.RunWith(r.stmtCache).QueryRow())
+}
+
+// FindByJobId executes a SQL query to find a specific batch job.
+// The job is queried using the slurm id and the clustername.
+// It returns a pointer to a schema.Job data structure and an error variable.
+// To check if no job was found test err == sql.ErrNoRows
+func (r *JobRepository) FindByJobId(ctx context.Context, jobId int64, startTime int64, cluster string) (*schema.Job, error) {
+	q := sq.Select(jobColumns...).
+		From("job").
+		Where("job.job_id = ?", jobId).
+		Where("job.cluster = ?", cluster).
+		Where("job.start_time = ?", startTime)
+
+	q, qerr := SecurityCheck(ctx, q)
+	if qerr != nil {
+		return nil, qerr
+	}
+
+	return scanJob(q.RunWith(r.stmtCache).QueryRow())
+}
+
+// IsJobOwner executes a SQL query to find a specific batch job.
+// The job is queried using the slurm id,a username and the cluster.
+// It returns a bool.
+// If job was found, user is owner: test err != sql.ErrNoRows
+func (r *JobRepository) IsJobOwner(jobId int64, startTime int64, user string, cluster string) bool {
+	q := sq.Select("id").
+		From("job").
+		Where("job.job_id = ?", jobId).
+		Where("job.hpc_user = ?", user).
+		Where("job.cluster = ?", cluster).
+		Where("job.start_time = ?", startTime)
+
+	_, err := scanJob(q.RunWith(r.stmtCache).QueryRow())
+	return err != sql.ErrNoRows
+}
+
+func (r *JobRepository) FindConcurrentJobs(
+	ctx context.Context,
+	job *schema.Job,
+) (*model.JobLinkResultList, error) {
+	if job == nil {
+		return nil, nil
+	}
+
+	query, qerr := SecurityCheck(ctx, sq.Select("job.id", "job.job_id", "job.start_time").From("job"))
+	if qerr != nil {
+		return nil, qerr
+	}
+
+	query = query.Where("cluster = ?", job.Cluster)
+	var startTime int64
+	var stopTime int64
+
+	startTime = job.StartTimeUnix
+	hostname := job.Resources[0].Hostname
+
+	if job.State == schema.JobStateRunning {
+		stopTime = time.Now().Unix()
+	} else {
+		stopTime = startTime + int64(job.Duration)
+	}
+
+	// Add 200s overlap for jobs start time at the end
+	startTimeTail := startTime + 10
+	stopTimeTail := stopTime - 200
+	startTimeFront := startTime + 200
+
+	queryRunning := query.Where("job.job_state = ?").Where("(job.start_time BETWEEN ? AND ? OR job.start_time < ?)",
+		"running", startTimeTail, stopTimeTail, startTime)
+	// Get At Least One Exact Hostname Match from JSON Resources Array in Database
+	queryRunning = queryRunning.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, '$.hostname') = ?)", hostname)
+
+	query = query.Where("job.job_state != ?").Where("((job.start_time BETWEEN ? AND ?) OR (job.start_time + job.duration) BETWEEN ? AND ? OR (job.start_time < ?) AND (job.start_time + job.duration) > ?)",
+		"running", startTimeTail, stopTimeTail, startTimeFront, stopTimeTail, startTime, stopTime)
+	// Get At Least One Exact Hostname Match from JSON Resources Array in Database
+	query = query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, '$.hostname') = ?)", hostname)
+
+	rows, err := query.RunWith(r.stmtCache).Query()
+	if err != nil {
+		log.Errorf("Error while running query: %v", err)
+		return nil, err
+	}
+
+	items := make([]*model.JobLink, 0, 10)
+	queryString := fmt.Sprintf("cluster=%s", job.Cluster)
+
+	for rows.Next() {
+		var id, jobId, startTime sql.NullInt64
+
+		if err = rows.Scan(&id, &jobId, &startTime); err != nil {
+			log.Warn("Error while scanning rows")
+			return nil, err
+		}
+
+		if id.Valid {
+			queryString += fmt.Sprintf("&jobId=%d", int(jobId.Int64))
+			items = append(items,
+				&model.JobLink{
+					ID:    fmt.Sprint(id.Int64),
+					JobID: int(jobId.Int64),
+				})
+		}
+	}
+
+	rows, err = queryRunning.RunWith(r.stmtCache).Query()
+	if err != nil {
+		log.Errorf("Error while running query: %v", err)
+		return nil, err
+	}
+
+	for rows.Next() {
+		var id, jobId, startTime sql.NullInt64
+
+		if err := rows.Scan(&id, &jobId, &startTime); err != nil {
+			log.Warn("Error while scanning rows")
+			return nil, err
+		}
+
+		if id.Valid {
+			queryString += fmt.Sprintf("&jobId=%d", int(jobId.Int64))
+			items = append(items,
+				&model.JobLink{
+					ID:    fmt.Sprint(id.Int64),
+					JobID: int(jobId.Int64),
+				})
+		}
+	}
+
+	cnt := len(items)
+
+	return &model.JobLinkResultList{
+		ListQuery: &queryString,
+		Items:     items,
+		Count:     &cnt,
+	}, nil
+}
--- a/internal/repository/jobQuery.go
+++ b/internal/repository/jobQuery.go
@@ -0,0 +1,342 @@
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package repository
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	sq "github.com/Masterminds/squirrel"
+)
+
+func (r *JobRepository) QueryJobs(
+	ctx context.Context,
+	filters []*model.JobFilter,
+	page *model.PageRequest,
+	order *model.OrderByInput,
+) ([]*schema.Job, error) {
+	query, qerr := SecurityCheck(ctx, sq.Select(jobColumns...).From("job"))
+	if qerr != nil {
+		return nil, qerr
+	}
+
+	if order != nil {
+		field := toSnakeCase(order.Field)
+		if order.Type == "col" {
+			// "col": Fixed column name query
+			switch order.Order {
+			case model.SortDirectionEnumAsc:
+				query = query.OrderBy(fmt.Sprintf("job.%s ASC", field))
+			case model.SortDirectionEnumDesc:
+				query = query.OrderBy(fmt.Sprintf("job.%s DESC", field))
+			default:
+				return nil, errors.New("REPOSITORY/QUERY > invalid sorting order for column")
+			}
+		} else {
+			// "foot": Order by footprint JSON field values
+			// Verify and Search Only in Valid Jsons
+			query = query.Where("JSON_VALID(meta_data)")
+			switch order.Order {
+			case model.SortDirectionEnumAsc:
+				query = query.OrderBy(fmt.Sprintf("JSON_EXTRACT(footprint, \"$.%s\") ASC", field))
+			case model.SortDirectionEnumDesc:
+				query = query.OrderBy(fmt.Sprintf("JSON_EXTRACT(footprint, \"$.%s\") DESC", field))
+			default:
+				return nil, errors.New("REPOSITORY/QUERY > invalid sorting order for footprint")
+			}
+		}
+	}
+
+	if page != nil && page.ItemsPerPage != -1 {
+		limit := uint64(page.ItemsPerPage)
+		query = query.Offset((uint64(page.Page) - 1) * limit).Limit(limit)
+	}
+
+	for _, f := range filters {
+		query = BuildWhereClause(f, query)
+	}
+
+	rows, err := query.RunWith(r.stmtCache).Query()
+	if err != nil {
+		queryString, queryVars, _ := query.ToSql()
+		log.Errorf("Error while running query '%s' %v: %v", queryString, queryVars, err)
+		return nil, err
+	}
+
+	jobs := make([]*schema.Job, 0, 50)
+	for rows.Next() {
+		job, err := scanJob(rows)
+		if err != nil {
+			rows.Close()
+			log.Warn("Error while scanning rows (Jobs)")
+			return nil, err
+		}
+		jobs = append(jobs, job)
+	}
+
+	return jobs, nil
+}
+
+func (r *JobRepository) CountJobs(
+	ctx context.Context,
+	filters []*model.JobFilter,
+) (int, error) {
+	// DISTICT count for tags filters, does not affect other queries
+	query, qerr := SecurityCheck(ctx, sq.Select("count(DISTINCT job.id)").From("job"))
+	if qerr != nil {
+		return 0, qerr
+	}
+
+	for _, f := range filters {
+		query = BuildWhereClause(f, query)
+	}
+
+	var count int
+	if err := query.RunWith(r.DB).Scan(&count); err != nil {
+		return 0, err
+	}
+
+	return count, nil
+}
+
+func SecurityCheckWithUser(user *schema.User, query sq.SelectBuilder) (sq.SelectBuilder, error) {
+	if user == nil {
+		var qnil sq.SelectBuilder
+		return qnil, fmt.Errorf("user context is nil")
+	}
+
+	switch {
+	case len(user.Roles) == 1 && user.HasRole(schema.RoleApi): // API-User : All jobs
+		return query, nil
+	case user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}): // Admin & Support : All jobs
+		return query, nil
+	case user.HasRole(schema.RoleManager): // Manager : Add filter for managed projects' jobs only + personal jobs
+		if len(user.Projects) != 0 {
+			return query.Where(sq.Or{sq.Eq{"job.project": user.Projects}, sq.Eq{"job.hpc_user": user.Username}}), nil
+		} else {
+			log.Debugf("Manager-User '%s' has no defined projects to lookup! Query only personal jobs ...", user.Username)
+			return query.Where("job.hpc_user = ?", user.Username), nil
+		}
+	case user.HasRole(schema.RoleUser): // User : Only personal jobs
+		return query.Where("job.hpc_user = ?", user.Username), nil
+	default: // No known Role, return error
+		var qnil sq.SelectBuilder
+		return qnil, fmt.Errorf("user has no or unknown roles")
+	}
+}
+
+func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (sq.SelectBuilder, error) {
+	user := GetUserFromContext(ctx)
+
+	return SecurityCheckWithUser(user, query)
+}
+
+// Build a sq.SelectBuilder out of a schema.JobFilter.
+func BuildWhereClause(filter *model.JobFilter, query sq.SelectBuilder) sq.SelectBuilder {
+	if filter.Tags != nil {
+		// This is an OR-Logic query: Returns all distinct jobs with at least one of the requested tags; TODO: AND-Logic query?
+		query = query.Join("jobtag ON jobtag.job_id = job.id").Where(sq.Eq{"jobtag.tag_id": filter.Tags}).Distinct()
+	}
+	if filter.JobID != nil {
+		query = buildStringCondition("job.job_id", filter.JobID, query)
+	}
+	if filter.ArrayJobID != nil {
+		query = query.Where("job.array_job_id = ?", *filter.ArrayJobID)
+	}
+	if filter.User != nil {
+		query = buildStringCondition("job.hpc_user", filter.User, query)
+	}
+	if filter.Project != nil {
+		query = buildStringCondition("job.project", filter.Project, query)
+	}
+	if filter.JobName != nil {
+		query = buildMetaJsonCondition("jobName", filter.JobName, query)
+	}
+	if filter.Cluster != nil {
+		query = buildStringCondition("job.cluster", filter.Cluster, query)
+	}
+	if filter.Partition != nil {
+		query = buildStringCondition("job.cluster_partition", filter.Partition, query)
+	}
+	if filter.StartTime != nil {
+		query = buildTimeCondition("job.start_time", filter.StartTime, query)
+	}
+	if filter.Duration != nil {
+		query = buildIntCondition("job.duration", filter.Duration, query)
+	}
+	if filter.MinRunningFor != nil {
+		now := time.Now().Unix() // There does not seam to be a portable way to get the current unix timestamp accross different DBs.
+		query = query.Where("(job.job_state != 'running' OR (? - job.start_time) > ?)", now, *filter.MinRunningFor)
+	}
+	if filter.Exclusive != nil {
+		query = query.Where("job.exclusive = ?", *filter.Exclusive)
+	}
+	if filter.State != nil {
+		states := make([]string, len(filter.State))
+		for i, val := range filter.State {
+			states[i] = string(val)
+		}
+
+		query = query.Where(sq.Eq{"job.job_state": states})
+	}
+	if filter.NumNodes != nil {
+		query = buildIntCondition("job.num_nodes", filter.NumNodes, query)
+	}
+	if filter.NumAccelerators != nil {
+		query = buildIntCondition("job.num_acc", filter.NumAccelerators, query)
+	}
+	if filter.NumHWThreads != nil {
+		query = buildIntCondition("job.num_hwthreads", filter.NumHWThreads, query)
+	}
+	if filter.Node != nil {
+		query = buildResourceJsonCondition("hostname", filter.Node, query)
+	}
+	if filter.Energy != nil {
+		query = buildFloatCondition("job.energy", filter.Energy, query)
+	}
+	if filter.MetricStats != nil {
+		for _, ms := range filter.MetricStats {
+			query = buildFloatJsonCondition(ms.MetricName, ms.Range, query)
+		}
+	}
+	return query
+}
+
+func buildIntCondition(field string, cond *schema.IntRange, query sq.SelectBuilder) sq.SelectBuilder {
+	return query.Where(field+" BETWEEN ? AND ?", cond.From, cond.To)
+}
+
+func buildFloatCondition(field string, cond *model.FloatRange, query sq.SelectBuilder) sq.SelectBuilder {
+	return query.Where(field+" BETWEEN ? AND ?", cond.From, cond.To)
+}
+
+func buildTimeCondition(field string, cond *schema.TimeRange, query sq.SelectBuilder) sq.SelectBuilder {
+	if cond.From != nil && cond.To != nil {
+		return query.Where(field+" BETWEEN ? AND ?", cond.From.Unix(), cond.To.Unix())
+	} else if cond.From != nil {
+		return query.Where("? <= "+field, cond.From.Unix())
+	} else if cond.To != nil {
+		return query.Where(field+" <= ?", cond.To.Unix())
+	} else if cond.Range != "" {
+		now := time.Now().Unix()
+		var then int64
+		switch cond.Range {
+		case "last6h":
+			then = now - (60 * 60 * 6)
+		case "last24h":
+			then = now - (60 * 60 * 24)
+		case "last7d":
+			then = now - (60 * 60 * 24 * 7)
+		case "last30d":
+			then = now - (60 * 60 * 24 * 30)
+		default:
+			log.Debugf("No known named timeRange: startTime.range = %s", cond.Range)
+			return query
+		}
+		return query.Where(field+" BETWEEN ? AND ?", then, now)
+	} else {
+		return query
+	}
+}
+
+func buildFloatJsonCondition(condName string, condRange *model.FloatRange, query sq.SelectBuilder) sq.SelectBuilder {
+	// Verify and Search Only in Valid Jsons
+	query = query.Where("JSON_VALID(footprint)")
+	return query.Where("JSON_EXTRACT(footprint, \"$."+condName+"\") BETWEEN ? AND ?", condRange.From, condRange.To)
+}
+
+func buildStringCondition(field string, cond *model.StringInput, query sq.SelectBuilder) sq.SelectBuilder {
+	if cond.Eq != nil {
+		return query.Where(field+" = ?", *cond.Eq)
+	}
+	if cond.Neq != nil {
+		return query.Where(field+" != ?", *cond.Neq)
+	}
+	if cond.StartsWith != nil {
+		return query.Where(field+" LIKE ?", fmt.Sprint(*cond.StartsWith, "%"))
+	}
+	if cond.EndsWith != nil {
+		return query.Where(field+" LIKE ?", fmt.Sprint("%", *cond.EndsWith))
+	}
+	if cond.Contains != nil {
+		return query.Where(field+" LIKE ?", fmt.Sprint("%", *cond.Contains, "%"))
+	}
+	if cond.In != nil {
+		queryElements := make([]string, len(cond.In))
+		copy(queryElements, cond.In)
+		return query.Where(sq.Or{sq.Eq{field: queryElements}})
+	}
+	return query
+}
+
+func buildMetaJsonCondition(jsonField string, cond *model.StringInput, query sq.SelectBuilder) sq.SelectBuilder {
+	// Verify and Search Only in Valid Jsons
+	query = query.Where("JSON_VALID(meta_data)")
+	// add "AND" Sql query Block for field match
+	if cond.Eq != nil {
+		return query.Where("JSON_EXTRACT(meta_data, \"$."+jsonField+"\") = ?", *cond.Eq)
+	}
+	if cond.Neq != nil {
+		return query.Where("JSON_EXTRACT(meta_data, \"$."+jsonField+"\") != ?", *cond.Neq)
+	}
+	if cond.StartsWith != nil {
+		return query.Where("JSON_EXTRACT(meta_data, \"$."+jsonField+"\") LIKE ?", fmt.Sprint(*cond.StartsWith, "%"))
+	}
+	if cond.EndsWith != nil {
+		return query.Where("JSON_EXTRACT(meta_data, \"$."+jsonField+"\") LIKE ?", fmt.Sprint("%", *cond.EndsWith))
+	}
+	if cond.Contains != nil {
+		return query.Where("JSON_EXTRACT(meta_data, \"$."+jsonField+"\") LIKE ?", fmt.Sprint("%", *cond.Contains, "%"))
+	}
+	return query
+}
+
+func buildResourceJsonCondition(jsonField string, cond *model.StringInput, query sq.SelectBuilder) sq.SelectBuilder {
+	// Verify and Search Only in Valid Jsons
+	query = query.Where("JSON_VALID(resources)")
+	// add "AND" Sql query Block for field match
+	if cond.Eq != nil {
+		return query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, \"$."+jsonField+"\") = ?)", *cond.Eq)
+	}
+	if cond.Neq != nil { // Currently Unused
+		return query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, \"$."+jsonField+"\") != ?)", *cond.Neq)
+	}
+	if cond.StartsWith != nil { // Currently Unused
+		return query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, \"$."+jsonField+"\")) LIKE ?)", fmt.Sprint(*cond.StartsWith, "%"))
+	}
+	if cond.EndsWith != nil { // Currently Unused
+		return query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, \"$."+jsonField+"\") LIKE ?)", fmt.Sprint("%", *cond.EndsWith))
+	}
+	if cond.Contains != nil {
+		return query.Where("EXISTS (SELECT 1 FROM json_each(job.resources) WHERE json_extract(value, \"$."+jsonField+"\") LIKE ?)", fmt.Sprint("%", *cond.Contains, "%"))
+	}
+	return query
+}
+
+var (
+	matchFirstCap = regexp.MustCompile("(.)([A-Z][a-z]+)")
+	matchAllCap   = regexp.MustCompile("([a-z0-9])([A-Z])")
+)
+
+func toSnakeCase(str string) string {
+	for _, c := range str {
+		if c == '\'' || c == '\\' {
+			log.Panic("toSnakeCase() attack vector!")
+		}
+	}
+
+	str = strings.ReplaceAll(str, "'", "")
+	str = strings.ReplaceAll(str, "\\", "")
+	snake := matchFirstCap.ReplaceAllString(str, "${1}_${2}")
+	snake = matchAllCap.ReplaceAllString(snake, "${1}_${2}")
+	return strings.ToLower(snake)
+}
--- a/internal/repository/job_test.go
+++ b/internal/repository/job_test.go
@@ -1,13 +1,15 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package repository

 import (
+	"context"
 	"fmt"
 	"testing"

+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	_ "github.com/mattn/go-sqlite3"
 )

@@ -30,7 +32,7 @@ func TestFind(t *testing.T) {
 func TestFindById(t *testing.T) {
 	r := setup(t)

-	job, err := r.FindById(5)
+	job, err := r.FindById(getContext(t), 5)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -45,7 +47,19 @@ func TestFindById(t *testing.T) {
 func TestGetTags(t *testing.T) {
 	r := setup(t)

-	tags, counts, err := r.CountTags(nil)
+	const contextUserKey ContextKey = "user"
+	contextUserValue := &schema.User{
+		Username:   "testuser",
+		Projects:   make([]string, 0),
+		Roles:      []string{"user"},
+		AuthType:   0,
+		AuthSource: 2,
+	}
+
+	ctx := context.WithValue(getContext(t), contextUserKey, contextUserValue)
+
+	// Test Tag has Scope "global"
+	tags, counts, err := r.CountTags(GetUserFromContext(ctx))
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/internal/repository/migration.go
+++ b/internal/repository/migration.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -16,7 +16,7 @@ import (
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 )

-const Version uint = 4
+const Version uint = 8

 //go:embed migrations/*
 var migrationFiles embed.FS
@@ -53,9 +53,11 @@ func checkDBVersion(backend string, db *sql.DB) error {
 		if err != nil {
 			return err
 		}
+	default:
+		log.Abortf("Migration: Unsupported database backend '%s'.\n", backend)
 	}

-	v, _, err := m.Version()
+	v, dirty, err := m.Version()
 	if err != nil {
 		if err == migrate.ErrNilVersion {
 			log.Warn("Legacy database without version or missing database file!")
@@ -65,19 +67,19 @@ func checkDBVersion(backend string, db *sql.DB) error {
 	}

 	if v < Version {
-		return fmt.Errorf("unsupported database version %d, need %d.\nPlease backup your database file and run cc-backend --migrate-db", v, Version)
+		return fmt.Errorf("unsupported database version %d, need %d.\nPlease backup your database file and run cc-backend -migrate-db", v, Version)
+	} else if v > Version {
+		return fmt.Errorf("unsupported database version %d, need %d.\nPlease refer to documentation how to downgrade db with external migrate tool", v, Version)
 	}

-	if v > Version {
-		return fmt.Errorf("unsupported database version %d, need %d.\nPlease refer to documentation how to downgrade db with external migrate tool", v, Version)
+	if dirty {
+		return fmt.Errorf("last migration to version %d has failed, please fix the db manually and force version with -force-db flag", Version)
 	}

 	return nil
 }

-func MigrateDB(backend string, db string) error {
-	var m *migrate.Migrate
-
+func getMigrateInstance(backend string, db string) (m *migrate.Migrate, err error) {
 	switch backend {
 	case "sqlite3":
 		d, err := iofs.New(migrationFiles, "migrations/sqlite3")
@@ -87,18 +89,37 @@ func MigrateDB(backend string, db string) error {

 		m, err = migrate.NewWithSourceInstance("iofs", d, fmt.Sprintf("sqlite3://%s?_foreign_keys=on", db))
 		if err != nil {
-			return err
+			return m, err
 		}
 	case "mysql":
 		d, err := iofs.New(migrationFiles, "migrations/mysql")
 		if err != nil {
-			return err
+			return m, err
 		}

 		m, err = migrate.NewWithSourceInstance("iofs", d, fmt.Sprintf("mysql://%s?multiStatements=true", db))
+		if err != nil {
+			return m, err
+		}
+	default:
+		log.Abortf("Migration: Unsupported database backend '%s'.\n", backend)
+	}
+
+	return m, nil
+}
+
+func MigrateDB(backend string, db string) error {
+	m, err := getMigrateInstance(backend, db)
 	if err != nil {
 		return err
 	}
+
+	v, dirty, err := m.Version()
+
+	log.Infof("unsupported database version %d, need %d.\nPlease backup your database file and run cc-backend -migrate-db", v, Version)
+
+	if dirty {
+		return fmt.Errorf("last migration to version %d has failed, please fix the db manually and force version with -force-db flag", Version)
 	}

 	if err := m.Up(); err != nil {
@@ -112,3 +133,35 @@ func MigrateDB(backend string, db string) error {
 	m.Close()
 	return nil
 }
+
+func RevertDB(backend string, db string) error {
+	m, err := getMigrateInstance(backend, db)
+	if err != nil {
+		return err
+	}
+
+	if err := m.Migrate(Version - 1); err != nil {
+		if err == migrate.ErrNoChange {
+			log.Info("DB already up to date!")
+		} else {
+			return err
+		}
+	}
+
+	m.Close()
+	return nil
+}
+
+func ForceDB(backend string, db string) error {
+	m, err := getMigrateInstance(backend, db)
+	if err != nil {
+		return err
+	}
+
+	if err := m.Force(int(Version)); err != nil {
+		return err
+	}
+
+	m.Close()
+	return nil
+}
--- a/internal/repository/migrations/mysql/05_extend-tags.down.sql
+++ b/internal/repository/migrations/mysql/05_extend-tags.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE tag DROP COLUMN insert_time;
+ALTER TABLE jobtag DROP COLUMN insert_time;
--- a/internal/repository/migrations/mysql/05_extend-tags.up.sql
+++ b/internal/repository/migrations/mysql/05_extend-tags.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE tag ADD COLUMN insert_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP;
+ALTER TABLE jobtag ADD COLUMN insert_time TIMESTAMP DEFAULT CURRENT_TIMESTAMP;
--- a/internal/repository/migrations/mysql/06_change-config.down.sql
+++ b/internal/repository/migrations/mysql/06_change-config.down.sql
@@ -0,0 +1 @@
+ALTER TABLE configuration MODIFY value VARCHAR(255);
--- a/internal/repository/migrations/mysql/06_change-config.up.sql
+++ b/internal/repository/migrations/mysql/06_change-config.up.sql
@@ -0,0 +1 @@
+ALTER TABLE configuration MODIFY value TEXT;
--- a/internal/repository/migrations/mysql/07_fix-tag-id.down.sql
+++ b/internal/repository/migrations/mysql/07_fix-tag-id.down.sql
@@ -0,0 +1,3 @@
+SET FOREIGN_KEY_CHECKS = 0;
+ALTER TABLE tag MODIFY id INTEGER;
+SET FOREIGN_KEY_CHECKS = 1;
--- a/internal/repository/migrations/mysql/07_fix-tag-id.up.sql
+++ b/internal/repository/migrations/mysql/07_fix-tag-id.up.sql
@@ -0,0 +1,3 @@
+SET FOREIGN_KEY_CHECKS = 0;
+ALTER TABLE tag MODIFY id INTEGER AUTO_INCREMENT;
+SET FOREIGN_KEY_CHECKS = 1;
--- a/internal/repository/migrations/mysql/08_add-footprint.down.sql
+++ b/internal/repository/migrations/mysql/08_add-footprint.down.sql
@@ -0,0 +1,83 @@
+ALTER TABLE job DROP energy;
+ALTER TABLE job DROP energy_footprint;
+ALTER TABLE job ADD COLUMN flops_any_avg;
+ALTER TABLE job ADD COLUMN mem_bw_avg;
+ALTER TABLE job ADD COLUMN mem_used_max;
+ALTER TABLE job ADD COLUMN load_avg;
+ALTER TABLE job ADD COLUMN net_bw_avg;
+ALTER TABLE job ADD COLUMN net_data_vol_total;
+ALTER TABLE job ADD COLUMN file_bw_avg;
+ALTER TABLE job ADD COLUMN file_data_vol_total;
+
+UPDATE job SET flops_any_avg = json_extract(footprint, '$.flops_any_avg');
+UPDATE job SET mem_bw_avg = json_extract(footprint, '$.mem_bw_avg');
+UPDATE job SET mem_used_max = json_extract(footprint, '$.mem_used_max');
+UPDATE job SET load_avg = json_extract(footprint, '$.cpu_load_avg');
+UPDATE job SET net_bw_avg = json_extract(footprint, '$.net_bw_avg');
+UPDATE job SET net_data_vol_total = json_extract(footprint, '$.net_data_vol_total');
+UPDATE job SET file_bw_avg = json_extract(footprint, '$.file_bw_avg');
+UPDATE job SET file_data_vol_total = json_extract(footprint, '$.file_data_vol_total');
+
+ALTER TABLE job DROP footprint;
+-- Do not use reserved keywords anymore
+RENAME TABLE hpc_user TO `user`;
+ALTER TABLE job RENAME COLUMN hpc_user TO `user`;
+ALTER TABLE job RENAME COLUMN cluster_partition TO `partition`;
+
+DROP INDEX IF EXISTS jobs_cluster;
+DROP INDEX IF EXISTS jobs_cluster_user;
+DROP INDEX IF EXISTS jobs_cluster_project;
+DROP INDEX IF EXISTS jobs_cluster_subcluster;
+DROP INDEX IF EXISTS jobs_cluster_starttime;
+DROP INDEX IF EXISTS jobs_cluster_duration;
+DROP INDEX IF EXISTS jobs_cluster_numnodes;
+
+DROP INDEX IF EXISTS jobs_cluster_partition;
+DROP INDEX IF EXISTS jobs_cluster_partition_starttime;
+DROP INDEX IF EXISTS jobs_cluster_partition_duration;
+DROP INDEX IF EXISTS jobs_cluster_partition_numnodes;
+
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate;
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate_user;
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate_project;
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate_starttime;
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate_duration;
+DROP INDEX IF EXISTS jobs_cluster_partition_jobstate_numnodes;
+
+DROP INDEX IF EXISTS jobs_cluster_jobstate;
+DROP INDEX IF EXISTS jobs_cluster_jobstate_user;
+DROP INDEX IF EXISTS jobs_cluster_jobstate_project;
+
+DROP INDEX IF EXISTS jobs_cluster_jobstate_starttime;
+DROP INDEX IF EXISTS jobs_cluster_jobstate_duration;
+DROP INDEX IF EXISTS jobs_cluster_jobstate_numnodes;
+
+DROP INDEX IF EXISTS jobs_user;
+DROP INDEX IF EXISTS jobs_user_starttime;
+DROP INDEX IF EXISTS jobs_user_duration;
+DROP INDEX IF EXISTS jobs_user_numnodes;
+
+DROP INDEX IF EXISTS jobs_project;
+DROP INDEX IF EXISTS jobs_project_user;
+DROP INDEX IF EXISTS jobs_project_starttime;
+DROP INDEX IF EXISTS jobs_project_duration;
+DROP INDEX IF EXISTS jobs_project_numnodes;
+
+DROP INDEX IF EXISTS jobs_jobstate;
+DROP INDEX IF EXISTS jobs_jobstate_user;
+DROP INDEX IF EXISTS jobs_jobstate_project;
+DROP INDEX IF EXISTS jobs_jobstate_starttime;
+DROP INDEX IF EXISTS jobs_jobstate_duration;
+DROP INDEX IF EXISTS jobs_jobstate_numnodes;
+
+DROP INDEX IF EXISTS jobs_arrayjobid_starttime;
+DROP INDEX IF EXISTS jobs_cluster_arrayjobid_starttime;
+
+DROP INDEX IF EXISTS jobs_starttime;
+DROP INDEX IF EXISTS jobs_duration;
+DROP INDEX IF EXISTS jobs_numnodes;
+
+DROP INDEX IF EXISTS jobs_duration_starttime;
+DROP INDEX IF EXISTS jobs_numnodes_starttime;
+DROP INDEX IF EXISTS jobs_numacc_starttime;
+DROP INDEX IF EXISTS jobs_energy_starttime;
--- a/internal/repository/migrations/mysql/08_add-footprint.up.sql
+++ b/internal/repository/migrations/mysql/08_add-footprint.up.sql
@@ -0,0 +1,123 @@
+DROP INDEX IF EXISTS job_stats ON job;
+DROP INDEX IF EXISTS job_by_user ON job;
+DROP INDEX IF EXISTS job_by_starttime ON job;
+DROP INDEX IF EXISTS job_by_job_id ON job;
+DROP INDEX IF EXISTS job_list ON job;
+DROP INDEX IF EXISTS job_list_user ON job;
+DROP INDEX IF EXISTS job_list_users ON job;
+DROP INDEX IF EXISTS job_list_users_start ON job;
+
+ALTER TABLE job ADD COLUMN energy REAL NOT NULL DEFAULT 0.0;
+ALTER TABLE job ADD COLUMN energy_footprint JSON;
+
+ALTER TABLE job ADD COLUMN footprint JSON;
+ALTER TABLE tag ADD COLUMN tag_scope TEXT NOT NULL DEFAULT 'global';
+
+-- Do not use reserved keywords anymore
+RENAME TABLE `user` TO hpc_user;
+ALTER TABLE job RENAME COLUMN `user` TO hpc_user;
+ALTER TABLE job RENAME COLUMN `partition` TO cluster_partition;
+
+ALTER TABLE job MODIFY COLUMN cluster VARCHAR(50);
+ALTER TABLE job MODIFY COLUMN hpc_user VARCHAR(50);
+ALTER TABLE job MODIFY COLUMN subcluster VARCHAR(50);
+ALTER TABLE job MODIFY COLUMN project VARCHAR(50);
+ALTER TABLE job MODIFY COLUMN cluster_partition VARCHAR(50);
+ALTER TABLE job MODIFY COLUMN job_state VARCHAR(25);
+
+UPDATE job SET footprint = '{"flops_any_avg": 0.0}';
+UPDATE job SET footprint = json_replace(footprint, '$.flops_any_avg', job.flops_any_avg);
+UPDATE job SET footprint = json_insert(footprint, '$.mem_bw_avg', job.mem_bw_avg);
+UPDATE job SET footprint = json_insert(footprint, '$.mem_used_max', job.mem_used_max);
+UPDATE job SET footprint = json_insert(footprint, '$.cpu_load_avg', job.load_avg);
+UPDATE job SET footprint = json_insert(footprint, '$.net_bw_avg', job.net_bw_avg) WHERE job.net_bw_avg != 0;
+UPDATE job SET footprint = json_insert(footprint, '$.net_data_vol_total', job.net_data_vol_total) WHERE job.net_data_vol_total != 0;
+UPDATE job SET footprint = json_insert(footprint, '$.file_bw_avg', job.file_bw_avg) WHERE job.file_bw_avg != 0;
+UPDATE job SET footprint = json_insert(footprint, '$.file_data_vol_total', job.file_data_vol_total) WHERE job.file_data_vol_total != 0;
+
+ALTER TABLE job DROP flops_any_avg;
+ALTER TABLE job DROP mem_bw_avg;
+ALTER TABLE job DROP mem_used_max;
+ALTER TABLE job DROP load_avg;
+ALTER TABLE job DROP net_bw_avg;
+ALTER TABLE job DROP net_data_vol_total;
+ALTER TABLE job DROP file_bw_avg;
+ALTER TABLE job DROP file_data_vol_total;
+
+-- Indices for: Single filters, combined filters, sorting, sorting with filters
+-- Cluster Filter
+CREATE INDEX IF NOT EXISTS jobs_cluster ON job (cluster);
+CREATE INDEX IF NOT EXISTS jobs_cluster_user ON job (cluster, hpc_user);
+CREATE INDEX IF NOT EXISTS jobs_cluster_project ON job (cluster, project);
+CREATE INDEX IF NOT EXISTS jobs_cluster_subcluster ON job (cluster, subcluster);
+-- Cluster Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_cluster_starttime ON job (cluster, start_time);
+CREATE INDEX IF NOT EXISTS jobs_cluster_duration ON job (cluster, duration);
+CREATE INDEX IF NOT EXISTS jobs_cluster_numnodes ON job (cluster, num_nodes);
+
+-- Cluster+Partition Filter
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition ON job (cluster, cluster_partition);
+-- Cluster+Partition Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_starttime ON job (cluster, cluster_partition, start_time);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_duration ON job (cluster, cluster_partition, duration);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_numnodes ON job (cluster, cluster_partition, num_nodes);
+
+-- Cluster+Partition+Jobstate Filter
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate ON job (cluster, cluster_partition, job_state);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate_user ON job (cluster, cluster_partition, job_state, hpc_user);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate_project ON job (cluster, cluster_partition, job_state, project);
+-- Cluster+Partition+Jobstate Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate_starttime ON job (cluster, cluster_partition, job_state, start_time);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate_duration ON job (cluster, cluster_partition, job_state, duration);
+CREATE INDEX IF NOT EXISTS jobs_cluster_partition_jobstate_numnodes ON job (cluster, cluster_partition, job_state, num_nodes);
+
+-- Cluster+JobState Filter
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate ON job (cluster, job_state);
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate_user ON job (cluster, job_state, hpc_user);
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate_project ON job (cluster, job_state, project);
+-- Cluster+JobState Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate_starttime ON job (cluster, job_state, start_time);
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate_duration ON job (cluster, job_state, duration);
+CREATE INDEX IF NOT EXISTS jobs_cluster_jobstate_numnodes ON job (cluster, job_state, num_nodes);
+
+-- User Filter
+CREATE INDEX IF NOT EXISTS jobs_user ON job (hpc_user);
+-- User Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_user_starttime ON job (hpc_user, start_time);
+CREATE INDEX IF NOT EXISTS jobs_user_duration ON job (hpc_user, duration);
+CREATE INDEX IF NOT EXISTS jobs_user_numnodes ON job (hpc_user, num_nodes);
+
+-- Project Filter
+CREATE INDEX IF NOT EXISTS jobs_project ON job (project);
+CREATE INDEX IF NOT EXISTS jobs_project_user ON job (project, hpc_user);
+-- Project Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_project_starttime ON job (project, start_time);
+CREATE INDEX IF NOT EXISTS jobs_project_duration ON job (project, duration);
+CREATE INDEX IF NOT EXISTS jobs_project_numnodes ON job (project, num_nodes);
+
+-- JobState Filter
+CREATE INDEX IF NOT EXISTS jobs_jobstate ON job (job_state);
+CREATE INDEX IF NOT EXISTS jobs_jobstate_user ON job (job_state, hpc_user);
+CREATE INDEX IF NOT EXISTS jobs_jobstate_project ON job (job_state, project);
+CREATE INDEX IF NOT EXISTS jobs_jobstate_cluster ON job (job_state, cluster);
+-- JobState Filter Sorting
+CREATE INDEX IF NOT EXISTS jobs_jobstate_starttime ON job (job_state, start_time);
+CREATE INDEX IF NOT EXISTS jobs_jobstate_duration ON job (job_state, duration);
+CREATE INDEX IF NOT EXISTS jobs_jobstate_numnodes ON job (job_state, num_nodes);
+
+-- ArrayJob Filter
+CREATE INDEX IF NOT EXISTS jobs_arrayjobid_starttime ON job (array_job_id, start_time);
+CREATE INDEX IF NOT EXISTS jobs_cluster_arrayjobid_starttime ON job (cluster, array_job_id, start_time);
+
+-- Sorting without active filters
+CREATE INDEX IF NOT EXISTS jobs_starttime ON job (start_time);
+CREATE INDEX IF NOT EXISTS jobs_duration ON job (duration);
+CREATE INDEX IF NOT EXISTS jobs_numnodes ON job (num_nodes);
+
+-- Single filters with default starttime sorting
+CREATE INDEX IF NOT EXISTS jobs_duration_starttime ON job (duration, start_time);
+CREATE INDEX IF NOT EXISTS jobs_numnodes_starttime ON job (num_nodes, start_time);
+CREATE INDEX IF NOT EXISTS jobs_numacc_starttime ON job (num_acc, start_time);
+CREATE INDEX IF NOT EXISTS jobs_energy_starttime ON job (energy, start_time);
+
+-- Optimize DB index usage
--- a/internal/repository/migrations/sqlite3/04_add-constraints.up.sql
+++ b/internal/repository/migrations/sqlite3/04_add-constraints.up.sql
@@ -30,6 +30,8 @@ file_bw_avg         REAL NOT NULL DEFAULT 0.0,
 file_data_vol_total REAL NOT NULL DEFAULT 0.0,
 UNIQUE (job_id, cluster, start_time));

+
+UPDATE job SET job_state='cancelled' WHERE job_state='canceled';
 INSERT INTO job_new SELECT * FROM job;
 DROP TABLE job;
 ALTER TABLE job_new RENAME TO job;
--- a/internal/repository/migrations/sqlite3/05_extend-tags.down.sql
+++ b/internal/repository/migrations/sqlite3/05_extend-tags.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE tag DROP COLUMN insert_time;
+ALTER TABLE jobtag DROP COLUMN insert_time;
--- a/internal/repository/migrations/sqlite3/05_extend-tags.up.sql
+++ b/internal/repository/migrations/sqlite3/05_extend-tags.up.sql
@@ -0,0 +1,18 @@
+ALTER TABLE tag ADD COLUMN insert_ts TEXT DEFAULT NULL /* replace me */;
+ALTER TABLE jobtag ADD COLUMN insert_ts TEXT DEFAULT NULL /* replace me */;
+UPDATE tag SET insert_ts = CURRENT_TIMESTAMP;
+UPDATE jobtag SET insert_ts = CURRENT_TIMESTAMP;
+PRAGMA writable_schema = on;
+
+UPDATE sqlite_master
+SET sql = replace(sql, 'DEFAULT NULL /* replace me */',
+                       'DEFAULT CURRENT_TIMESTAMP')
+WHERE type = 'table'
+  AND name = 'tag';
+UPDATE sqlite_master
+SET sql = replace(sql, 'DEFAULT NULL /* replace me */',
+                       'DEFAULT CURRENT_TIMESTAMP')
+WHERE type = 'table'
+  AND name = 'jobtag';
+
+PRAGMA writable_schema = off;
--- a/internal/repository/migrations/sqlite3/06_change-config.down.sql
+++ b/internal/repository/migrations/sqlite3/06_change-config.down.sql
@@ -0,0 +1,10 @@
+CREATE TABLE IF NOT EXISTS configuration_new (
+username varchar(255),
+confkey  varchar(255),
+value    varchar(255),
+PRIMARY KEY (username, confkey),
+FOREIGN KEY (username) REFERENCES user (username) ON DELETE CASCADE ON UPDATE NO ACTION);
+
+INSERT INTO configuration_new SELECT * FROM configuration;
+DROP TABLE configuration;
+ALTER TABLE configuration_new RENAME TO configuration;
--- a/internal/repository/migrations/sqlite3/06_change-config.up.sql
+++ b/internal/repository/migrations/sqlite3/06_change-config.up.sql
@@ -0,0 +1,10 @@
+CREATE TABLE IF NOT EXISTS configuration_new (
+username varchar(255),
+confkey  varchar(255),
+value    text,
+PRIMARY KEY (username, confkey),
+FOREIGN KEY (username) REFERENCES user (username) ON DELETE CASCADE ON UPDATE NO ACTION);
+
+INSERT INTO configuration_new SELECT * FROM configuration;
+DROP TABLE configuration;
+ALTER TABLE configuration_new RENAME TO configuration;
--- a/internal/repository/migrations/sqlite3/07_fix-tag-id.down.sql
+++ b/internal/repository/migrations/sqlite3/07_fix-tag-id.down.sql
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`ALTER TABLE configuration MODIFY value VARCHAR(255);`