diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md
new file mode 100644
index 0000000..c9c17f7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -0,0 +1,28 @@
+---
+name: Bug Report
+about: Use this to report a new bug
+
+---
+
+### Expected Behavior
+<!--- Tell us what should happen -->
+
+### Current Behavior
+<!--- Tell us what happens instead of the expected behavior -->
+
+### Possible Solution
+<!--- Not obligatory, but suggest a fix/reason for the bug, -->
+
+### Steps to Reproduce
+<!--- Provide a link to a live example, or an unambiguous set of steps to -->
+<!--- reproduce this bug. Include code to reproduce, if relevant -->
+1.
+2.
+3.
+4.
+
+### Context (Environment)
+<!--- How has this issue affected you? What are you trying to accomplish? -->
+<!--- Providing context helps us come up with a solution that is most useful in the real world -->
+
+<!--- Provide a general summary of the issue in the Title above -->
diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md
new file mode 100644
index 0000000..d82023b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -0,0 +1,14 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+
+---
+
+### Description
+<!-- What use case are you trying to solve with this feature -->
+
+### Proposed solution
+<!-- A clear and concise description of what you want to happen -->
+
+### Definition of Done
+<!-- How to know this is implemeted. Preferably one short sentence -->
diff --git a/.github/ISSUE_TEMPLATE/new-sprint-task.md b/.github/ISSUE_TEMPLATE/new-sprint-task.md
new file mode 100644
index 0000000..5d9134e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/new-sprint-task.md
@@ -0,0 +1,14 @@
+---
+name: Sprint Task
+about: Use when creating a new task in a sprint
+
+---
+
+### Description
+<!-- What are you working on -->
+
+### Definition of Done
+<!-- How to know when the task is done. -->
+
+### How to test
+<!-- How can someone else verify the task, can be test-suite or something else -->
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..9b51b4e
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,39 @@
+<!-- Lines like this one are comments and will not be shown in the final output. -->
+<!-- Make sure that you have read the "Contributing" section of the README and also the notes in CodingStyle. -->
+<!-- If you are a collaborator, please add labels and assign other collaborators for a review. -->
+
+### Describe the pull request:
+<!-- Replace [ ] with [x] to select options. -->
+- [ ] Bug fix
+- [ ] Functional change
+- [ ] New feature
+- [ ] Code cleanup
+- [ ] Build system change
+- [ ] Documentation change
+- [ ] Language translation
+
+### Pull request long description:
+<!-- Describe your pull request in detail. -->
+
+### Changes made:
+<!-- Enumerate the changes with 1), 2), 3) etc. -->
+<!-- Ensure the test cases are updated if needed. -->
+
+### Related issues:
+<!-- Reference issues with #<issue-num>. -->
+<!-- Write "Fixes #<issue-num>" to notify Github that this PR fixes an issue. -->
+
+### Additional information:
+<!-- Include sample dive log or other relevant information to allow testing the change where feasible. -->
+
+### Release note:
+<!-- Describe if this change needs a release note present in CHANGELOG.md. -->
+<!-- Also, please make sure to add the release note on top of the file CHANGELOG.md. -->
+
+### Documentation change:
+<!-- If this PR makes changes to user functionality, then the documentation has to be updated too. -->
+<!-- Please, briefly outline here what has changed in terms of the user experience (UX). -->
+<!-- If UX changes have been made, a maintainer should apply the 'needs-documentation-change' label. -->
+
+### Mentions:
+<!-- Mention users that you want to review your pull request with @<user-name>. Leave empty if not sure. -->
diff --git a/.github/workflows/tag_and_build.yaml b/.github/workflows/tag_and_build.yaml
new file mode 100644
index 0000000..b93dd37
--- /dev/null
+++ b/.github/workflows/tag_and_build.yaml
@@ -0,0 +1,71 @@
+name: Bump version
+on:
+  push:
+    branches:
+    - master
+jobs:
+  tag:
+    name: bump tags
+    outputs:
+      part: ${{ steps.bump_tag.outputs.part }}
+      tag: ${{ steps.bump_tag.outputs.tag }}
+      new_tag: ${{ steps.bump_tag.outputs.new_tag }}
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: '1'
+    - name: Bump version and push tag
+      id: bump_tag
+      uses: anothrNick/github-tag-action@1.36.0
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        WITH_V: true
+        DEFAULT_BUMP: patch
+
+  push_to_registry:
+    needs: tag
+    if: needs.tag.outputs.part != ''
+    name: Push Docker image to Github Container registry
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Log in to the Github Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1 
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/${{ github.repository }}
+      
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ needs.tag.outputs.tag }}
+            ghcr.io/${{ github.repository }}:latest
+            ${{ github.repository }}:${{ needs.tag.outputs.tag }}
+            ${{ github.repository }}:latest
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+            org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            org.opencontainers.image.revision=${{ github.sha }}
diff --git a/Dockerfile b/Dockerfile
index e9fe3db..ae10c90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,28 @@
-FROM rabbitmq:3.6.14-management
+FROM rabbitmq:3.8.16-management-alpine
 
-EXPOSE 5672 15672
+ARG BUILD_DATE
+ARG SOURCE_COMMIT
 
-VOLUME /var/lib/rabbitmq
+LABEL maintainer "EGA System Developers"
+LABEL org.label-schema.schema-version="1.0"
+LABEL org.label-schema.build-date=$BUILD_DATE
+LABEL org.label-schema.vcs-url="https://github.com/neicnordic/LocalEGA-mq"
+LABEL org.label-schema.vcs-ref=$SOURCE_COMMIT
 
-RUN mkdir -p /etc/rabbitmq/ && \
-    chown -R rabbitmq:rabbitmq /etc/rabbitmq
+ENV RABBITMQ_CONFIG_FILE=/var/lib/rabbitmq/rabbitmq
+ENV RABBITMQ_ADVANCED_CONFIG_FILE=/var/lib/rabbitmq/advanced
+ENV RABBITMQ_LOG_BASE=/var/lib/rabbitmq
 
-# Initialization
-RUN rabbitmq-plugins enable --offline rabbitmq_federation            && \
-    rabbitmq-plugins enable --offline rabbitmq_federation_management && \
-    rabbitmq-plugins enable --offline rabbitmq_shovel                && \
-    rabbitmq-plugins enable --offline rabbitmq_shovel_management
+RUN apk add --no-cache ca-certificates openssl
 
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN chmod 755 /usr/local/bin/entrypoint.sh
+RUN rabbitmq-plugins enable --offline rabbitmq_federation rabbitmq_federation_management rabbitmq_shovel rabbitmq_shovel_management
+
+COPY entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+USER 100:101
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 
-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 CMD ["rabbitmq-server"]
diff --git a/README.md b/README.md
index ae786c8..5ac233b 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,46 @@
-# LocalEGA internal message broker in a docker image
+# NeIC SDA internal message broker in a docker image
 
-We use [RabbitMQ 3.6.14](https://hub.docker.com/_/rabbitmq) including the management plugins.
+We use [RabbitMQ 3.8.16](https://hub.docker.com/_/rabbitmq) including the management plugins.
+
+## Configuration
 
 The following environment variables can be used to configure the broker:
 
 | Variable | Description |
 |---------:|:------------|
+| `MQ_VHOST` | Default vhost other than `/` |
+| `MQ_VERIFY` | Set to `verify_none` to disable verification of client certificate |
 | `MQ_USER` | Default user (with admin rights) |
 | `MQ_PASSWORD_HASH` | Password hash for the above user |
 | `CEGA_CONNECTION` | DSN URL for the shovels and federated queues with CentralEGA |
+| `MQ_SERVER_CERT` | Path to the server SSL certificate |
+| `MQ_SERVER_KEY` | Path to the server SSL key |
+| `MQ_CA` | Path to the CA root certificate |
+| `MQ_VERIFY` | Require client certificates (`verify_peer` or `verify_none`)
+| `NOTLS` | Run the server without SSL |
 
 If you want persistent data, you can use a named volume or a bind-mount and make it point to `/var/lib/rabbitmq`.
+
+## Sample Docker Compose definition
+
+```docker-compose
+version: '3.3'
+
+services:
+
+  mq:
+    image: egarchive/lega-mq:latest
+    hostname: mq
+    ports:
+      - "5672:5672"
+      - "15672:15672"
+    environment:
+      - MQ_VHOST=vhost
+      - MQ_USER=admin
+      - MQ_PASSWORD_HASH=4tHURqDiZzypw0NTvoHhpn8/MMgONWonWxgRZ4NXgR8nZRBz
+      - NOTLS=true
+      - CEGA_CONNECTION
+
+```
+
+Run `docker-compose up -d` to test it.
diff --git a/entrypoint.sh b/entrypoint.sh
index 709f08e..edf4be8 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,137 +1,588 @@
-#!/bin/bash
+#!/bin/sh
 
-set -e
-set -x
+[ -z "${MQ_USER}" ] && echo 'Environment variable MQ_USER is empty' 1>&2 && exit 1
+[ -z "${MQ_PASSWORD_HASH}" ] && echo 'Environment variable MQ_PASSWORD_HASH is empty' 1>&2 && exit 1
 
-[[ -z "${CEGA_CONNECTION}" ]] && echo 'Environment CEGA_CONNECTION is empty' 1>&2 && exit 1
-[[ -z "${MQ_USER}" ]] && echo 'Environment MQ_USER is empty' 1>&2 && exit 1
-[[ -z "${MQ_PASSWORD_HASH}" ]] && echo 'Environment MQ_PASSWORD_HASH is empty' 1>&2 && exit 1
+if [ -n "${NOTLS+x}" ]; then
+	echo "Disabeling TLS"
+	unset MQ_SERVER_CERT
+	unset MQ_SERVER_KEY
+	unset MQ_CA
+	cat > "/var/lib/rabbitmq/rabbitmq.conf" <<-EOF
+	listeners.tcp.default = 5672
+	disk_free_limit.absolute = 1GB
+	management.tcp.port = 15672
+	management.load_definitions = /var/lib/rabbitmq/definitions.json
+	default_vhost = ${MQ_VHOST:-/}
+	EOF
+else
+	if [ -e "${MQ_SERVER_CERT}" ] || [ -e "${MQ_SERVER_KEY}" ]; then
+		echo "Enabeling TLS"
+		cat > "/var/lib/rabbitmq/rabbitmq.conf" <<-EOF
+		listeners.ssl.default = 5671
+		ssl_options.certfile = ${MQ_SERVER_CERT}
+		ssl_options.keyfile = ${MQ_SERVER_KEY}
+		ssl_options.versions.1 = tlsv1.2
+		disk_free_limit.absolute = 1GB
+		management.ssl.port = 15672
+		management.ssl.certfile   = ${MQ_SERVER_CERT}
+		management.ssl.keyfile    = ${MQ_SERVER_KEY}
+		management.load_definitions = /var/lib/rabbitmq/definitions.json
+		default_vhost = ${MQ_VHOST:-/}
+		EOF
 
-cat > /etc/rabbitmq/defs.json <<EOF
-{"rabbit_version":"3.6.14",
- "users":[{"name":"${MQ_USER}","password_hash":"${MQ_PASSWORD_HASH}","hashing_algorithm":"rabbit_password_hashing_sha256","tags":"administrator"}],
- "vhosts":[{"name":"/"}],
- "permissions":[{"user":"guest","vhost":"/","configure":".*","write":".*","read":".*"}],
- "parameters":[],
- "global_parameters":[{"name":"cluster_name","value":"rabbit@localhost"}],
- "policies":[],
- "queues":[{"name":"files","vhost":"/","durable":true,"auto_delete":false,"arguments":{}},
-	   {"name":"archived","vhost":"/","durable":true,"auto_delete":false,"arguments":{}},
-	   {"name":"stableIDs","vhost":"/","durable":true,"auto_delete":false,"arguments":{}}],
- "exchanges":[{"name":"lega","vhost":"/","type":"topic","durable":true,"auto_delete":false,"internal":false,"arguments":{}},
-              {"name":"cega","vhost":"/","type":"topic","durable":true,"auto_delete":false,"internal":false,"arguments":{}}],
- "bindings":[{"source":"lega", "vhost":"/", "destination":"archived",  "destination_type":"queue", "routing_key":"archived", "arguments":{}}]
-}
-EOF
-chown rabbitmq:rabbitmq /etc/rabbitmq/defs.json
-chmod 640 /etc/rabbitmq/defs.json
+		if [ -e "${MQ_CA}" ] && [ "${MQ_VERIFY}" = "verify_peer" ]; then
+			cat >> "/var/lib/rabbitmq/rabbitmq.conf" <<-EOF
+				ssl_options.verify = verify_peer
+				ssl_options.fail_if_no_peer_cert = true
+				ssl_options.cacertfile = ${MQ_CA}
+			EOF
+		fi
 
-cat > /etc/rabbitmq/rabbitmq.config <<EOF
-%% -*- mode: erlang -*-
-%%
-[{rabbit,[{loopback_users, [ ] },
-          {tcp_listeners, [ 5672 ] },
-          {ssl_listeners, [ ] },
-          {hipe_compile, false },
-	  {disk_free_limit, "1GB"}]},
- {rabbitmq_management, [ { listener, [ { port, 15672 }, { ssl, false }] },
-                         { load_definitions, "/etc/rabbitmq/defs.json"} ]}
-].
-EOF
-chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
-chmod 640 /etc/rabbitmq/rabbitmq.config
+	else
+		echo 'No server certificates found, shuting down.' 1>&2 && exit 1
+	fi
 
-# Problem of loading the plugins and definitions out-of-orders.
-# Explanation: https://github.com/rabbitmq/rabbitmq-shovel/issues/13
-# Therefore: we run the server, with some default confs
-# and then we upload the cega-definitions through the HTTP API
+	chmod 600 "/var/lib/rabbitmq/rabbitmq.conf"
+fi
 
-# We cannot add those definitions to defs.json (loaded by the
-# management plugin. See /etc/rabbitmq/rabbitmq.config)
-# So we use curl afterwards, to upload the extras definitions
-# See also https://pulse.mozilla.org/api/
+if [ -n "${CEGA_CONNECTION}" ]; then
+	cat > "/var/lib/rabbitmq/definitions.json" <<-EOF
+	{
+		"users": [
+			{
+				"name": "${MQ_USER}",
+				"password_hash": "${MQ_PASSWORD_HASH}",
+				"hashing_algorithm": "rabbit_password_hashing_sha256",
+				"tags": "administrator"
+			}
+		],
+		"vhosts": [
+			{
+				"name": "${MQ_VHOST:-/}"
+			}
+		],
+		"permissions": [
+			{
+				"user": "${MQ_USER}",
+				"vhost": "${MQ_VHOST:-/}",
+				"configure": ".*",
+				"write": ".*",
+				"read": ".*"
+			}
+		],
+		"parameters": [
+			{
+				"name": "CEGA-files",
+				"vhost": "${MQ_VHOST:-/}",
+				"component": "federation-upstream",
+				"value": {
+					"ack-mode": "on-confirm",
+					"queue": "v1.files",
+					"trust-user-id": false,
+					"uri": "${CEGA_CONNECTION}"
+				}
+			}
+		],
+		"policies": [
+			{
+				"vhost": "${MQ_VHOST:-/}",
+				"name": "CEGA-files",
+				"pattern": "files",
+				"apply-to": "queues",
+				"priority": 0,
+				"definition": {
+					"federation-upstream": "CEGA-files"
+				}
+			}
+		],
+		"queues": [
+			{
+				"name": "archived",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "backup",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "completed",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "files",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "inbox",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "ingest",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "mappings",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "accessionIDs",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "verified",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			}
+		],
+		"exchanges": [
+			{
+				"name": "to_cega",
+				"vhost": "${MQ_VHOST:-/}",
+				"type": "topic",
+				"durable": true,
+				"auto_delete": false,
+				"internal": false,
+				"arguments": {}
+			},
+			{
+				"name": "sda",
+				"vhost": "${MQ_VHOST:-/}",
+				"type": "topic",
+				"durable": true,
+				"auto_delete": false,
+				"internal": false,
+				"arguments": {}
+			}
+		],
+		"bindings": [
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "archived",
+					"routing_key": "archived"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "accessionIDs",
+					"routing_key": "accessionIDs"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "backup",
+					"routing_key": "backup"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "completed",
+					"routing_key": "completed"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "error",
+					"routing_key": "error"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "files",
+					"routing_key": "files"
+			},
+			{
+					"source": "localega",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "inbox",
+					"routing_key": "inbox"
+			},
+			{
+					"source": "localega",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "ingest",
+					"routing_key": "ingest"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "mappings",
+					"routing_key": "mappings"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "verified",
+					"routing_key": "verified"
+			}
+		]
+	}
+	EOF
 
-# dest-exchange-key is not set for the shovel, so the key is re-used.
+	if [ -n "${MQ_VHOST}" ];then
+		MQ_VHOST="/${MQ_VHOST}"
+	fi
+	if [ -e "${MQ_SERVER_CERT}" ] && [ -e "${MQ_SERVER_KEY}" ]; then
+		cat > "/var/lib/rabbitmq/advanced.config" <<-EOF
+		[
+			{rabbit,  [
+				{tcp_listeners, []}
+			]},
+		EOF
+	else
+		echo "[" > "/var/lib/rabbitmq/advanced.config"
+	fi
+	cat >> "/var/lib/rabbitmq/advanced.config" <<-EOF
+		{rabbitmq_shovel, [
+			{shovels, [
+				{to_cega, [
+					{source, [
+						{protocol, amqp091},
+						{uris,[ "amqp://${MQ_VHOST:-}" ]},
+						{declarations,  [
+															{'queue.declare', [{exclusive, true}]},
+															{'queue.bind', [{exchange, <<"to_cega">>}, {queue, <<>>}, {routing_key, <<"#">>}]}
+														]},
+						{queue, <<>>},
+						{prefetch_count, 10}
+					]},
+					{destination, [
+													{protocol, amqp091},
+													{uris, ["${CEGA_CONNECTION}"]},
+													{declarations, []},
+													{publish_properties, [{delivery_mode, 2}]},
+													{publish_fields, [{exchange, <<"localega.v1">>}]}
+												]},
+					{ack_mode, on_confirm},
+					{reconnect_delay, 5}
+				]},
+				{cega_completion, [
+					{source,  [
+											{protocol, amqp091},
+											{uris, ["amqp://${MQ_VHOST:-}"]},
+											{declarations, [{'queue.declare', [{exclusive, true}] }, {'queue.bind', [{exchange, <<"sda">>}, {queue, <<>>}, {routing_key, <<"completed">>}] } ] },
+											{queue, <<>>},
+											{prefetch_count, 10}
+										]},
+					{destination, [
+													{protocol, amqp091},
+													{uris, ["amqp://${MQ_VHOST:-}"]},
+													{declarations, []},
+													{publish_properties, [{delivery_mode, 2}]},
+													{publish_fields, [{exchange, <<"to_cega">>},
+													{routing_key, <<"files.completed">>}
+												]},
+					{ack_mode, on_confirm},
+					{reconnect_delay, 5}
+					]}
+				]},
+				{cega_error, [
+					{source,  [
+											{protocol, amqp091},
+											{uris, ["amqp://${MQ_VHOST:-}"]},
+											{declarations, [{'queue.declare', [{exclusive, true}] }, {'queue.bind', [{exchange, <<"sda">>}, {queue, <<>>}, {routing_key, <<"error">>}] } ] },
+											{queue, <<>>},
+											{prefetch_count, 10}
+										]},
+					{destination, [
+													{protocol, amqp091},
+													{uris, ["amqp://${MQ_VHOST:-}"]},
+													{declarations, []},
+													{publish_properties, [{delivery_mode, 2}]},
+													{publish_fields, [{exchange, <<"to_cega">>},
+													{routing_key, <<"files.error">>}
+												]},
+					{ack_mode, on_confirm},
+					{reconnect_delay, 5}
+					]}
+				]},
+				{cega_inbox, [
+					{source,  [
+											{protocol, amqp091},
+											{uris, ["amqp://${MQ_VHOST:-}"]},
+											{declarations, [{'queue.declare', [{exclusive, true}] }, {'queue.bind', [{exchange, <<"sda">>}, {queue, <<>>}, {routing_key, <<"inbox">>}] } ] },
+											{queue, <<>>},
+											{prefetch_count, 10}
+										]},
+					{destination, [
+													{protocol, amqp091},
+													{uris, ["amqp://${MQ_VHOST:-}"]},
+													{declarations, []},
+													{publish_properties, [{delivery_mode, 2}]},
+													{publish_fields, [{exchange, <<"to_cega">>},
+													{routing_key, <<"files.inbox">>}
+												]},
+					{ack_mode, on_confirm},
+					{reconnect_delay, 5}
+					]}
+				]},
+				{cega_verified, [
+					{source,  [
+											{protocol, amqp091},
+											{uris, ["amqp://${MQ_VHOST:-}"]},
+											{declarations, [{'queue.declare', [{exclusive, true}] }, {'queue.bind', [{exchange, <<"sda">>}, {queue, <<>>}, {routing_key, <<"verified">>}] } ] },
+											{queue, <<>>},
+											{prefetch_count, 10}
+										]},
+					{destination, [
+													{protocol, amqp091},
+													{uris, ["amqp://${MQ_VHOST:-}"]},
+													{declarations, []},
+													{publish_properties, [{delivery_mode, 2}]},
+													{publish_fields, [{exchange, <<"to_cega">>},
+													{routing_key, <<"files.verified">>}
+												]},
+					{ack_mode, on_confirm},
+					{reconnect_delay, 5}
+					]}
+				]}
+			]}
+		]}
+	].
+	EOF
+	chmod 600 "/var/lib/rabbitmq/advanced.config"
+else
+	cat > "/var/lib/rabbitmq/definitions.json" <<-EOF
+	{
+		"users": [
+			{
+				"name": "${MQ_USER}",
+				"password_hash": "${MQ_PASSWORD_HASH}",
+				"hashing_algorithm": "rabbit_password_hashing_sha256",
+				"tags": "administrator"
+			}
+		],
+		"vhosts": [
+			{
+				"name": "${MQ_VHOST:-/}"
+			}
+		],
+		"permissions": [
+			{
+				"user": "${MQ_USER}",
+				"vhost": "${MQ_VHOST:-/}",
+				"configure": ".*",
+				"write": ".*",
+				"read": ".*"
+			}
+		],
+		"policies": [],
+		"queues": [
+			{
+				"name": "archived",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "backup",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "completed",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "error",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "files",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "inbox",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "ingest",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "mappings",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "accessionIDs",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			},
+			{
+				"name": "verified",
+				"vhost": "${MQ_VHOST:-/}",
+				"durable": true,
+				"auto_delete": false,
+				"arguments": {}
+			}
+		],
+		"exchanges": [
+			{
+				"name": "sda",
+				"vhost": "${MQ_VHOST:-/}",
+				"type": "topic",
+				"durable": true,
+				"auto_delete": false,
+				"internal": false,
+				"arguments": {}
+			}
+		],
+		"bindings": [
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "archived",
+					"routing_key": "archived"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "accessionIDs",
+					"routing_key": "accessionIDs"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "backup",
+					"routing_key": "backup"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "completed",
+					"routing_key": "completed"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "error",
+					"routing_key": "error"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "files",
+					"routing_key": "files"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "inbox",
+					"routing_key": "inbox"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "ingest",
+					"routing_key": "ingest"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "mappings",
+					"routing_key": "mappings"
+			},
+			{
+					"source": "sda",
+					"vhost": "${MQ_VHOST:-/}",
+					"destination_type": "queue",
+					"arguments": {},
+					"destination": "verified",
+					"routing_key": "verified"
+			}
+		]
+	}
+	EOF
+fi
 
-# For the moment, still using guest:guest
-cat > /etc/rabbitmq/defs-cega.json <<EOF
-{"parameters":[{"value": {"src-uri": "amqp://",
-			  "src-exchange": "cega",
-			  "src-exchange-key": "#",
-			  "dest-uri": "${CEGA_CONNECTION}",
-			  "dest-exchange": "localega.v1",
-			  "add-forward-headers": false,
-			  "ack-mode": "on-confirm",
-			  "delete-after": "never"},
-            	"vhost": "/",
-		"component": "shovel",
-		"name": "to-CEGA"},
-	       {"value": {"src-uri": "amqp://",
-			   "src-exchange": "lega",
-			   "src-exchange-key": "completed",
-			   "dest-uri": "amqp://",
-			   "dest-exchange": "cega",
-			   "dest-exchange-key": "files.completed",
-			   "add-forward-headers": false,
-			   "ack-mode": "on-confirm",
-			   "delete-after": "never"},
-		"vhost": "/",
-		"component": "shovel",
-		"name": "CEGA-completion"},
-	       {"value":{"uri":"${CEGA_CONNECTION}",
-			 "ack-mode":"on-confirm",
-			 "trust-user-id":false,
-			 "queue":"v1.files"},
-		"vhost":"/",
-		"component":"federation-upstream",
-		"name":"CEGA-files"},
-	       {"value":{"uri":"${CEGA_CONNECTION}",
-			 "ack-mode":"on-confirm",
-			 "trust-user-id":false,
-			 "queue":"v1.stableIDs"},
-		"vhost":"/",
-		"component":"federation-upstream",
-		"name":"CEGA-ids"}],
- "policies":[{"vhost":"/",
-              "name":"CEGA-files",
-              "pattern":"files",
-              "apply-to":"queues",
-              "definition":{"federation-upstream":"CEGA-files"},
-              "priority":0},
-             {"vhost":"/",
-              "name":"CEGA-ids",
-              "pattern":"stableIDs",
-              "apply-to":"queues",
-              "definition":{"federation-upstream":"CEGA-ids"},
-              "priority":0}]
-}
-EOF
-chown rabbitmq:rabbitmq /etc/rabbitmq/defs-cega.json
-chmod 640 /etc/rabbitmq/defs-cega.json
+chmod 600 "/var/lib/rabbitmq/definitions.json"
 
-# And...cue music
-chown -R rabbitmq /var/lib/rabbitmq
-
-{ # Spawn off
-    sleep 5 # Small delay first
-
-    # Wait until the server is ready (because we don't nave netcat we use wait on the pid)
-    ROUND=30
-    until rabbitmqctl wait /var/lib/rabbitmq/mnesia/rabbit@${HOSTNAME}.pid || ((ROUND<0))
-    do
-	sleep 1
-	$((ROUND--))
-    done
-    ((ROUND<0)) && echo "Central EGA broker *_not_* started" 2>&1 && exit 1
-
-    ROUND=30
-    until rabbitmqadmin import /etc/rabbitmq/defs-cega.json || ((ROUND<0))
-    do
- 	sleep 1
- 	$((ROUND--))
-    done
-    ((ROUND<0)) && echo "Central EGA connections *_not_* loaded" 2>&1 && exit 1
-    echo "Central EGA connections loaded"
-} &
-
-exec "$@" # ie CMD rabbitmq-server
+exec "$@"