added "16.3" support

requirements.txt updated
removed todo
2026-04-05 23:05:48 +03:00 · 2024-03-04 21:19:59 +01:00 · 2024-03-04 21:19:59 +01:00 · 2024-03-04 21:19:59 +01:00 · 2024-03-04 21:19:59 +01:00 · 2024-03-04 21:19:59 +01:00
27 changed files with 1740 additions and 427 deletions
--- a/.DEBIAN/env.default
+++ b/.DEBIAN/env.default
@@ -0,0 +1,27 @@
+# Toggle debug mode
+#DEBUG=false
+
+# Where the client can find the DLS server
+DLS_URL=127.0.0.1
+DLS_PORT=443
+
+# CORS configuration
+## comma separated list without spaces
+#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
+
+# Lease expiration in days
+LEASE_EXPIRE_DAYS=90
+LEASE_RENEWAL_PERIOD=0.2
+
+# Database location
+## https://docs.sqlalchemy.org/en/14/core/engines.html
+DATABASE=sqlite:////etc/fastapi-dls/db.sqlite
+
+# UUIDs for identifying the instance
+#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
+#INSTANCE_REF="10000000-0000-0000-0000-000000000001"
+#ALLOTMENT_REF="20000000-0000-0000-0000-000000000001"
+
+# Site-wide signing keys
+INSTANCE_KEY_RSA=/etc/fastapi-dls/instance.private.pem
+INSTANCE_KEY_PUB=/etc/fastapi-dls/instance.public.pem
--- a/.DEBIAN/fastapi-dls.service
+++ b/.DEBIAN/fastapi-dls.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=Service for fastapi-dls
+Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+WorkingDirectory=/usr/share/fastapi-dls/app
+EnvironmentFile=/etc/fastapi-dls/env
+ExecStart=uvicorn main:app \
+  --env-file /etc/fastapi-dls/env \
+  --host $DLS_URL --port $DLS_PORT \
+  --app-dir /usr/share/fastapi-dls/app \
+  --ssl-keyfile /etc/fastapi-dls/webserver.key \
+  --ssl-certfile /etc/fastapi-dls/webserver.crt \
+  --proxy-headers
+Restart=always
+KillSignal=SIGQUIT
+Type=simple
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
--- a/.DEBIAN/postinst
+++ b/.DEBIAN/postinst
@@ -3,94 +3,31 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls

-echo "> Create config directory ..."
-mkdir -p $CONFIG_DIR
-
-# normally we would define services in `conffiles` and as separate file, but we like to keep thinks simple.
-echo "> Install service ..."
-cat <<EOF >/etc/systemd/system/fastapi-dls.service
-[Unit]
-Description=Service for fastapi-dls
-Documentation=https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
-After=network.target
-
-[Service]
-User=www-data
-Group=www-data
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-WorkingDirectory=$WORKING_DIR/app
-EnvironmentFile=$CONFIG_DIR/env
-ExecStart=uvicorn main:app \\
-  --env-file /etc/fastapi-dls/env \\
-  --host \$DLS_URL --port \$DLS_PORT \\
-  --app-dir $WORKING_DIR/app \\
-  --ssl-keyfile /etc/fastapi-dls/webserver.key \\
-  --ssl-certfile /etc/fastapi-dls/webserver.crt \\
-  --proxy-headers
-Restart=always
-KillSignal=SIGQUIT
-Type=simple
-NotifyAccess=all
-
-[Install]
-WantedBy=multi-user.target
-
-EOF
-
-systemctl daemon-reload
-
-# normally we would define configfiles in `conffiles` and as separate file, but we like to keep thinks simple.
-if [[ ! -f $CONFIG_DIR/env ]]; then
-  echo "> Writing initial config ..."
-  touch $CONFIG_DIR/env
-  cat <<EOF >$CONFIG_DIR/env
-# Toggle debug mode
-#DEBUG=false
-
-# Where the client can find the DLS server
-DLS_URL=127.0.0.1
-DLS_PORT=443
-
-# CORS configuration
-## comma separated list without spaces
-#CORS_ORIGINS="https://$DLS_URL:$DLS_PORT"
-
-# Lease expiration in days
-LEASE_EXPIRE_DAYS=90
-
-# Database location
-## https://docs.sqlalchemy.org/en/14/core/engines.html
-DATABASE=sqlite:///$CONFIG_DIR/db.sqlite
-
-# UUIDs for identifying the instance
-#SITE_KEY_XID="00000000-0000-0000-0000-000000000000"
-#INSTANCE_REF="00000000-0000-0000-0000-000000000000"
-
-# Site-wide signing keys
-INSTANCE_KEY_RSA=$CONFIG_DIR/instance.private.pem
-INSTANCE_KEY_PUB=$CONFIG_DIR/instance.public.pem
-
-EOF
+if [ ! -f $CONFIG_DIR/instance.private.pem ]; then
+  echo "> Create dls-instance keypair ..."
+  openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
+  openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
+else
+  echo "> Create dls-instance keypair skipped! (exists)"
 fi

-echo "> Create dls-instance keypair ..."
-openssl genrsa -out $CONFIG_DIR/instance.private.pem 2048
-openssl rsa -in $CONFIG_DIR/instance.private.pem -outform PEM -pubout -out $CONFIG_DIR/instance.public.pem
-
 while true; do
-  read -p "> Do you wish to create self-signed webserver certificate? [Y/n]" yn
-  yn=${yn:-y} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
+  [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
+  [ $default_answer == "Y" ] && V="Y/n" || V="y/N"
+  read -p "> Do you wish to create self-signed webserver certificate? [${V}]" yn
+  yn=${yn:-$default_answer} # ${parameter:-word} If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
  case $yn in
  [Yy]*)
+    echo "> Generating keypair ..."
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $CONFIG_DIR/webserver.key -out $CONFIG_DIR/webserver.crt
    break
    ;;
-  [Nn]*) break ;;
+  [Nn]*) echo "> Generating keypair skipped! (exists)"; break ;;
  *) echo "Please answer [y] or [n]." ;;
  esac
 done

-if [[ -f $CONFIG_DIR/webserver.key ]]; then
+if [ -f $CONFIG_DIR/webserver.key ]; then
  echo "> Starting service ..."
  systemctl start fastapi-dls.service

@@ -115,7 +52,7 @@ cat <<EOF
 #    Service should be up and running.                                        #
 #      Webservice is listen to https://localhost                              #
 #                                                                             #
-#    Configuration is stored in ${CONFIG_DIR}/env                             #
+#    Configuration is stored in /etc/fastapi-dls/env.                         #
 #                                                                             #
 #                                                                             #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
--- a/.DEBIAN/postrm
+++ b/.DEBIAN/postrm
@@ -1,8 +1,9 @@
 #!/bin/bash

-if [[ -f /etc/systemd/system/fastapi-dls.service ]]; then
-  echo "> Removing service file."
-  rm /etc/systemd/system/fastapi-dls.service
-fi
+# is removed automatically
+#if [ "$1" = purge ] && [ -d /usr/share/fastapi-dls ]; then
+#  echo "> Removing app."
+#  rm -r /usr/share/fastapi-dls
+#fi

-# todo
+echo -e "> Done."
--- a/.DEBIAN/prerm
+++ b/.DEBIAN/prerm
@@ -1,5 +1,3 @@
 #!/bin/bash

 echo -e "> Starting uninstallation of 'fastapi-dls'!"
-
-# todo
--- a/.DEBIAN/requirements-bookworm-12.txt
+++ b/.DEBIAN/requirements-bookworm-12.txt
@@ -0,0 +1,11 @@
+# https://packages.debian.org/hu/
+fastapi==0.92.0
+uvicorn[standard]==0.17.6
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.46
+markdown==3.4.1
+python-dotenv==0.21.0
+jinja2==3.1.2
+httpx==0.23.3
--- a/.DEBIAN/requirements-ubuntu-23.04.txt
+++ b/.DEBIAN/requirements-ubuntu-23.04.txt
@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.91.0
+uvicorn[standard]==0.15.0
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.46
+markdown==3.4.3
+python-dotenv==0.21.0
+jinja2==3.1.2
--- a/.DEBIAN/requirements-ubuntu-23.10.txt
+++ b/.DEBIAN/requirements-ubuntu-23.10.txt
@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.101.0
+uvicorn[standard]==0.23.2
+python-jose[pycryptodome]==3.3.0
+pycryptodome==3.11.0
+python-dateutil==2.8.2
+sqlalchemy==1.4.47
+markdown==3.4.4
+python-dotenv==1.0.0
+jinja2==3.1.2
--- a/.PKGBUILD/PKGBUILD
+++ b/.PKGBUILD/PKGBUILD
@@ -11,7 +11,8 @@ license=('MIT')
 depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-pycryptodome' 'uvicorn' 'python-markdown' 'openssl')
 provider=("$pkgname")
 install="$pkgname.install"
-source=('git+file:///builds/oscar.krause/fastapi-dls' # https://gitea.publichub.eu/oscar.krause/fastapi-dls.git
+backup=('etc/default/fastapi-dls')
+source=("git+file://${CI_PROJECT_DIR}"
        "$pkgname.default"
        "$pkgname.service"
        "$pkgname.tmpfiles")
@@ -21,8 +22,9 @@ sha256sums=('SKIP'
            '3dc60140c08122a8ec0e7fa7f0937eb8c1288058890ba09478420fc30ce9e30c')

 pkgver() {
+  echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > $srcdir/$pkgname/version.env
  source $srcdir/$pkgname/version.env
-  echo ${VERSION}
+  echo $VERSION
 }

 check() {
--- a/.UNRAID/FastAPI-DLS.xml
+++ b/.UNRAID/FastAPI-DLS.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<Container version="2">
+  <Name>FastAPI-DLS</Name>
+  <Repository>collinwebdesigns/fastapi-dls:latest</Repository>
+  <Registry>https://hub.docker.com/r/collinwebdesigns/fastapi-dls</Registry>
+  <Network>br0</Network>
+  <MyIP></MyIP>
+  <Shell>sh</Shell>
+  <Privileged>false</Privileged>
+  <Support/>
+  <Project/>
+  <Overview>Source:&#xD;
+https://git.collinwebdesigns.de/oscar.krause/fastapi-dls#docker&#xD;
+&#xD;
+Make sure you create these certificates before starting the container for the first time:&#xD;
+```&#xD;
+# Check https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/main/#docker for more information:&#xD;
+WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert&#xD;
+mkdir -p $WORKING_DIR&#xD;
+cd $WORKING_DIR&#xD;
+# create instance private and public key for singing JWT's&#xD;
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 &#xD;
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem&#xD;
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl&#xD;
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt&#xD;
+```&#xD;
+</Overview>
+  <Category/>
+  <WebUI>https://[IP]:[PORT:443]</WebUI>
+  <TemplateURL/>
+  <Icon>https://git.collinwebdesigns.de/uploads/-/system/project/avatar/106/png-transparent-nvidia-grid-logo-business-nvidia-electronics-text-trademark.png?width=64</Icon>
+  <ExtraParams>--restart always</ExtraParams>
+  <PostArgs/>
+  <CPUset/>
+  <DateInstalled>1679161568</DateInstalled>
+  <DonateText/>
+  <DonateLink/>
+  <Requires/>
+  <Config Name="HTTPS Port" Target="" Default="443" Mode="tcp" Description="Same as DLS Port below." Type="Port" Display="always-hide" Required="true" Mask="false">443</Config>
+  <Config Name="App Cert" Target="/app/cert" Default="/mnt/user/appdata/fastapi-dls/cert" Mode="rw" Description="[REQUIRED] Read the description above to make this folder. &#13;&#10;&#13;&#10;You do not need to change the path." Type="Path" Display="always-hide" Required="true" Mask="false">/mnt/user/appdata/fastapi-dls/cert</Config>
+  <Config Name="DLS Port" Target="DSL_PORT" Default="443" Mode="" Description="Choose port you want to use. Make sure to change the HTTPS port above to match it." Type="Variable" Display="always-hide" Required="true" Mask="false">443</Config>
+  <Config Name="App database" Target="/app/database" Default="/mnt/user/appdata/fastapi-dls/data" Mode="rw" Description="[REQUIRED] Read the description above to make this folder. &#13;&#10;&#13;&#10;You do not need to change the path." Type="Path" Display="always-hide" Required="true" Mask="false">/mnt/user/appdata/fastapi-dls/data</Config>
+  <Config Name="DSL IP" Target="DLS_URL" Default="localhost" Mode="" Description="Put your container's IP (or your host's IP if it's shared)." Type="Variable" Display="always-hide" Required="true" Mask="false"></Config>
+  <Config Name="Time Zone" Target="TZ" Default="" Mode="" Description="Format example: America/New_York. MUST MATCH YOUR CURRENT TIMEZONE AND THE GUEST VMS TIMEZONE! Otherwise you'll get into issues, read the guide above." Type="Variable" Display="always-hide" Required="true" Mask="false"></Config>
+  <Config Name="Database" Target="DATABASE" Default="sqlite:////app/database/db.sqlite" Mode="" Description="Set to sqlite:////app/database/db.sqlite" Type="Variable" Display="advanced-hide" Required="true" Mask="false">sqlite:////app/database/db.sqlite</Config>
+  <Config Name="Debug" Target="DEBUG" Default="true" Mode="" Description="true to enable debugging, false to disable them." Type="Variable" Display="advanced-hide" Required="false" Mask="false">true</Config>
+  <Config Name="Lease" Target="LEASE_EXPIRE_DAYS" Default="90" Mode="" Description="90 days is the maximum value." Type="Variable" Display="advanced" Required="false" Mask="false">90</Config>
+</Container>
--- a/.UNRAID/setup_vgpu_license.sh
+++ b/.UNRAID/setup_vgpu_license.sh
@@ -0,0 +1,197 @@
+#!/bin/bash
+
+# This script automates the licensing of the vGPU guest driver
+# on Unraid boot. Set the Schedule to: "At Startup of Array".
+# 
+# Relies on FastAPI-DLS for the licensing.
+# It assumes FeatureType=1 (vGPU), change it as you see fit in line <114>
+# 
+# Requires `eflutils` to be installed in the system for `nvidia-gridd` to run
+# To Install it:
+# 1) You might find it here: https://packages.slackware.com/ (choose the 64bit version of Slackware)
+# 2) Download the package and put it in /boot/extra to be installed on boot
+# 3) a. Reboot to install it, OR
+#    b. Run `upgradepkg --install-new /boot/extra/elfutils*`
+# [i]: Make sure to have only one version of elfutils, otherwise you might run into issues
+
+# Sources and docs:
+# https://docs.nvidia.com/grid/15.0/grid-vgpu-user-guide/index.html#configuring-nls-licensed-client-on-linux
+# 
+
+################################################
+# MAKE SURE YOU CHANGE THESE VARIABLES         #
+################################################
+
+###### CHANGE ME! 
+# IP and PORT of FastAPI-DLS 
+DLS_IP=192.168.0.123
+DLS_PORT=443
+# Token folder, must be on a filesystem that supports
+# linux filesystem permissions (eg: ext4,xfs,btrfs...)
+TOKEN_PATH=/mnt/user/system/nvidia
+PING=$(which ping)
+
+# Check if the License is applied
+if [[ "$(nvidia-smi -q | grep "Expiry")" == *Expiry* ]]; then
+    echo " [i] Your vGPU Guest drivers are already licensed."
+    echo " [i] $(nvidia-smi -q | grep "Expiry")"
+    echo " [<] Exiting..."
+    exit 0
+fi
+
+# Check if the FastAPI-DLS server is reachable
+# Check if the License is applied
+MAX_RETRIES=30
+for i in $(seq 1 $MAX_RETRIES); do
+    echo -ne "\r [>] Attempt $i to connect to $DLS_IP."
+    if ping -c 1 $DLS_IP >/dev/null 2>&1; then
+        echo -e "\n  [*] Connection successful."
+        break
+    fi
+    if [ $i -eq $MAX_RETRIES ]; then
+        echo -e "\n  [!] Connection failed after $MAX_RETRIES attempts."
+        echo -e "\n [<] Exiting..."
+        exit 1
+    fi
+    sleep 1
+done
+
+# Check if the token folder exists
+if [ -d "${TOKEN_PATH}" ]; then
+	echo " [*] Token Folder exists. Proceeding..."
+else
+	echo " [!] Token Folder does not exists or not ready yet. Exiting."
+	echo " [!] Token Folder Specified: ${TOKEN_PATH}"
+	exit 1
+fi
+
+# Check if elfutils are installed, otherwise nvidia-gridd service
+# wont start
+if [ "$(grep -R "elfutils" /var/log/packages/* | wc -l)" != 0 ]; then
+        echo " [*] Elfutils is installed, proceeding..."
+else
+        echo " [!] Elfutils is not installed, downloading and installing..."
+        echo " [!] Downloading elfutils to /boot/extra"
+        echo " [i] This script will download elfutils from slackware64-15.0 repository."
+        echo " [i] If you have a different version of Unraid (6.11.5), you might want to"
+        echo " [i] download and install a suitable version manually from the slackware"
+        echo " [i] repository, and put it in /boot/extra to be install on boot."
+        echo " [i] You may also install it by running: "
+        echo " [i] upgradepkg --install-new /path/to/elfutils-*.txz"
+        echo ""
+        echo " [>] Downloading elfutils from slackware64-15.0 repository:"
+        wget -q -nc --show-progress --progress=bar:force:noscroll -P /boot/extra https://slackware.uk/slackware/slackware64-15.0/slackware64/l/elfutils-0.186-x86_64-1.txz 2>/dev/null \
+        || { echo " [!] Error while downloading elfutils, please download it and install it manually."; exit 1; }
+	    echo ""
+        if upgradepkg --install-new /boot/extra/elfutils-0.186-x86_64-1.txz 
+        then
+                echo " [*] Elfutils installed and will be installed automatically on boot"
+        else
+                echo " [!] Error while installing, check logs..."
+                exit 1
+        fi
+fi
+
+echo " [~] Sleeping for 60 seconds before continuing..."
+echo " [i] The script is waiting until the boot process settles down."
+
+for i in {60..1}; do
+    printf "\r  [~] %d seconds remaining" "$i"
+    sleep 1
+done
+
+printf "\n"
+
+create_token () {
+	echo " [>] Creating new token..."
+	if ${PING} -c1 ${DLS_IP} > /dev/null 2>&1
+	then
+		# curl --insecure -L -X GET https://${DLS_IP}:${DLS_PORT}/-/client-token -o ${TOKEN_PATH}/client_configuration_token_"$(date '+%d-%m-%Y-%H-%M-%S')".tok || { echo " [!] Could not get the token, please check the server."; exit 1;}
+		wget -q -nc -4c --no-check-certificate --show-progress --progress=bar:force:noscroll -O "${TOKEN_PATH}"/client_configuration_token_"$(date '+%d-%m-%Y-%H-%M-%S')".tok https://${DLS_IP}:${DLS_PORT}/-/client-token \
+		|| { echo " [!] Could not get the token, please check the server."; exit 1;}
+		chmod 744 "${TOKEN_PATH}"/*.tok || { echo " [!] Could not chmod the tokens."; exit 1; }
+		echo ""
+		echo " [*] Token downloaded and stored in ${TOKEN_PATH}."
+	else
+		echo " [!] Could not get token, DLS server unavailable ."
+		exit 1
+	fi
+}
+
+setup_run () {
+        echo " [>] Setting up gridd.conf"
+        cp /etc/nvidia/gridd.conf.template /etc/nvidia/gridd.conf || { echo " [!] Error configuring gridd.conf, did you install the drivers correctly?"; exit 1; }
+        sed -i 's/FeatureType=0/FeatureType=1/g' /etc/nvidia/gridd.conf
+        echo "ClientConfigTokenPath=${TOKEN_PATH}" >> /etc/nvidia/gridd.conf
+        echo " [>] Creating /var/lib/nvidia folder structure"
+        mkdir -p /var/lib/nvidia/GridLicensing
+        echo " [>] Starting nvidia-gridd"
+        if pgrep nvidia-gridd >/dev/null 2>&1; then
+            echo " [!] nvidia-gridd service is running. Closing."
+            sh /usr/lib/nvidia/sysv/nvidia-gridd stop
+            stop_exit_code=$?
+            if [ $stop_exit_code -eq 0 ]; then
+                echo " [*] nvidia-gridd service stopped successfully."
+            else
+                echo " [!] Error while stopping nvidia-gridd service."
+                exit 1
+            fi
+            
+            # Kill the service if it does not close
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                kill -9 "$(pgrep nvidia-gridd)" || { 
+                    echo " [!] Error while closing nvidia-gridd service"
+                    exit 1
+                }
+            fi
+        
+            echo " [*] Restarting nvidia-gridd service."
+            sh /usr/lib/nvidia/sysv/nvidia-gridd start
+        
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                echo " [*] Service started, PID: $(pgrep nvidia-gridd)"
+            else
+                echo -e " [!] Error while starting nvidia-gridd service. Use strace -f nvidia-gridd to debug.\n [i] Check if elfutils is installed.\n [i] strace is not installed by default."
+                exit 1
+            fi
+        else
+            sh /usr/lib/nvidia/sysv/nvidia-gridd start
+        
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                echo " [*] Service started, PID: $(pgrep nvidia-gridd)"
+            else
+                echo -e " [!] Error while starting nvidia-gridd service. Use strace -f nvidia-gridd to debug.\n [i] Check if elfutils is installed.\n [i] strace is not installed by default."
+                exit 1
+            fi
+        fi
+}
+
+for token in "${TOKEN_PATH}"/*; do
+    if [ "${token: -4}" == ".tok" ]
+    then
+        echo " [*] Tokens found..."
+        setup_run
+    else
+        echo " [!] No Tokens found..."
+        create_token
+        setup_run
+    fi
+done
+
+while true; do
+    if nvidia-smi -q | grep "Expiry" >/dev/null 2>&1; then
+        echo " [>] vGPU licensed!"
+        echo " [i] $(nvidia-smi -q | grep "Expiry")"
+        break
+    else
+        echo -ne " [>] vGPU not licensed yet... Checking again in 5 seconds\c"
+        for i in {1..5}; do
+            sleep 1
+            echo -ne ".\c"
+        done
+        echo -ne "\r\c"
+    fi
+done
+
+echo " [>] Done..."
+exit 0
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -1,7 +1,9 @@
+version: "2"
 plugins:
  bandit:
    enabled: true
  sonar-python:
    enabled: true
-  pylint:
-    enabled: true
+    config:
+      tests_patterns:
+        - test/**
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,16 @@
+include:
+  - template: Jobs/Code-Quality.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/Container-Scanning.gitlab-ci.yml
+  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
+
 cache:
  key: one-key-to-rule-them-all

+variables:
+  DOCKER_BUILDX_PLATFORM: "linux/amd64,linux/arm64"
+
 build:docker:
  image: docker:dind
  interruptible: true
@@ -13,26 +23,38 @@ build:docker:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  tags: [ docker ]
  before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env  # COMMIT=`git rev-parse HEAD`
+    - docker buildx inspect
+    - docker buildx create --use
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${CI_BUILD_REF}
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${CI_BUILD_REF}
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHA
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
+    - docker buildx imagetools inspect $IMAGE
+    - echo "CS_IMAGE=$IMAGE" > container_scanning.env
+  artifacts:
+    reports:
+      dotenv: container_scanning.env

 build:apt:
  image: debian:bookworm-slim
  interruptible: true
  stage: build
  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
+      variables:
+        VERSION: $CI_COMMIT_REF_NAME
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .DEBIAN/**/*
+        - .gitlab-ci.yml
+      variables:
+        VERSION: "0.0.1"
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      variables:
+        VERSION: "0.0.1"
  before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
-    - source version.env
+    - echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
    # install build dependencies
    - apt-get update -qq && apt-get install -qq -y build-essential
    # create build directory for .deb sources
@@ -46,11 +68,14 @@ build:apt:
    - cp README.md version.env build/usr/share/fastapi-dls
    # create conf file
    - mkdir -p build/etc/fastapi-dls
-    - touch build/etc/fastapi-dls/env
+    - cp .DEBIAN/env.default build/etc/fastapi-dls/env
+    # create service file
+    - mkdir -p build/etc/systemd/system
+    - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system/fastapi-dls.service
    # cd into "build/"
    - cd build/
  script:
-    # set version based on value in "$VERSION" (which is set above from version.env)
+    # set version based on value in "$CI_COMMIT_REF_NAME"
    - sed -i -E 's/(Version\:\s)0.0/\1'"$VERSION"'/g' DEBIAN/control
    # build
    - dpkg -b . build.deb
@@ -65,14 +90,21 @@ build:pacman:
  interruptible: true
  stage: build
  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
+      variables:
+        VERSION: $CI_COMMIT_REF_NAME
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .PKGBUILD/**/*
+        - .gitlab-ci.yml
+      variables:
+        VERSION: "0.0.1"
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      variables:
+        VERSION: "0.0.1"
  before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
+    #- echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
    # install build dependencies
    - pacman -Syu --noconfirm git
    # create a build-user because "makepkg" don't like root user
@@ -87,29 +119,46 @@ build:pacman:
    # download dependencies
    - source PKGBUILD && pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}"
    # build
-    - sudo -u build makepkg -s
+    - sudo --preserve-env -u build makepkg -s
  artifacts:
    expire_in: 1 week
    paths:
      - "*.pkg.tar.zst"

 test:
-  image: python:3.10-slim-bullseye
+  image: python:3.11-slim-bookworm
  stage: test
+  interruptible: true
  rules:
-    - if: $CI_COMMIT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      changes:
+        - app/**/*
+        - test/**/*
  variables:
    DATABASE: sqlite:///../app/db.sqlite
+  parallel:
+    matrix:
+      - REQUIREMENTS:
+          - requirements.txt
+          - .DEBIAN/requirements-bookworm-12.txt
+          - .DEBIAN/requirements-ubuntu-23.10.txt
  before_script:
-    - pip install -r requirements.txt
+    - apt-get update && apt-get install -y python3-dev gcc
+    - pip install -r $REQUIREMENTS
    - pip install pytest httpx
    - mkdir -p app/cert
    - openssl genrsa -out app/cert/instance.private.pem 2048
    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
    - cd test
  script:
-    - pytest main.py
+    - python -m pytest main.py --junitxml=report.xml
+  artifacts:
+    reports:
+      dotenv: version.env
+      junit: ['**/report.xml']

 .test:linux:
  stage: test
@@ -142,6 +191,7 @@ test:
      --proxy-headers &
    - FASTAPI_DLS_PID=$!
    - echo "Started service with pid $FASTAPI_DLS_PID"
+    - cat /etc/fastapi-dls/env
    # testing service
    - if [ "`curl --insecure -s https://127.0.0.1/-/health | jq .status`" != "up" ]; then echo "Success"; else "Error"; fi
    # cleanup
@@ -155,7 +205,7 @@ test:debian:

 test:ubuntu:
  extends: .test:linux
-  image: ubuntu:22.10
+  image: ubuntu:23.10

 test:archlinux:
  image: archlinux:base
@@ -172,42 +222,103 @@ test:archlinux:
    - pacman -Sy
    - pacman -U --noconfirm *.pkg.tar.zst

+code_quality:
+  variables:
+    SOURCE_CODE: app
+  rules:
+    - if: $CODE_QUALITY_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+secret_detection:
+  rules:
+    - if: $SECRET_DETECTION_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  before_script:
+    - git config --global --add safe.directory $CI_PROJECT_DIR
+
+semgrep-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+test_coverage:
+#  extends: test
+  image: python:3.11-slim-bookworm
+  allow_failure: true
+  stage: test
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  variables:
+    DATABASE: sqlite:///../app/db.sqlite
+  before_script:
+    - apt-get update && apt-get install -y python3-dev gcc
+    - pip install -r requirements.txt
+    - pip install pytest httpx
+    - mkdir -p app/cert
+    - openssl genrsa -out app/cert/instance.private.pem 2048
+    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
+    - cd test
+  script:
+    - pip install pytest pytest-cov
+    - coverage run -m pytest main.py
+    - coverage report
+    - coverage xml
+  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: '**/coverage.xml'
+
+container_scanning:
+  dependencies: [ build:docker ]
+  rules:
+    - if: $CONTAINER_SCANNING_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+gemnasium-python-dependency_scanning:
+  rules:
+    - if: $DEPENDENCY_SCANNING_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
 .deploy:
  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
-      when: never

 deploy:docker:
  extends: .deploy
+  image: docker:dind
  stage: deploy
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  tags: [ docker ]
  before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
-    - source version.env
-    - echo "Building docker image for commit ${COMMIT} with version ${VERSION}"
+    - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
+    - docker buildx inspect
+    - docker buildx create --use
  script:
-    - echo "GitLab-Registry"
+    - echo "========== GitLab-Registry =========="
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
-    - echo "Docker-Hub"
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
+    - echo "========== Docker-Hub =========="
    - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
-    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
-    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
-    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
-    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
+    - IMAGE=$PUBLIC_REGISTRY_USER/$CI_PROJECT_NAME
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .

 deploy:apt:
  # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
  extends: .deploy
  image: debian:bookworm-slim
  stage: deploy
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  needs:
    - job: build:apt
      artifacts: true
@@ -247,18 +358,15 @@ deploy:pacman:
  extends: .deploy
  image: archlinux:base-devel
  stage: deploy
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  needs:
    - job: build:pacman
      artifacts: true
  script:
    - source .PKGBUILD/PKGBUILD
-    - source version.env
    # fastapi-dls-1.0-1-any.pkg.tar.zst
-    - BUILD_NAME=${pkgname}-${VERSION}-${pkgrel}-any.pkg.tar.zst
+    - BUILD_NAME=${pkgname}-${CI_COMMIT_REF_NAME}-${pkgrel}-any.pkg.tar.zst
    - PACKAGE_NAME=${pkgname}
-    - PACKAGE_VERSION=${VERSION}
+    - PACKAGE_VERSION=${CI_COMMIT_REF_NAME}
    - PACKAGE_ARCH=any
    - EXPORT_NAME=${BUILD_NAME}
    - 'echo "PACKAGE_NAME:    ${PACKAGE_NAME}"'
@@ -270,21 +378,15 @@ deploy:pacman:
 release:
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  stage: .post
+  needs: [ test ]
  rules:
    - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-  before_script:
-    - set -a # make variables from "source" command available to release-cli
-    - source version.env
  script:
-    - echo "Running release-job for $VERSION"
-  after_script:
-    - set +a
+    - echo "Running release-job for $CI_COMMIT_TAG"
  release:
-    name: $CI_PROJECT_TITLE $version
-    description: Release of $CI_PROJECT_TITLE version $VERSION
-    tag_name: $VERSION
+    name: $CI_PROJECT_TITLE $CI_COMMIT_TAG
+    description: Release of $CI_PROJECT_TITLE version $CI_COMMIT_TAG
+    tag_name: $CI_COMMIT_TAG
    ref: $CI_COMMIT_SHA
    assets:
      links:
--- a/13
+++ b/13
@@ -1,17 +1,20 @@
-FROM python:3.10-alpine
+FROM python:3.11-alpine
+
+ARG VERSION
+ARG COMMIT=""
+RUN echo -e "VERSION=$VERSION\nCOMMIT=$COMMIT" > /version.env

 COPY requirements.txt /tmp/requirements.txt

 RUN apk update \
- && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev \
- && apk add --no-cache curl postgresql postgresql-dev mariadb-connector-c-dev sqlite-dev \
+ && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev pkgconfig \
+ && apk add --no-cache curl postgresql postgresql-dev mariadb-dev sqlite-dev \
 && pip install --no-cache-dir --upgrade uvicorn \
- && pip install --no-cache-dir psycopg2==2.9.5 mysqlclient==2.1.1 pysqlite3==0.5.0 \
+ && pip install --no-cache-dir psycopg2==2.9.6 mysqlclient==2.2.0 pysqlite3==0.5.1 \
 && pip install --no-cache-dir -r /tmp/requirements.txt \
 && apk del build-deps

 COPY app /app
-COPY version.env /version.env
 COPY README.md /README.md

 HEALTHCHECK --start-period=30s --interval=10s --timeout=5s --retries=3 CMD curl --insecure --fail https://localhost/-/health || exit 1
--- a/FAQ.md
+++ b/FAQ.md
@@ -0,0 +1,17 @@
+# FAQ
+
+## `Failed to acquire license from <ip> (Info: <license> - Error: The allowed time to process response has expired)`
+
+- Did your timezone settings are correct on fastapi-dls **and your guest**?
+
+- Did you download the client-token more than an hour ago?
+
+Please download a new client-token. The guest have to register within an hour after client-token was created.
+
+
+## `jose.exceptions.JWTError: Signature verification failed.`
+
+- Did you recreated `instance.public.pem` / `instance.private.pem`?
+
+Then you have to download a **new** client-token on each of your guests.
+
--- a/README.md
+++ b/README.md
@@ -2,81 +2,45 @@

 Minimal Delegated License Service (DLS).

+Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0. For Driver compatibility see [here](#setup-client).
+
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.

+**Official Links**
+
+- https://git.collinwebdesigns.de/oscar.krause/fastapi-dls (Private Git)
+- https://gitea.publichub.eu/oscar.krause/fastapi-dls (Public Git)
+- https://hub.docker.com/r/collinwebdesigns/fastapi-dls (Docker-Hub `collinwebdesigns/fastapi-dls:latest`)
+
+*All other repositories are forks! (which  is no bad - just for information and bug reports)*
+
+---
+
 [[_TOC_]]

-## ToDo's
-
- Support http mode for using external https proxy (disable uvicorn ssl for using behind proxy)
-
-## Endpoints
-
-### [`GET /`](/)
-
-Redirect to `/-/readme`.
-
-### [`GET /status`](/status) (deprecated: use `/-/health`)
-
-Status endpoint, used for *healthcheck*. Shows also current version and commit hash.
-
-### [`GET /-/health`](/-/health)
-
-Status endpoint, used for *healthcheck*. Shows also current version and commit hash.
-
-### [`GET /-/readme`](/-/readme)
-
-HTML rendered README.md.
-
-### [`GET /-/docs`](/-/docs), [`GET /-/redoc`](/-/redoc)
-
-OpenAPI specifications rendered from `GET /-/openapi.json`.
-
-### [`GET /-/manage`](/-/manage)
-
-Shows a very basic UI to delete origins or leases.
-
-### `GET /-/origins?leases=false`
-
-List registered origins.
-
-| Query Parameter | Default | Usage                                |
-|-----------------|---------|--------------------------------------|
-| `leases`        | `false` | Include referenced leases per origin |
-
-### `DELETE /-/origins`
-
-Deletes all origins and their leases.
-
-### `GET /-/leases?origin=false`
-
-List current leases.
-
-| Query Parameter | Default | Usage                               |
-|-----------------|---------|-------------------------------------|
-| `origin`        | `false` | Include referenced origin per lease |
-
-### `DELETE /-/lease/{lease_ref}`
-
-Deletes an lease.
-
-### `GET /client-token`
-
-Generate client token, (see [installation](#installation)).
-
-### Others
-
-There are some more internal api endpoints for handling authentication and lease process.
-
 # Setup (Service)

+**System requirements**
+
+- 256mb ram
+- 4gb hdd
+- *maybe IPv6 must be disabled*
+
+Tested with Ubuntu 22.10 (EOL!) (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
+
+**Prepare your system**
+
+- Make sure your timezone is set correct on you fastapi-dls server and your client
+
 ## Docker

-Docker-Images are available here:
+Docker-Images are available here for Intel (x86), AMD (amd64) and ARM (arm64):

 - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
+- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls:latest`
+
+The images include database drivers for `postgres`, `mariadb` and `sqlite`.

 **Run this on the Docker-Host**

@@ -93,6 +57,8 @@ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webse

 **Start container**

+To test if everything is set up properly you can start container as following:
+
 ```shell
 docker volume create dls-db
 docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/app/cert -v dls-db:/app/database collinwebdesigns/fastapi-dls:latest
@@ -100,14 +66,20 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/

 **Docker-Compose / Deploy stack**

+See [`examples`](examples) directory for more advanced examples (with reverse proxy usage).
+
+> Adjust *REQUIRED* variables as needed
+
 ```yaml
 version: '3.9'

 x-dls-variables: &dls-variables
-  DLS_URL: localhost # REQUIRED
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
+  DLS_URL: localhost # REQUIRED, change to your ip or hostname
  DLS_PORT: 443
-  LEASE_EXPIRE_DAYS: 90
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false

 services:
  dls:
@@ -120,14 +92,22 @@ services:
    volumes:
      - /opt/docker/fastapi-dls/cert:/app/cert
      - dls-db:/app/database
-
+    logging:  # optional, for those who do not need logs
+      driver: "json-file"
+      options:
+        max-file: 5
+        max-size: 10m
+            
 volumes:
  dls-db:
 ```

-## Debian/Ubuntu (manual method using `git clone`)
+## Debian/Ubuntu/macOS (manual method using `git clone` and python virtual environment)

-Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
+Tested on `Debian 11 (bullseye)`, `Debian 12 (bookworm)` and `macOS Ventura (13.6)`, Ubuntu may also work.
+**Please note that setup on macOS differs from Debian based systems.**
+
+**Make sure you are logged in as root.**

 **Install requirements**

@@ -153,7 +133,7 @@ chown -R www-data:www-data $WORKING_DIR

 ```shell
 WORKING_DIR=/opt/fastapi-dls/app/cert
-mkdir $WORKING_DIR
+mkdir -p $WORKING_DIR
 cd $WORKING_DIR
 # create instance private and public key for singing JWT's
 openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 
@@ -169,12 +149,17 @@ This is only to test whether the service starts successfully.

 ```shell
 cd /opt/fastapi-dls/app
+sudo -u www-data /opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app
+# or
 su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
 ```

 **Create config file**

+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
+mkdir /etc/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
 DLS_URL=127.0.0.1
 DLS_PORT=443
@@ -219,6 +204,111 @@ EOF
 Now you have to run `systemctl daemon-reload`. After that you can start service
 with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.

+## openSUSE Leap (manual method using `git clone` and python virtual environment)
+
+Tested on `openSUSE Leap 15.4`, openSUSE Tumbleweed may also work.
+
+**Install requirements**
+
+```shell
+zypper in -y python310 python3-virtualenv python3-pip
+```
+
+**Install FastAPI-DLS**
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+mkdir -p ${BASE_DIR}
+cd ${BASE_DIR}
+git clone https://git.collinwebdesigns.de/oscar.krause/fastapi-dls .
+python3.10 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+deactivate
+useradd -r ${SERVICE_USER} -M -d /opt/fastapi-dls
+chown -R ${SERVICE_USER} ${BASE_DIR}
+```
+
+**Create keypair and webserver certificate**
+
+```shell
+CERT_DIR=${BASE_DIR}/app/cert
+SERVICE_USER=dls
+mkdir ${CERT_DIR}
+cd ${CERT_DIR}
+# create instance private and public key for singing JWT's
+openssl genrsa -out ${CERT_DIR}/instance.private.pem 2048 
+openssl rsa -in ${CERT_DIR}/instance.private.pem -outform PEM -pubout -out ${CERT_DIR}/instance.public.pem
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  ${CERT_DIR}/webserver.key -out ${CERT_DIR}/webserver.crt
+chown -R ${SERVICE_USER} ${CERT_DIR}
+```
+
+**Test Service**
+
+This is only to test whether the service starts successfully.
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+cd ${BASE_DIR}
+sudo -u ${SERVICE_USER} ${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app
+# or
+su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app"
+```
+
+**Create config file**
+
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+cat <<EOF >/etc/fastapi-dls/env
+DLS_URL=127.0.0.1
+DLS_PORT=443
+LEASE_EXPIRE_DAYS=90
+DATABASE=sqlite:///${BASE_DIR}/app/db.sqlite
+
+EOF
+```
+
+**Create service**
+
+```shell
+BASE_DIR=/opt/fastapi-dls
+SERVICE_USER=dls
+cat <<EOF >/etc/systemd/system/fastapi-dls.service
+[Unit]
+Description=Service for fastapi-dls vGPU licensing service
+After=network.target
+
+[Service]
+User=${SERVICE_USER}
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+WorkingDirectory=${BASE_DIR}/app
+EnvironmentFile=/etc/fastapi-dls/env
+ExecStart=${BASE_DIR}/venv/bin/uvicorn main:app \\
+  --env-file /etc/fastapi-dls/env \\
+  --host \$DLS_URL --port \$DLS_PORT \\
+  --app-dir ${BASE_DIR}/app \\
+  --ssl-keyfile ${BASE_DIR}/app/cert/webserver.key \\
+  --ssl-certfile ${BASE_DIR}/app/cert/webserver.crt \\
+  --proxy-headers
+Restart=always
+KillSignal=SIGQUIT
+Type=simple
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+```
+
+Now you have to run `systemctl daemon-reload`. After that you can start service
+with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+
 ## Debian/Ubuntu (using `dpkg`)

 Packages are available here:
@@ -227,8 +317,15 @@ Packages are available here:

 Successful tested with:

- Debian 12 (Bookworm) (works but not recommended because it is currently in *testing* state)
- Ubuntu 22.10 (Kinetic Kudu)
+- Debian 12 (Bookworm)
+- Ubuntu 22.10 (Kinetic Kudu) (EOL: July 20, 2023)
+- Ubuntu 23.04 (Lunar Lobster) (EOL: January 2024)
+- Ubuntu 23.10 (Mantic Minotaur) (EOL: July 2024)
+
+Not working with:
+
+- Debian 11 (Bullseye) and lower (missing `python-jose` dependency)
+- Ubuntu 22.04 (Jammy Jellyfish) (not supported as for 15.01.2023 due to [fastapi - uvicorn version missmatch](https://bugs.launchpad.net/ubuntu/+source/fastapi/+bug/1970557))

 **Run this on your server instance**

@@ -244,6 +341,7 @@ apt-get install -f --fix-missing
 ```

 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/fastapi-dls/env` as needed.

 ## ArchLinux (using `pacman`)

@@ -256,13 +354,31 @@ Packages are available here:
 ```shell
 pacman -Sy
 FILENAME=/opt/fastapi-dls.pkg.tar.zst
-url -o $FILENAME <download-url>
+
+curl -o $FILENAME <download-url>
+# or
+wget -O $FILENAME <download-url>
+
 pacman -U --noconfirm fastapi-dls.pkg.tar.zst
 ```

 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/default/fastapi-dls` as needed.

-## Let's Encrypt Certificate
+## unRAID
+
+1. Download [this xml file](.UNRAID/FastAPI-DLS.xml)
+2. Put it in /boot/config/plugins/dockerMan/templates-user/
+3. Go to Docker page, scroll down to `Add Container`, click on Template list and choose `FastAPI-DLS`
+4. Open terminal/ssh, follow the instructions in overview description
+5. Setup your container `IP`, `Port`, `DLS_URL` and `DLS_PORT`
+6. Apply and let it boot up
+
+*Unraid users must also make sure they have Host access to custom networks enabled if unraid is the vgpu guest*.
+
+Continue [here](#unraid-guest) for docker guest setup.
+
+## Let's Encrypt Certificate (optional)

 If you're using installation via docker, you can use `traefik`. Please refer to their documentation.

@@ -280,20 +396,29 @@ After first success you have to replace `--issue` with `--renew`.

 # Configuration

-| Variable            | Default                                | Usage                                                                               |
-|---------------------|----------------------------------------|-------------------------------------------------------------------------------------|
-| `DEBUG`             | `false`                                | Toggles `fastapi` debug mode                                                        |
-| `DLS_URL`           | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable           |
-| `DLS_PORT`          | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable           |
-| `LEASE_EXPIRE_DAYS` | `90`                                   | Lease time in days                                                                  |
-| `DATABASE`          | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html) |
-| `CORS_ORIGINS`      | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*               |
-| `SITE_KEY_XID`      | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                            |
-| `INSTANCE_REF`      | `00000000-0000-0000-0000-000000000000` | Instance identification uuid                                                        |
-| `INSTANCE_KEY_RSA`  | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs                                          |
-| `INSTANCE_KEY_PUB`  | `<app-dir>/cert/instance.public.pem`   | Site-wide public key                                                                |
+| Variable               | Default                                | Usage                                                                                                |
+|------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
+| `DEBUG`                | `false`                                | Toggles `fastapi` debug mode                                                                         |
+| `DLS_URL`              | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                            |
+| `DLS_PORT`             | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                            |
+| `TOKEN_EXPIRE_DAYS`    | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)          |
+| `LEASE_EXPIRE_DAYS`    | `90`                                   | Lease time in days                                                                                   |
+| `LEASE_RENEWAL_PERIOD` | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1 |
+| `DATABASE`             | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html)                  |
+| `CORS_ORIGINS`         | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                               |
+| `SITE_KEY_XID`         | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                             |
+| `INSTANCE_REF`         | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                         |
+| `ALLOTMENT_REF`        | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                        |
+| `INSTANCE_KEY_RSA`     | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                       |
+| `INSTANCE_KEY_PUB`     | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                             |

-\* Always use `https`, since guest-drivers only support secure connections!
+\*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
+every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
+client has 19.2 hours in which to re-establish connectivity before its license expires.
+
+\*3 Always use `https`, since guest-drivers only support secure connections!
+
+\*4 If you recreate instance keys you need to **recreate client-token for each guest**!

 # Setup (Client)

@@ -301,33 +426,169 @@ After first success you have to replace `--issue` with `--renew`.

 Successfully tested with this package versions:

- `14.3` (Linux-Host: `510.108.03`, Linux-Guest: `510.108.03`, Windows-Guest: `513.91`)
- `14.4` (Linux-Host: `510.108.03`, Linux-Guest: `510.108.03`, Windows-Guest: `514.08`)
- `15.0` (Linux-Host: `525.60.12`, Linux-Guest: `525.60.13`, Windows-Guest: `527.41`)
+| vGPU Suftware | Linux vGPU Manager | Linux Driver | Windows Driver | Release Date  |
+|---------------|--------------------|--------------|----------------|---------------|
+| `16.3`        | `535.154.02`       | `535.154.05` | `538.15`       | January 2024  |
+| `16.2`        | `535.129.03`       | `535.129.03` | `537.70`       | October 2023  |
+| `16.1`        | `535.104.06`       | `535.104.05` | `537.13`       | August 2023   |
+| `16.0`        | `535.54.06`        | `535.54.03`  | `536.22`       | July 2023     |
+| `15.3`        | `525.125.03`       | `525.125.06` | `529.11`       | June 2023     |
+| `15.2`        | `525.105.14`       | `525.105.17` | `528.89`       | March 2023    |
+| `15.1`        | `525.85.07`        | `525.85.05`  | `528.24`       | January 2023  |
+| `15.0`        | `525.60.12`        | `525.60.13`  | `527.41`       | December 2022 |
+| `14.4`        | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 |
+| `14.3`        | `510.108.03`       | `510.108.03` | `513.91`       | November 2022 |
+
+- https://docs.nvidia.com/grid/index.html
+
+*To get the latest drivers, visit Nvidia or search in Discord-Channel `GPU Unlocking` (Server-ID: `829786927829745685`) on channel `licensing` `biggerthanshit` 
+
+
+https://archive.biggerthanshit.com/NVIDIA/ (nvidia / b1gg3rth4nsh1t)

 ## Linux

+Download *client-token* and place it into `/etc/nvidia/ClientConfigToken`:
+
+```shell
+curl --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok
+# or
+wget --no-check-certificate -O /etc/nvidia/ClientConfigToken/client_configuration_token_$(date '+%d-%m-%Y-%H-%M-%S').tok https://<dls-hostname-or-ip>/-/client-token
+```
+
+Restart `nvidia-gridd` service:
+
 ```shell
-curl --insecure -X GET https://<dls-hostname-or-ip>/client-token -o /etc/nvidia/ClientConfigToken/client_configuration_token.tok
 service nvidia-gridd restart
+```
+
+Check licensing status:
+
+```shell
 nvidia-smi -q | grep "License"
 ```

-## Windows
+Output should be something like:

-Download file and place it into `C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken`.
-Now restart `NvContainerLocalSystem` service.
-
-**Power-Shell**
-
-```Shell
-curl.exe --insecure -X GET https://<dls-hostname-or-ip>/client-token -o "C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token_$($(Get-Date).tostring('dd-MM-yy-hh-mm-ss')).tok"
-Restart-Service NVDisplay.ContainerLocalSystem
-'C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe' -q | Select-String "License"
+```text
+vGPU Software Licensed Product
+    License Status                    : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
 ```

+Done. For more information check [troubleshoot section](#troubleshoot).
+
+## Windows
+
+**Power-Shell** (run as administrator!)
+
+Download *client-token* and place it into `C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken`:
+
+```shell
+curl.exe --insecure -L -X GET https://<dls-hostname-or-ip>/-/client-token -o "C:\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken\client_configuration_token_$($(Get-Date).tostring('dd-MM-yy-hh-mm-ss')).tok"
+```
+
+Restart `NvContainerLocalSystem` service:
+
+```Shell
+Restart-Service NVDisplay.ContainerLocalSystem
+```
+
+Check licensing status:
+
+```shell
+& 'nvidia-smi' -q  | Select-String "License"
+```
+
+Output should be something like:
+
+```text
+vGPU Software Licensed Product
+    License Status                    : Licensed (Expiry: YYYY-M-DD hh:mm:ss GMT)
+```
+
+Done. For more information check [troubleshoot section](#troubleshoot).
+
+## unRAID Guest
+
+1. Make sure you create a folder in a linux filesystem (BTRFS/XFS/EXT4...), I recommend `/mnt/user/system/nvidia` (this is where docker and libvirt preferences are saved, so it's a good place to have that)
+2. Edit the script to put your `DLS_IP`, `DLS_PORT` and `TOKEN_PATH`, properly 
+3. Install `User Scripts` plugin from *Community Apps* (the Apps page, or google User Scripts Unraid if you're not using CA)
+4. Go to `Settings > Users Scripts > Add New Script`
+5. Give it a name  (the name must not contain spaces preferably)
+6. Click on the *gear icon* to the left of the script name then edit script
+7. Paste the script and save
+8. Set schedule to `At First Array Start Only`
+9. Click on Apply 
+
+
+# Endpoints
+
+<details>
+  <summary>show</summary>
+
+### `GET /`
+
+Redirect to `/-/readme`.
+
+### `GET /-/health`
+
+Status endpoint, used for *healthcheck*.
+
+### `GET /-/config`
+
+Shows current runtime environment variables and their values.
+
+### `GET /-/readme`
+
+HTML rendered README.md.
+
+### `GET /-/manage`
+
+Shows a very basic UI to delete origins or leases.
+
+### `GET /-/origins?leases=false`
+
+List registered origins.
+
+| Query Parameter | Default | Usage                                |
+|-----------------|---------|--------------------------------------|
+| `leases`        | `false` | Include referenced leases per origin |
+
+### `DELETE /-/origins`
+
+Deletes all origins and their leases.
+
+### `GET /-/leases?origin=false`
+
+List current leases.
+
+| Query Parameter | Default | Usage                               |
+|-----------------|---------|-------------------------------------|
+| `origin`        | `false` | Include referenced origin per lease |
+
+### `DELETE /-/lease/{lease_ref}`
+
+Deletes an lease.
+
+### `GET /-/client-token`
+
+Generate client token, (see [installation](#installation)).
+
+### Others
+
+There are many other internal api endpoints for handling authentication and lease process.
+</details>
+
 # Troubleshoot

+**Please make sure that fastapi-dls and your guests are on the same timezone!**
+
+Maybe you have to disable IPv6 on the machine you are running FastAPI-DLS.
+
+## Docker
+
+Logs are available with `docker logs <container>`. To get the correct container-id use `docker container ls` or `docker ps`.
+
 ## Linux

 Logs are available with `journalctl -u nvidia-gridd -f`.
@@ -346,6 +607,9 @@ This message can be ignored.

 - Ref. https://github.com/encode/uvicorn/issues/441

+<details>
+  <summary>Log example</summary>
+
 ```
 WARNING:uvicorn.error:Invalid HTTP request received.
 Traceback (most recent call last):
@@ -364,6 +628,8 @@ Traceback (most recent call last):
 h11._util.RemoteProtocolError: no request line received
 ```

+</details>
+
 ## Windows

 ### Required cipher on Windows Guests (e.g. managed by domain controller with GPO)
@@ -380,7 +646,7 @@ only
 gets a valid local license.

 <details>
-  <summary>Log</summary>
+  <summary>Log example</summary>

 **Display-Container-LS**

@@ -431,9 +697,44 @@ Dec 20 17:53:34 ubuntu-grid-server nvidia-gridd[10354]: License acquired success

 </details>

+### Error on releasing leases on shutdown (can be ignored and/or fixed with reverse proxy)
+
+The driver wants to release current leases on shutting down windows. This endpoint needs to be a http endpoint.
+The error message can safely be ignored (since we have no license limitation :P) and looks like this:
+
+<details>
+  <summary>Log example</summary>
+
+```
+<1>:NLS initialized
+<1>:License acquired successfully. (Info: 192.168.178.110, NVIDIA RTX Virtual Workstation; Expiry: 2023-3-30 23:0:22 GMT)
+<0>:Failed to return license to 192.168.178.110 (Error: Generic network communication failure)
+<0>:End Logging
+```
+
+#### log with nginx as reverse proxy (see [docker-compose-http-and-https.yml](examples/docker-compose-http-and-https.yml))
+
+```
+<1>:NLS initialized
+<2>:NLS initialized
+<1>:Valid GRID license not found. GPU features and performance will be fully degraded. To enable full functionality please configure licensing details.
+<1>:License acquired successfully. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2023-1-4 16:48:20 GMT)
+<2>:Valid GRID license not found. GPU features and performance will be fully degraded. To enable full functionality please configure licensing details.
+<2>:License acquired successfully from local trusted store. (Info: 192.168.178.33, NVIDIA RTX Virtual Workstation; Expiry: 2023-1-4 16:48:20 GMT)
+<2>:End Logging
+<1>:End Logging
+<0>:License returned successfully. (Info: 192.168.178.33)
+<0>:End Logging
+```
+
+</details>
+
 # Credits

 Thanks to vGPU community and all who uses this project and report bugs.

-Special thanks to @samicrusader who created build file for ArchLinux.
+Special thanks to 

+- @samicrusader who created build file for ArchLinux
+- @cyrus who wrote the section for openSUSE
+- @midi who wrote the section for unRAID
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -0,0 +1,27 @@
+# Roadmap
+
+I am planning to implement the following features in the future.
+
+
+## HA - High Availability
+
+Support Failover-Mode (secondary ip address) as in official DLS.
+
+**Note**: There is no Load-Balancing / Round-Robin HA Mode supported! If you want to use that, consider to use 
+Docker-Swarm with shared/cluster database (e.g. postgres).
+
+*See [ha branch](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/ha) for current status.*
+
+
+## UI - User Interface
+
+Add a user interface to manage origins and leases.
+
+*See [ui branch](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/ui) for current status.*
+
+
+## Config Database
+
+Instead of using environment variables, configuration files and manually create certificates, store configs and
+certificates in database (like origins and leases). Also, there should be provided a startup assistant to prefill 
+required attributes and create instance-certificates. This is more user-friendly and should improve fist setup.
--- a/app/main.py
+++ b/app/main.py
@@ -6,45 +6,45 @@ from os.path import join, dirname
 from os import getenv as env

 from dotenv import load_dotenv
-from fastapi import FastAPI, HTTPException
+from fastapi import FastAPI
 from fastapi.requests import Request
-import json
+from json import loads as json_loads
 from datetime import datetime
 from dateutil.relativedelta import relativedelta
 from calendar import timegm
-from jose import jws, jwk, jwt
+from jose import jws, jwt, JWTError
 from jose.constants import ALGORITHMS
 from starlette.middleware.cors import CORSMiddleware
-from starlette.responses import StreamingResponse, JSONResponse, HTMLResponse, Response, RedirectResponse
+from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker

-from util import load_key, load_file
-from orm import Origin, Lease, init as db_init, migrate
+from orm import init as db_init, migrate, Site, Instance, Origin, Lease

-logger = logging.getLogger()
 load_dotenv('../version.env')

+# get local timezone
+TZ = datetime.now().astimezone().tzinfo
+
+# fetch version info
 VERSION, COMMIT, DEBUG = env('VERSION', 'unknown'), env('COMMIT', 'unknown'), bool(env('DEBUG', False))

-config = dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
+# fastapi setup
+config = dict(openapi_url='/-/openapi.json', docs_url=None, redoc_url=None)
 app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, **config)
+
+# database setup
 db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
 db_init(db), migrate(db)

+# DLS setup (static)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
-SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
-INSTANCE_REF = str(env('INSTANCE_REF', '00000000-0000-0000-0000-000000000000'))
-INSTANCE_KEY_RSA = load_key(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
-INSTANCE_KEY_PUB = load_key(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
-TOKEN_EXPIRE_DELTA = relativedelta(hours=1)  # days=1
-LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)))
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']

-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))  # todo

+# fastapi middleware
 app.debug = DEBUG
 app.add_middleware(
    CORSMiddleware,
@@ -54,10 +54,25 @@ app.add_middleware(
    allow_headers=['*'],
 )

+# logging
+logging.basicConfig()
+logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)


-def __get_token(request: Request) -> dict:
+def validate_settings():
+    session = sessionmaker(bind=db)()
+
+    lease_expire_delta_min, lease_expire_delta_max = 86_400, 7_776_000
+    for instance in session.query(Instance).all():
+        lease_expire_delta = instance.lease_expire_delta
+        if lease_expire_delta < 86_400 or lease_expire_delta > 7_776_000:
+            logging.warning(f'> [ instance ]: {instance.instance_ref}: "lease_expire_delta" should be between {lease_expire_delta_min} and {lease_expire_delta_max}')
+
+    session.close()
+
+
+def __get_token(request: Request, jwt_decode_key: "jose.jwt") -> dict:
    authorization_header = request.headers.get('authorization')
    token = authorization_header.split(' ')[1]
    return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
@@ -68,26 +83,44 @@ async def index():
    return RedirectResponse('/-/readme')


-@app.get('/status', summary='* Status', description='returns current service status, version (incl. git-commit) and some variables.', deprecated=True)
-async def status(request: Request):
-    return JSONResponse({'status': 'up', 'version': VERSION, 'commit': COMMIT, 'debug': DEBUG})
-
-
@app.get('/-/', summary='* Index')
 async def _index():
    return RedirectResponse('/-/readme')


@app.get('/-/health', summary='* Health')
-async def _health(request: Request):
-    return JSONResponse({'status': 'up', 'version': VERSION, 'commit': COMMIT, 'debug': DEBUG})
+async def _health():
+    return JSONr({'status': 'up'})
+
+
+@app.get('/-/config', summary='* Config', description='returns environment variables.')
+async def _config():
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+
+    return JSONr({
+        'VERSION': str(VERSION),
+        'COMMIT': str(COMMIT),
+        'DEBUG': str(DEBUG),
+        'DLS_URL': str(DLS_URL),
+        'DLS_PORT': str(DLS_PORT),
+        'SITE_KEY_XID': str(default_site.site_key),
+        'INSTANCE_REF': str(default_instance.instance_ref),
+        'ALLOTMENT_REF': [str(ALLOTMENT_REF)],
+        'TOKEN_EXPIRE_DELTA': str(default_instance.get_token_expire_delta()),
+        'LEASE_EXPIRE_DELTA': str(default_instance.get_lease_expire_delta()),
+        'LEASE_RENEWAL_PERIOD': str(default_instance.lease_renewal_period),
+        'CORS_ORIGINS': str(CORS_ORIGINS),
+        'TZ': str(TZ),
+    })


@app.get('/-/readme', summary='* Readme')
 async def _readme():
    from markdown import markdown
+    from util import load_file
+
    content = load_file('../README.md').decode('utf-8')
-    return HTMLResponse(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
+    return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))


@app.get('/-/manage', summary='* Management UI')
@@ -99,14 +132,18 @@ async def _manage(request: Request):
            <title>FastAPI-DLS Management</title>
        </head>
        <body>
-            <button onclick="deleteOrigins()">delete origins and their leases</button>
+            <button onclick="deleteOrigins()">delete ALL origins and their leases</button>
            <button onclick="deleteLease()">delete specific lease</button>
            
            <script>
                function deleteOrigins() {
-                    var xhr = new XMLHttpRequest();
-                    xhr.open("DELETE", '/-/origins', true);
-                    xhr.send();
+                    const response = confirm('Are you sure you want to delete all origins and their leases?');
+
+                    if (response) {
+                        var xhr = new XMLHttpRequest();
+                        xhr.open("DELETE", '/-/origins', true);
+                        xhr.send();
+                    }
                }
                function deleteLease(lease_ref) {
                    if(lease_ref === undefined)
@@ -121,7 +158,7 @@ async def _manage(request: Request):
        </body>
    </html>
    '''
-    return HTMLResponse(response)
+    return HTMLr(response)


@app.get('/-/origins', summary='* Origins')
@@ -134,7 +171,7 @@ async def _origins(request: Request, leases: bool = False):
            x['leases'] = list(map(lambda _: _.serialize(), Lease.find_by_origin_ref(db, origin.origin_ref)))
        response.append(x)
    session.close()
-    return JSONResponse(response)
+    return JSONr(response)


@app.delete('/-/origins', summary='* Origins')
@@ -150,25 +187,38 @@ async def _leases(request: Request, origin: bool = False):
    for lease in session.query(Lease).all():
        x = lease.serialize()
        if origin:
-            # assume that each lease has a valid origin record
-            x['origin'] = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first().serialize()
+            lease_origin = session.query(Origin).filter(Origin.origin_ref == lease.origin_ref).first()
+            if lease_origin is not None:
+                x['origin'] = lease_origin.serialize()
        response.append(x)
    session.close()
-    return JSONResponse(response)
+    return JSONr(response)
+
+
+@app.delete('/-/leases/expired', summary='* Leases')
+async def _lease_delete_expired(request: Request):
+    Lease.delete_expired(db)
+    return Response(status_code=201)


@app.delete('/-/lease/{lease_ref}', summary='* Lease')
 async def _lease_delete(request: Request, lease_ref: str):
    if Lease.delete(db, lease_ref) == 1:
        return Response(status_code=201)
-    raise HTTPException(status_code=404, detail='lease not found')
+    return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})


 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
@app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
    cur_time = datetime.utcnow()
-    exp_time = cur_time + relativedelta(years=12)
+
+    default_instance = Instance.get_default_instance(db)
+    public_key = default_instance.get_public_key()
+    # todo: implemented request parameter to support different instances
+    jwt_encode_key = default_instance.get_jwt_encode_key()
+
+    exp_time = cur_time + default_instance.get_client_token_expire_delta()

    payload = {
        "jti": str(uuid4()),
@@ -178,10 +228,10 @@ async def _client_token():
        "nbf": timegm(cur_time.timetuple()),
        "exp": timegm(exp_time.timetuple()),
        "update_mode": "ABSOLUTE",
-        "scope_ref_list": [str(uuid4())],  # this is our LEASE_REF
+        "scope_ref_list": [ALLOTMENT_REF],
        "fulfillment_class_ref_list": [],
        "service_instance_configuration": {
-            "nls_service_instance_ref": INSTANCE_REF,
+            "nls_service_instance_ref": default_instance.instance_ref,
            "svc_port_set_list": [
                {
                    "idx": 0,
@@ -193,10 +243,10 @@ async def _client_token():
        },
        "service_instance_public_key_configuration": {
            "service_instance_public_key_me": {
-                "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:],
-                "exp": int(INSTANCE_KEY_PUB.public_key().e),
+                "mod": hex(public_key.public_key().n)[2:],
+                "exp": int(public_key.public_key().e),
            },
-            "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'),
+            "service_instance_public_key_pem": public_key.export_key().decode('utf-8'),
            "key_retention_mode": "LATEST_ONLY"
        },
    }
@@ -210,32 +260,26 @@ async def _client_token():
    return response


-@app.get('/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance', deprecated=True)
-async def client_token():
-    return RedirectResponse('/-/client-token')
-
-
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
-# {"candidate_origin_ref":"00112233-4455-6677-8899-aabbccddeeff","environment":{"fingerprint":{"mac_address_list":["ff:ff:ff:ff:ff:ff"]},"hostname":"my-hostname","ip_address_list":["192.168.178.123","fe80::","fe80::1%enp6s18"],"guest_driver_version":"510.85.02","os_platform":"Debian GNU/Linux 11 (bullseye) 11","os_version":"11 (bullseye)"},"registration_pending":false,"update_pending":false}
@app.post('/auth/v1/origin', description='find or create an origin')
 async def auth_v1_origin(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()

-    origin_ref = j['candidate_origin_ref']
+    origin_ref = j.get('candidate_origin_ref')
    logging.info(f'> [  origin  ]: {origin_ref}: {j}')

    data = Origin(
        origin_ref=origin_ref,
-        hostname=j['environment']['hostname'],
-        guest_driver_version=j['environment']['guest_driver_version'],
-        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version'],
+        hostname=j.get('environment').get('hostname'),
+        guest_driver_version=j.get('environment').get('guest_driver_version'),
+        os_platform=j.get('environment').get('os_platform'), os_version=j.get('environment').get('os_version'),
    )

    Origin.create_or_update(db, data)

    response = {
        "origin_ref": origin_ref,
-        "environment": j['environment'],
+        "environment": j.get('environment'),
        "svc_port_set_list": None,
        "node_url_list": None,
        "node_query_order": None,
@@ -243,56 +287,57 @@ async def auth_v1_origin(request: Request):
        "sync_timestamp": cur_time.isoformat()
    }

-    return JSONResponse(response)
+    return JSONr(response)


 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
-# { "environment" : { "guest_driver_version" : "guest_driver_version", "hostname" : "myhost", "ip_address_list" : [ "192.168.1.129" ], "os_version" : "os_version", "os_platform" : "os_platform", "fingerprint" : { "mac_address_list" : [ "e4:b9:7a:e5:7b:ff" ] }, "host_driver_version" : "host_driver_version" }, "origin_ref" : "00112233-4455-6677-8899-aabbccddeeff" }
@app.post('/auth/v1/origin/update', description='update an origin evidence')
 async def auth_v1_origin_update(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()

-    origin_ref = j['origin_ref']
+    origin_ref = j.get('origin_ref')
    logging.info(f'> [  update  ]: {origin_ref}: {j}')

    data = Origin(
        origin_ref=origin_ref,
-        hostname=j['environment']['hostname'],
-        guest_driver_version=j['environment']['guest_driver_version'],
-        os_platform=j['environment']['os_platform'], os_version=j['environment']['os_version'],
+        hostname=j.get('environment').get('hostname'),
+        guest_driver_version=j.get('environment').get('guest_driver_version'),
+        os_platform=j.get('environment').get('os_platform'), os_version=j.get('environment').get('os_version'),
    )

    Origin.create_or_update(db, data)

    response = {
-        "environment": j['environment'],
+        "environment": j.get('environment'),
        "prompts": None,
        "sync_timestamp": cur_time.isoformat()
    }

-    return JSONResponse(response)
+    return JSONr(response)


 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - CodeResponse
-# {"code_challenge":"...","origin_ref":"00112233-4455-6677-8899-aabbccddeeff"}
@app.post('/auth/v1/code', description='get an authorization code')
 async def auth_v1_code(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()

-    origin_ref = j['origin_ref']
+    origin_ref = j.get('origin_ref')
    logging.info(f'> [   code   ]: {origin_ref}: {j}')

    delta = relativedelta(minutes=15)
    expires = cur_time + delta

+    default_site = Site.get_default_site(db)
+    jwt_encode_key = Instance.get_default_instance(db).get_jwt_encode_key()
+
    payload = {
        'iat': timegm(cur_time.timetuple()),
        'exp': timegm(expires.timetuple()),
-        'challenge': j['code_challenge'],
-        'origin_ref': j['origin_ref'],
-        'key_ref': SITE_KEY_XID,
-        'kid': SITE_KEY_XID
+        'challenge': j.get('code_challenge'),
+        'origin_ref': j.get('origin_ref'),
+        'key_ref': default_site.site_key,
+        'kid': default_site.site_key,
    }

    auth_code = jws.sign(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -303,25 +348,32 @@ async def auth_v1_code(request: Request):
        "prompts": None
    }

-    return JSONResponse(response)
+    return JSONr(response)


 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_auth_controller.py
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - TokenResponse
-# {"auth_code":"...","code_verifier":"..."}
@app.post('/auth/v1/token', description='exchange auth code and verifier for token')
 async def auth_v1_token(request: Request):
-    j, cur_time = json.loads((await request.body()).decode('utf-8')), datetime.utcnow()
-    payload = jwt.decode(token=j['auth_code'], key=jwt_decode_key)
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()

-    origin_ref = payload['origin_ref']
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+    jwt_encode_key, jwt_decode_key = default_instance.get_jwt_encode_key(), default_instance.get_jwt_decode_key()
+
+    try:
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=[ALGORITHMS.RS256])
+    except JWTError as e:
+        return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
+
+    origin_ref = payload.get('origin_ref')
    logging.info(f'> [   auth   ]: {origin_ref}: {j}')

    # validate the code challenge
-    if payload['challenge'] != b64enc(sha256(j['code_verifier'].encode('utf-8')).digest()).rstrip(b'=').decode('utf-8'):
-        raise HTTPException(status_code=401, detail='expected challenge did not match verifier')
+    challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
+    if payload.get('challenge') != challenge:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'expected challenge did not match verifier'})

-    access_expires_on = cur_time + TOKEN_EXPIRE_DELTA
+    access_expires_on = cur_time + default_instance.get_token_expire_delta()

    new_payload = {
        'iat': timegm(cur_time.timetuple()),
@@ -330,8 +382,8 @@ async def auth_v1_token(request: Request):
        'aud': 'https://cls.nvidia.org',
        'exp': timegm(access_expires_on.timetuple()),
        'origin_ref': origin_ref,
-        'key_ref': SITE_KEY_XID,
-        'kid': SITE_KEY_XID,
+        'key_ref': default_site.site_key,
+        'kid': default_site.site_key,
    }

    auth_token = jwt.encode(new_payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256)
@@ -342,36 +394,47 @@ async def auth_v1_token(request: Request):
        "sync_timestamp": cur_time.isoformat(),
    }

-    return JSONResponse(response)
+    return JSONr(response)


-# {'fulfillment_context': {'fulfillment_class_ref_list': []}, 'lease_proposal_list': [{'license_type_qualifiers': {'count': 1}, 'product': {'name': 'NVIDIA RTX Virtual Workstation'}}], 'proposal_evaluation_mode': 'ALL_OF', 'scope_ref_list': ['00112233-4455-6677-8899-aabbccddeeff']}
+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json.loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})

    origin_ref = token.get('origin_ref')
-    scope_ref_list = j['scope_ref_list']
+    scope_ref_list = j.get('scope_ref_list')
    logging.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')

    lease_result_list = []
    for scope_ref in scope_ref_list:
-        expires = cur_time + LEASE_EXPIRE_DELTA
+        # if scope_ref not in [ALLOTMENT_REF]:
+        #     return JSONr(status_code=500, detail=f'no service instances found for scopes: ["{scope_ref}"]')
+
+        lease_ref = str(uuid4())
+        expires = cur_time + default_instance.get_lease_expire_delta()
        lease_result_list.append({
            "ordinal": 0,
            # https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html
            "lease": {
-                "ref": scope_ref,
+                "ref": lease_ref,
                "created": cur_time.isoformat(),
                "expires": expires.isoformat(),
-                # The percentage of the lease period that must elapse before a licensed client can renew a license
-                "recommended_lease_renewal": 0.15,
+                "recommended_lease_renewal": default_instance.lease_renewal_period,
                "offline_lease": "true",
                "license_type": "CONCURRENT_COUNTED_SINGLE"
            }
        })

-        data = Lease(origin_ref=origin_ref, lease_ref=scope_ref, lease_created=cur_time, lease_expires=expires)
+        data = Lease(instance_ref=default_instance.instance_ref, origin_ref=origin_ref, lease_ref=lease_ref, lease_created=cur_time, lease_expires=expires)
        Lease.create_or_update(db, data)

    response = {
@@ -381,14 +444,21 @@ async def leasing_v1_lessor(request: Request):
        "prompts": None
    }

-    return JSONResponse(response)
+    return JSONr(response)


 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
@app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})

    origin_ref = token.get('origin_ref')

@@ -401,26 +471,35 @@ async def leasing_v1_lessor_lease(request: Request):
        "prompts": None
    }

-    return JSONResponse(response)
+    return JSONr(response)


+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
@app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    default_instance = Instance.get_default_instance(db)
+    jwt_decode_key = default_instance.get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})

    origin_ref = token.get('origin_ref')
    logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')

    entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref)
    if entity is None:
-        raise HTTPException(status_code=404, detail='requested lease not available')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})

-    expires = cur_time + LEASE_EXPIRE_DELTA
+    expires = cur_time + default_instance.get_lease_expire_delta()
    response = {
        "lease_ref": lease_ref,
        "expires": expires.isoformat(),
-        "recommended_lease_renewal": 0.16,
+        "recommended_lease_renewal": default_instance.lease_renewal_period,
        "offline_lease": True,
        "prompts": None,
        "sync_timestamp": cur_time.isoformat(),
@@ -428,24 +507,32 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):

    Lease.renew(db, entity, expires, cur_time)

-    return JSONResponse(response)
+    return JSONr(response)


+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
@app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})

    origin_ref = token.get('origin_ref')
    logging.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')

    entity = Lease.find_by_lease_ref(db, lease_ref)
    if entity.origin_ref != origin_ref:
-        raise HTTPException(status_code=403, detail='access or operation forbidden')
+        return JSONr(status_code=403, content={'status': 403, 'detail': 'access or operation forbidden'})
    if entity is None:
-        raise HTTPException(status_code=404, detail='requested lease not available')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'requested lease not available'})

    if Lease.delete(db, lease_ref) == 0:
-        raise HTTPException(status_code=404, detail='lease not found')
+        return JSONr(status_code=404, content={'status': 404, 'detail': 'lease not found'})

    response = {
        "lease_ref": lease_ref,
@@ -453,12 +540,20 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
        "sync_timestamp": cur_time.isoformat(),
    }

-    return JSONResponse(response)
+    return JSONr(response)


+# venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
@app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    cur_time = datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    try:
+        token = __get_token(request, jwt_decode_key)
+    except JWTError:
+        return JSONr(status_code=401, content={'status': 401, 'detail': 'token is not valid'})

    origin_ref = token.get('origin_ref')

@@ -473,7 +568,51 @@ async def leasing_v1_lessor_lease_remove(request: Request):
        "prompts": None
    }

-    return JSONResponse(response)
+    return JSONr(response)
+
+
+@app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
+async def leasing_v1_lessor_shutdown(request: Request):
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+
+    jwt_decode_key = Instance.get_default_instance(db).get_jwt_decode_key()
+
+    token = j.get('token')
+    token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
+    origin_ref = token.get('origin_ref')
+
+    released_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
+    deletions = Lease.cleanup(db, origin_ref)
+    logging.info(f'> [ shutdown ]: {origin_ref}: removed {deletions} leases')
+
+    response = {
+        "released_lease_list": released_lease_list,
+        "release_failure_list": None,
+        "sync_timestamp": cur_time.isoformat(),
+        "prompts": None
+    }
+
+    return JSONr(response)
+
+
+@app.on_event('startup')
+async def app_on_startup():
+    default_instance = Instance.get_default_instance(db)
+
+    lease_renewal_period = default_instance.lease_renewal_period
+    lease_renewal_delta = default_instance.get_lease_renewal_delta()
+    client_token_expire_delta = default_instance.get_client_token_expire_delta()
+
+    logger.info(f'''
+    Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
+    
+    Your clients will renew their license every {str(Lease.calculate_renewal(lease_renewal_period, lease_renewal_delta))}.
+    If the renewal fails, the license is valid for {str(lease_renewal_delta)}.
+    
+    Your client-token file (.tok) is valid for {str(client_token_expire_delta)}.
+    ''')
+
+    validate_settings()


 if __name__ == '__main__':
--- a/app/orm.py
+++ b/app/orm.py
@@ -1,18 +1,144 @@
-import datetime
-
-from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect
-from sqlalchemy.ext.declarative import declarative_base
+import logging
+from datetime import datetime, timedelta
+from dateutil.relativedelta import relativedelta
+from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text, BLOB, INT, FLOAT
 from sqlalchemy.engine import Engine
-from sqlalchemy.orm import sessionmaker
+from sqlalchemy.orm import sessionmaker, declarative_base, Session, relationship
+
+from app.util import parse_key
+
+logging.basicConfig()
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)

 Base = declarative_base()


+class Site(Base):
+    __tablename__ = "site"
+
+    INITIAL_SITE_KEY_XID = '00000000-0000-0000-0000-000000000000'
+    INITIAL_SITE_NAME = 'default'
+
+    site_key = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, SITE_KEY_XID
+    name = Column(VARCHAR(length=256), nullable=False)
+
+    def __str__(self):
+        return f'SITE_KEY_XID: {self.site_key}'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        from sqlalchemy.schema import CreateTable
+        return CreateTable(Site.__table__).compile(engine)
+
+    @staticmethod
+    def get_default_site(engine: Engine) -> "Site":
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Site).filter(Site.site_key == Site.INITIAL_SITE_KEY_XID).first()
+        session.close()
+        return entity
+
+
+class Instance(Base):
+    __tablename__ = "instance"
+
+    DEFAULT_INSTANCE_REF = '10000000-0000-0000-0000-000000000001'
+    DEFAULT_TOKEN_EXPIRE_DELTA = 86_400  # 1 day
+    DEFAULT_LEASE_EXPIRE_DELTA = 7_776_000  # 90 days
+    DEFAULT_LEASE_RENEWAL_PERIOD = 0.15
+    DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA = 378_432_000  # 12 years
+    # 1 day = 86400 (min. in production setup, max 90 days), 1 hour = 3600
+
+    instance_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4, INSTANCE_REF
+    site_key = Column(CHAR(length=36), ForeignKey(Site.site_key, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
+    private_key = Column(BLOB(length=2048), nullable=False)
+    public_key = Column(BLOB(length=512), nullable=False)
+    token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+    lease_expire_delta = Column(INT(), nullable=False, default=DEFAULT_LEASE_EXPIRE_DELTA, comment='in seconds')
+    lease_renewal_period = Column(FLOAT(precision=2), nullable=False, default=DEFAULT_LEASE_RENEWAL_PERIOD)
+    client_token_expire_delta = Column(INT(), nullable=False, default=DEFAULT_CLIENT_TOKEN_EXPIRE_DELTA, comment='in seconds')
+
+    __origin = relationship(Site, foreign_keys=[site_key])
+
+    def __str__(self):
+        return f'INSTANCE_REF: {self.instance_ref} (SITE_KEY_XID: {self.site_key})'
+
+    @staticmethod
+    def create_statement(engine: Engine):
+        from sqlalchemy.schema import CreateTable
+        return CreateTable(Instance.__table__).compile(engine)
+
+    @staticmethod
+    def create_or_update(engine: Engine, instance: "Instance"):
+        session = sessionmaker(bind=engine)()
+        entity = session.query(Instance).filter(Instance.instance_ref == instance.instance_ref).first()
+        if entity is None:
+            session.add(instance)
+        else:
+            x = dict(
+                site_key=instance.site_key,
+                private_key=instance.private_key,
+                public_key=instance.public_key,
+                token_expire_delta=instance.token_expire_delta,
+                lease_expire_delta=instance.lease_expire_delta,
+                lease_renewal_period=instance.lease_renewal_period,
+                client_token_expire_delta=instance.client_token_expire_delta,
+            )
+            session.execute(update(Instance).where(Instance.instance_ref == instance.instance_ref).values(**x))
+        session.commit()
+        session.flush()
+        session.close()
+
+    # todo: validate on startup that "lease_expire_delta" is between 1 day and 90 days
+
+    @staticmethod
+    def get_default_instance(engine: Engine) -> "Instance":
+        session = sessionmaker(bind=engine)()
+        site = Site.get_default_site(engine)
+        entity = session.query(Instance).filter(Instance.site_key == site.site_key).first()
+        session.close()
+        return entity
+
+    def get_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.token_expire_delta)
+
+    def get_lease_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.lease_expire_delta)
+
+    def get_lease_renewal_delta(self) -> "datetime.timedelta":
+        return timedelta(seconds=self.lease_expire_delta)
+
+    def get_client_token_expire_delta(self) -> "dateutil.relativedelta.relativedelta":
+        return relativedelta(seconds=self.client_token_expire_delta)
+
+    def __get_private_key(self) -> "RsaKey":
+        return parse_key(self.private_key)
+
+    def get_public_key(self) -> "RsaKey":
+        return parse_key(self.public_key)
+
+    def get_jwt_encode_key(self) -> "jose.jkw":
+        from jose import jwk
+        from jose.constants import ALGORITHMS
+        return jwk.construct(self.__get_private_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_jwt_decode_key(self) -> "jose.jwt":
+        from jose import jwk
+        from jose.constants import ALGORITHMS
+        return jwk.construct(self.get_public_key().export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+
+    def get_private_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+    def get_public_key_str(self, encoding: str = 'utf-8') -> str:
+        return self.private_key.decode(encoding)
+
+
 class Origin(Base):
    __tablename__ = "origin"

    origin_ref = Column(CHAR(length=36), primary_key=True, unique=True, index=True)  # uuid4
-
+    # service_instance_xid = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one service_instance_xid ('INSTANCE_REF')
    hostname = Column(VARCHAR(length=256), nullable=True)
    guest_driver_version = Column(VARCHAR(length=10), nullable=True)
    os_platform = Column(VARCHAR(length=256), nullable=True)
@@ -24,6 +150,7 @@ class Origin(Base):
    def serialize(self) -> dict:
        return {
            'origin_ref': self.origin_ref,
+            # 'service_instance_xid': self.service_instance_xid,
            'hostname': self.hostname,
            'guest_driver_version': self.guest_driver_version,
            'os_platform': self.os_platform,
@@ -39,7 +166,6 @@ class Origin(Base):
    def create_or_update(engine: Engine, origin: "Origin"):
        session = sessionmaker(bind=engine)()
        entity = session.query(Origin).filter(Origin.origin_ref == origin.origin_ref).first()
-        print(entity)
        if entity is None:
            session.add(origin)
        else:
@@ -55,12 +181,12 @@ class Origin(Base):
        session.close()

    @staticmethod
-    def delete(engine: Engine, origins: ["Origin"] = None) -> int:
+    def delete(engine: Engine, origin_refs: [str] = None) -> int:
        session = sessionmaker(bind=engine)()
-        if origins is None:
+        if origin_refs is None:
            deletions = session.query(Origin).delete()
        else:
-            deletions = session.query(Origin).filter(Origin.origin_ref in origins).delete()
+            deletions = session.query(Origin).filter(Origin.origin_ref in origin_refs).delete()
        session.commit()
        session.close()
        return deletions
@@ -69,23 +195,35 @@ class Origin(Base):
 class Lease(Base):
    __tablename__ = "lease"

+    instance_ref = Column(CHAR(length=36), ForeignKey(Instance.instance_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
    lease_ref = Column(CHAR(length=36), primary_key=True, nullable=False, index=True)  # uuid4
-
    origin_ref = Column(CHAR(length=36), ForeignKey(Origin.origin_ref, ondelete='CASCADE'), nullable=False, index=True)  # uuid4
+    # scope_ref = Column(CHAR(length=36), nullable=False, index=True)  # uuid4 # not necessary, we only support one scope_ref ('ALLOTMENT_REF')
    lease_created = Column(DATETIME(), nullable=False)
    lease_expires = Column(DATETIME(), nullable=False)
    lease_updated = Column(DATETIME(), nullable=False)

+    __instance = relationship(Instance, foreign_keys=[instance_ref])
+    __origin = relationship(Origin, foreign_keys=[origin_ref])
+
    def __repr__(self):
        return f'Lease(origin_ref={self.origin_ref}, lease_ref={self.lease_ref}, expires={self.lease_expires})'

    def serialize(self) -> dict:
+        renewal_period = self.__instance.lease_renewal_period
+        renewal_delta = self.__instance.get_lease_renewal_delta
+
+        lease_renewal = int(Lease.calculate_renewal(renewal_period, renewal_delta).total_seconds())
+        lease_renewal = self.lease_updated + relativedelta(seconds=lease_renewal)
+
        return {
            'lease_ref': self.lease_ref,
            'origin_ref': self.origin_ref,
+            # 'scope_ref': self.scope_ref,
            'lease_created': self.lease_created.isoformat(),
            'lease_expires': self.lease_expires.isoformat(),
            'lease_updated': self.lease_updated.isoformat(),
+            'lease_renewal': lease_renewal.isoformat(),
        }

    @staticmethod
@@ -130,7 +268,7 @@ class Lease(Base):
        return entity

    @staticmethod
-    def renew(engine: Engine, lease: "Lease", lease_expires: datetime.datetime, lease_updated: datetime.datetime):
+    def renew(engine: Engine, lease: "Lease", lease_expires: datetime, lease_updated: datetime):
        session = sessionmaker(bind=engine)()
        x = dict(lease_expires=lease_expires, lease_updated=lease_updated)
        session.execute(update(Lease).where(and_(Lease.origin_ref == lease.origin_ref, Lease.lease_ref == lease.lease_ref)).values(**x))
@@ -153,29 +291,135 @@ class Lease(Base):
        session.close()
        return deletions

+    @staticmethod
+    def delete_expired(engine: Engine) -> int:
+        session = sessionmaker(bind=engine)()
+        deletions = session.query(Lease).filter(Lease.lease_expires <= datetime.utcnow()).delete()
+        session.commit()
+        session.close()
+        return deletions
+
+    @staticmethod
+    def calculate_renewal(renewal_period: float, delta: timedelta) -> timedelta:
+        """
+        import datetime
+        LEASE_RENEWAL_PERIOD=0.2  # 20%
+        delta = datetime.timedelta(days=1)
+        renew = delta.total_seconds() * LEASE_RENEWAL_PERIOD
+        renew = datetime.timedelta(seconds=renew)
+        expires = delta - renew  # 19.2
+
+        import datetime
+        LEASE_RENEWAL_PERIOD=0.15  # 15%
+        delta = datetime.timedelta(days=90)
+        renew = delta.total_seconds() * LEASE_RENEWAL_PERIOD
+        renew = datetime.timedelta(seconds=renew)
+        expires = delta - renew  # 76 days, 12:00:00 hours
+
+        """
+        renew = delta.total_seconds() * renewal_period
+        renew = timedelta(seconds=renew)
+        return renew
+
+
+def init_default_site(session: Session):
+    from uuid import uuid4
+    from app.util import generate_key
+
+    private_key = generate_key()
+    public_key = private_key.public_key()
+
+    site = Site(
+        site_key=Site.INITIAL_SITE_KEY_XID,
+        name=Site.INITIAL_SITE_NAME
+    )
+    session.add(site)
+    session.commit()
+
+    instance = Instance(
+        instance_ref=Instance.DEFAULT_INSTANCE_REF,
+        site_key=site.site_key,
+        private_key=private_key.export_key(),
+        public_key=public_key.export_key(),
+    )
+    session.add(instance)
+    session.commit()
+

 def init(engine: Engine):
-    tables = [Origin, Lease]
+    tables = [Site, Instance, Origin, Lease]
    db = inspect(engine)
    session = sessionmaker(bind=engine)()
    for table in tables:
-        if not db.dialect.has_table(engine.connect(), table.__tablename__):
-            session.execute(str(table.create_statement(engine)))
+        exists = db.dialect.has_table(engine.connect(), table.__tablename__)
+        logger.info(f'> Table "{table.__tablename__:<16}" exists: {exists}')
+        if not exists:
+            session.execute(text(str(table.create_statement(engine))))
            session.commit()
+
+    # create default site
+    cnt = session.query(Site).count()
+    if cnt == 0:
+        init_default_site(session)
+
+    session.flush()
    session.close()


 def migrate(engine: Engine):
+    from os import getenv as env
+    from os.path import join, dirname, isfile
+    from util import load_key
+
    db = inspect(engine)

-    def upgrade_1_0_to_1_1():
-        x = db.dialect.get_columns(engine.connect(), Lease.__tablename__)
-        x = next(_ for _ in x if _['name'] == 'origin_ref')
-        if x['primary_key'] > 0:
-            print('Found old database schema with "origin_ref" as primary-key in "lease" table. Dropping table!')
-            print('  Your leases are recreated on next renewal!')
-            print('  If an error message appears on the client, you can ignore it.')
-            Lease.__table__.drop(bind=engine)
-            init(engine)
+    # todo: add update guide to use 1.LATEST to 2.0
+    def upgrade_1_x_to_2_0():
+        site = Site.get_default_site(engine)
+        logger.info(site)
+        instance = Instance.get_default_instance(engine)
+        logger.info(instance)

-    upgrade_1_0_to_1_1()
+        # SITE_KEY_XID
+        if site_key := env('SITE_KEY_XID', None) is not None:
+            site.site_key = str(site_key)
+
+        # INSTANCE_REF
+        if instance_ref := env('INSTANCE_REF', None) is not None:
+            instance.instance_ref = str(instance_ref)
+
+        # ALLOTMENT_REF
+        if allotment_ref := env('ALLOTMENT_REF', None) is not None:
+            pass  # todo
+
+        # INSTANCE_KEY_RSA, INSTANCE_KEY_PUB
+        default_instance_private_key_path = str(join(dirname(__file__), 'cert/instance.private.pem'))
+        if instance_private_key := env('INSTANCE_KEY_RSA', None) is not None:
+            instance.private_key = load_key(str(instance_private_key))
+        elif isfile(default_instance_private_key_path):
+            instance.private_key = load_key(default_instance_private_key_path)
+        default_instance_public_key_path = str(join(dirname(__file__), 'cert/instance.public.pem'))
+        if instance_public_key := env('INSTANCE_KEY_PUB', None) is not None:
+            instance.public_key = load_key(str(instance_public_key))
+        elif isfile(default_instance_public_key_path):
+            instance.public_key = load_key(default_instance_public_key_path)
+
+        # TOKEN_EXPIRE_DELTA
+        if token_expire_delta := env('TOKEN_EXPIRE_DAYS', None) not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 86_400
+        if token_expire_delta := env('TOKEN_EXPIRE_HOURS', None) not in (None, 0):
+            instance.token_expire_delta = token_expire_delta * 3_600
+
+        # LEASE_EXPIRE_DELTA, LEASE_RENEWAL_DELTA
+        if lease_expire_delta := env('LEASE_EXPIRE_DAYS', None) not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 86_400
+        if lease_expire_delta := env('LEASE_EXPIRE_HOURS', None) not in (None, 0):
+            instance.lease_expire_delta = lease_expire_delta * 3_600
+
+        # LEASE_RENEWAL_PERIOD
+        if lease_renewal_period := env('LEASE_RENEWAL_PERIOD', None) is not None:
+            instance.lease_renewal_period = lease_renewal_period
+
+        # todo: update site, instance
+
+    upgrade_1_x_to_2_0()
--- a/app/util.py
+++ b/app/util.py
@@ -16,6 +16,18 @@ def load_key(filename) -> "RsaKey":
    return RSA.import_key(extern_key=load_file(filename), passphrase=None)


+def parse_key(content: bytes) -> "RsaKey":
+    try:
+        # Crypto | Cryptodome on Debian
+        from Crypto.PublicKey import RSA
+        from Crypto.PublicKey.RSA import RsaKey
+    except ModuleNotFoundError:
+        from Cryptodome.PublicKey import RSA
+        from Cryptodome.PublicKey.RSA import RsaKey
+
+    return RSA.import_key(extern_key=content, passphrase=None)
+
+
 def generate_key() -> "RsaKey":
    try:
        # Crypto | Cryptodome on Debian
--- a/doc/Database.md
+++ b/doc/Database.md
@@ -0,0 +1,26 @@
+# Database structure
+
+## `request_routing.service_instance`
+
+| xid                                    | org_name                 |
+|----------------------------------------|--------------------------|
+| `10000000-0000-0000-0000-000000000000` | `lic-000000000000000000` |
+
+- `xid` is used as `SERVICE_INSTANCE_XID`
+
+## `request_routing.license_allotment_service_instance`
+
+| xid                                    | service_instance_xid                   | license_allotment_xid                  |
+|----------------------------------------|----------------------------------------|----------------------------------------|
+| `90000000-0000-0000-0000-000000000001` | `10000000-0000-0000-0000-000000000000` | `80000000-0000-0000-0000-000000000001` |
+
+- `xid` is only a primary-key and never used as foreign-key or reference
+- `license_allotment_xid` must be used to fetch `xid`'s from `request_routing.license_allotment_reference`
+
+## `request_routing.license_allotment_reference`
+
+| xid                                    | license_allotment_xid                  |
+|----------------------------------------|----------------------------------------|
+| `20000000-0000-0000-0000-000000000001` | `80000000-0000-0000-0000-000000000001` | 
+
+- `xid` is used as `scope_ref_list` on token request
--- a/doc/Reverse
+++ b/doc/Reverse
@@ -33,6 +33,9 @@ nvidia-gridd[2986]: License acquired successfully. (Info: license.nvidia.space,

 Most variables and configs are stored in `/var/lib/docker/volumes/configurations/_data`.

+Files can be modified with `docker cp <container-id>:/venv/... /opt/localfile/...` and back.
+(May you need to fix permissions with `docker exec -u 0 <container-id> chown nonroot:nonroot /venv/...`)
+
 ## Dive / Docker image inspector

 - `dive dls:appliance`
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,29 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
+  DLS_URL: localhost # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    ports:
+      - "443:443"
+    volumes:
+      - /opt/docker/fastapi-dls/cert:/app/cert
+      - dls-db:/app/database
+    logging: # optional, for those who do not need logs
+      driver: "json-file"
+      options:
+        max-file: 5
+        max-size: 10m
+
+volumes:
+  dls-db:
--- a/examples/docker-compose-http-and-https.yml
+++ b/examples/docker-compose-http-and-https.yml
@@ -0,0 +1,120 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443  # must match nginx listen & exposed port
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - db:/app/database
+    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+  proxy:
+    image: nginx
+    ports:
+      # thees are ports where nginx (!) is listen to
+      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
+      - "443:443"  # first part must match "DLS_PORT"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/opt/cert
+    healthcheck:
+      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    command: |
+      bash -c "bash -s <<\"EOF\"
+      cat > /etc/nginx/nginx.conf <<\"EON\"
+      daemon off;
+      user root;
+      worker_processes auto;
+      
+      events {
+        worker_connections 1024;
+      }
+      
+      http {
+        gzip on;
+        gzip_disable "msie6";
+        include /etc/nginx/mime.types;
+      
+        upstream dls-backend {
+          server dls:8000;  # must match dls listen port
+        }
+      
+        server {
+          listen 443 ssl http2 default_server;
+          listen [::]:443 ssl http2 default_server;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          ssl_certificate "/opt/cert/webserver.crt";
+          ssl_certificate_key "/opt/cert/webserver.key";
+          ssl_session_cache shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_protocols TLSv1.3 TLSv1.2;
+          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+          # ssl_ciphers PROFILE=SYSTEM;
+          ssl_prefer_server_ciphers on;
+      
+          location / {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend$$request_uri;
+          }
+      
+          location = /-/health {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+          }
+        }
+      
+        server {
+          listen 80;
+          listen [::]:80;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          location /leasing/v1/lessor/shutdown {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+          }
+      
+          location / {
+            return 301 https://$$host$$request_uri;
+          }
+        }
+      }
+      EON
+      nginx
+      EOF"
+
+volumes:
+  db:
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
-fastapi==0.88.0
-uvicorn[standard]==0.20.0
+fastapi==0.110.0
+uvicorn[standard]==0.27.1
 python-jose==3.3.0
-pycryptodome==3.16.0
+pycryptodome==3.20.0
 python-dateutil==2.8.2
-sqlalchemy==1.4.45
-markdown==3.4.1
-python-dotenv==0.21.0
+sqlalchemy==2.0.27
+markdown==3.5.2
+python-dotenv==1.0.1
--- a/test/main.py
+++ b/test/main.py
@@ -1,14 +1,15 @@
+from os import getenv as env
 from base64 import b64encode as b64enc
 from hashlib import sha256
 from calendar import timegm
 from datetime import datetime
-from os.path import dirname, join
-from uuid import uuid4
+from uuid import UUID, uuid4

 from dateutil.relativedelta import relativedelta
-from jose import jwt, jwk
+from jose import jwt
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
+from sqlalchemy import create_engine
 import sys

 # add relative path to use packages as they were in the app/ dir
@@ -16,21 +17,23 @@ sys.path.append('../')
 sys.path.append('../app')

 from app import main
-from app.util import load_key
+from app.orm import init as db_init, migrate, Site, Instance

+
+ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-000000000001', 'HelloWorld'
+
+# fastapi setup
 client = TestClient(main.app)

-ORIGIN_REF, LEASE_REF = str(uuid4()), str(uuid4())
-SECRET = "HelloWorld"
+# database setup
+db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
+db_init(db), migrate(db)

-# INSTANCE_KEY_RSA = generate_key()
-# INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
+# test vars
+DEFAULT_SITE, DEFAULT_INSTANCE = Site.get_default_site(db), Instance.get_default_instance(db)

-INSTANCE_KEY_RSA = load_key(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
-INSTANCE_KEY_PUB = load_key(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
-
-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+SITE_KEY = DEFAULT_SITE.site_key
+jwt_encode_key, jwt_decode_key = DEFAULT_INSTANCE.get_jwt_encode_key(), DEFAULT_INSTANCE.get_jwt_decode_key()


 def __bearer_token(origin_ref: str) -> str:
@@ -39,21 +42,26 @@ def __bearer_token(origin_ref: str) -> str:
    return token


+def test_initial_default_site_and_instance():
+    default_site, default_instance = Site.get_default_site(db), Instance.get_default_instance(db)
+    assert default_site.site_key == Site.INITIAL_SITE_KEY_XID
+    assert default_instance.instance_ref == Instance.DEFAULT_INSTANCE_REF
+
+
 def test_index():
    response = client.get('/')
    assert response.status_code == 200


-def test_status():
-    response = client.get('/status')
-    assert response.status_code == 200
-    assert response.json()['status'] == 'up'
-
-
 def test_health():
    response = client.get('/-/health')
    assert response.status_code == 200
-    assert response.json()['status'] == 'up'
+    assert response.json().get('status') == 'up'
+
+
+def test_config():
+    response = client.get('/-/config')
+    assert response.status_code == 200


 def test_readme():
@@ -71,11 +79,6 @@ def test_client_token():
    assert response.status_code == 200


-def test_client_token_deprecated():
-    response = client.get('/client-token')
-    assert response.status_code == 200
-
-
 def test_origins():
    pass

@@ -110,7 +113,7 @@ def test_auth_v1_origin():

    response = client.post('/auth/v1/origin', json=payload)
    assert response.status_code == 200
-    assert response.json()['origin_ref'] == ORIGIN_REF
+    assert response.json().get('origin_ref') == ORIGIN_REF


 def auth_v1_origin_update():
@@ -131,7 +134,7 @@ def auth_v1_origin_update():

    response = client.post('/auth/v1/origin/update', json=payload)
    assert response.status_code == 200
-    assert response.json()['origin_ref'] == ORIGIN_REF
+    assert response.json().get('origin_ref') == ORIGIN_REF


 def test_auth_v1_code():
@@ -143,8 +146,8 @@ def test_auth_v1_code():
    response = client.post('/auth/v1/code', json=payload)
    assert response.status_code == 200

-    payload = jwt.get_unverified_claims(token=response.json()['auth_code'])
-    assert payload['origin_ref'] == ORIGIN_REF
+    payload = jwt.get_unverified_claims(token=response.json().get('auth_code'))
+    assert payload.get('origin_ref') == ORIGIN_REF


 def test_auth_v1_token():
@@ -160,17 +163,16 @@ def test_auth_v1_token():
        "kid": "00000000-0000-0000-0000-000000000000"
    }
    payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')},
-                                algorithm=ALGORITHMS.RS256),
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
        "code_verifier": SECRET,
    }

    response = client.post('/auth/v1/token', json=payload)
    assert response.status_code == 200

-    token = response.json()['auth_token']
+    token = response.json().get('auth_token')
    payload = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
-    assert payload['origin_ref'] == ORIGIN_REF
+    assert payload.get('origin_ref') == ORIGIN_REF


 def test_leasing_v1_lessor():
@@ -183,46 +185,67 @@ def test_leasing_v1_lessor():
            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
        }],
        'proposal_evaluation_mode': 'ALL_OF',
-        'scope_ref_list': [LEASE_REF]
+        'scope_ref_list': [ALLOTMENT_REF]
    }

    response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200

-    lease_result_list = response.json()['lease_result_list']
+    lease_result_list = response.json().get('lease_result_list')
    assert len(lease_result_list) == 1
-    assert lease_result_list[0]['lease']['ref'] == LEASE_REF
+    assert len(lease_result_list[0]['lease']['ref']) == 36
+    assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref']
+
+    return lease_result_list[0]['lease']['ref']


 def test_leasing_v1_lessor_lease():
    response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200

-    active_lease_list = response.json()['active_lease_list']
+    active_lease_list = response.json().get('active_lease_list')
    assert len(active_lease_list) == 1
-    assert active_lease_list[0] == LEASE_REF
+    assert len(active_lease_list[0]) == 36
+    assert str(UUID(active_lease_list[0])) == active_lease_list[0]


 def test_leasing_v1_lease_renew():
-    response = client.put(f'/leasing/v1/lease/{LEASE_REF}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    active_lease_list = response.json().get('active_lease_list')
+    active_lease_ref = active_lease_list[0]
+
+    ###
+
+    response = client.put(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200

-    assert response.json()['lease_ref'] == LEASE_REF
+    lease_ref = response.json().get('lease_ref')
+    assert len(lease_ref) == 36
+    assert lease_ref == active_lease_ref


 def test_leasing_v1_lease_delete():
-    response = client.delete(f'/leasing/v1/lease/{LEASE_REF}', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
+    active_lease_list = response.json().get('active_lease_list')
+    active_lease_ref = active_lease_list[0]
+
+    ###
+
+    response = client.delete(f'/leasing/v1/lease/{active_lease_ref}', headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200

-    assert response.json()['lease_ref'] == LEASE_REF
+    lease_ref = response.json().get('lease_ref')
+    assert len(lease_ref) == 36
+    assert lease_ref == active_lease_ref


 def test_leasing_v1_lessor_lease_remove():
-    test_leasing_v1_lessor()
+    lease_ref = test_leasing_v1_lessor()

    response = client.delete('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
    assert response.status_code == 200

-    released_lease_list = response.json()['released_lease_list']
+    released_lease_list = response.json().get('released_lease_list')
    assert len(released_lease_list) == 1
-    assert released_lease_list[0] == LEASE_REF
+    assert len(released_lease_list[0]) == 36
+    assert released_lease_list[0] == lease_ref
--- a/version.env
+++ b/version.env
@@ -1 +0,0 @@
-VERSION=1.2
Author	SHA1	Message	Date
Oscar Krause	16f80cd78b	added "16.3" support	2024-03-04 21:19:59 +01:00
Oscar Krause	07aec53787	requirements.txt updated	2024-03-04 21:19:59 +01:00
Oscar Krause	3e87820f63	removed todo	2024-03-04 21:19:59 +01:00
Oscar Krause	a927e291b5	fixes	2024-03-04 21:19:59 +01:00
Oscar Krause	72054d30c4	make tests interruptible	2024-03-04 21:19:59 +01:00
Oscar Krause	00dc848083	only run test matrix when "app" or "test" changes	2024-03-04 21:19:59 +01:00
Oscar Krause	78b6fe52c7	fixed CI/CD path from "/builds" to "/tmp/builds"	2024-03-04 21:19:59 +01:00
Oscar Krause	f82d73bb01	run different jobs on "$CI_DEFAULT_BRANCH"	2024-03-04 21:19:59 +01:00
Oscar Krause	416df311b8	removed pylint	2024-03-04 21:19:59 +01:00
Oscar Krause	a6ea8241c2	disabled pylint	2024-03-04 21:19:59 +01:00
Oscar Krause	e70f70d806	disabled code_quality debug	2024-03-04 21:19:59 +01:00
Oscar Krause	77be5772c4	Update .codeclimate.yml	2024-03-04 21:19:59 +01:00
Oscar Krause	6c1b05c66a	fixed test_coverage (fail on matrix)	2024-03-04 21:19:59 +01:00
Oscar Krause	a54411a957	added code_quality debug	2024-03-04 21:19:59 +01:00
Oscar Krause	90e0cb8e84	added code_quality “SOURCE_CODE” variable	2024-03-04 21:19:59 +01:00
Oscar Krause	eecb59e2e4	removed "cython" from "test"	2024-03-04 21:19:59 +01:00
Oscar Krause	4c0f65faec	removed tests for "23.04" > gcc -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/tmp/pip-install-sazb8fvo/httptools_694f06fa2e354ed9ba9f5c167df7fce4/vendor/llhttp/include -I/tmp/pip-install-sazb8fvo/httptools_694f06fa2e354ed9ba9f5c167df7fce4/vendor/llhttp/src -I/usr/local/include/python3.11 -c httptools/parser/parser.c -o build/temp.linux-x86_64-cpython-311/httptools/parser/parser.o -O2 httptools/parser/parser.c:212:12: fatal error: longintrepr.h: No such file or directory	2024-03-04 21:19:59 +01:00
Oscar Krause	e41084f5c5	added tests for Ubuntu "Mantic Minotaur"	2024-03-04 21:19:59 +01:00
Oscar Krause	36d5b83fb8	requirements.txt updated	2024-03-04 21:19:59 +01:00
Oscar Krause	11138c2191	updated debian bookworm 12 dependencies	2024-03-04 21:19:59 +01:00
Oscar Krause	ff9e85e32b	updated test to debian bookworm	2024-03-04 21:19:59 +01:00
Oscar Krause	cb6a089678	fixed testing dependency	2024-03-04 21:19:59 +01:00
Oscar Krause	085186f82a	added gcc as dependency	2024-03-04 21:19:59 +01:00
Oscar Krause	f77d3feee1	fixes	2024-03-04 21:19:59 +01:00
Oscar Krause	f2721c7663	fixed debian package versions	2024-03-04 21:19:59 +01:00
Oscar Krause	40cb5518cb	fixed versions & added 16.2 as supported	2024-03-04 21:19:59 +01:00
Oscar Krause	021c0ac38d	added os specific requirements.txt	2024-03-04 21:19:59 +01:00
Oscar Krause	9c22628b4e	implemented python test matrix for different python dependencies on different os releases	2024-03-04 21:19:59 +01:00
Oscar Krause	966b421dad	README.md updated	2024-03-04 21:19:59 +01:00
Oscar Krause	7f8752a93d	updated ubuntu from 22.10 (EOL) to 23.04	2024-03-04 21:19:59 +01:00
Oscar Krause	30979fd18e	requirements.txt updated	2024-03-04 21:19:59 +01:00
Oscar Krause	72965cc879	added 16.1 as supported nvidia driver release	2024-03-04 21:19:59 +01:00
Oscar Krause	1887cbc534	added macOS as supported host (using python-venv)	2024-03-04 21:19:59 +01:00
Oscar Krause	2e942f4553	added Docker supported system architectures	2024-03-04 21:19:59 +01:00
Oscar Krause	3dda920a52	added linkt to driver compatibility section	2024-03-04 21:19:59 +01:00
Oscar Krause	765a994d83	requirements.txt updated	2024-03-04 21:19:59 +01:00
Oscar Krause	23488f94d4	added support for 16.0 drivers to readme	2024-03-04 21:19:59 +01:00
Oscar Krause	f9341cdab4	fixed docker image name (gitlab registry)	2024-03-04 21:19:59 +01:00
Oscar Krause	cad81ad1d6	fixed deploy docker	2024-03-04 21:19:59 +01:00
Oscar Krause	b07b7da2f3	fixed new docker registry image path	2024-03-04 21:19:59 +01:00
Oscar Krause	1ef7dd82f6	toggle api endpoints	2024-03-04 21:19:25 +01:00
Oscar Krause	5a1b1a5950	typos	2024-03-04 21:19:25 +01:00
Oscar Krause	83f4b42f01	added information about ipv6 may be must disabled	2024-03-04 21:19:25 +01:00
Oscar Krause	a3baaab26f	removed mysql from included docker drivers	2024-03-04 21:19:25 +01:00
Oscar Krause	aa4ebfce73	added docker command to logging section thanks to @libreshare (https://gitea.publichub.eu/oscar.krause/fastapi-dls/issues/2)	2024-03-04 21:19:25 +01:00
Oscar Krause	aa746feb13	improvements thanks to @AbsolutelyFree (https://gitea.publichub.eu/oscar.krause/fastapi-dls/issues/1)	2024-03-04 21:19:25 +01:00
Oscar Krause	fce0eb6d74	fixed "deploy:pacman"	2024-03-04 21:19:25 +01:00
Oscar Krause	32806e5cca	push multiarch image to docker-hub	2024-03-04 21:19:25 +01:00
Oscar Krause	50eddeecfc	fixed mariadb-client installation ref. https://github.com/PyMySQL/mysqlclient/discussions/624	2024-03-04 21:19:25 +01:00
Oscar Krause	092e6186ab	added missing "pkg-config" for "mysqlclient==2.2.0" ref. https://stackoverflow.com/questions/76533384/docker-alpine-build-fails-on-mysqlclient-installation-with-error-exception-can	2024-03-04 21:19:25 +01:00
Oscar Krause	acbe889fd9	fixed versions	2024-03-04 21:19:25 +01:00
Oscar Krause	05cad95c2a	refactored docker-compose.yml so very simple example, and moved proxy to "examples" directory	2024-03-04 21:19:25 +01:00
Oscar Krause	c9e36759e3	added 15.3 to supported drivers list	2024-03-04 21:19:25 +01:00
Oscar Krause	d116eec626	updated compatibility list	2024-03-04 21:19:25 +01:00
Oscar Krause	b1620154db	docker-compose.yml - added note for TZ	2024-03-04 21:19:25 +01:00
Oscar Krause	4181095791	requirements.txt updated	2024-03-04 21:19:25 +01:00
Oscar Krause	248c70a862	Merge branch 'dev' into db	2023-06-12 15:19:28 +02:00
Oscar Krause	39a2408d8d	migrated api to database-config (Site, Instance)	2023-06-12 15:19:06 +02:00
Oscar Krause	18807401e4	orm improvements & fixes	2023-06-12 15:14:12 +02:00
Oscar Krause	5e47ad7729	fastapi openapi url	2023-06-12 15:13:53 +02:00
Oscar Krause	20448bc587	improved relationships	2023-06-12 15:13:29 +02:00
Oscar Krause	5e945bc43a	code styling	2023-06-12 14:47:32 +02:00
Oscar Krause	b4150fa527	implemented Site and Instance orm models including initialization	2023-06-12 12:42:13 +02:00
Oscar Krause	38e1a1725c	code styling	2023-06-12 12:40:10 +02:00
Oscar Krause	c79636b1c2	fixed .gitlab-ci.yml deprecated build-ref varialbes ref. https://gitlab.com/gitlab-org/gitlab/-/issues/352957	2023-06-12 11:03:03 +02:00
Oscar Krause	8de9a89e56	Merge branch 'main' into 'dev' # Conflicts: # requirements.txt	2023-06-12 08:56:01 +00:00
Oscar Krause	801d1786ef	requirements.txt updated	2023-06-12 10:52:13 +02:00
Oscar Krause	7e5f8b6c8a	implemented endpoint to remove expired leases	2023-06-12 10:48:00 +02:00
Oscar Krause	98da86fc2e	removed debian bookworm testing notes	2023-06-12 09:31:43 +02:00
Oscar Krause	14cf6a953f	typos	2023-05-09 06:58:51 +02:00
Oscar Krause	6a5d3cb2f7	requirements.txt updated	2023-05-09 06:57:17 +02:00
Oscar Krause	774a1c21a1	improved docker build with "ARG" instead of using "version.env" which is not present on local builds (because it's created by ci-pipeline)	2023-05-09 06:57:03 +02:00
Oscar Krause	d1a77df0e1	updated sudo / su commands (list sudo fist instead of su)	2023-04-17 10:58:25 +02:00
Oscar Krause	c9c73f6cf2	updated docker image requirements.txt	2023-04-17 10:35:23 +02:00
Oscar Krause	b216dcb3dd	fixed nvidia-smi path on windows	2023-04-17 10:35:08 +02:00
Oscar Krause	d2e4042932	added 15.2 to supported versions	2023-04-01 23:20:06 +02:00
Oscar Krause	04a1ee0948	added Roadmap	2023-03-24 14:28:44 +01:00
Oscar Krause	c1b5f83f44	Merge branch 'multiarch' into 'main' multiarch support See merge request oscar.krause/fastapi-dls!25	2023-03-24 10:29:23 +01:00
Oscar Krause	9d1422cbdf	secret detection	2023-03-24 10:00:25 +01:00
Oscar Krause	7b7f14bd82	Aktualisieren .gitlab-ci.yml	2023-03-24 09:31:27 +01:00
Oscar Krause	f72c0f7db3	Aktualisieren .gitlab-ci.yml	2023-03-24 09:11:26 +01:00
Oscar Krause	76d8753f28	Aktualisieren .gitlab-ci.yml	2023-03-24 09:07:49 +01:00
Oscar Krause	593db0e789	Aktualisieren .gitlab-ci.yml	2023-03-24 08:43:29 +01:00
Oscar Krause	3d9e3cb88f	set specific arm64 version to v8	2023-03-24 07:48:35 +01:00
Oscar Krause	995b944135	removed "linux/arm/v7"	2023-03-23 11:46:17 +01:00
Oscar Krause	e200c84345	improvements	2023-03-23 11:10:53 +01:00
Oscar Krause	04ff36c94d	Aktualisieren .gitlab-ci.yml	2023-03-23 08:36:34 +01:00
Oscar Krause	89704bc2a1	Aktualisieren .gitlab-ci.yml	2023-03-23 08:35:27 +01:00
Oscar Krause	6395214fa0	Aktualisieren .gitlab-ci.yml	2023-03-23 08:24:40 +01:00
Oscar Krause	c8e000eb3e	Aktualisieren .gitlab-ci.yml	2023-03-23 08:22:51 +01:00
Oscar Krause	c8e5676c01	Aktualisieren .gitlab-ci.yml	2023-03-23 08:17:31 +01:00
Oscar Krause	6f11bc414c	Aktualisieren .gitlab-ci.yml	2023-03-23 08:11:57 +01:00
Oscar Krause	1fc5ac8378	added setup_vgpu_license.sh script	2023-03-22 07:10:18 +01:00
Oscar Krause	87334fbfad	added unraid section	2023-03-20 20:21:17 +01:00
Oscar Krause	0fac033657	Merge branch 'dev' into 'main' dev See merge request oscar.krause/fastapi-dls!24	2023-03-20 15:01:22 +01:00
Oscar Krause	7cd4e6fde0	fixes	2023-03-20 14:51:54 +01:00
Oscar Krause	a22b56edbe	fixes	2023-03-20 14:33:50 +01:00
Oscar Krause	e42dc6aa86	code styling	2023-03-20 10:06:21 +01:00
Oscar Krause	86f703a36c	ci improvements	2023-03-20 08:35:06 +01:00
Oscar Krause	71795cc7a2	di improvements	2023-03-20 08:07:24 +01:00
Oscar Krause	4ef041bb54	styling	2023-02-28 13:08:34 +01:00
Oscar Krause	88c8fb98da	added some notes about included database drivers in docker image	2023-02-28 07:52:14 +01:00
Oscar Krause	a7b4a4b631	requirements.txt updated	2023-02-14 16:00:04 +01:00
Oscar Krause	7ccb254cbf	dependency scanning	2023-02-14 15:48:49 +01:00
Oscar Krause	1d5d3b31fb	dependency scanning	2023-02-14 15:32:32 +01:00
Oscar Krause	7af2e02627	improvements	2023-02-14 15:14:19 +01:00
Oscar Krause	938fc6bd60	added SAST	2023-02-14 14:50:21 +01:00
Oscar Krause	1b9ebb48b1	added secret detection	2023-02-14 13:55:49 +01:00
Oscar Krause	4972f00822	fixes	2023-02-14 13:37:25 +01:00
Oscar Krause	210a36c07f	added code-quality and test-coverage	2023-02-14 12:59:31 +01:00
Oscar Krause	e1bbd42b50	Merge branch 'dev' into 'main' 1.3.5 See merge request oscar.krause/fastapi-dls!23	2023-02-13 17:30:11 +01:00
Oscar Krause	c1d541f7c6	bump version to 1.3.5	2023-02-13 08:09:37 +01:00
Oscar Krause	4b58fe6e20	added openSUSE Leap 15.4 support	2023-02-13 08:09:21 +01:00
Oscar Krause	b36b49df11	fixed missing mkdir for config file on manual installation method	2023-02-01 07:55:12 +01:00
Oscar Krause	a42b1c8cfb	added note to be logged in as root using manual install method (git)	2023-01-30 12:34:46 +01:00
Oscar Krause	59152f95e6	fixed - The ``declarative_base()`` function is now available as sqlalchemy.orm.declarative_base()	2023-01-30 10:23:09 +01:00
Oscar Krause	62d347510d	fixed - sqlalchemy.exc.ArgumentError: Textual SQL expression '\nCREATE TABLE origin (\n\to...' should be explicitly declared as text('\nCREATE TABLE origin (\n\to...')	2023-01-30 10:22:18 +01:00
Oscar Krause	f540c4b25b	requirements.txt updated	2023-01-30 09:19:03 +01:00
Oscar Krause	70212e0edd	improved docker-compose examples	2023-01-30 09:18:57 +01:00
Oscar Krause	616e8fba5e	README - improvements	2023-01-30 08:37:34 +01:00
Oscar Krause	b905ab9dd9	Merge branch 'dev' into 'main' 1.3.4 See merge request oscar.krause/fastapi-dls!22	2023-01-26 07:56:34 +01:00
Oscar Krause	9edc93653e	bump version to 1.3.4	2023-01-26 07:38:48 +01:00
Oscar Krause	f30e9237a5	requirements.txt updated	2023-01-26 07:18:01 +01:00
Oscar Krause	f12dc28c42	fixed overriding config file on update / reinstall	2023-01-26 07:17:16 +01:00
Oscar Krause	02276d5440	disabled openapi endpoints	2023-01-23 07:33:54 +01:00
Oscar Krause	9ebff8d6ca	typos	2023-01-23 07:29:13 +01:00
Oscar Krause	48eb6d6c64	typos	2023-01-23 07:23:42 +01:00
Oscar Krause	f7ef8d76b6	fixed Origin.delete()	2023-01-23 07:12:02 +01:00
Oscar Krause	bed24b56ce	styling	2023-01-19 08:26:35 +01:00
Oscar Krause	95427d430e	added startup script	2023-01-19 07:26:22 +01:00
Oscar Krause	c3ea0aa48c	added variable for client-token-expire-delta	2023-01-19 07:26:07 +01:00
Oscar Krause	91be7b226c	added some comments for default values	2023-01-19 07:25:44 +01:00
Oscar Krause	7045692958	added official links	2023-01-19 07:25:24 +01:00
Oscar Krause	38177fa259	styling	2023-01-18 14:29:48 +01:00
Oscar Krause	9411759f6d	added system requirements and preparements	2023-01-18 14:23:34 +01:00
Oscar Krause	48c37987b2	fixed logging and added current timezone info	2023-01-18 14:23:25 +01:00
Oscar Krause	e3745d7fa8	Merge branch 'dev' into 'main' 1.3.3 See merge request oscar.krause/fastapi-dls!21	2023-01-18 08:13:42 +01:00
Oscar Krause	5bb8f17679	improvements	2023-01-18 08:07:55 +01:00
Oscar Krause	de17b0f1b5	fixes	2023-01-18 08:03:02 +01:00
Oscar Krause	0ab5969d3a	fixes	2023-01-18 06:56:16 +01:00
Oscar Krause	059a51fe74	refactored commands	2023-01-17 17:25:48 +01:00
Oscar Krause	bf858b38f4	fixes	2023-01-17 17:09:13 +01:00
Oscar Krause	f60f08d543	run powershell as administrator	2023-01-17 16:57:15 +01:00
Oscar Krause	b2e6fab294	fixes	2023-01-17 16:49:15 +01:00
Oscar Krause	b09bb091a5	bump version to 1.3.3	2023-01-17 16:29:32 +01:00
Oscar Krause	651af4cc82	fixed client-token url and added wget als alternative to curl	2023-01-17 16:29:21 +01:00
Oscar Krause	70f7d3f483	mark Let's Encrypt section as optional	2023-01-17 15:36:38 +01:00
Oscar Krause	1e4070a1ba	added remove "/usr/share/fastapi-dls" to "postrm"	2023-01-17 14:57:54 +01:00
Oscar Krause	d69d833923	migrated "[[ ]]" if statements to "[ ]"	2023-01-17 14:57:39 +01:00
Oscar Krause	7ef071f92b	removed fastapi-dls.service from conffiles	2023-01-17 14:57:09 +01:00
Oscar Krause	3c19fc9d5b	implemented "lease_renewal" attribute as calculated value within what period of time the license must be renewed	2023-01-17 11:49:56 +01:00
Oscar Krause	164b5ebc44	Merge branch 'dev' into 'main' 1.3.2 See merge request oscar.krause/fastapi-dls!20	2023-01-17 11:36:23 +01:00
Oscar Krause	742fa07ed4	bump version to 1.3.2	2023-01-17 11:18:25 +01:00
Oscar Krause	a758d93970	main.py - fixed empty lease origin response	2023-01-17 11:18:07 +01:00
Oscar Krause	70250f1fca	Merge branch 'dev' into 'main' 1.3.1 See merge request oscar.krause/fastapi-dls!19	2023-01-16 13:08:57 +01:00
Oscar Krause	a65687a082	bump version to 1.3.1	2023-01-16 10:34:20 +01:00
Oscar Krause	3e445c80aa	fixes	2023-01-16 10:33:52 +01:00
Oscar Krause	20cc984799	FAQ.md	2023-01-16 10:30:55 +01:00
Oscar Krause	3495cc3af5	typos	2023-01-16 10:30:40 +01:00
Oscar Krause	ed13577e82	Dockerfile - updated to python 3.11	2023-01-16 10:30:21 +01:00
Oscar Krause	ca8a9df54c	requirements.txt updated	2023-01-16 10:24:08 +01:00
Oscar Krause	5425eec545	.gitlab-ci.yml simplified	2023-01-16 10:23:58 +01:00
Oscar Krause	2f3c7d5433	Merge branch 'main' into dev	2023-01-16 07:00:20 +01:00
Oscar Krause	b551b0e7f9	README.md - added sunsupoorted ubuntu version	2023-01-15 19:47:50 +01:00
Oscar Krause	50dea9ac4e	fixes	2023-01-05 14:08:08 +01:00
Oscar Krause	549a48a10b	Merge branch 'dev' into 'main' 1.3 See merge request oscar.krause/fastapi-dls!18	2023-01-05 07:27:10 +01:00
Oscar Krause	1f3bc8b4af	.gitlab-ci.yml	2023-01-05 07:22:25 +01:00
Oscar Krause	5fc8d4091b	Merge branch 'dev' into 'main' 1.3 See merge request oscar.krause/fastapi-dls!17	2023-01-05 07:21:28 +01:00
Oscar Krause	851ec1a5c6	requirements.txt updated	2023-01-05 06:56:56 +01:00
Oscar Krause	9180222169	README.md	2023-01-04 21:46:02 +01:00
Oscar Krause	e71d4c4f4e	fixed missing servie file for DEBIAN	2023-01-04 18:27:57 +01:00
Oscar Krause	aecad82914	main.py - added confirmation to deleteOrigins()	2023-01-04 18:12:59 +01:00
Oscar Krause	02fccb3605	README.md	2023-01-04 18:05:07 +01:00
Oscar Krause	24dba89dbe	removed todos, currently all done or there is a branch for it	2023-01-04 17:58:23 +01:00
Oscar Krause	f5557a5ccd	README.md	2023-01-04 17:46:19 +01:00
Oscar Krause	e8736c94ec	docker-compose.yml - disabled internal ssl support	2023-01-04 17:46:02 +01:00
Oscar Krause	4325560ec4	README.md - added some collapses for logs	2023-01-04 17:18:13 +01:00
Oscar Krause	05979490ce	README.md - moved "Endpoints" below "Setup"	2023-01-04 17:17:58 +01:00
Oscar Krause	52ffedffc7	code styling	2023-01-04 11:14:26 +01:00
Oscar Krause	5f5569a0c7	improved debian installation	2023-01-04 11:02:54 +01:00
Oscar Krause	32b05808c4	fixed "return" instead of "raise"	2023-01-04 10:14:00 +01:00
Oscar Krause	6c9ea63dc1	added variable for TOKEN_EXPIRE_DELTA	2023-01-04 10:08:17 +01:00
Oscar Krause	b839e6c2b3	code styling - replaced 'json.loads' with 'json_loads' - shortened 'JSONResponse' to 'JSONr' - shortened 'HTMLResponse' to 'HTMLr' - replaced HTTPException with JsonResponses - added some error handing for invalid tokens	2023-01-04 10:04:52 +01:00
Oscar Krause	8bd37c0ead	added some notes to required variables to change	2023-01-04 07:40:37 +01:00
Oscar Krause	27f47b93b8	docker-compose.yml - added experimental health endpoint	2023-01-03 20:45:16 +01:00
Oscar Krause	5bb8437b1d	README.md - added timestamp to linux token filename	2023-01-03 18:59:34 +01:00
Oscar Krause	7e3f2d0345	docker-compose.yml - fixes	2023-01-03 18:44:30 +01:00
Oscar Krause	4198021212	README.md - fixed windows issue with `/leasing/v1/lessor/shutdown`	2023-01-03 18:10:02 +01:00
Oscar Krause	7e6e523799	improved test (checking uuid are 36 chars long)	2023-01-03 18:05:46 +01:00
Oscar Krause	7b2428ea38	removed some debugging	2023-01-03 18:05:46 +01:00
Oscar Krause	ac811d5df7	added 'LEASE_EXPIRE_HOURS' variable for better debugging	2023-01-03 18:05:46 +01:00
Oscar Krause	5575fee382	fixed config test	2023-01-03 18:05:46 +01:00
Oscar Krause	f1369d5e25	added some docs	2023-01-03 17:38:45 +01:00
Oscar Krause	d6cc6dcbee	fixes	2023-01-03 17:38:32 +01:00
Oscar Krause	01fe142850	.gitlab-ci.yml - fixed release job	2023-01-03 15:22:49 +01:00
Oscar Krause	18e9ab2ebf	fixes	2023-01-03 14:52:31 +01:00
Oscar Krause	b64c531898	bump version to 1.3	2023-01-03 14:50:52 +01:00
Oscar Krause	ef1730f4fe	orm.py - added some docs	2023-01-03 14:20:13 +01:00
Oscar Krause	146ae8b824	updated docs	2023-01-03 14:09:35 +01:00
Oscar Krause	5a5ad0e654	removed 'scope_ref' from code checks because we only support one 'ALLOTMENT_REF', so we need no checks	2023-01-03 14:09:19 +01:00
Oscar Krause	0e3e7cbd3a	main.py - corrected leasing behaviour (migrated from 'LEASE_REF' to 'ALLOTMENT_REF')	2023-01-03 13:05:05 +01:00
Oscar Krause	bd5625af42	main.py - removed example responses	2023-01-03 13:02:37 +01:00
Oscar Krause	8f9d95056f	code styling - migrated direct dict access to '.get()'	2023-01-03 09:20:18 +01:00
Oscar Krause	2b8c468270	main.py - fixed missing 'LEASE_RENEWAL_PERIOD' on '/auth/v1/origin'	2023-01-03 07:25:09 +01:00
Oscar Krause	50e0dc8d1f	implemented '/leasing/v1/lessor/shutdown' for windows guests	2023-01-02 19:42:23 +01:00
Oscar Krause	8b934dfeef	fixed '/-/config' endpoint serialisation	2023-01-02 19:23:23 +01:00
Oscar Krause	4fb6243330	removed deprecated endpoints - '/client-token' moved to '/-/client-token' - '/status' moved to '/-/health' and '/-/config' see README.md for more information	2023-01-02 19:18:32 +01:00
Oscar Krause	2e950ca6f4	implemented '/-/config' endpoint to list runtime environment variables	2023-01-02 19:14:25 +01:00
Oscar Krause	34662e6612	implemented 'LEASE_RENEWAL_PERIOD' variable	2023-01-02 18:57:41 +01:00
Oscar Krause	a3e089a3d5	added some references	2023-01-02 18:10:11 +01:00
Oscar Krause	ab996bb030	code styling	2023-01-02 18:04:14 +01:00
Oscar Krause	0853dd64cb	README.md - added known issue for error on releasing leases on windows shutdown	2023-01-02 14:12:15 +01:00
Oscar Krause	838956bdb7	README.md - added '-L' parameter to curl commands to follow redirects (from deprecated endpoints)	2023-01-02 11:40:19 +01:00
Oscar Krause	8c515b7f2e	README.md - removed links from endpoints	2023-01-02 11:39:37 +01:00
Oscar Krause	de5f07273b	README.md - added compatibility to official dls	2023-01-02 11:38:48 +01:00