fixes

.DEBIAN/control

@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-josepy, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls

.DEBIAN/env.default

@@ -1,6 +1,9 @@
 # Toggle debug mode
 #DEBUG=false
 
+# Cert Path
+CERT_PATH="/etc/fastapi-dls/cert"
+
 # Where the client can find the DLS server
 DLS_URL=127.0.0.1
 DLS_PORT=443

.DEBIAN/postinst

@@ -3,6 +3,8 @@
 WORKING_DIR=/usr/share/fastapi-dls
 CONFIG_DIR=/etc/fastapi-dls
 
+source $CONFIG_DIR/env
+
 while true; do
   [ -f $CONFIG_DIR/webserver.key ] && default_answer="N" || default_answer="Y"
   [ $default_answer == "Y" ] && V="Y/n" || V="y/N"
@@ -25,27 +27,32 @@ if [ -f $CONFIG_DIR/webserver.key ]; then
 
   if [ -x "$(command -v curl)" ]; then
     echo "> Testing API ..."
-    source $CONFIG_DIR/env
     curl --insecure -X GET https://$DLS_URL:$DLS_PORT/-/health
   else
     echo "> Testing API failed, curl not available. Please test manually!"
   fi
 fi
 
+echo "> Create Certificate-Chain folder ..."
+mkdir -p $CERT_PATH
+
+echo "> Set permissions ..."
 chown -R www-data:www-data $CONFIG_DIR
 chown -R www-data:www-data $WORKING_DIR
 
+echo "> Done."
+
 cat <<EOF
 
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 #                                                                             #
 #    fastapi-dls is now installed.                                            #
 #                                                                             #
-#    Service should be up and running.                                        #
+#    Service should be up and running (if you choose to auto-generate         #
-#      Webservice is listen to https://localhost                              #
+#     self-signed webserver certificate).                                     #
-#                                                                             #
-#    Configuration is stored in /etc/fastapi-dls/env.                         #
 #                                                                             #
+#    - Webservice is listen to https://localhost                              #                                                                       #
+#    - Configuration is stored in /etc/fastapi-dls/env                        #
 #                                                                             #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 

.gitlab-ci.yml

@@ -162,7 +162,6 @@ test:apt:
   image: $IMAGE
   stage: test
   rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
       changes:
         - app/**/*
@@ -173,11 +172,12 @@ test:apt:
   parallel:
     matrix:
       - IMAGE:
-          - debian:trixie-slim # EOL: t.b.a.
+          # - debian:trixie-slim # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
           - debian:bookworm-slim # EOL: June 06, 2026
           - debian:bookworm-slim # EOL: June 06, 2026
           - ubuntu:24.04 # EOL: April 2036
-          - ubuntu:24.10
+          # - ubuntu:24.10 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
+          # - ubuntu:25.04 # EOL: t.b.a.; "python3-jose" not available, but "python3-josepy"
   needs:
     - job: build:apt
       artifacts: true
@@ -212,8 +212,7 @@ test:apt:
 test:pacman:archlinux:
   image: archlinux:base
   rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .PKGBUILD/**/*
@@ -393,4 +392,4 @@ release:
         - name: 'Package Registry'
           url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages'
         - name: 'Container Registry'
-          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/40'
+          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/70'

README.md

@@ -334,12 +334,13 @@ Successful tested with (**LTS Version**):
 - *Ubuntu 23.04 (Lunar Lobster)* (EOL: January 2024)
 - *Ubuntu 23.10 (Mantic Minotaur)* (EOL: July 2024)
 - **Ubuntu 24.04 (Noble Numbat)** (EOL: Apr 2029)
-- *Ubuntu 24.10 (Oracular Oriole)* (EOL: Jul 2025)
 
 Not working with:
 
 - Debian 11 (Bullseye) and lower (missing `python-jose` dependency)
+- Debian 13 (Trixie) (missing `python-jose` dependency)
 - Ubuntu 22.04 (Jammy Jellyfish) (not supported as for 15.01.2023 due to [fastapi - uvicorn version missmatch](https://bugs.launchpad.net/ubuntu/+source/fastapi/+bug/1970557))
+- Ubuntu 24.10 (Oracular Oriole) (missing `python-jose` dependency)
 
 **Run this on your server instance**
 
@@ -415,6 +416,140 @@ acme.sh --issue -d example.com \
 
 After first success you have to replace `--issue` with `--renew`.
 
+## Nginx Reverse Proxy (experimental)
+
+- This guide is written for Debian/Ubuntu systems, other may work, but you have to do your setup on your own
+- Uvicorn does no longer serve requests directly
+- NGINX is used as HTTP & HTTPS entrypoint
+- Assumes you already have set up webserver certificate and private-key
+
+**Install Nginx Webserver**
+
+```shell
+apt-get install nginx-light
+```
+
+**Remove default vhost**
+
+```shell
+rm /etc/nginx/sites-enabled/default
+```
+
+**Create fastapi-dls vhost**
+
+<details>
+    <summary>`/etc/nginx/sites-available/fastapi-dls`</summary>
+
+```
+upstream dls-backend {
+        server 127.0.0.1:8000;  # must match dls listen port
+}
+
+server {
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        root /var/www/html;
+        index index.html;
+        server_name _;
+
+        ssl_certificate "/etc/fastapi-dls/cert/webserver.crt";
+        ssl_certificate_key "/etc/fastapi-dls/cert/webserver.key";
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout 10m;
+        ssl_protocols TLSv1.3 TLSv1.2;
+        # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+        # ssl_ciphers PROFILE=SYSTEM;
+        ssl_prefer_server_ciphers on;
+
+        location / {
+                # https://www.uvicorn.org/deployment/
+                proxy_set_header Host $http_host;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+                proxy_redirect off;
+                proxy_buffering off;
+
+                proxy_set_header X-Real-IP $remote_addr;
+
+                proxy_pass http://dls-backend$request_uri;
+        }
+
+        location = /-/health {
+                access_log off;
+                add_header 'Content-Type' 'application/json';
+                return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+        }
+}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+}
+
+server {
+        listen 80;
+        listen [::]:80;
+
+        root /var/www/html;
+        index index.html;
+        server_name _;
+
+        location /leasing/v1/lessor/shutdown {
+                proxy_set_header Host $http_host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+        }
+
+        location / {
+                return 301 https://$host$request_uri;
+        }
+}
+```
+</details>
+
+**Enable and test vhost**
+
+```shell
+ln -s /etc/nginx/sites-available/fastapi-dls /etc/nginx/sites-enabled/fastapi-dls
+
+nginx -t
+# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+# nginx: configuration file /etc/nginx/nginx.conf test is successful
+```
+
+**Override default fastapi-dls systemd service**
+
+```shell
+mkdir /etc/systemd/system/fastapi-dls.service.d
+```
+
+<details>
+    <summary>`/etc/systemd/system/fastapi-dls.service.d/override.conf`</summary>
+
+```
+[Service]
+ExecStart=
+ExecStart=uvicorn main:app \
+  --env-file /etc/fastapi-dls/env \
+  --host 127.0.0.1 --port 8000 \
+  --app-dir /usr/share/fastapi-dls/app \
+  --proxy-headers
+```
+</details>
+
+**Run**
+
+```shell
+systemctl daemon-reload
+service nginx start
+service fastapi-dls start
+```
+
 # Configuration
 
 | Variable               | Default                                | Usage                                                                                                |

ROADMAP.md

@@ -2,6 +2,17 @@
 
 I am planning to implement the following features in the future.
 
+## Patching Endpoint
+
+A (optional) Path-Variable to `gridd-unlock-patcher` which enables an additional endpoint.
+Here you can upload your `nvidia-gridd` binary or `nvxdapix.dll` which then will be patched and responded.
+
+## All-In-One Installer Script Endpoint
+
+A new all-in-one installer endpoint
+(here a script is returned for linux or windows which then could be called like
+curl https://<fastapi-dls>/-/install/deb | sh which then
+download and place a client-token in the right directory, patch your girdd / dll and restart nvidia-gridd service)
 
 ## HA - High Availability
 

app/util.py

@@ -45,11 +45,11 @@ class CASetup:
 
         self.service_instance_ref = service_instance_ref
         self.root_private_key_filename = join(cert_path_prefix, CASetup.ROOT_PRIVATE_KEY_FILENAME)
-        self.root_certificate_filename = join(dirname(__file__), 'cert', CASetup.ROOT_CERTIFICATE_FILENAME)
+        self.root_certificate_filename = join(cert_path_prefix, CASetup.ROOT_CERTIFICATE_FILENAME)
-        self.ca_private_key_filename = join(dirname(__file__), 'cert', CASetup.CA_PRIVATE_KEY_FILENAME)
+        self.ca_private_key_filename = join(cert_path_prefix, CASetup.CA_PRIVATE_KEY_FILENAME)
-        self.ca_certificate_filename = join(dirname(__file__), 'cert', CASetup.CA_CERTIFICATE_FILENAME)
+        self.ca_certificate_filename = join(cert_path_prefix, CASetup.CA_CERTIFICATE_FILENAME)
-        self.si_private_key_filename = join(dirname(__file__), 'cert', CASetup.SI_PRIVATE_KEY_FILENAME)
+        self.si_private_key_filename = join(cert_path_prefix, CASetup.SI_PRIVATE_KEY_FILENAME)
-        self.si_certificate_filename = join(dirname(__file__), 'cert', CASetup.SI_CERTIFICATE_FILENAME)
+        self.si_certificate_filename = join(cert_path_prefix, CASetup.SI_CERTIFICATE_FILENAME)
 
         if not (isfile(self.root_private_key_filename)
                 and isfile(self.root_certificate_filename)

requirements.txt

@@ -1,8 +1,8 @@
 fastapi==0.115.12
-uvicorn[standard]==0.34.1
+uvicorn[standard]==0.34.2
 python-jose[cryptography]==3.4.0
-cryptography==44.0.2
+cryptography==44.0.3
 python-dateutil==2.9.0
-sqlalchemy==2.0.40
+sqlalchemy==2.0.41
 markdown==3.8
 python-dotenv==1.1.0