.gitlab-ci.yml bearbeiten

Dev

See merge request oscar.krause/fastapi-dls!51

.DEBIAN/control

@@ -2,7 +2,7 @@ Package: fastapi-dls
 Version: 0.0
 Architecture: all
 Maintainer: Oscar Krause oscar.krause@collinwebdesigns.de
-Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-jose, python3-sqlalchemy, python3-pycryptodome, python3-markdown, python3-httpx, uvicorn, openssl
+Depends: python3, python3-fastapi, python3-uvicorn, python3-dotenv, python3-dateutil, python3-josepy, python3-sqlalchemy, python3-cryptography, python3-markdown, uvicorn, openssl
 Recommends: curl
 Installed-Size: 10240
 Homepage: https://git.collinwebdesigns.de/oscar.krause/fastapi-dls

.DEBIAN/requirements-bookworm-12.txt

@@ -0,0 +1,11 @@
+# https://packages.debian.org/hu/
+fastapi==0.92.0
+uvicorn[standard]==0.17.6
+python-jose[cryptography]==3.3.0
+cryptography==38.0.4
+python-dateutil==2.8.2
+sqlalchemy==1.4.46
+markdown==3.4.1
+python-dotenv==0.21.0
+jinja2==3.1.2
+httpx==0.23.3

.DEBIAN/requirements-ubuntu-24.04.txt

@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.101.0
+uvicorn[standard]==0.27.1
+python-jose[cryptography]==3.3.0
+cryptography==41.0.7
+python-dateutil==2.8.2
+sqlalchemy==1.4.50
+markdown==3.5.2
+python-dotenv==1.0.1
+jinja2==3.1.2

.DEBIAN/requirements-ubuntu-24.10.txt

@@ -0,0 +1,10 @@
+# https://packages.ubuntu.com
+fastapi==0.110.3
+uvicorn[standard]==0.30.3
+python-jose[cryptography]==3.3.0
+cryptography==42.0.5
+python-dateutil==2.9.0
+sqlalchemy==2.0.32
+markdown==3.6
+python-dotenv==1.0.1
+jinja2==3.1.3

.PKGBUILD/PKGBUILD

@@ -8,11 +8,11 @@ pkgdesc='NVIDIA DLS server implementation with FastAPI'
 arch=('any')
 url='https://git.collinwebdesigns.de/oscar.krause/fastapi-dls'
 license=('MIT')
-depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-pycryptodome' 'uvicorn' 'python-markdown' 'openssl')
+depends=('python' 'python-jose' 'python-starlette' 'python-httpx' 'python-fastapi' 'python-dotenv' 'python-dateutil' 'python-sqlalchemy' 'python-cryptography' 'uvicorn' 'python-markdown' 'openssl')
 provider=("$pkgname")
 install="$pkgname.install"
 backup=('etc/default/fastapi-dls')
-source=('git+file:///builds/oscar.krause/fastapi-dls' # https://gitea.publichub.eu/oscar.krause/fastapi-dls.git
+source=("git+file://${CI_PROJECT_DIR}"
         "$pkgname.default"
         "$pkgname.service"
         "$pkgname.tmpfiles")
@@ -22,8 +22,9 @@ sha256sums=('SKIP'
             '3dc60140c08122a8ec0e7fa7f0937eb8c1288058890ba09478420fc30ce9e30c')
 
 pkgver() {
+  echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > $srcdir/$pkgname/version.env
   source $srcdir/$pkgname/version.env
-  echo ${VERSION}
+  echo $VERSION
 }
 
 check() {
@@ -38,7 +39,7 @@ check() {
 package() {
     install -d "$pkgdir/usr/share/doc/$pkgname"
     install -d "$pkgdir/var/lib/$pkgname/cert"
-    cp -r "$srcdir/$pkgname/doc"/* "$pkgdir/usr/share/doc/$pkgname/"
+    #cp -r "$srcdir/$pkgname/doc"/* "$pkgdir/usr/share/doc/$pkgname/"
     install -Dm644 "$srcdir/$pkgname/README.md" "$pkgdir/usr/share/doc/$pkgname/README.md"
     install -Dm644 "$srcdir/$pkgname/version.env" "$pkgdir/usr/share/doc/$pkgname/version.env"
 

.UNRAID/FastAPI-DLS.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<Container version="2">
+  <Name>FastAPI-DLS</Name>
+  <Repository>collinwebdesigns/fastapi-dls:latest</Repository>
+  <Registry>https://hub.docker.com/r/collinwebdesigns/fastapi-dls</Registry>
+  <Network>br0</Network>
+  <MyIP></MyIP>
+  <Shell>sh</Shell>
+  <Privileged>false</Privileged>
+  <Support/>
+  <Project/>
+  <Overview>Source:&#xD;
+https://git.collinwebdesigns.de/oscar.krause/fastapi-dls#docker&#xD;
+&#xD;
+Make sure you create these certificates before starting the container for the first time:&#xD;
+```&#xD;
+# Check https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/main/#docker for more information:&#xD;
+WORKING_DIR=/mnt/user/appdata/fastapi-dls/cert&#xD;
+mkdir -p $WORKING_DIR&#xD;
+cd $WORKING_DIR&#xD;
+# create instance private and public key for singing JWT's&#xD;
+openssl genrsa -out $WORKING_DIR/instance.private.pem 2048 &#xD;
+openssl rsa -in $WORKING_DIR/instance.private.pem -outform PEM -pubout -out $WORKING_DIR/instance.public.pem&#xD;
+# create ssl certificate for integrated webserver (uvicorn) - because clients rely on ssl&#xD;
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout  $WORKING_DIR/webserver.key -out $WORKING_DIR/webserver.crt&#xD;
+```&#xD;
+</Overview>
+  <Category/>
+  <WebUI>https://[IP]:[PORT:443]</WebUI>
+  <TemplateURL/>
+  <Icon>https://git.collinwebdesigns.de/uploads/-/system/project/avatar/106/png-transparent-nvidia-grid-logo-business-nvidia-electronics-text-trademark.png?width=64</Icon>
+  <ExtraParams>--restart always</ExtraParams>
+  <PostArgs/>
+  <CPUset/>
+  <DateInstalled>1679161568</DateInstalled>
+  <DonateText/>
+  <DonateLink/>
+  <Requires/>
+  <Config Name="HTTPS Port" Target="" Default="443" Mode="tcp" Description="Same as DLS Port below." Type="Port" Display="always-hide" Required="true" Mask="false">443</Config>
+  <Config Name="App Cert" Target="/app/cert" Default="/mnt/user/appdata/fastapi-dls/cert" Mode="rw" Description="[REQUIRED] Read the description above to make this folder. &#13;&#10;&#13;&#10;You do not need to change the path." Type="Path" Display="always-hide" Required="true" Mask="false">/mnt/user/appdata/fastapi-dls/cert</Config>
+  <Config Name="DLS Port" Target="DSL_PORT" Default="443" Mode="" Description="Choose port you want to use. Make sure to change the HTTPS port above to match it." Type="Variable" Display="always-hide" Required="true" Mask="false">443</Config>
+  <Config Name="App database" Target="/app/database" Default="/mnt/user/appdata/fastapi-dls/data" Mode="rw" Description="[REQUIRED] Read the description above to make this folder. &#13;&#10;&#13;&#10;You do not need to change the path." Type="Path" Display="always-hide" Required="true" Mask="false">/mnt/user/appdata/fastapi-dls/data</Config>
+  <Config Name="DSL IP" Target="DLS_URL" Default="localhost" Mode="" Description="Put your container's IP (or your host's IP if it's shared)." Type="Variable" Display="always-hide" Required="true" Mask="false"></Config>
+  <Config Name="Time Zone" Target="TZ" Default="" Mode="" Description="Format example: America/New_York. MUST MATCH YOUR CURRENT TIMEZONE AND THE GUEST VMS TIMEZONE! Otherwise you'll get into issues, read the guide above." Type="Variable" Display="always-hide" Required="true" Mask="false"></Config>
+  <Config Name="Database" Target="DATABASE" Default="sqlite:////app/database/db.sqlite" Mode="" Description="Set to sqlite:////app/database/db.sqlite" Type="Variable" Display="advanced-hide" Required="true" Mask="false">sqlite:////app/database/db.sqlite</Config>
+  <Config Name="Debug" Target="DEBUG" Default="true" Mode="" Description="true to enable debugging, false to disable them." Type="Variable" Display="advanced-hide" Required="false" Mask="false">true</Config>
+  <Config Name="Lease" Target="LEASE_EXPIRE_DAYS" Default="90" Mode="" Description="90 days is the maximum value." Type="Variable" Display="advanced" Required="false" Mask="false">90</Config>
+</Container>

.UNRAID/setup_vgpu_license.sh

@@ -0,0 +1,197 @@
+#!/bin/bash
+
+# This script automates the licensing of the vGPU guest driver
+# on Unraid boot. Set the Schedule to: "At Startup of Array".
+# 
+# Relies on FastAPI-DLS for the licensing.
+# It assumes FeatureType=1 (vGPU), change it as you see fit in line <114>
+# 
+# Requires `eflutils` to be installed in the system for `nvidia-gridd` to run
+# To Install it:
+# 1) You might find it here: https://packages.slackware.com/ (choose the 64bit version of Slackware)
+# 2) Download the package and put it in /boot/extra to be installed on boot
+# 3) a. Reboot to install it, OR
+#    b. Run `upgradepkg --install-new /boot/extra/elfutils*`
+# [i]: Make sure to have only one version of elfutils, otherwise you might run into issues
+
+# Sources and docs:
+# https://docs.nvidia.com/grid/15.0/grid-vgpu-user-guide/index.html#configuring-nls-licensed-client-on-linux
+# 
+
+################################################
+# MAKE SURE YOU CHANGE THESE VARIABLES         #
+################################################
+
+###### CHANGE ME! 
+# IP and PORT of FastAPI-DLS 
+DLS_IP=192.168.0.123
+DLS_PORT=443
+# Token folder, must be on a filesystem that supports
+# linux filesystem permissions (eg: ext4,xfs,btrfs...)
+TOKEN_PATH=/mnt/user/system/nvidia
+PING=$(which ping)
+
+# Check if the License is applied
+if [[ "$(nvidia-smi -q | grep "Expiry")" == *Expiry* ]]; then
+    echo " [i] Your vGPU Guest drivers are already licensed."
+    echo " [i] $(nvidia-smi -q | grep "Expiry")"
+    echo " [<] Exiting..."
+    exit 0
+fi
+
+# Check if the FastAPI-DLS server is reachable
+# Check if the License is applied
+MAX_RETRIES=30
+for i in $(seq 1 $MAX_RETRIES); do
+    echo -ne "\r [>] Attempt $i to connect to $DLS_IP."
+    if ping -c 1 $DLS_IP >/dev/null 2>&1; then
+        echo -e "\n  [*] Connection successful."
+        break
+    fi
+    if [ $i -eq $MAX_RETRIES ]; then
+        echo -e "\n  [!] Connection failed after $MAX_RETRIES attempts."
+        echo -e "\n [<] Exiting..."
+        exit 1
+    fi
+    sleep 1
+done
+
+# Check if the token folder exists
+if [ -d "${TOKEN_PATH}" ]; then
+	echo " [*] Token Folder exists. Proceeding..."
+else
+	echo " [!] Token Folder does not exists or not ready yet. Exiting."
+	echo " [!] Token Folder Specified: ${TOKEN_PATH}"
+	exit 1
+fi
+
+# Check if elfutils are installed, otherwise nvidia-gridd service
+# wont start
+if [ "$(grep -R "elfutils" /var/log/packages/* | wc -l)" != 0 ]; then
+        echo " [*] Elfutils is installed, proceeding..."
+else
+        echo " [!] Elfutils is not installed, downloading and installing..."
+        echo " [!] Downloading elfutils to /boot/extra"
+        echo " [i] This script will download elfutils from slackware64-15.0 repository."
+        echo " [i] If you have a different version of Unraid (6.11.5), you might want to"
+        echo " [i] download and install a suitable version manually from the slackware"
+        echo " [i] repository, and put it in /boot/extra to be install on boot."
+        echo " [i] You may also install it by running: "
+        echo " [i] upgradepkg --install-new /path/to/elfutils-*.txz"
+        echo ""
+        echo " [>] Downloading elfutils from slackware64-15.0 repository:"
+        wget -q -nc --show-progress --progress=bar:force:noscroll -P /boot/extra https://slackware.uk/slackware/slackware64-15.0/slackware64/l/elfutils-0.186-x86_64-1.txz 2>/dev/null \
+        || { echo " [!] Error while downloading elfutils, please download it and install it manually."; exit 1; }
+	    echo ""
+        if upgradepkg --install-new /boot/extra/elfutils-0.186-x86_64-1.txz 
+        then
+                echo " [*] Elfutils installed and will be installed automatically on boot"
+        else
+                echo " [!] Error while installing, check logs..."
+                exit 1
+        fi
+fi
+
+echo " [~] Sleeping for 60 seconds before continuing..."
+echo " [i] The script is waiting until the boot process settles down."
+
+for i in {60..1}; do
+    printf "\r  [~] %d seconds remaining" "$i"
+    sleep 1
+done
+
+printf "\n"
+
+create_token () {
+	echo " [>] Creating new token..."
+	if ${PING} -c1 ${DLS_IP} > /dev/null 2>&1
+	then
+		# curl --insecure -L -X GET https://${DLS_IP}:${DLS_PORT}/-/client-token -o ${TOKEN_PATH}/client_configuration_token_"$(date '+%d-%m-%Y-%H-%M-%S')".tok || { echo " [!] Could not get the token, please check the server."; exit 1;}
+		wget -q -nc -4c --no-check-certificate --show-progress --progress=bar:force:noscroll -O "${TOKEN_PATH}"/client_configuration_token_"$(date '+%d-%m-%Y-%H-%M-%S')".tok https://${DLS_IP}:${DLS_PORT}/-/client-token \
+		|| { echo " [!] Could not get the token, please check the server."; exit 1;}
+		chmod 744 "${TOKEN_PATH}"/*.tok || { echo " [!] Could not chmod the tokens."; exit 1; }
+		echo ""
+		echo " [*] Token downloaded and stored in ${TOKEN_PATH}."
+	else
+		echo " [!] Could not get token, DLS server unavailable ."
+		exit 1
+	fi
+}
+
+setup_run () {
+        echo " [>] Setting up gridd.conf"
+        cp /etc/nvidia/gridd.conf.template /etc/nvidia/gridd.conf || { echo " [!] Error configuring gridd.conf, did you install the drivers correctly?"; exit 1; }
+        sed -i 's/FeatureType=0/FeatureType=1/g' /etc/nvidia/gridd.conf
+        echo "ClientConfigTokenPath=${TOKEN_PATH}" >> /etc/nvidia/gridd.conf
+        echo " [>] Creating /var/lib/nvidia folder structure"
+        mkdir -p /var/lib/nvidia/GridLicensing
+        echo " [>] Starting nvidia-gridd"
+        if pgrep nvidia-gridd >/dev/null 2>&1; then
+            echo " [!] nvidia-gridd service is running. Closing."
+            sh /usr/lib/nvidia/sysv/nvidia-gridd stop
+            stop_exit_code=$?
+            if [ $stop_exit_code -eq 0 ]; then
+                echo " [*] nvidia-gridd service stopped successfully."
+            else
+                echo " [!] Error while stopping nvidia-gridd service."
+                exit 1
+            fi
+            
+            # Kill the service if it does not close
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                kill -9 "$(pgrep nvidia-gridd)" || { 
+                    echo " [!] Error while closing nvidia-gridd service"
+                    exit 1
+                }
+            fi
+        
+            echo " [*] Restarting nvidia-gridd service."
+            sh /usr/lib/nvidia/sysv/nvidia-gridd start
+        
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                echo " [*] Service started, PID: $(pgrep nvidia-gridd)"
+            else
+                echo -e " [!] Error while starting nvidia-gridd service. Use strace -f nvidia-gridd to debug.\n [i] Check if elfutils is installed.\n [i] strace is not installed by default."
+                exit 1
+            fi
+        else
+            sh /usr/lib/nvidia/sysv/nvidia-gridd start
+        
+            if pgrep nvidia-gridd >/dev/null 2>&1; then
+                echo " [*] Service started, PID: $(pgrep nvidia-gridd)"
+            else
+                echo -e " [!] Error while starting nvidia-gridd service. Use strace -f nvidia-gridd to debug.\n [i] Check if elfutils is installed.\n [i] strace is not installed by default."
+                exit 1
+            fi
+        fi
+}
+
+for token in "${TOKEN_PATH}"/*; do
+    if [ "${token: -4}" == ".tok" ]
+    then
+        echo " [*] Tokens found..."
+        setup_run
+    else
+        echo " [!] No Tokens found..."
+        create_token
+        setup_run
+    fi
+done
+
+while true; do
+    if nvidia-smi -q | grep "Expiry" >/dev/null 2>&1; then
+        echo " [>] vGPU licensed!"
+        echo " [i] $(nvidia-smi -q | grep "Expiry")"
+        break
+    else
+        echo -ne " [>] vGPU not licensed yet... Checking again in 5 seconds\c"
+        for i in {1..5}; do
+            sleep 1
+            echo -ne ".\c"
+        done
+        echo -ne "\r\c"
+    fi
+done
+
+echo " [>] Done..."
+exit 0

.codeclimate.yml

@@ -1,7 +1,9 @@
+version: "2"
 plugins:
   bandit:
     enabled: true
   sonar-python:
     enabled: true
-  pylint:
+    config:
-    enabled: true
+      tests_patterns:
+        - test/**

.gitignore

@@ -1,6 +1,6 @@
 .DS_Store
 venv/
 .idea/
-app/*.sqlite*
+*.sqlite
 app/cert/*.*
 .pytest_cache

.gitlab-ci.yml

@@ -8,38 +8,51 @@ include:
 cache:
   key: one-key-to-rule-them-all
 
+variables:
+  DOCKER_BUILDX_PLATFORM: "linux/amd64,linux/arm64"
+
 build:docker:
   image: docker:dind
   interruptible: true
   stage: build
   rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    # deployment is in "deploy:docker:"
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - Dockerfile
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+        - requirements.txt
   tags: [ docker ]
   before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env  # COMMIT=`git rev-parse HEAD`
+    - docker buildx inspect
+    - docker buildx create --use
   script:
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${CI_BUILD_REF}
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHA
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${CI_BUILD_REF}
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
+    - docker buildx imagetools inspect $IMAGE
+    - echo "CS_IMAGE=$IMAGE" > container_scanning.env
+  artifacts:
+    reports:
+      dotenv: container_scanning.env
 
 build:apt:
   image: debian:bookworm-slim
   interruptible: true
   stage: build
   rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      variables:
+        VERSION: $CI_COMMIT_REF_NAME
+    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
       changes:
         - app/**/*
         - .DEBIAN/**/*
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+        - .gitlab-ci.yml
+      variables:
+        VERSION: "0.0.1"
   before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
+    - echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
-    - source version.env
     # install build dependencies
     - apt-get update -qq && apt-get install -qq -y build-essential
     # create build directory for .deb sources
@@ -60,7 +73,7 @@ build:apt:
     # cd into "build/"
     - cd build/
   script:
-    # set version based on value in "$VERSION" (which is set above from version.env)
+    # set version based on value in "$CI_COMMIT_REF_NAME"
     - sed -i -E 's/(Version\:\s)0.0/\1'"$VERSION"'/g' DEBIAN/control
     # build
     - dpkg -b . build.deb
@@ -75,14 +88,18 @@ build:pacman:
   interruptible: true
   stage: build
   rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      variables:
+        VERSION: $CI_COMMIT_REF_NAME
+    - if: ($CI_PIPELINE_SOURCE == 'merge_request_event') || ($CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
       changes:
         - app/**/*
         - .PKGBUILD/**/*
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+        - .gitlab-ci.yml
+      variables:
+        VERSION: "0.0.1"
   before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
+    #- echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
     # install build dependencies
     - pacman -Syu --noconfirm git
     # create a build-user because "makepkg" don't like root user
@@ -97,23 +114,42 @@ build:pacman:
     # download dependencies
     - source PKGBUILD && pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}"
     # build
-    - sudo -u build makepkg -s
+    - sudo --preserve-env -u build makepkg -s
   artifacts:
     expire_in: 1 week
     paths:
       - "*.pkg.tar.zst"
 
-test:
+test:python:
-  image: python:3.11-slim-bullseye
+  image: $IMAGE
   stage: test
+  interruptible: true
   rules:
-    - if: $CI_COMMIT_BRANCH
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      changes:
+        - app/**/*
+        - test/**/*
   variables:
     DATABASE: sqlite:///../app/db.sqlite
+  parallel:
+    matrix:
+      - IMAGE:
+          # https://devguide.python.org/versions/#supported-versions
+#          - python:3.14-rc-alpine  # EOL 2030-10 =>  uvicorn does not support 3.14 yet
+          - python:3.13-alpine  # EOL 2029-10
+          - python:3.12-alpine  # EOL 2028-10
+          - python:3.11-alpine  # EOL 2027-10
+#          - python:3.10-alpine  # EOL 2026-10 => ImportError: cannot import name 'UTC' from 'datetime'
+#          - python:3.9-alpine  # EOL 2025-10 => ImportError: cannot import name 'UTC' from 'datetime'
   before_script:
+    - apk --no-cache add openssl
+    - python3 -m venv venv
+    - source venv/bin/activate
+    - pip install --upgrade pip
     - pip install -r requirements.txt
-    - pip install pytest httpx
+    - pip install pytest pytest-cov pytest-custom_exit_code httpx
     - mkdir -p app/cert
     - openssl genrsa -out app/cert/instance.private.pem 2048
     - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
@@ -122,17 +158,26 @@ test:
     - python -m pytest main.py --junitxml=report.xml
   artifacts:
     reports:
-      dotenv: version.env
       junit: ['**/report.xml']
 
-.test:linux:
+test:apt:
+  image: $IMAGE
   stage: test
   rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .DEBIAN/**/*
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+  parallel:
+    matrix:
+      - IMAGE:
+          - debian:trixie-slim # EOL: t.b.a.
+          - debian:bookworm-slim # EOL: June 06, 2026
+          - debian:bookworm-slim # EOL: June 06, 2026
+          - ubuntu:24.04 # EOL: April 2036
+          - ubuntu:24.10
   needs:
     - job: build:apt
       artifacts: true
@@ -164,22 +209,15 @@ test:
     - apt-get purge -qq -y fastapi-dls
     - apt-get autoremove -qq -y && apt-get clean -qq
 
-test:debian:
+test:pacman:archlinux:
-  extends: .test:linux
-  image: debian:bookworm-slim
-
-test:ubuntu:
-  extends: .test:linux
-  image: ubuntu:22.10
-
-test:archlinux:
   image: archlinux:base
   rules:
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
       changes:
         - app/**/*
         - .PKGBUILD/**/*
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+        - .gitlab-ci.yml
   needs:
     - job: build:pacman
       artifacts: true
@@ -188,6 +226,8 @@ test:archlinux:
     - pacman -U --noconfirm *.pkg.tar.zst
 
 code_quality:
+  variables:
+    SOURCE_CODE: app
   rules:
     - if: $CODE_QUALITY_DISABLED
       when: never
@@ -199,7 +239,8 @@ secret_detection:
     - if: $SECRET_DETECTION_DISABLED
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  before_script:
+    - git config --global --add safe.directory $CI_PROJECT_DIR
 
 semgrep-sast:
   rules:
@@ -209,19 +250,30 @@ semgrep-sast:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 test_coverage:
-  extends: test
+#  extends: test
+  image: python:3.12-slim-bookworm
   allow_failure: true
+  stage: test
   rules:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  variables:
+    DATABASE: sqlite:///../app/db.sqlite
+  before_script:
+    - apt-get update && apt-get install -y python3-dev gcc
+    - pip install -r requirements.txt
+    - pip install pytest pytest-cov pytest-custom_exit_code httpx
+    - mkdir -p app/cert
+    - openssl genrsa -out app/cert/instance.private.pem 2048
+    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
+    - cd test
   script:
-    - pip install pytest pytest-cov
+    - coverage run -m pytest main.py --junitxml=report.xml --suppress-no-test-exit-code
-    - coverage run -m pytest main.py
     - coverage report
     - coverage xml
   coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
   artifacts:
     reports:
+      junit: [ '**/report.xml' ]
       coverage_report:
         coverage_format: cobertura
         path: '**/coverage.xml'
@@ -232,7 +284,6 @@ container_scanning:
     - if: $CONTAINER_SCANNING_DISABLED
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
 gemnasium-python-dependency_scanning:
   rules:
@@ -241,42 +292,34 @@ gemnasium-python-dependency_scanning:
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 
-.deploy:
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_COMMIT_TAG
-      when: never
-
 deploy:docker:
-  extends: .deploy
+  image: docker:dind
   stage: deploy
+  tags: [ docker ]
   rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
   before_script:
-    - echo "COMMIT=${CI_COMMIT_SHA}" >> version.env
+    - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
-    - source version.env
+    - docker buildx inspect
-    - echo "Building docker image for commit ${COMMIT} with version ${VERSION}"
+    - docker buildx create --use
   script:
-    - echo "GitLab-Registry"
+    - echo "========== GitLab-Registry =========="
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
+    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH
-    - docker build . --tag ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:${VERSION}
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
-    - docker push ${CI_REGISTRY}/${CI_PROJECT_PATH}/${CI_BUILD_REF_NAME}:latest
+    - echo "========== Docker-Hub =========="
-    - echo "Docker-Hub"
     - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
-    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
+    - IMAGE=$PUBLIC_REGISTRY_USER/$CI_PROJECT_NAME
-    - docker build . --tag $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
-    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:${VERSION}
+    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
-    - docker push $PUBLIC_REGISTRY_USER/${CI_PROJECT_NAME}:latest
 
 deploy:apt:
   # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
-  extends: .deploy
   image: debian:bookworm-slim
   stage: deploy
   rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
   needs:
     - job: build:apt
       artifacts: true
@@ -313,21 +356,19 @@ deploy:apt:
     - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${EXPORT_NAME}"'
 
 deploy:pacman:
-  extends: .deploy
   image: archlinux:base-devel
   stage: deploy
   rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
   needs:
     - job: build:pacman
       artifacts: true
   script:
     - source .PKGBUILD/PKGBUILD
-    - source version.env
     # fastapi-dls-1.0-1-any.pkg.tar.zst
-    - BUILD_NAME=${pkgname}-${VERSION}-${pkgrel}-any.pkg.tar.zst
+    - BUILD_NAME=${pkgname}-${CI_COMMIT_REF_NAME}-${pkgrel}-any.pkg.tar.zst
     - PACKAGE_NAME=${pkgname}
-    - PACKAGE_VERSION=${VERSION}
+    - PACKAGE_VERSION=${CI_COMMIT_REF_NAME}
     - PACKAGE_ARCH=any
     - EXPORT_NAME=${BUILD_NAME}
     - 'echo "PACKAGE_NAME:    ${PACKAGE_NAME}"'
@@ -339,19 +380,15 @@ deploy:pacman:
 release:
   image: registry.gitlab.com/gitlab-org/release-cli:latest
   stage: .post
-  needs:
+  needs: [ deploy:docker, deploy:apt, deploy:pacman ]
-    - job: test
-      artifacts: true
   rules:
     - if: $CI_COMMIT_TAG
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
   script:
-    - echo "Running release-job for $VERSION"
+    - echo "Running release-job for $CI_COMMIT_TAG"
   release:
-    name: $CI_PROJECT_TITLE $VERSION
+    name: $CI_PROJECT_TITLE $CI_COMMIT_TAG
-    description: Release of $CI_PROJECT_TITLE version $VERSION
+    description: Release of $CI_PROJECT_TITLE version $CI_COMMIT_TAG
-    tag_name: $VERSION
+    tag_name: $CI_COMMIT_TAG
     ref: $CI_COMMIT_SHA
     assets:
       links:

Dockerfile

@@ -1,17 +1,20 @@
-FROM python:3.11-alpine
+FROM python:3.12-alpine
+
+ARG VERSION
+ARG COMMIT=""
+RUN echo -e "VERSION=$VERSION\nCOMMIT=$COMMIT" > /version.env
 
 COPY requirements.txt /tmp/requirements.txt
 
 RUN apk update \
- && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev \
+ && apk add --no-cache --virtual build-deps gcc g++ python3-dev musl-dev pkgconfig \
- && apk add --no-cache curl postgresql postgresql-dev mariadb-connector-c-dev sqlite-dev \
+ && apk add --no-cache curl postgresql postgresql-dev mariadb-dev sqlite-dev \
  && pip install --no-cache-dir --upgrade uvicorn \
- && pip install --no-cache-dir psycopg2==2.9.5 mysqlclient==2.1.1 pysqlite3==0.5.0 \
+ && pip install --no-cache-dir psycopg2==2.9.10 mysqlclient==2.2.7 pysqlite3==0.5.4 \
  && pip install --no-cache-dir -r /tmp/requirements.txt \
  && apk del build-deps
 
 COPY app /app
-COPY version.env /version.env
 COPY README.md /README.md
 
 HEALTHCHECK --start-period=30s --interval=10s --timeout=5s --retries=3 CMD curl --insecure --fail https://localhost/-/health || exit 1

FAQ.md

@@ -1,17 +0,0 @@
-# FAQ
-
-## `Failed to acquire license from <ip> (Info: <license> - Error: The allowed time to process response has expired)`
-
-- Did your timezone settings are correct on fastapi-dls **and your guest**?
-
-- Did you download the client-token more than an hour ago?
-
-Please download a new client-token. The guest have to register within an hour after client-token was created.
-
-
-## `jose.exceptions.JWTError: Signature verification failed.`
-
-- Did you recreated `instance.public.pem` / `instance.private.pem`?
-
-Then you have to download a **new** client-token on each of your guests.
-

README.md

@@ -2,22 +2,37 @@
 
 Minimal Delegated License Service (DLS).
 
-Compatibility tested with official DLS 2.0.1.
+> [!note] Compatibility
+> Compatibility tested with official NLS 2.0.1, 2.1.0, 3.1.0, 3.3.1, 3.4.0. For Driver compatibility
+> see [compatibility matrix](#vgpu-software-compatibility-matrix).
+
+> [!warning] 18.x Drivers are not yet supported!
+> Drivers are only supported until **17.x releases**.
 
 This service can be used without internet connection.
 Only the clients need a connection to this service on configured port.
 
 **Official Links**
 
-- https://git.collinwebdesigns.de/oscar.krause/fastapi-dls
+* https://git.collinwebdesigns.de/oscar.krause/fastapi-dls (Private Git)
-- https://gitea.publichub.eu/oscar.krause/fastapi-dls
+* https://gitea.publichub.eu/oscar.krause/fastapi-dls (Public Git)
-- Docker Image `collinwebdesigns/fastapi-dls:latest`
+* https://hub.docker.com/r/collinwebdesigns/fastapi-dls (Docker-Hub `collinwebdesigns/fastapi-dls:latest`)
 
 *All other repositories are forks! (which  is no bad - just for information and bug reports)*
 
+[Releases & Release Notes](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/releases)
+
+**Further Reading**
+
+* [NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox) - This document serves as a guide to install NVIDIA vGPU host drivers on the latest Proxmox VE version
+* [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock) - Unlock vGPU functionality for consumer-grade Nvidia GPUs.
+* [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q) - Guide for `vgpu_unlock`
+* [Proxmox 8 vGPU in VMs and LXC Containers](https://medium.com/@dionisievldulrincz/proxmox-8-vgpu-in-vms-and-lxc-containers-4146400207a3) - Install *Merged Drivers* for using in Proxmox VMs and LXCs
+* [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/) - Also known as `proxmox-installer.sh`
+
 ---
 
-[[_TOC_]]
+[TOC]
 
 # Setup (Service)
 
@@ -25,32 +40,25 @@ Only the clients need a connection to this service on configured port.
 
 - 256mb ram
 - 4gb hdd
+- *maybe IPv6 must be disabled*
 
-Tested with Ubuntu 22.10 (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
+Tested with Ubuntu 22.10 (EOL!) (from Proxmox templates), actually its consuming 100mb ram and 750mb hdd.
 
 **Prepare your system**
 
 - Make sure your timezone is set correct on you fastapi-dls server and your client
 
-**HA Setup Notes**
+This guide does not show how to install vGPU host drivers! Look at the official documentation packed with the driver
-
+releases.
-- only *failover mode* is supported by team-green (see *high availability* in official user guide)
-- make sure you're using same configuration on each node
-- use same `instance.private.pem` and `instance.private.key` on each node
-- add `cronjob` on each node with `curl -X GET --insecure https://localhost/-/ha/replicate`
-
-If you want to use *real* HA, you should use a proxy in front of this service and use a clustered database in backend.
-This is not documented and supported by me, but it *can* work. Please ask the community for help.
-Maybe the simplest solution for HA-ing this service is to use a Docker-Swarm with redundant storage and database.
 
 ## Docker
 
-Docker-Images are available here:
+Docker-Images are available here for Intel (x86), AMD (amd64) and ARM (arm64):
 
 - [Docker-Hub](https://hub.docker.com/repository/docker/collinwebdesigns/fastapi-dls): `collinwebdesigns/fastapi-dls:latest`
-- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls/main:latest`
+- [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry): `registry.git.collinwebdesigns.de/oscar.krause/fastapi-dls:latest`
 
-The images include database drivers for `postgres`, `mysql`, `mariadb` and `sqlite`.
+The images include database drivers for `postgres`, `mariadb` and `sqlite`.
 
 **Run this on the Docker-Host**
 
@@ -76,7 +84,9 @@ docker run -e DLS_URL=`hostname -i` -e DLS_PORT=443 -p 443:443 -v $WORKING_DIR:/
 
 **Docker-Compose / Deploy stack**
 
-Goto [`docker-compose.yml`](docker-compose.yml) for more advanced example (with reverse proxy usage).
+See [`examples`](examples) directory for more advanced examples (with reverse proxy usage).
+
+> Adjust `REQUIRED` variables as needed
 
 ```yaml
 version: '3.9'
@@ -110,9 +120,10 @@ volumes:
   dls-db:
 ```
 
-## Debian/Ubuntu (manual method using `git clone` and python virtual environment)
+## Debian / Ubuntu / macOS (manual method using `git clone` and python virtual environment)
 
-Tested on `Debian 11 (bullseye)`, Ubuntu may also work.
+Tested on `Debian 11 (bullseye)`, `Debian 12 (bookworm)` and `macOS Ventura (13.6)`, Ubuntu may also work.
+**Please note that setup on macOS differs from Debian based systems.**
 
 **Make sure you are logged in as root.**
 
@@ -156,13 +167,15 @@ This is only to test whether the service starts successfully.
 
 ```shell
 cd /opt/fastapi-dls/app
-su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
+sudo -u www-data /opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app
 # or
-sudo -u www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
+su - www-data -c "/opt/fastapi-dls/venv/bin/uvicorn main:app --app-dir=/opt/fastapi-dls/app"
 ```
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 mkdir /etc/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
@@ -258,15 +271,18 @@ This is only to test whether the service starts successfully.
 BASE_DIR=/opt/fastapi-dls
 SERVICE_USER=dls
 cd ${BASE_DIR}
+sudo -u ${SERVICE_USER} ${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app
+# or
 su - ${SERVICE_USER} -c "${BASE_DIR}/venv/bin/uvicorn main:app --app-dir=${BASE_DIR}/app"
 ```
 
 **Create config file**
 
+> Adjust `DLS_URL` as needed (accessing from LAN won't work with 127.0.0.1)
+
 ```shell
 BASE_DIR=/opt/fastapi-dls
 cat <<EOF >/etc/fastapi-dls/env
-# Adjust DSL_URL as needed (accessing from LAN won't work with 127.0.0.1)
 DLS_URL=127.0.0.1
 DLS_PORT=443
 LEASE_EXPIRE_DAYS=90
@@ -311,16 +327,20 @@ EOF
 Now you have to run `systemctl daemon-reload`. After that you can start service
 with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
 
-## Debian/Ubuntu (using `dpkg`)
+## Debian / Ubuntu (using `dpkg` / `apt`)
 
 Packages are available here:
 
 - [GitLab-Registry](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages)
 
-Successful tested with:
+Successful tested with (**LTS Version**):
 
-- Debian 12 (Bookworm) (works but not recommended because it is currently in *testing* state)
+- **Debian 12 (Bookworm)** (EOL: June 06, 2026)
-- Ubuntu 22.10 (Kinetic Kudu)
+- *Ubuntu 22.10 (Kinetic Kudu)* (EOL: July 20, 2023)
+- *Ubuntu 23.04 (Lunar Lobster)* (EOL: January 2024)
+- *Ubuntu 23.10 (Mantic Minotaur)* (EOL: July 2024)
+- **Ubuntu 24.04 (Noble Numbat)** (EOL: Apr 2029)
+- *Ubuntu 24.10 (Oracular Oriole)* (EOL: Jul 2025)
 
 Not working with:
 
@@ -341,6 +361,7 @@ apt-get install -f --fix-missing
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/fastapi-dls/env` as needed.
 
 ## ArchLinux (using `pacman`)
 
@@ -362,6 +383,27 @@ pacman -U --noconfirm fastapi-dls.pkg.tar.zst
 ```
 
 Start with `systemctl start fastapi-dls.service` and enable autostart with `systemctl enable fastapi-dls.service`.
+Now you have to edit `/etc/default/fastapi-dls` as needed.
+
+## unRAID
+
+1. Download [this xml file](.UNRAID/FastAPI-DLS.xml)
+2. Put it in /boot/config/plugins/dockerMan/templates-user/
+3. Go to Docker page, scroll down to `Add Container`, click on Template list and choose `FastAPI-DLS`
+4. Open terminal/ssh, follow the instructions in overview description
+5. Setup your container `IP`, `Port`, `DLS_URL` and `DLS_PORT`
+6. Apply and let it boot up
+
+*Unraid users must also make sure they have Host access to custom networks enabled if unraid is the vgpu guest*.
+
+Continue [here](#unraid-guest) for docker guest setup.
+
+## NixOS
+
+Tanks to [@mrzenc](https://github.com/mrzenc) for [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos).
+
+> [!note] Native NixOS-Package
+> There is a [pull request](https://github.com/NixOS/nixpkgs/pull/358647) which adds fastapi-dls into nixpkgs.
 
 ## Let's Encrypt Certificate (optional)
 
@@ -382,43 +424,35 @@ After first success you have to replace `--issue` with `--renew`.
 # Configuration
 
 | Variable                 | Default                                | Usage                                                                                                                               |
-|------------------------|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|
+|--------------------------|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
 | `DEBUG`                  | `false`                                | Toggles `fastapi` debug mode                                                                                                        |
 | `DLS_URL`                | `localhost`                            | Used in client-token to tell guest driver where dls instance is reachable                                                           |
 | `DLS_PORT`               | `443`                                  | Used in client-token to tell guest driver where dls instance is reachable                                                           |
-| `HA_REPLICATE`         |                                        | `DLS_URL` + `DLS_PORT` of primary DLS instance, e.g. `dls-node:443` (for HA only **two** nodes are supported!) \*1 |
-| `HA_ROLE`              |                                        | `PRIMARY` or `SECONDARY`                                                                                           |
 | `TOKEN_EXPIRE_DAYS`      | `1`                                    | Client auth-token validity (used for authenticate client against api, **not `.tok` file!**)                                         |
 | `LEASE_EXPIRE_DAYS`      | `90`                                   | Lease time in days                                                                                                                  |
-| `LEASE_RENEWAL_PERIOD` | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*2               |
+| `LEASE_RENEWAL_PERIOD`   | `0.15`                                 | The percentage of the lease period that must elapse before a licensed client can renew a license \*1                                |
 | `DATABASE`               | `sqlite:///db.sqlite`                  | See [official SQLAlchemy docs](https://docs.sqlalchemy.org/en/14/core/engines.html)                                                 |
-| `CORS_ORIGINS`         | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*3                                             |
+| `CORS_ORIGINS`           | `https://{DLS_URL}`                    | Sets `Access-Control-Allow-Origin` header (comma separated string) \*2                                                              |
 | `SITE_KEY_XID`           | `00000000-0000-0000-0000-000000000000` | Site identification uuid                                                                                                            |
 | `INSTANCE_REF`           | `10000000-0000-0000-0000-000000000001` | Instance identification uuid                                                                                                        |
 | `ALLOTMENT_REF`          | `20000000-0000-0000-0000-000000000001` | Allotment identification uuid                                                                                                       |
-| `INSTANCE_KEY_RSA`     | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*4                                                                     |
+| `INSTANCE_KEY_RSA`       | `<app-dir>/cert/instance.private.pem`  | Site-wide private RSA key for singing JWTs \*3                                                                                      |
-| `INSTANCE_KEY_PUB`     | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*4                                                                                           |
+| `INSTANCE_KEY_PUB`       | `<app-dir>/cert/instance.public.pem`   | Site-wide public key \*3                                                                                                            |
 
-\*1 If you want to use HA, this value should be point to `secondary` on `primary` and `primary` on `secondary`. Don't
+\*1 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
-use same database for both instances!
-
-\*2 For example, if the lease period is one day and the renewal period is 20%, the client attempts to renew its license
 every 4.8 hours. If network connectivity is lost, the loss of connectivity is detected during license renewal and the
 client has 19.2 hours in which to re-establish connectivity before its license expires.
 
-\*3 Always use `https`, since guest-drivers only support secure connections!
+\*2 Always use `https`, since guest-drivers only support secure connections!
 
-\*4 If you recreate instance keys you need to **recreate client-token for each guest**!
+\*3 If you recreate your instance keys you need to **recreate client-token for each guest**!
 
 # Setup (Client)
 
 **The token file has to be copied! It's not enough to C&P file contents, because there can be special characters.**
 
-Successfully tested with this package versions:
+This guide does not show how to install vGPU guest drivers! Look at the official documentation packed with the driver
-
+releases.
-- `14.3` (Linux-Host: `510.108.03`, Linux-Guest: `510.108.03`, Windows-Guest: `513.91`)
-- `14.4` (Linux-Host: `510.108.03`, Linux-Guest: `510.108.03`, Windows-Guest: `514.08`)
-- `15.0` (Linux-Host: `525.60.12`, Linux-Guest: `525.60.13`, Windows-Guest: `527.41`)
 
 ## Linux
 
@@ -470,7 +504,7 @@ Restart-Service NVDisplay.ContainerLocalSystem
 Check licensing status:
 
 ```shell
-& 'C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe' -q  | Select-String "License"
+& 'nvidia-smi' -q  | Select-String "License"
 ```
 
 Output should be something like:
@@ -482,29 +516,44 @@ vGPU Software Licensed Product
 
 Done. For more information check [troubleshoot section](#troubleshoot).
 
-# Endpoints
+## unRAID Guest
 
-### `GET /`
+1. Make sure you create a folder in a linux filesystem (BTRFS/XFS/EXT4...), I recommend `/mnt/user/system/nvidia` (this is where docker and libvirt preferences are saved, so it's a good place to have that)
+2. Edit the script to put your `DLS_IP`, `DLS_PORT` and `TOKEN_PATH`, properly 
+3. Install `User Scripts` plugin from *Community Apps* (the Apps page, or google User Scripts Unraid if you're not using CA)
+4. Go to `Settings > Users Scripts > Add New Script`
+5. Give it a name  (the name must not contain spaces preferably)
+6. Click on the *gear icon* to the left of the script name then edit script
+7. Paste the script and save
+8. Set schedule to `At First Array Start Only`
+9. Click on Apply 
+
+# API Endpoints
+
+<details>
+  <summary>show</summary>
+
+**`GET /`**
 
 Redirect to `/-/readme`.
 
-### `GET /-/health`
+**`GET /-/health`**
 
 Status endpoint, used for *healthcheck*.
 
-### `GET /-/config`
+**`GET /-/config`**
 
 Shows current runtime environment variables and their values.
 
-### `GET /-/readme`
+**`GET /-/readme`**
 
 HTML rendered README.md.
 
-### `GET /-/manage`
+**`GET /-/manage`**
 
 Shows a very basic UI to delete origins or leases.
 
-### `GET /-/origins?leases=false`
+**`GET /-/origins?leases=false`**
 
 List registered origins.
 
@@ -512,11 +561,11 @@ List registered origins.
 |-----------------|---------|--------------------------------------|
 | `leases`        | `false` | Include referenced leases per origin |
 
-### `DELETE /-/origins`
+**`DELETE /-/origins`**
 
 Deletes all origins and their leases.
 
-### `GET /-/leases?origin=false`
+**`GET /-/leases?origin=false`**
 
 List current leases.
 
@@ -524,22 +573,29 @@ List current leases.
 |-----------------|---------|-------------------------------------|
 | `origin`        | `false` | Include referenced origin per lease |
 
-### `DELETE /-/lease/{lease_ref}`
+**`DELETE /-/lease/{lease_ref}`**
 
 Deletes an lease.
 
-### `GET /-/client-token`
+**`GET /-/client-token`**
 
 Generate client token, (see [installation](#installation)).
 
-### Others
+**Others**
 
 There are many other internal api endpoints for handling authentication and lease process.
+</details>
 
-# Troubleshoot
+# Troubleshoot / Debug
 
 **Please make sure that fastapi-dls and your guests are on the same timezone!**
 
+Maybe you have to disable IPv6 on the machine you are running FastAPI-DLS.
+
+## Docker
+
+Logs are available with `docker logs <container>`. To get the correct container-id use `docker container ls` or `docker ps`.
+
 ## Linux
 
 Logs are available with `journalctl -u nvidia-gridd -f`.
@@ -550,11 +606,26 @@ Logs are available in `C:\Users\Public\Documents\Nvidia\LoggingLog.NVDisplay.Con
 
 # Known Issues
 
+## Generic
+
+### `Failed to acquire license from <ip> (Info: <license> - Error: The allowed time to process response has expired)`
+
+- Did your timezone settings are correct on fastapi-dls **and your guest**?
+- Did you download the client-token more than an hour ago?
+
+Please download a new client-token. The guest have to register within an hour after client-token was created.
+
+### `jose.exceptions.JWTError: Signature verification failed.`
+
+- Did you recreate `instance.public.pem` / `instance.private.pem`?
+
+Then you have to download a **new** client-token on each of your guests.
+
 ## Linux
 
-### `uvicorn.error:Invalid HTTP request received.`
+### Invalid HTTP request
 
-This message can be ignored.
+This error message: `uvicorn.error:Invalid HTTP request received.` can be ignored.
 
 - Ref. https://github.com/encode/uvicorn/issues/441
 
@@ -597,7 +668,7 @@ only
 gets a valid local license.
 
 <details>
-  <summary>Log</summary>
+  <summary>Log example</summary>
 
 **Display-Container-LS**
 
@@ -663,7 +734,7 @@ The error message can safely be ignored (since we have no license limitation :P)
 <0>:End Logging
 ```
 
-#### log with nginx as reverse proxy (see [docker-compose.yml](docker-compose.yml))
+#### log with nginx as reverse proxy (see [docker-compose-http-and-https.yml](examples/docker-compose-http-and-https.yml))
 
 ```
 <1>:NLS initialized
@@ -680,8 +751,57 @@ The error message can safely be ignored (since we have no license limitation :P)
 
 </details>
 
+# vGPU Software Compatibility Matrix
+
+**18.x Drivers are not supported on FastAPI-DLS Versions < 1.6.0**
+
+<details>
+  <summary>Show Table</summary>
+
+Successfully tested with this package versions.
+
+| vGPU Suftware | Driver Branch | Linux vGPU Manager | Linux Driver | Windows Driver |  Release Date |      EOL Date |
+|:-------------:|:-------------:|--------------------|--------------|----------------|--------------:|--------------:|
+|    `17.5`     |     R550      | `550.144.02`       | `550.144.03` | `553.62`       |  January 2025 |     June 2025 |
+|    `17.4`     |     R550      | `550.127.06`       | `550.127.05` | `553.24`       |  October 2024 |               |
+|    `17.3`     |     R550      | `550.90.05`        | `550.90.07`  | `552.74`       |     July 2024 |               |
+|    `17.2`     |     R550      | `550.90.05`        | `550.90.07`  | `552.55`       |     June 2024 |               |
+|    `17.1`     |     R550      | `550.54.16`        | `550.54.15`  | `551.78`       |    March 2024 |               |
+|    `17.0`     |     R550      | `550.54.10`        | `550.54.14`  | `551.61`       | February 2024 |               |
+|    `16.9`     |     R535      | `535.230.02`       | `535.216.01` | `539.19`       |  October 2024 |     July 2026 |
+|    `16.8`     |     R535      | `535.216.01`       | `535.216.01` | `538.95`       |  October 2024 |               |
+|    `16.7`     |     R535      | `535.183.04`       | `535.183.06` | `538.78`       |     July 2024 |               |
+|    `16.6`     |     R535      | `535.183.04`       | `535.183.01` | `538.67`       |     June 2024 |               |
+|    `16.5`     |     R535      | `535.161.05`       | `535.161.08` | `538.46`       | February 2024 |               |
+|    `16.4`     |     R535      | `535.161.05`       | `535.161.07` | `538.33`       | February 2024 |               |
+|    `16.3`     |     R535      | `535.154.02`       | `535.154.05` | `538.15`       |  January 2024 |               |
+|    `16.2`     |     R535      | `535.129.03`       | `535.129.03` | `537.70`       |  October 2023 |               |
+|    `16.1`     |     R535      | `535.104.06`       | `535.104.05` | `537.13`       |   August 2023 |               |
+|    `16.0`     |     R535      | `535.54.06`        | `535.54.03`  | `536.22`       |     July 2023 |               |
+|    `15.4`     |     R525      | `525.147.01`       | `525.147.05` | `529.19`       |     June 2023 | December 2023 |
+|    `14.4`     |     R510      | `510.108.03`       | `510.108.03` | `514.08`       | December 2022 | February 2023 |
+
+</details>
+
+- https://docs.nvidia.com/grid/index.html
+- https://docs.nvidia.com/grid/gpus-supported-by-vgpu.html
+
+*To get the latest drivers, visit Nvidia or search in Discord-Channel `GPU Unlocking` (Server-ID: `829786927829745685`)
+on channel `licensing`
+
 # Credits
 
 Thanks to vGPU community and all who uses this project and report bugs.
 
-Special thanks to @samicrusader who created build file for ArchLinux and @cyrus who wrote the section for openSUSE.
+Special thanks to:
+
+- `samicrusader` who created build file for **ArchLinux**
+- `cyrus` who wrote the section for **openSUSE**
+- `midi` who wrote the section for **unRAID**
+- `polloloco` who wrote the *[NVIDIA vGPU Guide](https://gitlab.com/polloloco/vgpu-proxmox)*
+- `DualCoder` who creates the `vgpu_unlock` functionality [vgpu_unlock](https://github.com/DualCoder/vgpu_unlock)
+- `Krutav Shah` who wrote the [vGPU_Unlock Wiki](https://docs.google.com/document/d/1pzrWJ9h-zANCtyqRgS7Vzla0Y8Ea2-5z2HEi4X75d2Q/)
+- `Wim van 't Hoog` for the [Proxmox All-In-One Installer Script](https://wvthoog.nl/proxmox-vgpu-v3/)
+- `mrzenc` who wrote [fastapi-dls-nixos](https://github.com/mrzenc/fastapi-dls-nixos)
+
+And thanks to all people who contributed to all these libraries!

ROADMAP.md

@@ -0,0 +1,27 @@
+# Roadmap
+
+I am planning to implement the following features in the future.
+
+
+## HA - High Availability
+
+Support Failover-Mode (secondary ip address) as in official DLS.
+
+**Note**: There is no Load-Balancing / Round-Robin HA Mode supported! If you want to use that, consider to use 
+Docker-Swarm with shared/cluster database (e.g. postgres).
+
+*See [ha branch](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/ha) for current status.*
+
+
+## UI - User Interface
+
+Add a user interface to manage origins and leases.
+
+*See [ui branch](https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/tree/ui) for current status.*
+
+
+## Config Database
+
+Instead of using environment variables, configuration files and manually create certificates, store configs and
+certificates in database (like origins and leases). Also, there should be provided a startup assistant to prefill 
+required attributes and create instance-certificates. This is more user-friendly and should improve fist setup.

app/main.py

@@ -1,47 +1,49 @@
 import logging
 from base64 import b64encode as b64enc
-from hashlib import sha256
-from uuid import uuid4
-from os.path import join, dirname
-from os import getenv as env
-
-from dotenv import load_dotenv
-from fastapi import FastAPI, BackgroundTasks
-from fastapi.requests import Request
-from json import loads as json_loads
-from datetime import datetime, timedelta
-from dateutil.relativedelta import relativedelta
 from calendar import timegm
+from contextlib import asynccontextmanager
+from datetime import datetime, timedelta, UTC
+from hashlib import sha256
+from json import loads as json_loads
+from os import getenv as env
+from os.path import join, dirname
+from uuid import uuid4
+
+from dateutil.relativedelta import relativedelta
+from dotenv import load_dotenv
+from fastapi import FastAPI
+from fastapi.requests import Request
 from jose import jws, jwk, jwt, JWTError
 from jose.constants import ALGORITHMS
-from starlette.middleware.cors import CORSMiddleware
-from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
+from starlette.middleware.cors import CORSMiddleware
+from starlette.responses import StreamingResponse, JSONResponse as JSONr, HTMLResponse as HTMLr, Response, RedirectResponse
 
-from util import load_key, load_file, ha_replicate
 from orm import Origin, Lease, init as db_init, migrate
+from util import PrivateKey, PublicKey, load_file
 
+# Load variables
 load_dotenv('../version.env')
 
+# Get current timezone
 TZ = datetime.now().astimezone().tzinfo
 
+# Load basic variables
 VERSION, COMMIT, DEBUG = env('VERSION', 'unknown'), env('COMMIT', 'unknown'), bool(env('DEBUG', False))
 
-config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
+# Database connection
-app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, **config)
 db = create_engine(str(env('DATABASE', 'sqlite:///db.sqlite')))
 db_init(db), migrate(db)
 
-# everything prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service
+# Load DLS variables (all prefixed with "INSTANCE_*" is used as "SERVICE_INSTANCE_*" or "SI_*" in official dls service)
 DLS_URL = str(env('DLS_URL', 'localhost'))
 DLS_PORT = int(env('DLS_PORT', '443'))
-HA_REPLICATE, HA_ROLE = env('HA_REPLICATE', None), env('HA_ROLE', None)  # only failover is supported
 SITE_KEY_XID = str(env('SITE_KEY_XID', '00000000-0000-0000-0000-000000000000'))
 INSTANCE_REF = str(env('INSTANCE_REF', '10000000-0000-0000-0000-000000000001'))
 ALLOTMENT_REF = str(env('ALLOTMENT_REF', '20000000-0000-0000-0000-000000000001'))
-INSTANCE_KEY_RSA = load_key(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
+INSTANCE_KEY_RSA = PrivateKey.from_file(str(env('INSTANCE_KEY_RSA', join(dirname(__file__), 'cert/instance.private.pem'))))
-INSTANCE_KEY_PUB = load_key(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
+INSTANCE_KEY_PUB = PublicKey.from_file(str(env('INSTANCE_KEY_PUB', join(dirname(__file__), 'cert/instance.public.pem'))))
 TOKEN_EXPIRE_DELTA = relativedelta(days=int(env('TOKEN_EXPIRE_DAYS', 1)), hours=int(env('TOKEN_EXPIRE_HOURS', 0)))
 LEASE_EXPIRE_DELTA = relativedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=int(env('LEASE_EXPIRE_HOURS', 0)))
 LEASE_RENEWAL_PERIOD = float(env('LEASE_RENEWAL_PERIOD', 0.15))
@@ -49,8 +51,42 @@ LEASE_RENEWAL_DELTA = timedelta(days=int(env('LEASE_EXPIRE_DAYS', 90)), hours=in
 CLIENT_TOKEN_EXPIRE_DELTA = relativedelta(years=12)
 CORS_ORIGINS = str(env('CORS_ORIGINS', '')).split(',') if (env('CORS_ORIGINS')) else [f'https://{DLS_URL}']
 
-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
+
+# Logging
+LOG_LEVEL = logging.DEBUG if DEBUG else logging.INFO
+logging.basicConfig(format='[{levelname:^7}] [{module:^15}] {message}', style='{')
+logger = logging.getLogger(__name__)
+logger.setLevel(LOG_LEVEL)
+logging.getLogger('util').setLevel(LOG_LEVEL)
+logging.getLogger('NV').setLevel(LOG_LEVEL)
+
+
+# FastAPI
+@asynccontextmanager
+async def lifespan(_: FastAPI):
+    # on startup
+    logger.info(f'''
+    
+    Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
+    
+    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
+    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
+    
+    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
+    ''')
+
+    logger.info(f'Debug is {"enabled" if DEBUG else "disabled"}.')
+
+    yield
+
+    # on shutdown
+    logger.info(f'Shutting down ...')
+
+
+config = dict(openapi_url=None, docs_url=None, redoc_url=None)  # dict(openapi_url='/-/openapi.json', docs_url='/-/docs', redoc_url='/-/redoc')
+app = FastAPI(title='FastAPI-DLS', description='Minimal Delegated License Service (DLS).', version=VERSION, lifespan=lifespan, **config)
 
 app.debug = DEBUG
 app.add_middleware(
@@ -61,17 +97,16 @@ app.add_middleware(
     allow_headers=['*'],
 )
 
-logging.basicConfig()
-logger = logging.getLogger(__name__)
-logger.setLevel(logging.DEBUG if DEBUG else logging.INFO)
-
 
+# Helper
 def __get_token(request: Request) -> dict:
     authorization_header = request.headers.get('authorization')
     token = authorization_header.split(' ')[1]
     return jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
 
 
+# Endpoints
+
 @app.get('/', summary='Index')
 async def index():
     return RedirectResponse('/-/readme')
@@ -83,7 +118,7 @@ async def _index():
 
 
 @app.get('/-/health', summary='* Health')
-async def _health(request: Request):
+async def _health():
     return JSONr({'status': 'up'})
 
 
@@ -109,7 +144,7 @@ async def _config():
 @app.get('/-/readme', summary='* Readme')
 async def _readme():
     from markdown import markdown
-    content = load_file('../README.md').decode('utf-8')
+    content = load_file(join(dirname(__file__), '../README.md')).decode('utf-8')
     return HTMLr(markdown(text=content, extensions=['tables', 'fenced_code', 'md_in_html', 'nl2br', 'toc']))
 
 
@@ -187,6 +222,12 @@ async def _leases(request: Request, origin: bool = False):
     return JSONr(response)
 
 
+@app.delete('/-/leases/expired', summary='* Leases')
+async def _lease_delete_expired(request: Request):
+    Lease.delete_expired(db)
+    return Response(status_code=201)
+
+
 @app.delete('/-/lease/{lease_ref}', summary='* Lease')
 async def _lease_delete(request: Request, lease_ref: str):
     if Lease.delete(db, lease_ref) == 1:
@@ -197,39 +238,9 @@ async def _lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_core_service_instance/service_instance_token_manager.py
 @app.get('/-/client-token', summary='* Client-Token', description='creates a new messenger token for this service instance')
 async def _client_token():
-    cur_time = datetime.utcnow()
+    cur_time = datetime.now(UTC)
     exp_time = cur_time + CLIENT_TOKEN_EXPIRE_DELTA
 
-    if HA_REPLICATE is not None and HA_ROLE.lower() == "secondary":
-        return RedirectResponse(f'https://{HA_REPLICATE}/-/client-token')
-
-    idx_port, idx_node = 0, 0
-
-    def create_svc_port_set(port: int):
-        idx = idx_port
-        return {
-            "idx": idx,
-            "d_name": "DLS",
-            "svc_port_map": [{"service": "auth", "port": port}, {"service": "lease", "port": port}]
-        }
-
-    def create_node_url(url: str, svc_port_set_idx: int):
-        idx = idx_node
-        return {"idx": idx, "url": url, "url_qr": url, "svc_port_set_idx": svc_port_set_idx}
-
-    service_instance_configuration = {
-        "nls_service_instance_ref": INSTANCE_REF,
-        "svc_port_set_list": [create_svc_port_set(DLS_PORT)],
-        "node_url_list": [create_node_url(DLS_URL, idx_port)]
-    }
-    idx_port += 1
-    idx_node += 1
-
-    if HA_REPLICATE is not None and HA_ROLE.lower() == "primary":
-        SEC_URL, SEC_PORT, *invalid = HA_REPLICATE.split(':')
-        service_instance_configuration['svc_port_set_list'].append(create_svc_port_set(SEC_PORT))
-        service_instance_configuration['node_url_list'].append(create_node_url(SEC_URL, idx_port))
-
     payload = {
         "jti": str(uuid4()),
         "iss": "NLS Service Instance",
@@ -240,13 +251,23 @@ async def _client_token():
         "update_mode": "ABSOLUTE",
         "scope_ref_list": [ALLOTMENT_REF],
         "fulfillment_class_ref_list": [],
-        "service_instance_configuration": service_instance_configuration,
+        "service_instance_configuration": {
+            "nls_service_instance_ref": INSTANCE_REF,
+            "svc_port_set_list": [
+                {
+                    "idx": 0,
+                    "d_name": "DLS",
+                    "svc_port_map": [{"service": "auth", "port": DLS_PORT}, {"service": "lease", "port": DLS_PORT}]
+                }
+            ],
+            "node_url_list": [{"idx": 0, "url": DLS_URL, "url_qr": DLS_URL, "svc_port_set_idx": 0}]
+        },
         "service_instance_public_key_configuration": {
             "service_instance_public_key_me": {
-                "mod": hex(INSTANCE_KEY_PUB.public_key().n)[2:],
+                "mod": hex(INSTANCE_KEY_PUB.raw().public_numbers().n)[2:],
-                "exp": int(INSTANCE_KEY_PUB.public_key().e),
+                "exp": int(INSTANCE_KEY_PUB.raw().public_numbers().e),
             },
-            "service_instance_public_key_pem": INSTANCE_KEY_PUB.export_key().decode('utf-8'),
+            "service_instance_public_key_pem": INSTANCE_KEY_PUB.pem().decode('utf-8'),
             "key_retention_mode": "LATEST_ONLY"
         },
     }
@@ -260,74 +281,13 @@ async def _client_token():
     return response
 
 
-@app.get('/-/ha/replicate', summary='* HA replicate - trigger')
-async def _ha_replicate_to_ha(request: Request, background_tasks: BackgroundTasks):
-    if HA_REPLICATE is None or HA_ROLE is None:
-        logger.warning('HA replicate endpoint triggerd, but no value for "HA_REPLICATE" or "HA_ROLE" is set!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'no value for "HA_REPLICATE" or "HA_ROLE" set'})
-
-    session = sessionmaker(bind=db)()
-    origins = [origin.serialize() for origin in session.query(Origin).all()]
-    leases = [lease.serialize(renewal_period=LEASE_RENEWAL_PERIOD, renewal_delta=LEASE_RENEWAL_DELTA) for lease in session.query(Lease).all()]
-
-    background_tasks.add_task(ha_replicate, logger, HA_REPLICATE, HA_ROLE, VERSION, DLS_URL, DLS_PORT, SITE_KEY_XID, INSTANCE_REF, origins, leases)
-    return JSONr(status_code=202, content=None)
-
-
-@app.put('/-/ha/replicate', summary='* HA replicate')
-async def _ha_replicate_by_ha(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
-
-    if HA_REPLICATE is None:
-        logger.warning(f'HA replicate endpoint triggerd, but no value for "HA_REPLICATE" is set!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'no value for "HA_REPLICATE" set'})
-
-    version = j.get('VERSION')
-    if version != VERSION:
-        logger.error(f'Version missmatch on HA replication task!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "VERSION"'})
-
-    site_key_xid = j.get('SITE_KEY_XID')
-    if site_key_xid != SITE_KEY_XID:
-        logger.error(f'Site-Key missmatch on HA replication task!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "SITE_KEY_XID"'})
-
-    instance_ref = j.get('INSTANCE_REF')
-    if instance_ref != INSTANCE_REF:
-        logger.error(f'Version missmatch on HA replication task!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'Missmatch for "INSTANCE_REF"'})
-
-    sync_timestamp, max_seconds_behind = datetime.fromisoformat(j.get('sync_timestamp')), 30
-    if sync_timestamp <= cur_time - timedelta(seconds=max_seconds_behind):
-        logger.error(f'Request time more than {max_seconds_behind}s behind!')
-        return JSONr(status_code=503, content={'status': 503, 'detail': 'Request time behind'})
-
-    origins, leases = j.get('origins'), j.get('leases')
-    for origin in origins:
-        origin_ref = origin.get('origin_ref')
-        logging.info(f'> [    ha    ]: origin {origin_ref}')
-        data = Origin.deserialize(origin)
-        Origin.create_or_update(db, data)
-
-    for lease in leases:
-        lease_ref = lease.get('lease_ref')
-        x = Lease.find_by_lease_ref(db, lease_ref)
-        if x is not None and x.lease_updated > sync_timestamp:
-            continue
-        logging.info(f'> [    ha    ]: lease {lease_ref}')
-        data = Lease.deserialize(lease)
-        Lease.create_or_update(db, data)
-
-    return JSONr(status_code=202, content=None)
-
-
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
 @app.post('/auth/v1/origin', description='find or create an origin')
 async def auth_v1_origin(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('candidate_origin_ref')
-    logging.info(f'> [  origin  ]: {origin_ref}: {j}')
+    logger.info(f'> [  origin  ]: {origin_ref}: {j}')
 
     data = Origin(
         origin_ref=origin_ref,
@@ -354,10 +314,10 @@ async def auth_v1_origin(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_auth/test/test_origins_controller.py
 @app.post('/auth/v1/origin/update', description='update an origin evidence')
 async def auth_v1_origin_update(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('origin_ref')
-    logging.info(f'> [  update  ]: {origin_ref}: {j}')
+    logger.info(f'> [  update  ]: {origin_ref}: {j}')
 
     data = Origin(
         origin_ref=origin_ref,
@@ -381,10 +341,10 @@ async def auth_v1_origin_update(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - CodeResponse
 @app.post('/auth/v1/code', description='get an authorization code')
 async def auth_v1_code(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     origin_ref = j.get('origin_ref')
-    logging.info(f'> [   code   ]: {origin_ref}: {j}')
+    logger.info(f'> [   code   ]: {origin_ref}: {j}')
 
     delta = relativedelta(minutes=15)
     expires = cur_time + delta
@@ -413,15 +373,15 @@ async def auth_v1_code(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_auth/auth.py - TokenResponse
 @app.post('/auth/v1/token', description='exchange auth code and verifier for token')
 async def auth_v1_token(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     try:
-        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key)
+        payload = jwt.decode(token=j.get('auth_code'), key=jwt_decode_key, algorithms=ALGORITHMS.RS256)
     except JWTError as e:
         return JSONr(status_code=400, content={'status': 400, 'title': 'invalid token', 'detail': str(e)})
 
     origin_ref = payload.get('origin_ref')
-    logging.info(f'> [   auth   ]: {origin_ref}: {j}')
+    logger.info(f'> [   auth   ]: {origin_ref}: {j}')
 
     # validate the code challenge
     challenge = b64enc(sha256(j.get('code_verifier').encode('utf-8')).digest()).rstrip(b'=').decode('utf-8')
@@ -455,7 +415,7 @@ async def auth_v1_token(request: Request):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.post('/leasing/v1/lessor', description='request multiple leases (borrow) for current origin')
 async def leasing_v1_lessor(request: Request):
-    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.utcnow()
+    j, token, cur_time = json_loads((await request.body()).decode('utf-8')), __get_token(request), datetime.now(UTC)
 
     try:
         token = __get_token(request)
@@ -464,7 +424,7 @@ async def leasing_v1_lessor(request: Request):
 
     origin_ref = token.get('origin_ref')
     scope_ref_list = j.get('scope_ref_list')
-    logging.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
+    logger.info(f'> [  create  ]: {origin_ref}: create leases for scope_ref_list {scope_ref_list}')
 
     lease_result_list = []
     for scope_ref in scope_ref_list:
@@ -503,12 +463,12 @@ async def leasing_v1_lessor(request: Request):
 # venv/lib/python3.9/site-packages/nls_dal_service_instance_dls/schema/service_instance/V1_0_21__product_mapping.sql
 @app.get('/leasing/v1/lessor/leases', description='get active leases for current origin')
 async def leasing_v1_lessor_lease(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
 
     active_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
-    logging.info(f'> [  leases  ]: {origin_ref}: found {len(active_lease_list)} active leases')
+    logger.info(f'> [  leases  ]: {origin_ref}: found {len(active_lease_list)} active leases')
 
     response = {
         "active_lease_list": active_lease_list,
@@ -523,10 +483,10 @@ async def leasing_v1_lessor_lease(request: Request):
 # venv/lib/python3.9/site-packages/nls_core_lease/lease_single.py
 @app.put('/leasing/v1/lease/{lease_ref}', description='renew a lease')
 async def leasing_v1_lease_renew(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
-    logging.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
+    logger.info(f'> [  renew   ]: {origin_ref}: renew {lease_ref}')
 
     entity = Lease.find_by_origin_ref_and_lease_ref(db, origin_ref, lease_ref)
     if entity is None:
@@ -550,10 +510,10 @@ async def leasing_v1_lease_renew(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_single_controller.py
 @app.delete('/leasing/v1/lease/{lease_ref}', description='release (return) a lease')
 async def leasing_v1_lease_delete(request: Request, lease_ref: str):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
-    logging.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
+    logger.info(f'> [  return  ]: {origin_ref}: return {lease_ref}')
 
     entity = Lease.find_by_lease_ref(db, lease_ref)
     if entity.origin_ref != origin_ref:
@@ -576,13 +536,13 @@ async def leasing_v1_lease_delete(request: Request, lease_ref: str):
 # venv/lib/python3.9/site-packages/nls_services_lease/test/test_lease_multi_controller.py
 @app.delete('/leasing/v1/lessor/leases', description='release all leases')
 async def leasing_v1_lessor_lease_remove(request: Request):
-    token, cur_time = __get_token(request), datetime.utcnow()
+    token, cur_time = __get_token(request), datetime.now(UTC)
 
     origin_ref = token.get('origin_ref')
 
     released_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
     deletions = Lease.cleanup(db, origin_ref)
-    logging.info(f'> [  remove  ]: {origin_ref}: removed {deletions} leases')
+    logger.info(f'> [  remove  ]: {origin_ref}: removed {deletions} leases')
 
     response = {
         "released_lease_list": released_lease_list,
@@ -596,7 +556,7 @@ async def leasing_v1_lessor_lease_remove(request: Request):
 
 @app.post('/leasing/v1/lessor/shutdown', description='shutdown all leases')
 async def leasing_v1_lessor_shutdown(request: Request):
-    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.utcnow()
+    j, cur_time = json_loads((await request.body()).decode('utf-8')), datetime.now(UTC)
 
     token = j.get('token')
     token = jwt.decode(token=token, key=jwt_decode_key, algorithms=ALGORITHMS.RS256, options={'verify_aud': False})
@@ -604,7 +564,7 @@ async def leasing_v1_lessor_shutdown(request: Request):
 
     released_lease_list = list(map(lambda x: x.lease_ref, Lease.find_by_origin_ref(db, origin_ref)))
     deletions = Lease.cleanup(db, origin_ref)
-    logging.info(f'> [ shutdown ]: {origin_ref}: removed {deletions} leases')
+    logger.info(f'> [ shutdown ]: {origin_ref}: removed {deletions} leases')
 
     response = {
         "released_lease_list": released_lease_list,
@@ -616,34 +576,6 @@ async def leasing_v1_lessor_shutdown(request: Request):
     return JSONr(response)
 
 
-@app.on_event('startup')
-async def app_on_startup():
-    logger.info(f'''
-    Using timezone: {str(TZ)}. Make sure this is correct and match your clients!
-    
-    Your clients renew their license every {str(Lease.calculate_renewal(LEASE_RENEWAL_PERIOD, LEASE_RENEWAL_DELTA))}.
-    If the renewal fails, the license is {str(LEASE_RENEWAL_DELTA)} valid.
-    
-    Your client-token file (.tok) is valid for {str(CLIENT_TOKEN_EXPIRE_DELTA)}.
-    ''')
-
-    if HA_REPLICATE is not None and HA_ROLE is not None:
-        from hashlib import sha1
-
-        sha1digest = sha1(INSTANCE_KEY_RSA.export_key()).hexdigest()
-        fingerprint_key = ':'.join(sha1digest[i: i + 2] for i in range(0, len(sha1digest), 2))
-        sha1digest = sha1(INSTANCE_KEY_PUB.export_key()).hexdigest()
-        fingerprint_pub = ':'.join(sha1digest[i: i + 2] for i in range(0, len(sha1digest), 2))
-
-        logger.info(f'''
-    HA mode is enabled. Make sure theses fingerprints matches on all your nodes:
-      - INSTANCE_KEY_RSA: "{str(fingerprint_key)}"
-      - INSTANCE_KEY_PUB: "{str(fingerprint_pub)}"
-    
-    This node ({HA_ROLE}) listens to "https://{DLS_URL}:{DLS_PORT}" and replicates to "https://{HA_REPLICATE}".
-        ''')
-
-
 if __name__ == '__main__':
     import uvicorn
 
@@ -655,7 +587,7 @@ if __name__ == '__main__':
     #
     ###
 
-    logging.info(f'> Starting dev-server ...')
+    logger.info(f'> Starting dev-server ...')
 
     ssl_keyfile = join(dirname(__file__), 'cert/webserver.key')
     ssl_certfile = join(dirname(__file__), 'cert/webserver.crt')

app/orm.py

@@ -1,10 +1,12 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone, UTC
-from dateutil.relativedelta import relativedelta
 
+from dateutil.relativedelta import relativedelta
 from sqlalchemy import Column, VARCHAR, CHAR, ForeignKey, DATETIME, update, and_, inspect, text
 from sqlalchemy.engine import Engine
 from sqlalchemy.orm import sessionmaker, declarative_base
 
+from util import DriverMatrix
+
 Base = declarative_base()
 
 
@@ -23,6 +25,8 @@ class Origin(Base):
         return f'Origin(origin_ref={self.origin_ref}, hostname={self.hostname})'
 
     def serialize(self) -> dict:
+        _ = DriverMatrix().find(self.guest_driver_version)
+
         return {
             'origin_ref': self.origin_ref,
             # 'service_instance_xid': self.service_instance_xid,
@@ -30,18 +34,9 @@ class Origin(Base):
             'guest_driver_version': self.guest_driver_version,
             'os_platform': self.os_platform,
             'os_version': self.os_version,
+            '$driver': _ if _ is not None else None,
         }
 
-    @staticmethod
-    def deserialize(j) -> "Origin":
-        return Origin(
-            origin_ref=j.get('origin_ref'),
-            hostname=j.get('hostname'),
-            guest_driver_version=j.get('guest_driver_version'),
-            os_platform=j.get('os_platform'),
-            os_version=j.get('os_version'),
-        )
-
     @staticmethod
     def create_statement(engine: Engine):
         from sqlalchemy.schema import CreateTable
@@ -71,7 +66,17 @@ class Origin(Base):
         if origin_refs is None:
             deletions = session.query(Origin).delete()
         else:
-            deletions = session.query(Origin).filter(Origin.origin_ref in origin_refs).delete()
+            deletions = session.query(Origin).filter(Origin.origin_ref.in_(origin_refs)).delete()
+        session.commit()
+        session.close()
+        return deletions
+
+    @staticmethod
+    def delete_expired(engine: Engine) -> int:
+        session = sessionmaker(bind=engine)()
+        origins = session.query(Origin).join(Lease, Origin.origin_ref == Lease.origin_ref, isouter=True).filter(Lease.lease_ref.is_(None)).all()
+        origin_refs = [origin.origin_ref for origin in origins]
+        deletions = session.query(Origin).filter(Origin.origin_ref.in_(origin_refs)).delete()
         session.commit()
         session.close()
         return deletions
@@ -99,22 +104,12 @@ class Lease(Base):
             'lease_ref': self.lease_ref,
             'origin_ref': self.origin_ref,
             # 'scope_ref': self.scope_ref,
-            'lease_created': self.lease_created.isoformat(),
+            'lease_created': self.lease_created.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_expires': self.lease_expires.isoformat(),
+            'lease_expires': self.lease_expires.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_updated': self.lease_updated.isoformat(),
+            'lease_updated': self.lease_updated.replace(tzinfo=timezone.utc).isoformat(),
-            'lease_renewal': lease_renewal.isoformat(),
+            'lease_renewal': lease_renewal.replace(tzinfo=timezone.utc).isoformat(),
         }
 
-    @staticmethod
-    def deserialize(j) -> "Lease":
-        return Lease(
-            lease_ref=j.get('lease_ref'),
-            origin_ref=j.get('origin_ref'),
-            lease_created=datetime.fromisoformat(j.get('lease_created')),
-            lease_expires=datetime.fromisoformat(j.get('lease_expires')),
-            lease_updated=datetime.fromisoformat(j.get('lease_updated')),
-        )
-
     @staticmethod
     def create_statement(engine: Engine):
         from sqlalchemy.schema import CreateTable
@@ -180,6 +175,14 @@ class Lease(Base):
         session.close()
         return deletions
 
+    @staticmethod
+    def delete_expired(engine: Engine) -> int:
+        session = sessionmaker(bind=engine)()
+        deletions = session.query(Lease).filter(Lease.lease_expires <= datetime.now(UTC)).delete()
+        session.commit()
+        session.close()
+        return deletions
+
     @staticmethod
     def calculate_renewal(renewal_period: float, delta: timedelta) -> timedelta:
         """

app/util.py

@@ -1,54 +1,132 @@
-def load_file(filename) -> bytes:
+import logging
+from json import load as json_load
+
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey, generate_private_key
+from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
+
+logging.basicConfig()
+
+
+def load_file(filename: str) -> bytes:
+    log = logging.getLogger(f'{__name__}')
+    log.debug(f'Loading contents of file "{filename}')
     with open(filename, 'rb') as file:
         content = file.read()
     return content
 
 
-def load_key(filename) -> "RsaKey":
+class PrivateKey:
+
+    def __init__(self, data: bytes):
+        self.__key = load_pem_private_key(data, password=None)
+
+    @staticmethod
+    def from_file(filename: str) -> "PrivateKey":
+        log = logging.getLogger(__name__)
+        log.debug(f'Importing RSA-Private-Key from "{filename}"')
+
+        with open(filename, 'rb') as f:
+            data = f.read()
+
+        return PrivateKey(data=data.strip())
+
+    def raw(self) -> RSAPrivateKey:
+        return self.__key
+
+    def pem(self) -> bytes:
+        return self.__key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+
+    def public_key(self) -> "PublicKey":
+        data = self.__key.public_key().public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+        return PublicKey(data=data)
+
+    @staticmethod
+    def generate(public_exponent: int = 65537, key_size: int = 2048) -> "PrivateKey":
+        log = logging.getLogger(__name__)
+        log.debug(f'Generating RSA-Key')
+        key = generate_private_key(public_exponent=public_exponent, key_size=key_size)
+        data = key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption()
+        )
+        return PrivateKey(data=data)
+
+
+class PublicKey:
+
+    def __init__(self, data: bytes):
+        self.__key = load_pem_public_key(data)
+
+    @staticmethod
+    def from_file(filename: str) -> "PublicKey":
+        log = logging.getLogger(__name__)
+        log.debug(f'Importing RSA-Public-Key from "{filename}"')
+
+        with open(filename, 'rb') as f:
+            data = f.read()
+
+        return PublicKey(data=data.strip())
+
+    def raw(self) -> RSAPublicKey:
+        return self.__key
+
+    def pem(self) -> bytes:
+        return self.__key.public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo
+        )
+
+
+class DriverMatrix:
+    __DRIVER_MATRIX_FILENAME = 'static/driver_matrix.json'
+    __DRIVER_MATRIX: None | dict = None  # https://docs.nvidia.com/grid/ => "Driver Versions"
+
+    def __init__(self):
+        self.log = logging.getLogger(self.__class__.__name__)
+
+        if DriverMatrix.__DRIVER_MATRIX is None:
+            self.__load()
+
+    def __load(self):
         try:
-        # Crypto | Cryptodome on Debian
+            file = open(DriverMatrix.__DRIVER_MATRIX_FILENAME)
-        from Crypto.PublicKey import RSA
+            DriverMatrix.__DRIVER_MATRIX = json_load(file)
-        from Crypto.PublicKey.RSA import RsaKey
+            file.close()
-    except ModuleNotFoundError:
+            self.log.debug(f'Successfully loaded "{DriverMatrix.__DRIVER_MATRIX_FILENAME}".')
-        from Cryptodome.PublicKey import RSA
+        except Exception as e:
-        from Cryptodome.PublicKey.RSA import RsaKey
+            DriverMatrix.__DRIVER_MATRIX = {}  # init empty dict to not try open file everytime, just when restarting app
+            # self.log.warning(f'Failed to load "{NV.__DRIVER_MATRIX_FILENAME}": {e}')
 
-    return RSA.import_key(extern_key=load_file(filename), passphrase=None)
+    @staticmethod
+    def find(version: str) -> dict | None:
+        if DriverMatrix.__DRIVER_MATRIX is None:
+            return None
+        for idx, (key, branch) in enumerate(DriverMatrix.__DRIVER_MATRIX.items()):
+            for release in branch.get('$releases'):
+                linux_driver = release.get('Linux Driver')
+                windows_driver = release.get('Windows Driver')
+                if version == linux_driver or version == windows_driver:
+                    tmp = branch.copy()
+                    tmp.pop('$releases')
 
+                    is_latest = release.get('vGPU Software') == branch.get('Latest Release in Branch')
 
-def generate_key() -> "RsaKey":
+                    return {
-    try:
+                        'software_branch': branch.get('vGPU Software Branch'),
-        # Crypto | Cryptodome on Debian
+                        'branch_version': release.get('vGPU Software'),
-        from Crypto.PublicKey import RSA
+                        'driver_branch': branch.get('Driver Branch'),
-        from Crypto.PublicKey.RSA import RsaKey
+                        'branch_status': branch.get('vGPU Branch Status'),
-    except ModuleNotFoundError:
+                        'release_date': release.get('Release Date'),
-        from Cryptodome.PublicKey import RSA
+                        'eol': branch.get('EOL Date') if is_latest else None,
-        from Cryptodome.PublicKey.RSA import RsaKey
+                        'is_latest': is_latest,
-
-    return RSA.generate(bits=2048)
-
-
-def ha_replicate(logger: "logging.Logger", ha_replicate: str, ha_role: str, version: str, dls_url: str, dls_port: int, site_key_xid: str, instance_ref: str, origins: list, leases: list) -> bool:
-    from datetime import datetime
-    import httpx
-
-    if f'{dls_url}:{dls_port}' == ha_replicate:
-        logger.error(f'Failed to replicate this node ({ha_role}) to "{ha_replicate}": can\'t replicate to itself')
-        return False
-
-    data = {
-        'VERSION': str(version),
-        'HA_REPLICATE': f'{dls_url}:{dls_port}',
-        'SITE_KEY_XID': str(site_key_xid),
-        'INSTANCE_REF': str(instance_ref),
-        'origins': origins,
-        'leases': leases,
-        'sync_timestamp': datetime.utcnow().isoformat(),
                     }
-
+        return None
-    r = httpx.put(f'https://{ha_replicate}/-/ha/replicate', json=data, verify=False)
-    if r.status_code == 202:
-        logger.info(f'Successfully replicated this node ({ha_role}) to "{ha_replicate}".')
-        return True
-    logger.error(f'Failed to replicate this node ({ha_role}) to "{ha_replicate}": {r.status_code} - {r.content}')
-    return False

doc/Database.md

@@ -1,26 +0,0 @@
-# Database structure
-
-## `request_routing.service_instance`
-
-| xid                                    | org_name                 |
-|----------------------------------------|--------------------------|
-| `10000000-0000-0000-0000-000000000000` | `lic-000000000000000000` |
-
-- `xid` is used as `SERVICE_INSTANCE_XID`
-
-## `request_routing.license_allotment_service_instance`
-
-| xid                                    | service_instance_xid                   | license_allotment_xid                  |
-|----------------------------------------|----------------------------------------|----------------------------------------|
-| `90000000-0000-0000-0000-000000000001` | `10000000-0000-0000-0000-000000000000` | `80000000-0000-0000-0000-000000000001` |
-
-- `xid` is only a primary-key and never used as foreign-key or reference
-- `license_allotment_xid` must be used to fetch `xid`'s from `request_routing.license_allotment_reference`
-
-## `request_routing.license_allotment_reference`
-
-| xid                                    | license_allotment_xid                  |
-|----------------------------------------|----------------------------------------|
-| `20000000-0000-0000-0000-000000000001` | `80000000-0000-0000-0000-000000000001` | 
-
-- `xid` is used as `scope_ref_list` on token request

doc/Reverse Engineering Notes.md

@@ -1,177 +0,0 @@
-# Reverse Engineering Notes
-
-# Usefully commands
-
-## Check licensing status
-
-- `nvidia-smi -q | grep "License"`
-
-**Output**
-
-```
-vGPU Software Licensed Product
-        License Status                    : Licensed (Expiry: 2023-1-14 12:59:52 GMT)
-```
-
-## Track licensing progress
-
-- NVIDIA Grid Log: `journalctl -u nvidia-gridd -f`
-
-```
-systemd[1]: Started NVIDIA Grid Daemon.
-nvidia-gridd[2986]: Configuration parameter ( ServerAddress  ) not set
-nvidia-gridd[2986]: vGPU Software package (0)
-nvidia-gridd[2986]: Ignore service provider and node-locked licensing
-nvidia-gridd[2986]: NLS initialized
-nvidia-gridd[2986]: Acquiring license. (Info: license.nvidia.space; NVIDIA RTX Virtual Workstation)
-nvidia-gridd[2986]: License acquired successfully. (Info: license.nvidia.space, NVIDIA RTX Virtual Workstation; Expiry: 2023-1-29 22:3:0 GMT)
-```
-
-# DLS-Container File-System (Docker)
-
-## Configuration data
-
-Most variables and configs are stored in `/var/lib/docker/volumes/configurations/_data`.
-
-Files can be modified with `docker cp <container-id>:/venv/... /opt/localfile/...` and back.
-(May you need to fix permissions with `docker exec -u 0 <container-id> chown nonroot:nonroot /venv/...`)
-
-## Dive / Docker image inspector
-
-- `dive dls:appliance`
-
-The source code is stored in `/venv/lib/python3.9/site-packages/nls_*`.
-
-Image-Reference:
-
-```
-Tags:   (unavailable)
-Id:     d1c7976a5d2b3681ff6c5a30f8187e4015187a83f3f285ba4a37a45458bd6b98
-Digest: sha256:311223c5af7a298ec1104f5dc8c3019bfb0e1f77256dc3d995244ffb295a97
-1f
-Command:
-#(nop) ADD file:c1900d3e3a29c29a743a8da86c437006ec5d2aa873fb24e48033b6bf492bb37b in /
-```
-
-## Private Key (Site-Key)
-
-- `/etc/dls/config/decryptor/decryptor`
-
-```shell
- docker exec -it <container-id> /etc/dls/config/decryptor/decryptor > /tmp/private-key.pem
-```
-
-```
------BEGIN RSA PRIVATE KEY-----
-...
------END RSA PRIVATE KEY-----
-``` 
-
-## Site Key Uri - `/etc/dls/config/site_key_uri.bin`
-
-```
-base64-content...
-```
-
-## DB Password - `/etc/dls/config/dls_db_password.bin`
-
-```
-base64-content...
-```
-
-**Decrypt database password**
-
-```
-cd /var/lib/docker/volumes/configurations/_data
-cat dls_db_password.bin | base64 -d > dls_db_password.bin.raw
-openssl rsautl -decrypt -inkey /tmp/private-key.pem -in dls_db_password.bin.raw
-```
-
-# Database
-
-- It's enough to manipulate database licenses. There must not be changed any line of code to bypass licensing
-  validations.
-
-# Logging / Stack Trace
-
-- https://docs.nvidia.com/license-system/latest/nvidia-license-system-user-guide/index.html#troubleshooting-dls-instance
-
-**Failed licensing log**
-
-```
-{
-    "activity": 100,
-    "context": {
-        "SERVICE_INSTANCE_ID": "b43d6e46-d6d0-4943-8b8d-c66a5f6e0d38",
-        "SERVICE_INSTANCE_NAME": "DEFAULT_2022-12-14_12:48:30",
-        "description": "borrow failed: NotFoundError(no pool features found for: NVIDIA RTX Virtual Workstation)",
-        "event_type": null,
-        "function_name": "_evt",
-        "lineno": 54,
-        "module_name": "nls_dal_lease_dls.event",
-        "operation_id": "e72a8ca7-34cc-4e11-b80c-273592085a24",
-        "origin_ref": "3f7f5a50-a26b-425b-8d5e-157f63e72b1c",
-        "service_name": "nls_services_lease"
-    },
-    "detail": {
-        "oc": {
-            "license_allotment_xid": "10c4317f-7c4c-11ed-a524-0e4252a7e5f1",
-            "origin_ref": "3f7f5a50-a26b-425b-8d5e-157f63e72b1c",
-            "service_instance_xid": "b43d6e46-d6d0-4943-8b8d-c66a5f6e0d38"
-        },
-        "operation_id": "e72a8ca7-34cc-4e11-b80c-273592085a24"
-    },
-    "id": "0cc9e092-3b92-4652-8d9e-7622ef85dc79",
-    "metadata": {},
-    "ts": "2022-12-15T10:25:36.827661Z"
-}
-
-{
-    "activity": 400,
-    "context": {
-        "SERVICE_INSTANCE_ID": "b43d6e46-d6d0-4943-8b8d-c66a5f6e0d38",
-        "SERVICE_INSTANCE_NAME": "DEFAULT_2022-12-14_12:48:30",
-        "description": "lease_multi_create failed: no pool features found for: NVIDIA RTX Virtual Workstation",
-        "event_by": "system",
-        "function_name": "lease_multi_create",
-        "level": "warning",
-        "lineno": 157,
-        "module_name": "nls_services_lease.controllers.lease_multi_controller",
-        "operation_id": "e72a8ca7-34cc-4e11-b80c-273592085a24",
-        "service_name": "nls_services_lease"
-    },
-    "detail": {
-        "_msg": "lease_multi_create failed: no pool features found for: NVIDIA RTX Virtual Workstation",
-        "exec_info": ["NotFoundError", "NotFoundError(no pool features found for: NVIDIA RTX Virtual Workstation)", "  File \"/venv/lib/python3.9/site-packages/nls_services_lease/controllers/lease_multi_controller.py\", line 127, in lease_multi_create\n    data = _leaseMulti.lease_multi_create(event_args)\n  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 208, in lease_multi_create\n    raise e\n  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 184, in lease_multi_create\n    self._try_proposals(oc, mlr, results, detail)\n  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 219, in _try_proposals\n    lease = self._leases.create(creator)\n  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 230, in create\n    features = self._get_features(creator)\n  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 148, in _get_features\n    self._explain_not_available(cur, creator)\n  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 299, in _explain_not_available\n    raise NotFoundError(f'no pool features found for: {lcc.product_name}')\n"],
-        "operation_id": "e72a8ca7-34cc-4e11-b80c-273592085a24"
-    },
-    "id": "282801b9-d612-40a5-9145-b56d8e420dac",
-    "metadata": {},
-    "ts": "2022-12-15T10:25:36.831673Z"
-}
-
-```
-
-**Stack Trace**
-
-```
-"NotFoundError", "NotFoundError(no pool features found for: NVIDIA RTX Virtual Workstation)", "  File \"/venv/lib/python3.9/site-packages/nls_services_lease/controllers/lease_multi_controller.py\", line 127, in lease_multi_create
-    data = _leaseMulti.lease_multi_create(event_args)
-  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 208, in lease_multi_create
-    raise e
-  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 184, in lease_multi_create
-    self._try_proposals(oc, mlr, results, detail)
-  File \"/venv/lib/python3.9/site-packages/nls_core_lease/lease_multi.py\", line 219, in _try_proposals
-    lease = self._leases.create(creator)
-  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 230, in create
-    features = self._get_features(creator)
-  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 148, in _get_features
-    self._explain_not_available(cur, creator)
-  File \"/venv/lib/python3.9/site-packages/nls_dal_lease_dls/leases.py\", line 299, in _explain_not_available
-    raise NotFoundError(f'no pool features found for: {lcc.product_name}')
-"
-```
-
-# Nginx
-
-- NGINX uses `/opt/certs/cert.pem` and `/opt/certs/key.pem`  

docker-compose.yml

@@ -1,9 +1,10 @@
 version: '3.9'
 
 x-dls-variables: &dls-variables
+  TZ: Europe/Berlin # REQUIRED, set your timezone correctly on fastapi-dls AND YOUR CLIENTS !!!
   DLS_URL: localhost # REQUIRED, change to your ip or hostname
-  DLS_PORT: 443  # must match nginx listen & exposed port
+  DLS_PORT: 443
-  LEASE_EXPIRE_DAYS: 90
+  LEASE_EXPIRE_DAYS: 90  # 90 days is maximum
   DATABASE: sqlite:////app/database/db.sqlite
   DEBUG: false
 
@@ -13,108 +14,16 @@ services:
     restart: always
     environment:
       <<: *dls-variables
-    volumes:
-      - /etc/timezone:/etc/timezone:ro
-      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
-      - db:/app/database
-    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
-    healthcheck:
-      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-      start_period: 30s
-  proxy:
-    image: nginx
     ports:
-      # thees are ports where nginx (!) is listen to
+      - "443:443"
-      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
-      - "443:443"  # first part must match "DLS_PORT"
     volumes:
-      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert
-      - /opt/docker/fastapi-dls/cert:/opt/cert
+      - dls-db:/app/database
-    healthcheck:
+    logging: # optional, for those who do not need logs
-      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      driver: "json-file"
-      interval: 10s
+      options:
-      timeout: 5s
+        max-file: 5
-      retries: 3
+        max-size: 10m
-      start_period: 30s
-    command: |
-      bash -c "bash -s <<\"EOF\"
-      cat > /etc/nginx/nginx.conf <<\"EON\"
-      daemon off;
-      user root;
-      worker_processes auto;
-      
-      events {
-        worker_connections 1024;
-      }
-      
-      http {
-        gzip on;
-        gzip_disable "msie6";
-        include /etc/nginx/mime.types;
-      
-        upstream dls-backend {
-          server dls:8000;  # must match dls listen port
-        }
-      
-        server {
-          listen 443 ssl http2 default_server;
-          listen [::]:443 ssl http2 default_server;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          ssl_certificate "/opt/cert/webserver.crt";
-          ssl_certificate_key "/opt/cert/webserver.key";
-          ssl_session_cache shared:SSL:1m;
-          ssl_session_timeout  10m;
-          ssl_protocols TLSv1.3 TLSv1.2;
-          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
-          # ssl_ciphers PROFILE=SYSTEM;
-          ssl_prefer_server_ciphers on;
-      
-          location / {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend$$request_uri;
-          }
-      
-          location = /-/health {
-            access_log off;
-            add_header 'Content-Type' 'application/json';
-            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
-          }
-        }
-      
-        server {
-          listen 80;
-          listen [::]:80;
-      
-          root /var/www/html;
-          index index.html;
-          server_name _;
-      
-          location /leasing/v1/lessor/shutdown {
-            proxy_set_header Host $$http_host;
-            proxy_set_header X-Real-IP $$remote_addr;
-            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $$scheme;
-            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
-          }
-      
-          location / {
-            return 301 https://$$host$$request_uri;
-          }
-        }
-      }
-      EON
-      nginx
-      EOF"
 
 volumes:
-  db:
+  dls-db:

examples/docker-compose-http-and-https.yml

@@ -0,0 +1,120 @@
+version: '3.9'
+
+x-dls-variables: &dls-variables
+  DLS_URL: localhost  # REQUIRED, change to your ip or hostname
+  DLS_PORT: 443  # must match nginx listen & exposed port
+  LEASE_EXPIRE_DAYS: 90
+  DATABASE: sqlite:////app/database/db.sqlite
+  DEBUG: false
+
+services:
+  dls:
+    image: collinwebdesigns/fastapi-dls:latest
+    restart: always
+    environment:
+      <<: *dls-variables
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/app/cert  # instance.private.pem, instance.public.pem
+      - db:/app/database
+    entrypoint: ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--app-dir", "/app", "--proxy-headers"]
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8000/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+  proxy:
+    image: nginx
+    ports:
+      # thees are ports where nginx (!) is listen to
+      - "80:80"  # for "/leasing/v1/lessor/shutdown" used by windows guests, can't be changed!
+      - "443:443"  # first part must match "DLS_PORT"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /opt/docker/fastapi-dls/cert:/opt/cert
+    healthcheck:
+      test: ["CMD", "curl", "--insecure", "--fail", "https://localhost/-/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    command: |
+      bash -c "bash -s <<\"EOF\"
+      cat > /etc/nginx/nginx.conf <<\"EON\"
+      daemon off;
+      user root;
+      worker_processes auto;
+      
+      events {
+        worker_connections 1024;
+      }
+      
+      http {
+        gzip on;
+        gzip_disable "msie6";
+        include /etc/nginx/mime.types;
+      
+        upstream dls-backend {
+          server dls:8000;  # must match dls listen port
+        }
+      
+        server {
+          listen 443 ssl http2 default_server;
+          listen [::]:443 ssl http2 default_server;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          ssl_certificate "/opt/cert/webserver.crt";
+          ssl_certificate_key "/opt/cert/webserver.key";
+          ssl_session_cache shared:SSL:1m;
+          ssl_session_timeout  10m;
+          ssl_protocols TLSv1.3 TLSv1.2;
+          # ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305";
+          # ssl_ciphers PROFILE=SYSTEM;
+          ssl_prefer_server_ciphers on;
+      
+          location / {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend$$request_uri;
+          }
+      
+          location = /-/health {
+            access_log off;
+            add_header 'Content-Type' 'application/json';
+            return 200 '{\"status\":\"up\",\"service\":\"nginx\"}';
+          }
+        }
+      
+        server {
+          listen 80;
+          listen [::]:80;
+      
+          root /var/www/html;
+          index index.html;
+          server_name _;
+      
+          location /leasing/v1/lessor/shutdown {
+            proxy_set_header Host $$http_host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $$scheme;
+            proxy_pass http://dls-backend/leasing/v1/lessor/shutdown;
+          }
+      
+          location / {
+            return 301 https://$$host$$request_uri;
+          }
+        }
+      }
+      EON
+      nginx
+      EOF"
+
+volumes:
+  db:

requirements.txt

@@ -1,9 +1,8 @@
-fastapi==0.92.0
+fastapi==0.115.12
-uvicorn[standard]==0.20.0
+uvicorn[standard]==0.34.1
-python-jose==3.3.0
+python-jose[cryptography]==3.4.0
-pycryptodome==3.17
+cryptography==44.0.2
-python-dateutil==2.8.2
+python-dateutil==2.9.0
-sqlalchemy==2.0.3
+sqlalchemy==2.0.40
-markdown==3.4.1
+markdown==3.8
-python-dotenv==0.21.1
+python-dotenv==1.1.0
-httpx==0.23.3

test/create_driver_matrix_json.py

@@ -0,0 +1,123 @@
+import logging
+
+logging.basicConfig()
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
+
+URL = 'https://docs.nvidia.com/vgpu/index.html'
+
+BRANCH_STATUS_KEY = 'vGPU Branch Status'
+VGPU_KEY, GRID_KEY, DRIVER_BRANCH_KEY = 'vGPU Software', 'vGPU Software', 'Driver Branch'
+LINUX_VGPU_MANAGER_KEY, LINUX_DRIVER_KEY = 'Linux vGPU Manager', 'Linux Driver'
+WINDOWS_VGPU_MANAGER_KEY, WINDOWS_DRIVER_KEY = 'Windows vGPU Manager', 'Windows Driver'
+ALT_VGPU_MANAGER_KEY = 'vGPU Manager'
+RELEASE_DATE_KEY, LATEST_KEY, EOL_KEY = 'Release Date', 'Latest Release in Branch', 'EOL Date'
+JSON_RELEASES_KEY = '$releases'
+
+
+def __driver_versions(html: 'BeautifulSoup'):
+    def __strip(_: str) -> str:
+        # removes content after linebreak (e.g. "Hello\n World" to "Hello")
+        _ = _.strip()
+        tmp = _.split('\n')
+        if len(tmp) > 0:
+            return tmp[0]
+        return _
+
+    # find wrapper for "DriverVersions" and find tables
+    data = html.find('div', {'id': 'driver-versions'})
+    items = data.find_all('bsp-accordion', {'class': 'Accordion-items-item'})
+    for item in items:
+        software_branch = item.find('div', {'class': 'Accordion-items-item-title'}).text.strip()
+        software_branch = software_branch.replace(' Releases', '')
+        matrix_key = software_branch.lower()
+
+        branch_status = item.find('a', href=True, string='Branch status')
+        branch_status = branch_status.next_sibling.replace(':', '').strip()
+
+        # driver version info from table-heads (ths) and table-rows (trs)
+        table = item.find('table')
+        ths, trs = table.find_all('th'), table.find_all('tr')
+        headers, releases = [header.text.strip() for header in ths], []
+        for trs in trs:
+            tds = trs.find_all('td')
+            if len(tds) == 0:  # skip empty
+                continue
+            # create dict with table-heads as key and cell content as value
+            x = {headers[i]: __strip(cell.text) for i, cell in enumerate(tds)}
+            x.setdefault(BRANCH_STATUS_KEY, branch_status)
+            releases.append(x)
+
+        # add to matrix
+        MATRIX.update({matrix_key: {JSON_RELEASES_KEY: releases}})
+
+
+def __debug():
+    # print table head
+    s = f'{VGPU_KEY:^13} | {LINUX_VGPU_MANAGER_KEY:^21} | {LINUX_DRIVER_KEY:^21} | {WINDOWS_VGPU_MANAGER_KEY:^21} | {WINDOWS_DRIVER_KEY:^21} | {RELEASE_DATE_KEY:>21} | {BRANCH_STATUS_KEY:^21}'
+    print(s)
+
+    # iterate over dict & format some variables to not overload table
+    for idx, (key, branch) in enumerate(MATRIX.items()):
+        for release in branch.get(JSON_RELEASES_KEY):
+            version = release.get(VGPU_KEY, release.get(GRID_KEY, ''))
+            linux_manager = release.get(LINUX_VGPU_MANAGER_KEY, release.get(ALT_VGPU_MANAGER_KEY, ''))
+            linux_driver = release.get(LINUX_DRIVER_KEY)
+            windows_manager = release.get(WINDOWS_VGPU_MANAGER_KEY, release.get(ALT_VGPU_MANAGER_KEY, ''))
+            windows_driver = release.get(WINDOWS_DRIVER_KEY)
+            release_date = release.get(RELEASE_DATE_KEY)
+            is_latest = release.get(VGPU_KEY) == branch.get(LATEST_KEY)
+            branch_status = __parse_branch_status(release.get(BRANCH_STATUS_KEY, ''))
+
+            version = f'{version} *' if is_latest else version
+            s = f'{version:<13} | {linux_manager:<21} | {linux_driver:<21} | {windows_manager:<21} | {windows_driver:<21} | {release_date:>21} | {branch_status:^21}'
+            print(s)
+
+
+def __parse_branch_status(string: str) -> str:
+    string = string.replace('Production Branch', 'Prod. -')
+    string = string.replace('Long-Term Support Branch', 'LTS -')
+
+    string = string.replace('supported until', '')
+
+    string = string.replace('EOL since', 'EOL - ')
+    string = string.replace('EOL from', 'EOL -')
+
+    return string
+
+
+def __dump(filename: str):
+    import json
+
+    file = open(filename, 'w')
+    json.dump(MATRIX, file)
+    file.close()
+
+
+if __name__ == '__main__':
+    MATRIX = {}
+
+    try:
+        import httpx
+        from bs4 import BeautifulSoup
+    except Exception as e:
+        logger.error(f'Failed to import module: {e}')
+        logger.info('Run "pip install beautifulsoup4 httpx"')
+        exit(1)
+
+    r = httpx.get(URL)
+    if r.status_code != 200:
+        logger.error(f'Error loading "{URL}" with status code {r.status_code}.')
+        exit(2)
+
+    # parse html
+    soup = BeautifulSoup(r.text, features='html.parser')
+
+    # build matrix
+    __driver_versions(soup)
+
+    # debug output
+    __debug()
+
+    # dump data to file
+    __dump('../app/static/driver_matrix.json')

test/main.py

@@ -1,7 +1,8 @@
+import sys
 from base64 import b64encode as b64enc
-from hashlib import sha256
 from calendar import timegm
-from datetime import datetime
+from datetime import datetime, UTC
+from hashlib import sha256
 from os.path import dirname, join
 from uuid import uuid4, UUID
 
@@ -9,14 +10,13 @@ from dateutil.relativedelta import relativedelta
 from jose import jwt, jwk
 from jose.constants import ALGORITHMS
 from starlette.testclient import TestClient
-import sys
 
 # add relative path to use packages as they were in the app/ dir
 sys.path.append('../')
 sys.path.append('../app')
 
 from app import main
-from app.util import load_key
+from util import PrivateKey, PublicKey
 
 client = TestClient(main.app)
 
@@ -25,11 +25,11 @@ ORIGIN_REF, ALLOTMENT_REF, SECRET = str(uuid4()), '20000000-0000-0000-0000-00000
 # INSTANCE_KEY_RSA = generate_key()
 # INSTANCE_KEY_PUB = INSTANCE_KEY_RSA.public_key()
 
-INSTANCE_KEY_RSA = load_key(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
+INSTANCE_KEY_RSA = PrivateKey.from_file(str(join(dirname(__file__), '../app/cert/instance.private.pem')))
-INSTANCE_KEY_PUB = load_key(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
+INSTANCE_KEY_PUB = PublicKey.from_file(str(join(dirname(__file__), '../app/cert/instance.public.pem')))
 
-jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_encode_key = jwk.construct(INSTANCE_KEY_RSA.pem(), algorithm=ALGORITHMS.RS256)
-jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.export_key().decode('utf-8'), algorithm=ALGORITHMS.RS256)
+jwt_decode_key = jwk.construct(INSTANCE_KEY_PUB.pem(), algorithm=ALGORITHMS.RS256)
 
 
 def __bearer_token(origin_ref: str) -> str:
@@ -106,6 +106,7 @@ def test_auth_v1_origin():
     assert response.json().get('origin_ref') == ORIGIN_REF
 
 
+
 def auth_v1_origin_update():
     payload = {
         "registration_pending": False,
@@ -141,7 +142,7 @@ def test_auth_v1_code():
 
 
 def test_auth_v1_token():
-    cur_time = datetime.utcnow()
+    cur_time = datetime.now(UTC)
     access_expires_on = cur_time + relativedelta(hours=1)
 
     payload = {
@@ -153,8 +154,7 @@ def test_auth_v1_token():
         "kid": "00000000-0000-0000-0000-000000000000"
     }
     payload = {
-        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')},
+        "auth_code": jwt.encode(payload, key=jwt_encode_key, headers={'kid': payload.get('kid')}, algorithm=ALGORITHMS.RS256),
-                                algorithm=ALGORITHMS.RS256),
         "code_verifier": SECRET,
     }
 
@@ -187,8 +187,6 @@ def test_leasing_v1_lessor():
     assert len(lease_result_list[0]['lease']['ref']) == 36
     assert str(UUID(lease_result_list[0]['lease']['ref'])) == lease_result_list[0]['lease']['ref']
 
-    return lease_result_list[0]['lease']['ref']
-
 
 def test_leasing_v1_lessor_lease():
     response = client.get('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
@@ -231,7 +229,23 @@ def test_leasing_v1_lease_delete():
 
 
 def test_leasing_v1_lessor_lease_remove():
-    lease_ref = test_leasing_v1_lessor()
+    # see "test_leasing_v1_lessor()"
+    payload = {
+        'fulfillment_context': {
+            'fulfillment_class_ref_list': []
+        },
+        'lease_proposal_list': [{
+            'license_type_qualifiers': {'count': 1},
+            'product': {'name': 'NVIDIA RTX Virtual Workstation'}
+        }],
+        'proposal_evaluation_mode': 'ALL_OF',
+        'scope_ref_list': [ALLOTMENT_REF]
+    }
+
+    response = client.post('/leasing/v1/lessor', json=payload, headers={'authorization': __bearer_token(ORIGIN_REF)})
+    lease_result_list = response.json().get('lease_result_list')
+    lease_ref = lease_result_list[0]['lease']['ref']
+    #
 
     response = client.delete('/leasing/v1/lessor/leases', headers={'authorization': __bearer_token(ORIGIN_REF)})
     assert response.status_code == 200

version.env

@@ -1 +0,0 @@
-VERSION=1.3.5