Add libvirt-client to Docker image

.. using server-side API tokens

Dockerfile

@@ -1,17 +1,8 @@
 FROM python:3.8-alpine as build
 
-RUN apk add --no-cache \
-    build-base \
-    gcc \
-    gettext \
-    git \
-    jpeg-dev \
-    libffi-dev \
-    libjpeg \
-    musl-dev \
-    postgresql-dev \
-    python3-dev \
-    zlib-dev
+RUN apk add gettext git gcc python3-dev musl-dev \
+    libffi-dev zlib-dev jpeg-dev libjpeg postgresql-dev build-base \
+    --virtual .build-dependencies
 
 RUN mkdir -p /app/{code,venv}
 WORKDIR /app/code
@@ -26,14 +17,7 @@ RUN pipenv install --deploy --verbose
 
 FROM python:3.8-alpine
 
-RUN apk add --no-cache \
-    cloud-utils \
-    libjpeg \
-    libpq \
-    libstdc++ \
-    libvirt-client \
-    openssh-client \
-    virt-install
+RUN apk add --no-cache libpq libstdc++ libjpeg libvirt-client
 
 COPY . /app/code/
 WORKDIR /app/code

capsulflask/__init__.py

@@ -26,27 +26,12 @@ class StdoutMockFlaskMail:
     def send(self, message: Message):
       current_app.logger.info(f"Email would have been sent if configured:\n\nto: {','.join(message.recipients)}\nsubject: {message.subject}\nbody:\n\n{message.body}\n\n")
 
-
 load_dotenv(find_dotenv())
 
-for var_name in [
-  "SPOKE_HOST_TOKEN", "HUB_TOKEN", "STRIPE_SECRET_KEY",
-  "BTCPAY_PRIVATE_KEY", "MAIL_PASSWORD"
-]:
-  var = os.environ.get(f"{var_name}_FILE")
-  if not var:
-    continue
-
-  if not os.path.isfile(var):
-    continue
-
-  with open(var) as secret_file:
-    os.environ[var_name] = secret_file.read().rstrip('\n')
-  del os.environ[f"{var_name}_FILE"]
-
 app = Flask(__name__)
 
 app.config.from_mapping(
+  
   BASE_URL=os.environ.get("BASE_URL", default="http://localhost:5000"),
   SECRET_KEY=os.environ.get("SECRET_KEY", default="dev"),
   HUB_MODE_ENABLED=os.environ.get("HUB_MODE_ENABLED", default="True").lower() in ['true', '1', 't', 'y', 'yes'],
@@ -168,7 +153,6 @@ is_running_server = ('flask run' in command_line) or ('gunicorn' in command_line
 app.logger.info(f"is_running_server: {is_running_server}")
 
 if app.config['HUB_MODE_ENABLED']:
-
   if app.config['HUB_MODEL'] == "capsul-flask":
     app.config['HUB_MODEL'] = hub_model.CapsulFlaskHub()
 
@@ -190,7 +174,9 @@ if app.config['HUB_MODE_ENABLED']:
   from capsulflask import db
   db.init_app(app, is_running_server)
 
-  from capsulflask import auth, landing, console, payment, metrics, cli, hub_api, admin
+  from capsulflask import (
+    auth, landing, console, payment, metrics, cli, hub_api, publicapi, admin
+  )
 
   app.register_blueprint(landing.bp)
   app.register_blueprint(auth.bp)
@@ -200,13 +186,13 @@ if app.config['HUB_MODE_ENABLED']:
   app.register_blueprint(cli.bp)
   app.register_blueprint(hub_api.bp)
   app.register_blueprint(admin.bp)
+  app.register_blueprint(publicapi.bp)
 
   app.add_url_rule("/", endpoint="index")
 
 
 
 if app.config['SPOKE_MODE_ENABLED']:
-
   if app.config['SPOKE_MODEL'] == "shell-scripts":
     app.config['SPOKE_MODEL'] = spoke_model.ShellScriptSpoke()
   else:
@@ -234,10 +220,6 @@ def override_url_for():
   return dict(url_for=url_for_with_cache_bust)
 
 
-@app.context_processor
-def load_config_vars():
-  return dict(config=app.config)
-
 def url_for_with_cache_bust(endpoint, **values):
   """
   Add a query parameter based on the hash of the file, this acts as a cache bust

capsulflask/auth.py

@@ -1,3 +1,4 @@
+from base64 import b64decode
 import functools
 import re
 
@@ -24,6 +25,15 @@ def account_required(view):
 
     @functools.wraps(view)
     def wrapped_view(**kwargs):
+        api_token = request.headers.get('authorization', None)
+        if api_token is not None:
+            email = get_model().authenticate_token(b64decode(api_token).decode('utf-8'))
+
+            if email is not None:
+                session.clear()
+                session["account"] = email
+                session["csrf-token"] = generate()
+
         if session.get("account") is None or session.get("csrf-token") is None :
             return redirect(url_for("auth.login"))
 
@@ -56,7 +66,7 @@ def login():
         if not email:
             errors.append("email is required")
         elif len(email.strip()) < 6 or email.count('@') != 1 or email.count('.') == 0: 
-	        errors.append("enter a valid email address")
+            errors.append("enter a valid email address")
 
         if len(errors) == 0:
             result = get_model().login(email)

capsulflask/console.py

@@ -1,7 +1,9 @@
+from base64 import b64encode
+from datetime import datetime, timedelta
+import json
 import re
 import sys
-import json
-from datetime import datetime, timedelta
+
 from flask import Blueprint
 from flask import flash
 from flask import current_app
@@ -98,7 +100,6 @@ def index():
 @bp.route("/<string:id>", methods=("GET", "POST"))
 @account_required
 def detail(id):
-
   duration=request.args.get('duration')
   if not duration:
     duration = "5m"
@@ -188,6 +189,72 @@ def detail(id):
       duration=duration
     )
 
+def _create(vm_sizes, operating_systems, public_keys_for_account, server_data):
+  errors = list()
+
+  size = server_data.get("size")
+  os = server_data.get("os")
+  posted_keys_count = int(server_data.get("ssh_authorized_key_count"))
+
+  if not size:
+    errors.append("Size is required")
+  elif size not in vm_sizes:
+    errors.append(f"Invalid size {size}")
+
+  if not os:
+    errors.append("OS is required")
+  elif os not in operating_systems:
+    errors.append(f"Invalid os {os}")
+
+  posted_keys = list()
+
+  if posted_keys_count > 1000:
+    errors.append("something went wrong with ssh keys")
+  else:
+    for i in range(0, posted_keys_count):
+      if f"ssh_key_{i}" in server_data:
+        posted_name = server_data.get(f"ssh_key_{i}")
+        key = None
+        for x in public_keys_for_account:
+          if x['name'] == posted_name:
+            key = x
+        if key:
+          posted_keys.append(key)
+        else:
+          errors.append(f"SSH Key \"{posted_name}\" doesn't exist")
+
+  if len(posted_keys) == 0:
+    errors.append("At least one SSH Public Key is required")
+
+  capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(
+    vm_sizes[size]['memory_mb']*1024*1024
+  )
+
+  if not capacity_avaliable:
+    errors.append("""
+      host(s) at capacity. no capsuls can be created at this time. sorry. 
+    """)
+
+  if len(errors) == 0:
+    id = make_capsul_id()
+    get_model().create_vm(
+      email=session["account"], 
+      id=id, 
+      size=size, 
+      os=os,
+      ssh_authorized_keys=list(map(lambda x: x["name"], posted_keys))
+    )
+    current_app.config["HUB_MODEL"].create(
+      email = session["account"],
+      id=id,
+      template_image_file_name=operating_systems[os]['template_image_file_name'],
+      vcpus=vm_sizes[size]['vcpus'],
+      memory_mb=vm_sizes[size]['memory_mb'],
+      ssh_authorized_keys=list(map(lambda x: x["content"], posted_keys))
+    )
+    return id, errors
+
+  return None, errors
 
 @bp.route("/create", methods=("GET", "POST"))
 @account_required
@@ -197,67 +264,18 @@ def create():
   public_keys_for_account = get_model().list_ssh_public_keys_for_account(session["account"])
   account_balance = get_account_balance(get_vms(), get_payments(), datetime.utcnow())
   capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(512*1024*1024)
-  errors = list()
 
   if request.method == "POST":
     if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
       return abort(418, f"u want tea")
-
-    size = request.form["size"]
-    os = request.form["os"]
-    if not size:
-      errors.append("Size is required")
-    elif size not in vm_sizes:
-      errors.append(f"Invalid size {size}")
-
-    if not os:
-      errors.append("OS is required")
-    elif os not in operating_systems:
-      errors.append(f"Invalid os {os}")
-
-    posted_keys_count = int(request.form["ssh_authorized_key_count"])
-    posted_keys = list()
-
-    if posted_keys_count > 1000:
-      errors.append("something went wrong with ssh keys")
-    else:
-      for i in range(0, posted_keys_count):
-        if f"ssh_key_{i}" in request.form:
-          posted_name = request.form[f"ssh_key_{i}"]
-          key = None
-          for x in public_keys_for_account:
-            if x['name'] == posted_name:
-              key = x
-          if key:
-            posted_keys.append(key)
-          else:
-            errors.append(f"SSH Key \"{posted_name}\" doesn't exist")
-
-    if len(posted_keys) == 0:
-      errors.append("At least one SSH Public Key is required")
-
-    capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(vm_sizes[size]['memory_mb']*1024*1024)
-
-    if not capacity_avaliable:
-      errors.append("""
-        host(s) at capacity. no capsuls can be created at this time. sorry. 
-      """)
-
+    id, errors = _create(
+      vm_sizes, 
+      operating_systems,
+      public_keys_for_account,
+      request.form)
     if len(errors) == 0: 
-      id = make_capsul_id()
-      # we can't create the vm record in the DB yet because its IP address needs to be allocated first.
-      # so it will be created when the allocation happens inside the hub_api.
-      current_app.config["HUB_MODEL"].create(
-        email = session["account"],
-        id=id,
-        os=os,
-        size=size,
-        template_image_file_name=operating_systems[os]['template_image_file_name'],
-        vcpus=vm_sizes[size]['vcpus'],
-        memory_mb=vm_sizes[size]['memory_mb'],
-        ssh_authorized_keys=list(map(lambda x: dict(name=x['name'], content=x['content']), posted_keys)) 
-      )
-      
+      for error in errors:
+        flash(error)
       return redirect(f"{url_for('console.index')}?created={id}")
   
   affordable_vm_sizes = dict()
@@ -268,9 +286,6 @@ def create():
     if vm_size["dollars_per_month"] <= account_balance+0.25:
       affordable_vm_sizes[key] = vm_size
 
-  for error in errors:
-    flash(error)
-
   if not capacity_avaliable:
     current_app.logger.warning(f"when capsul capacity is restored, send an email to {session['account']}")
 
@@ -287,23 +302,25 @@ def create():
     vm_sizes=affordable_vm_sizes
   )
 
-@bp.route("/ssh", methods=("GET", "POST"))
+@bp.route("/keys", methods=("GET", "POST"))
 @account_required
-def ssh_public_keys():
+def ssh_api_keys():
   errors = list()
 
+  token = None
+
   if request.method == "POST":
     if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
       return abort(418, f"u want tea")
       
-    method = request.form["method"]
-    content = None
-    if method == "POST":
+    action = request.form["action"]
+
+    if action == 'upload_ssh_key':
+      content = None
       content = request.form["content"].replace("\r", " ").replace("\n", " ").strip()
         
-    name = request.form["name"]
-    if not name or len(name.strip()) < 1:
-      if method == "POST":
+      name = request.form["name"]
+      if not name or len(name.strip()) < 1:
         parts = re.split(" +", content)
         if len(parts) > 2 and len(parts[2].strip()) > 0:
           name = parts[2].strip()
@@ -311,10 +328,9 @@ def ssh_public_keys():
           name = parts[0].strip()
       else:
         errors.append("Name is required")
-    if not re.match(r"^[0-9A-Za-z_@:. -]+$", name):
-      errors.append(f"Key name '{name}' must match \"^[0-9A-Za-z_@:. -]+$\"")
+      if not re.match(r"^[0-9A-Za-z_@:. -]+$", name):
+        errors.append(f"Key name '{name}' must match \"^[0-9A-Za-z_@:. -]+$\"")
 
-    if method == "POST":
       if not content or len(content.strip()) < 1:
         errors.append("Content is required")
       else:
@@ -327,24 +343,36 @@ def ssh_public_keys():
       if len(errors) == 0:
         get_model().create_ssh_public_key(session["account"], name, content)
 
-    elif method == "DELETE":
+    elif action == "delete_ssh_key":
+      get_model().delete_ssh_public_key(session["account"], name)
 
-      if len(errors) == 0:
-        get_model().delete_ssh_public_key(session["account"], name)
+    elif action == "generate_api_token":
+      name = request.form["name"]
+      if name == '':
+          name = datetime.utcnow().strftime('%y-%m-%d %H:%M:%S')
+      token = b64encode(
+        get_model().generate_api_token(session["account"], name).encode('utf-8')
+      ).decode('utf-8')
+
+    elif action == "delete_api_token":
+      get_model().delete_api_token(session["account"], request.form["id"])
 
   for error in errors:
     flash(error)
 
-  keys_list=list(map(
+  ssh_keys_list=list(map(
     lambda x: dict(name=x['name'], content=f"{x['content'][:20]}...{x['content'][len(x['content'])-20:]}"), 
     get_model().list_ssh_public_keys_for_account(session["account"])
   ))
 
+  api_tokens_list = get_model().list_api_tokens(session["account"])
+
   return render_template(
-    "ssh-public-keys.html", 
+    "keys.html", 
     csrf_token = session["csrf-token"],
-    ssh_public_keys=keys_list, 
-    has_ssh_public_keys=len(keys_list) > 0
+    api_tokens=api_tokens_list, 
+    ssh_public_keys=ssh_keys_list,
+    generated_api_token=token,
   )
 
 def get_vms():
@@ -368,7 +396,6 @@ def get_vm_months_float(vm, as_of):
   return days / average_number_of_days_in_a_month
 
 def get_account_balance(vms, payments, as_of):
-
   vm_cost_dollars = 0.0
   for vm in vms:
     vm_months = get_vm_months_float(vm, as_of)
@@ -381,7 +408,6 @@ def get_account_balance(vms, payments, as_of):
 @bp.route("/account-balance")
 @account_required
 def account_balance():
-
   payment_sessions = get_model().list_payment_sessions_for_account(session['account'])
   for payment_session in payment_sessions:
     if payment_session['type'] == 'btcpay':

capsulflask/db.py

@@ -33,7 +33,7 @@ def init_app(app, is_running_server):
     result = re.search(r"^\d+_(up|down)", filename)
     if not result:
       app.logger.error(f"schemaVersion {filename} must match ^\\d+_(up|down). exiting.")
-      exit(1)
+      continue
     key = result.group()
     with open(join(schemaMigrationsPath, filename), 'rb') as file:
       schemaMigrations[key] = file.read().decode("utf8")
@@ -128,4 +128,3 @@ def close_db(e=None):
   if db_model is not None:
     db_model.cursor.close()
     current_app.config['PSYCOPG2_CONNECTION_POOL'].putconn(db_model.connection)
-

capsulflask/db_model.py

@@ -1,8 +1,8 @@
-
 import re
 
 # I was never able to get this type hinting to work correctly 
 # from psycopg2.extensions import connection as Psycopg2Connection, cursor as Psycopg2Cursor
+import hashlib
 from nanoid import generate
 from flask import current_app
 from typing import List
@@ -17,7 +17,6 @@ class DBModel:
     self.cursor = cursor
 
 
-
   #     ------    LOGIN     ---------     
 
 
@@ -44,6 +43,16 @@ class DBModel:
 
     return (token, ignoreCaseMatches)
 
+  def authenticate_token(self, token):
+    m = hashlib.md5()
+    m.update(token.encode('utf-8'))
+    hash_token = m.hexdigest()
+    self.cursor.execute("SELECT email FROM api_tokens WHERE token = %s", (hash_token, ))
+    result = self.cursor.fetchall()
+    if len(result) == 1:
+      return result[0]
+    return None
+    
   def consume_token(self, token):
     self.cursor.execute("SELECT email FROM login_tokens WHERE token = %s and created > (NOW() - INTERVAL '20 min')", (token, ))
     row = self.cursor.fetchone()
@@ -132,6 +141,32 @@ class DBModel:
     self.cursor.execute( "DELETE FROM ssh_public_keys where email = %s AND name = %s", (email, name) )
     self.connection.commit()
 
+  def list_api_tokens(self, email):
+    self.cursor.execute(
+      "SELECT id, token, name, created FROM api_tokens WHERE email = %s", 
+      (email, )
+    )
+    return list(map(
+      lambda x: dict(id=x[0], token=x[1], name=x[2], created=x[3]), 
+      self.cursor.fetchall()
+    ))
+
+  def generate_api_token(self, email, name):
+    token = generate()
+    m = hashlib.md5()
+    m.update(token.encode('utf-8'))
+    hash_token = m.hexdigest()
+    self.cursor.execute(
+      "INSERT INTO api_tokens (email, name, token) VALUES (%s, %s, %s)", 
+      (email, name, hash_token)
+    )
+    self.connection.commit()
+    return token
+
+  def delete_api_token(self, email, id_):
+    self.cursor.execute( "DELETE FROM api_tokens where email = %s AND id = %s", (email, id_))
+    self.connection.commit()
+
   def list_vms_for_account(self, email):
     self.cursor.execute(""" 
       SELECT vms.id, vms.public_ipv4, vms.public_ipv6, vms.size, vms.os, vms.created, vms.deleted, vm_sizes.dollars_per_month
@@ -479,8 +514,3 @@ class DBModel:
     #cursor.close()
 
     return to_return
-      
-
-
-
-

capsulflask/hub_api.py

@@ -160,10 +160,7 @@ def can_claim_create(payload, host_id) -> (str, str):
   if allocated_network_name is None or allocated_ipv4_address is None:
     return "", f"host \"{host_id}\" does not have any avaliable IP addresses on any of its networks."
 
-  # payload["network_name"] = allocated_network_name
-  # hard-code the network name for now until we can fix the phantom dhcp lease issues.
-
-  payload["network_name"] = 'public3'
+  payload["network_name"] = allocated_network_name
   payload["public_ipv4"] = allocated_ipv4_address
 
   return payload, ""

capsulflask/hub_model.py

@@ -215,12 +215,11 @@ class CapsulFlaskHub(VirtualizationInterface):
         # no need to do anything here since if it cant be parsed then generic_operation will handle it.
         pass
       
-    if error_message != "":
-      raise ValueError(f"create capsul operation {operation_id} on {assigned_hosts} failed with {error_message}")
-      
     if number_of_assigned != 1:
       assigned_hosts_string = ", ".join(assigned_hosts)
       raise ValueError(f"expected create capsul operation {operation_id} to be assigned to one host, it was assigned to {number_of_assigned} ({assigned_hosts_string})")
+    if error_message != "":
+      raise ValueError(f"create capsul operation {operation_id} on {assigned_hosts_string} failed with {error_message}")
       
 
   def destroy(self, email: str, id: str):

capsulflask/payment.py

@@ -48,10 +48,6 @@ def validate_dollars():
 def btcpay_payment():
   errors = list()
 
-  if current_app.config['BTCPAY_PRIVATE_KEY'] == "":
-    flash("BTCPay is not enabled on this server")
-    return redirect(url_for("console.account_balance"))
-
   if request.method == "POST":
     result = validate_dollars()
     errors = result[0]

capsulflask/publicapi.py

@@ -0,0 +1,40 @@
+import datetime
+
+from flask import Blueprint
+from flask import current_app
+from flask import jsonify
+from flask import request
+from flask import session
+from nanoid import generate
+
+from capsulflask.auth import account_required
+from capsulflask.db import get_model
+
+bp = Blueprint("publicapi", __name__, url_prefix="/api")
+
+@bp.route("/capsul/create", methods=["POST"])
+@account_required
+def capsul_create():
+    email = session["account"]
+    
+    from .console import _create,get_account_balance, get_payments, get_vms
+
+    vm_sizes = get_model().vm_sizes_dict()
+    operating_systems = get_model().operating_systems_dict()
+    public_keys_for_account = get_model().list_ssh_public_keys_for_account(session["account"])
+    account_balance = get_account_balance(get_vms(), get_payments(), datetime.datetime.utcnow())
+    capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(512*1024*1024)
+
+    request.json['ssh_authorized_key_count'] = 1
+
+    id, errors = _create(
+      vm_sizes, 
+      operating_systems,
+      public_keys_for_account,
+      request.json)
+
+    if id is not None:
+        return jsonify(
+            id=id,
+        )
+    return jsonify(errors=errors)

capsulflask/schema_migrations/17_down_api_tokens.py

@@ -0,0 +1,2 @@
+DROP TABLE api_keys;
+UPDATE schemaversion SET version = 16;

capsulflask/schema_migrations/17_up_api_tokens.py

@@ -0,0 +1,9 @@
+CREATE TABLE api_tokens (
+  id                 SERIAL PRIMARY KEY,
+  email              TEXT REFERENCES accounts(email) ON DELETE RESTRICT,
+  name               TEXT NOT NULL,
+  created            TIMESTAMP NOT NULL DEFAULT NOW(),
+  token              TEXT NOT NULL
+);
+
+UPDATE schemaversion SET version = 17;

capsulflask/schema_migrations/19_down_api_tokens.py

@@ -0,0 +1,2 @@
+DROP TABLE api_keys;
+UPDATE schemaversion SET version = 16;

capsulflask/schema_migrations/19_up_api_tokens.py

@@ -0,0 +1,9 @@
+CREATE TABLE api_tokens (
+  id                 SERIAL PRIMARY KEY,
+  email              TEXT REFERENCES accounts(email) ON DELETE RESTRICT,
+  name               TEXT NOT NULL,
+  created            TIMESTAMP NOT NULL DEFAULT NOW(),
+  token              TEXT NOT NULL
+);
+
+UPDATE schemaversion SET version = 17;

capsulflask/shell_scripts/capacity-avaliable.sh

@@ -3,7 +3,7 @@
 # check available RAM and IPv4s
 
 ram_bytes_to_allocate="$1"
-ram_bytes_available="$(($(grep Available /proc/meminfo | grep -o '[0-9]*') * 1024))"
+ram_bytes_available=$(grep -E "^(size|memory_available_bytes)" /proc/spl/kstat/zfs/arcstats | awk '{sum+=$3} END {printf "%.0f", sum}')
 ram_bytes_remainder="$((ram_bytes_available - ram_bytes_to_allocate))"
 
 if echo "$ram_bytes_to_allocate" | grep -vqE "^[0-9]+$"; then
@@ -11,8 +11,8 @@ if echo "$ram_bytes_to_allocate" | grep -vqE "^[0-9]+$"; then
   exit 1
 fi
 
-# 0.25GB
-if [ "$ram_bytes_remainder" -le $((1 * 1024 * 1024 * 1024 / 4)) ]; then
+# 20GB
+if [ "$ram_bytes_remainder" -le $((20 * 1024 * 1024 * 1024)) ]; then
   echo "VM is requesting more RAM than $(hostname -f) has available."
   echo "Bytes requested: $ram_bytes_to_allocate"
   echo "Bytes available: $ram_bytes_available"

capsulflask/shell_scripts/create.sh

@@ -6,7 +6,6 @@
 
 vmname="$1"
 template_file="/tank/img/$2"
-qemu_tank_dir="/tank"
 vcpus="$3"
 memory="$4"
 pubkeys="$5"
@@ -51,40 +50,40 @@ if echo "$public_ipv4" | grep -vqE "^[0-9.]+$"; then
   exit 1
 fi
 
-disk="$vmname.qcow2"
-cdrom="$vmname.iso"
-xml="$vmname.xml"
+disk="/tank/vm/$vmname.qcow2"
+cdrom="/tank/vm/$vmname.iso"
+xml="/tank/vm/$vmname.xml"
 
 if [ -f /tank/vm/$vmname.qcow2 ]; then
     echo "Randomly generated name matched an existing VM! Odds are like one in a billion. Buy a lotto ticket."
     exit 1
 fi
 
-cp "$template_file" "/tank/vm/$disk"
+cp "$template_file" "$disk"
 cp /tank/config/cyberia-cloudinit.yml /tmp/cloudinit.yml
 echo "$pubkeys" | while IFS= read -r line; do
   echo "      - $line" >> /tmp/cloudinit.yml
 done
 
-cloud-localds "/tank/vm/$cdrom" /tmp/cloudinit.yml
+cloud-localds "$cdrom" /tmp/cloudinit.yml
 
-qemu-img resize "/tank/vm/$disk" "$root_volume_size"
+qemu-img resize "$disk" "$root_volume_size"
 virt-install \
     --memory "$memory" \
     --vcpus "$vcpus" \
     --name "$vmname" \
-    --disk "$qemu_tank_dir/vm/$disk",bus=virtio \
-    --disk "$qemu_tank_dir/vm/$cdrom",device=cdrom \
+    --disk "$disk",bus=virtio \
+    --disk "$cdrom",device=cdrom \
     --os-type Linux \
     --os-variant generic \
     --virt-type kvm \
     --graphics vnc,listen=127.0.0.1 \
-    --network network=$network_name,model=virtio \
+    --network network=$network_name,filterref=clean-traffic,model=virtio \
     --import \
-    --print-xml > "/tank/vm/$xml"
+    --print-xml > "$xml"
 
-chmod 0600 "/tank/vm/$xml" "/tank/vm/$disk" "/tank/vm/$cdrom"
-virsh define "/tank/vm/$xml"
+chmod 0600 "$xml" "$disk" "$cdrom"
+virsh define "$xml"
 virsh start "$vmname"
 
 echo "success"

capsulflask/templates/account-balance.html

@@ -46,9 +46,7 @@
             <a href="/payment/stripe">Add funds with Credit/Debit (stripe)</a>
             <ul><li>notice: stripe will load nonfree javascript </li></ul>
           </li>
-          {% if config['BTCPAY_PRIVATE_KEY'] != "" %}
           <li><a href="/payment/btcpay">Add funds with Bitcoin/Litecoin/Monero (btcpay)</a></li>
-          {% endif %}
     
           <li>Cash: email <a href="mailto:treasurer@cyberia.club">treasurer@cyberia.club</a></li>
         </ul>

capsulflask/templates/base.html

@@ -13,7 +13,7 @@
 <nav>
   <div class="row justify-space-between half-margin">
     <div>
-      🦉 <a href="/"><b>YOLOCOLO</b></a>
+      <a href="/"><b>Capsul</b></a>💊
     </div>
     <div>
       &nbsp;
@@ -27,10 +27,11 @@
   <div class="row justify-center half-margin wrap nav-links">
     <a href="/pricing">Pricing</a>
     <a href="/faq">FAQ</a>
+    <a href="/changelog">Changelog</a>
 
     {% if session["account"] %} 
       <a href="/console">Capsuls</a>
-      <a href="/console/ssh">SSH Public Keys</a>
+      <a href="/console/keys">SSH &amp; API Keys</a>
       <a href="/console/account-balance">Account Balance</a>
     {% endif %}
 
@@ -46,12 +47,11 @@
 </main>
 {% block subcontent %}{% endblock %}
 <footer>
-  This server runs <a
-    href="https://giit.cyberia.club/~forest/capsul-flask">capsul-flask</a> by
-  Cyberia Computer Club, available under the <a
-    href="https://creativecommons.org/licenses/by-sa/4.0/">Attribution-ShareAlike
-    4.0 International</a> licence.<br/><br/>
-  <a href="https://git.autonomic.zone/3wordchant/capsul-flask/src/branch/yolocolo/capsulflask{% block pagesource %}{% endblock %}">View page source</a>
+  (c) Attribution-ShareAlike 4.0 International <br/>
+  &nbsp;&nbsp;&nbsp;&nbsp;A service by Cyberia Computer Club 2020-<span class="bigtext">∞</span> <br/>
+  <br/>
+  <br/>
+  <a href="https://giit.cyberia.club/~forest/capsul-flask/tree/master/capsulflask{% block pagesource %}{% endblock %}">View page source</a>
 </footer>
 </body>
 </html>

capsulflask/templates/capsul-detail.html

@@ -101,7 +101,7 @@
       </div>
       <div class="row justify-start">
         <label class="align" for="ssh_authorized_keys">SSH Authorized Keys</label>
-        <a id="ssh_authorized_keys" href="/console/ssh">{{ vm['ssh_authorized_keys'] }}</a>
+        <a id="ssh_authorized_keys" href="/console/keys">{{ vm['ssh_authorized_keys'] }}</a>
       </div>
       
     </div>

capsulflask/templates/create-capsul.html

@@ -31,7 +31,7 @@
     <p>(At least one month of funding is required)</p>
   {% elif no_ssh_public_keys %}
     <p>You don't have any ssh public keys yet.</p> 
-    <p>You must <a href="/console/ssh">upload one</a> before you can create a Capsul.</p>
+    <p>You must <a href="/console/keys">upload one</a> before you can create a Capsul.</p>
   {% elif not capacity_avaliable %}
     <p>Host(s) at capacity. No capsuls can be created at this time. sorry. </p> 
   {% else %}

capsulflask/templates/faq.html

@@ -10,32 +10,81 @@
 <p>
  <ul>
    <li>
-     What is this?
-     <p>
-      This is a <strong>technical demo</strong> of <a
-       href="https://giit.cyberia.club/~forest/capsul-flask">Capsul</a>, for the
-      as-yet-untitled <a href="https://coops.tech">Cotech</a> server hosting
-      initiative, which you can <a
-      href="https://community.coops.tech/t/call-for-input-v2-co-op-vps-survey/2802/9">read
-     about on the Cotech forum</a>.
-     </p>
+     Which instance type should I buy?
+     <p>There are no hard rules for this sort of thing, but here are some guidelines:</p>
+     <p>f1-xs: blog, vpn, bot, cgit</p>
+     <p>f1-s: a bot, owncloud, gitea, popular blog</p>
+     <p>f1-m: docker host, build system</p>
+     <p>f1-l: large webservice, rotund java app</p>
+     <p>f1-x: gitlab (wow such memory very devops</p>
+     <p>f1-xx: something gargantuan</p>
    </li>
    <li>
-     What do you mean, "technical demo"?
-     <p>No backups</p>
-     <p>No service level agreement</p>
-     <p>"Best effort" support</p>
+     How do I log in?
+     <p>ssh to the ip provided to you using the cyberian user.</p>
+     <pre class='code'>$ ssh cyberian@1.2.3.4</pre>
    </li>
    <li>
-     Where can I get this, but, more reliable?
-     <p>Cyberia, the authors of this platform, run the canonical instance, <a
-      href="https://capsul.org">Capsul.org</a>, on hardware they own. Please
-     send them your money! (cash, crypto, or card accepted).</p>
+     How do I change to the root user?
+     <p>The cyberian user has passwordless sudo access by default. This should work:</p>
+     <pre class='code'>
+# Linux
+$ sudo su -
+
+# OpenBSD
+$ doas su -</pre>
    </li>
    <li>
-     How do I use this system?
-     <p>Please see <a href="https://capsul.org/faq">the official Capsul FAQ
-       page</a>.</p>
+     Do you offer reverse DNS?
+     <p>We do, but right now it's a manual process. Shoot us an email and we'll get it done.</p>
+   </li>
+   <li>
+    What if I don't pay / don't maintain my payments?
+    <p>Your VM will eventually be deleted.
+       Capsul will send you a few inoffensive reminders as that termination date approaches.
+    </p>
+   </li>
+   <li>
+    Besides my virtual machines and payments, what information do you keep about me?
+     <p>We associate an email address with every VM so that we can track payment and respond to support requests.</p>
+     <p>If you pay with a credit card, Stripe stores some additional details about you that we literally cannot delete.</p>
+   </li>
+   <li>
+     What can I do with my VM?
+     <p>Make it into a mailserver, a tor relay, a VPN host, whatever you'd like - we do have one small request, though.</p>
+     <p>Crypto mining on capsul is currently considered obnoxious behavior, because the hashrates on our CPUs is so low and because mining crypto consumes entire processor cores that could have otherwise been shared between many dozens of other users.</p>
+     <p>In the future, if we have plentiful CPU resources, we may come out with a tier more suitable for mining - maybe a high cpu tier or similar, where each VM gets a full dedicated core and sharing them is not anticipated.</p>
+     <p>We will never snoop on your traffic or inspect what's going on inside of our customer virtual machines - we don't want to. We hope that you'll extend us a similar courtesy and try not to use too much of our shared CPU resources. Capsul is currently a shared (resource-wise) world, and we all must live in it together!</p>
+     <p>Also, mandatory: our systems exist within the USA, and as such those systems are bound by US law.</p>
+   </li>
+   <li>
+     Can you recover my passwords/insert new keys?
+     <p>Can we? Technically yes. Will we? No, never. It would violate the trust that our users have in us.
+     We have no interest in touching client VMs after they're running.
+     We promise to keep your machines running smoothly.
+     If you lose access to your VM, that's on you.</p>
+   </li>
+   <li>
+     Do you offer refunds?
+     <p>Not now, but email us and we can probably figure something out.</p>
+   </li>
+   <li>
+    Where do the VMs run? Is it on a machine that you guys own/control?
+     <p>Capsul runs on a server named Baikal which Cyberia built from scratch & mailed to a datacenter
+      in Georgia called CyberWurx. CyberWurx staff installed it for us in a rack space that
+      Cyberia pays for. </p>
+   </li>
+   <li>
+     Do you offer support?
+     <p>Yep, see <a href="/support">our support page</a>.</p>
+   </li>
+   <li>
+     Do you have an SLA?
+     <p>No, but we normally respond pretty quickly.</p>
+   </li>
+   <li>
+    Will you implement feature X?
+    <p>Maybe! Email <a href="mailto:ops@cyberia.club">ops@cyberia.club</a> and ask us about it.</p>
    </li>
  </ul>
 </p>

capsulflask/templates/index.html

@@ -1,26 +1,31 @@
 {% extends 'base.html' %}
 
-{% block content %}
-  <h1>
-  <pre>
-             _                 _
- _   _  ___ | | ___   ___ ___ | | ___
-| | | |/ _ \| |/ _ \ / __/ _ \| |/ _ \
-| |_| | (_) | | (_) | (_| (_) | | (_) |
- \__, |\___/|_|\___/ \___\___/|_|\___/
- |___/
 
+{% block content %}
+  <h1>CAPSUL</h1>
+  <pre>
+       .-.  
+      /:::\ 
+     /::::/ 
+    / `-:/  
+   /    /   
+   \   /    
+    `"`     
   </pre>
-  <span>Co-operative hosting using <a href="https://cyberia.club">Cyberia</a>'s Capsul</span>
+  <span>Simple, fast, private compute by <a href="https://cyberia.club">cyberia.club</a></span>
 {% endblock %}
 
 {% block subcontent %}
 <p>
  <ul>
-   <li>Sign up for an account!</li>
-   <li>Add some funds!</li>
-   <li>Create a VPS!</li>
-   <li>Give your feedback!</li>
+   <li>Low friction: simply log in with your email address and fund your account with Credit/Debit or Cryptocurrency</li>
+   <li>All root disks are backed up at no charge</li>
+   <li>All storage is fast, local, and solid-state</li>
+   <li>All network connections are low latency</li>
+   <li>Supported by amazing volunteers from Cyberia</li>
+   <li>Upfront prices, no confusing billing</li>
+   <li>Operated by a Minnesota non-profit organization that will never exploit you</li>
+   <li>We donate a portion of our proceeds to likeminded hacker groups around the globe</li>
  </ul>           
 </p>
 {% endblock %}

capsulflask/templates/keys.html

@@ -1,17 +1,18 @@
 {% extends 'base.html' %}
 
-{% block title %}SSH Public Keys{% endblock %}
+{% block title %}SSH & API Keys{% endblock %}
 
 {% block content %}
 <div class="row third-margin">
   <h1>SSH PUBLIC KEYS</h1>
 </div>
 <div class="row third-margin"><div>
-  {% if has_ssh_public_keys %} <hr/> {% endif %}
+    {% if ssh_public_keys|length > 0 %} <hr/> {% endif %}
   
   {% for ssh_public_key in ssh_public_keys %}
     <form method="post">
       <input type="hidden" name="method" value="DELETE"></input> 
+      <input type="hidden" name="action" value="delete_ssh_key"></input>
       <input type="hidden" name="name" value="{{ ssh_public_key['name'] }}"></input> 
       <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
       <div class="row">
@@ -22,13 +23,14 @@
     </form>
   {% endfor %}
 
-  {% if has_ssh_public_keys %} <hr/> {% endif %}
+  {% if ssh_public_keys|length > 0 %} <hr/> {% endif %}
 
   <div class="third-margin">
     <h1>UPLOAD A NEW SSH PUBLIC KEY</h1>
   </div>
   <form method="post">
     <input type="hidden" name="method" value="POST"></input>
+    <input type="hidden" name="action" value="upload_ssh_key"></input>
     <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
     <div class="row justify-start">
       <label class="align" for="content">File Contents</label>
@@ -54,6 +56,51 @@
     </div>
   </form>
 </div></div>
+<hr/>
+<div class="row third-margin">
+  <h1>API KEYS</h1>
+</div>
+<div class="row third-margin"><div>
+  {% if generated_api_token %}
+    <hr/>
+    Generated key:
+    <span class="code">{{ generated_api_token }}</span>
+  {% endif %}
+  {% if api_tokens|length >0 %} <hr/>{% endif %}
+  {% for api_token in api_tokens %}
+    <form method="post">
+      <input type="hidden" name="method" value="DELETE"></input> 
+      <input type="hidden" name="action" value="delete_api_token"></input>
+      <input type="hidden" name="id" value="{{ api_token['id'] }}"></input> 
+      <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
+      <div class="row">
+        <span class="code">{{ api_token['name'] }}</span>
+        created {{ api_token['created'].strftime("%b %d %Y") }}
+        <input type="submit" value="Delete">
+      </div>
+    </form>
+  {% endfor %}
+  {% if api_tokens|length >0 %} <hr/>{% endif %}
+
+  <div class="third-margin">
+    <h1>GENERATE A NEW API KEY</h1>
+  </div>
+  <form method="post">
+    <input type="hidden" name="method" value="POST"></input>
+    <input type="hidden" name="action" value="generate_api_token"></input>
+    <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
+    <div class="smalltext">
+      <p>Generate a new API key, to integrate with other systems.</p>
+    </div>
+    <div class="row justify-start">
+      <label class="align" for="name">Key Name</label>
+      <input type="text" id="name" name="name"></input> (defaults to creation time)
+    </div>
+    <div class="row justify-end">
+      <input type="submit" value="Generate">
+    </div>
+  </form>
+</div></div>
 {% endblock %}
 
 {% block pagesource %}/templates/ssh-public-keys.html{% endblock %}

capsulflask/templates/pricing.html

@@ -7,17 +7,26 @@
     <h1>CAPSUL TYPES & PRICING</h1>
   </div>
   <div class="row half-margin">
-    <p>
-      Rates for this service isn't set yet. You can see Cyberia's Capsul pricing
-      on <a href="https://capsul.org/pricing">their website</a>.
-    </p>
-  </div>
-  <div>
     <pre>
-      SUPPORTED OPERATING SYSTEMS:
+    type     monthly*  cpus  mem     ssd   net*
+    -----    -------   ----  ---     ---   ---
+    f1-xs    $5.00     1     512M    25G   .5TB
+    f1-s     $7.50     1     1024M   25G   1TB
+    f1-m     $12.50    1     2048M   25G   2TB
+    f1-l     $20.00    2     3072M   25G   3TB
+    f1-x     $27.50    3     4096M   25G   4TB
+    f1-xx    $50.00    4     8192M   25G   5TB
 
-      {% for os_id, os in operating_systems.items() %}   - {{ os.description }} 
-      {% endfor %}
-    </pre>
+    * net is calculated as a per-month average
+    * vms are billed for a minimum of 24 hours upon creation
+    * all VMs come standard with one public IPv4 address
+  
+    
+    SUPPORTED OPERATING SYSTEMS:
+
+
+    {% for os_id, os in operating_systems.items() %}   - {{ os.description }} 
+    {% endfor %}
+  </pre>
   </div>
 {% endblock %}

capsulflask/templates/support.html

@@ -7,14 +7,20 @@
     <h1>SUPPORT</h1>
   </div>
   <div class="row half-margin">
-    <a href="mailto:yolocolo@doesthisthing.work?subject=Please%20help!">yolocolo@doesthisthing.work</a> 
+    <a href="mailto:support@cyberia.club?subject=Please%20help!">support@cyberia.club</a> 
   </div>
 {% endblock %}
 
 {% block subcontent %}
 <p>
-  You can also find us on Matrix: <a
-    href="https://matrix.to/#/#untitled-hosting.public:autonomic.zone">#untitled-hosting.public:autonomic.zone</a>.
+  Note: We maintain a searchable archive of all support emails at 
+  <a href="https://lists.cyberia.club/~cyberia/support">https://lists.cyberia.club/~cyberia/support</a>
+</p>
+<p>
+  If you do not want your mail to appear in a public archive, email <a href="mailto:capsul@cyberia.club?subject=Please%20help!">capsul@cyberia.club</a> instead.
+</p>
+<p>
+  Please describe your problem or feature request, and we will do our best to get back to you promptly. Thank you very much.
 </p>
 {% endblock %}
 

docker-compose.yml

@@ -7,26 +7,17 @@ services:
     build: .
     volumes:
       - "./:/app/code"
-      - "../tank:/tank"
-      - "/var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock"
     depends_on:
       - db
     ports:
       - "5000:5000"
     environment:
       - "POSTGRES_CONNECTION_PARAMETERS=host=db port=5432 user=capsul password=capsul dbname=capsul"
-      - SPOKE_MODEL=shell-scripts
-        #- FLASK_DEBUG=1
-      - BASE_URL=http://localhost:5000
-      - ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES=3wc.capsul@doesthisthing.work
-      - VIRSH_DEFAULT_CONNECT_URI=qemu:///system
     # The image uses gunicorn by default, let's override it with Flask's
     # built-in development server
     command: ["flask", "run", "-h", "0.0.0.0", "-p", "5000"]
-    devices:
-      - "/dev/kvm:/dev/kvm"
   db:
-    image: "postgres:9.6.5-alpine"
+    image: "postgres:9.6.5"
     volumes:
       - "postgres:/var/lib/postgresql/data"
     environment: