Fix API 🙈

.. using server-side API tokens

.drone.yml

@@ -0,0 +1,13 @@
+---
+kind: pipeline
+name: publish docker image
+steps:
+  - name: build and publish
+    image: plugins/docker
+    settings:
+      username:
+        from_secret: docker_reg_username_3wc
+      password:
+        from_secret: docker_reg_passwd_3wc
+      repo: 3wordchant/capsul-flask
+      tags: ${DRONE_COMMIT_BRANCH}

Dockerfile

@@ -0,0 +1,48 @@
+FROM python:3.8-alpine as build
+
+RUN apk add --no-cache \
+    build-base \
+    gcc \
+    gettext \
+    git \
+    jpeg-dev \
+    libffi-dev \
+    libjpeg \
+    musl-dev \
+    postgresql-dev \
+    python3-dev \
+    zlib-dev
+
+RUN mkdir -p /app/{code,venv}
+WORKDIR /app/code
+COPY Pipfile Pipfile.lock /app/code/
+
+RUN python3 -m venv /app/venv
+RUN pip install pipenv setuptools
+ENV PATH="/app/venv/bin:$PATH" VIRTUAL_ENV="/app/venv"
+RUN pip install wheel cppy
+# Install dependencies into the virtual environment with Pipenv
+RUN pipenv install --deploy --verbose
+
+FROM python:3.8-alpine
+
+RUN apk add --no-cache \
+    cloud-utils \
+    libjpeg \
+    libpq \
+    libstdc++ \
+    libvirt-client \
+    openssh-client \
+    virt-install
+
+COPY . /app/code/
+WORKDIR /app/code
+
+COPY --from=build /app/venv /app/venv
+ENV PATH="/app/venv/bin:$PATH" VIRTUAL_ENV="/app/venv"
+
+CMD ["gunicorn", "--bind", "0.0.0.0:5000", "-k", "gevent", "--worker-connections", "1000", "app:app"]
+
+VOLUME /app/code
+
+EXPOSE 5000

capsulflask/__init__.py

@@ -27,8 +27,24 @@ class StdoutMockFlaskMail:
     def send(self, message: Message):
       current_app.logger.info(f"Email would have been sent if configured:\n\nto: {','.join(message.recipients)}\nsubject: {message.subject}\nbody:\n\n{message.body}\n\n")
 
+
 load_dotenv(find_dotenv())
 
+for var_name in [
+  "SPOKE_HOST_TOKEN", "HUB_TOKEN", "STRIPE_SECRET_KEY",
+  "BTCPAY_PRIVATE_KEY", "MAIL_PASSWORD"
+]:
+  var = os.environ.get(f"{var_name}_FILE")
+  if not var:
+    continue
+
+  if not os.path.isfile(var):
+    continue
+
+  with open(var) as secret_file:
+    os.environ[var_name] = secret_file.read().rstrip('\n')
+  del os.environ[f"{var_name}_FILE"]
+
 app = Flask(__name__)
 
 app.config.from_mapping(
@@ -166,7 +182,6 @@ if app.config['THEME'] != "":
   app.jinja_loader = my_loader
 
 if app.config['HUB_MODE_ENABLED']:
-
   if app.config['HUB_MODEL'] == "capsul-flask":
     app.config['HUB_MODEL'] = hub_model.CapsulFlaskHub()
 
@@ -188,7 +203,9 @@ if app.config['HUB_MODE_ENABLED']:
   from capsulflask import db
   db.init_app(app, is_running_server)
 
-  from capsulflask import auth, landing, console, payment, metrics, cli, hub_api, admin
+  from capsulflask import (
+    auth, landing, console, payment, metrics, cli, hub_api, publicapi, admin
+  )
 
   app.register_blueprint(landing.bp)
   app.register_blueprint(auth.bp)
@@ -198,13 +215,13 @@ if app.config['HUB_MODE_ENABLED']:
   app.register_blueprint(cli.bp)
   app.register_blueprint(hub_api.bp)
   app.register_blueprint(admin.bp)
+  app.register_blueprint(publicapi.bp)
 
   app.add_url_rule("/", endpoint="index")
 
 
 
 if app.config['SPOKE_MODE_ENABLED']:
-
   if app.config['SPOKE_MODEL'] == "shell-scripts":
     app.config['SPOKE_MODEL'] = spoke_model.ShellScriptSpoke()
   else:

capsulflask/auth.py

@@ -1,3 +1,4 @@
+from base64 import b64decode
 import functools
 import re
 
@@ -24,6 +25,15 @@ def account_required(view):
 
     @functools.wraps(view)
     def wrapped_view(**kwargs):
+        api_token = request.headers.get('authorization', None)
+        if api_token is not None:
+            email = get_model().authenticate_token(b64decode(api_token).decode('utf-8'))
+
+            if email is not None:
+                session.clear()
+                session["account"] = email
+                session["csrf-token"] = generate()
+
         if session.get("account") is None or session.get("csrf-token") is None :
             return redirect(url_for("auth.login"))
 
@@ -56,7 +66,7 @@ def login():
         if not email:
             errors.append("email is required")
         elif len(email.strip()) < 6 or email.count('@') != 1 or email.count('.') == 0: 
-	        errors.append("enter a valid email address")
+            errors.append("enter a valid email address")
 
         if len(errors) == 0:
             result = get_model().login(email)

capsulflask/console.py

@@ -1,7 +1,9 @@
+from base64 import b64encode
+from datetime import datetime, timedelta
+import json
 import re
 import sys
-import json
-from datetime import datetime, timedelta
+
 from flask import Blueprint
 from flask import flash
 from flask import current_app
@@ -98,7 +100,6 @@ def index():
 @bp.route("/<string:id>", methods=("GET", "POST"))
 @account_required
 def detail(id):
-
   duration=request.args.get('duration')
   if not duration:
     duration = "5m"
@@ -188,6 +189,70 @@ def detail(id):
       duration=duration
     )
 
+def _create(email, vm_sizes, operating_systems, public_keys_for_account, affordable_vm_sizes, server_data):
+  errors = list()
+
+  size = server_data.get("size")
+  os = server_data.get("os")
+  posted_keys_count = int(server_data.get("ssh_authorized_key_count"))
+
+  if not size:
+    errors.append("Size is required")
+  elif size not in vm_sizes:
+    errors.append(f"Invalid size {size}")
+  elif size not in affordable_vm_sizes:
+    errors.append(f"Your account must have enough credit to run an {size} for 1 month before you will be allowed to create it")
+
+
+  if not os:
+    errors.append("OS is required")
+  elif os not in operating_systems:
+    errors.append(f"Invalid os {os}")
+
+  posted_keys = list()
+
+  if posted_keys_count > 1000:
+    errors.append("something went wrong with ssh keys")
+  else:
+    for i in range(0, posted_keys_count):
+      if f"ssh_key_{i}" in server_data:
+        posted_name = server_data.get(f"ssh_key_{i}")
+        key = None
+        for x in public_keys_for_account:
+          if x['name'] == posted_name:
+            key = x
+        if key:
+          posted_keys.append(key)
+        else:
+          errors.append(f"SSH Key \"{posted_name}\" doesn't exist")
+
+  if len(posted_keys) == 0:
+    errors.append("At least one SSH Public Key is required")
+
+  capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(
+    vm_sizes[size]['memory_mb']*1024*1024
+  )
+
+  if not capacity_avaliable:
+    errors.append("""
+      host(s) at capacity. no capsuls can be created at this time. sorry. 
+    """)
+
+  if len(errors) == 0:
+    id = make_capsul_id()
+    current_app.config["HUB_MODEL"].create(
+      email = email,
+      id=id,
+      os=os,
+      size=size,
+      template_image_file_name=operating_systems[os]['template_image_file_name'],
+      vcpus=vm_sizes[size]['vcpus'],
+      memory_mb=vm_sizes[size]['memory_mb'],
+      ssh_authorized_keys=list(map(lambda x: dict(name=x['name'], content=x['content']), posted_keys))
+    )
+    return id, errors
+
+  return None, errors
 
 @bp.route("/create", methods=("GET", "POST"))
 @account_required
@@ -210,64 +275,14 @@ def create():
   if request.method == "POST":
     if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
       return abort(418, f"u want tea")
-
-    size = request.form["size"]
-    os = request.form["os"]
-    if not size:
-      errors.append("Size is required")
-    elif size not in vm_sizes:
-      errors.append(f"Invalid size {size}")
-    elif size not in affordable_vm_sizes:
-      errors.append(f"Your account must have enough credit to run an {size} for 1 month before you will be allowed to create it")
-
-    if not os:
-      errors.append("OS is required")
-    elif os not in operating_systems:
-      errors.append(f"Invalid os {os}")
-
-    posted_keys_count = int(request.form["ssh_authorized_key_count"])
-    posted_keys = list()
-
-    if posted_keys_count > 1000:
-      errors.append("something went wrong with ssh keys")
-    else:
-      for i in range(0, posted_keys_count):
-        if f"ssh_key_{i}" in request.form:
-          posted_name = request.form[f"ssh_key_{i}"]
-          key = None
-          for x in public_keys_for_account:
-            if x['name'] == posted_name:
-              key = x
-          if key:
-            posted_keys.append(key)
-          else:
-            errors.append(f"SSH Key \"{posted_name}\" doesn't exist")
-
-    if len(posted_keys) == 0:
-      errors.append("At least one SSH Public Key is required")
-
-    capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(vm_sizes[size]['memory_mb']*1024*1024)
-
-    if not capacity_avaliable:
-      errors.append("""
-        host(s) at capacity. no capsuls can be created at this time. sorry. 
-      """)
-
+    id, errors = _create(
+      session['account'],
+      vm_sizes, 
+      operating_systems,
+      public_keys_for_account,
+      affordable_vm_sizes,
+      request.form)
     if len(errors) == 0: 
-      id = make_capsul_id()
-      # we can't create the vm record in the DB yet because its IP address needs to be allocated first.
-      # so it will be created when the allocation happens inside the hub_api.
-      current_app.config["HUB_MODEL"].create(
-        email = session["account"],
-        id=id,
-        os=os,
-        size=size,
-        template_image_file_name=operating_systems[os]['template_image_file_name'],
-        vcpus=vm_sizes[size]['vcpus'],
-        memory_mb=vm_sizes[size]['memory_mb'],
-        ssh_authorized_keys=list(map(lambda x: dict(name=x['name'], content=x['content']), posted_keys)) 
-      )
-      
       return redirect(f"{url_for('console.index')}?created={id}")
   
 
@@ -290,23 +305,25 @@ def create():
     vm_sizes=affordable_vm_sizes
   )
 
-@bp.route("/ssh", methods=("GET", "POST"))
+@bp.route("/keys", methods=("GET", "POST"))
 @account_required
-def ssh_public_keys():
+def ssh_api_keys():
   errors = list()
 
+  token = None
+
   if request.method == "POST":
     if "csrf-token" not in request.form or request.form['csrf-token'] != session['csrf-token']:
       return abort(418, f"u want tea")
       
-    method = request.form["method"]
-    content = None
-    if method == "POST":
+    action = request.form["action"]
+
+    if action == 'upload_ssh_key':
+      content = None
       content = request.form["content"].replace("\r", " ").replace("\n", " ").strip()
         
-    name = request.form["name"]
-    if not name or len(name.strip()) < 1:
-      if method == "POST":
+      name = request.form["name"]
+      if not name or len(name.strip()) < 1:
         parts = re.split(" +", content)
         if len(parts) > 2 and len(parts[2].strip()) > 0:
           name = parts[2].strip()
@@ -314,10 +331,9 @@ def ssh_public_keys():
           name = parts[0].strip()
       else:
         errors.append("Name is required")
-    if not re.match(r"^[0-9A-Za-z_@:. -]+$", name):
-      errors.append(f"Key name '{name}' must match \"^[0-9A-Za-z_@:. -]+$\"")
+      if not re.match(r"^[0-9A-Za-z_@:. -]+$", name):
+        errors.append(f"Key name '{name}' must match \"^[0-9A-Za-z_@:. -]+$\"")
 
-    if method == "POST":
       if not content or len(content.strip()) < 1:
         errors.append("Content is required")
       else:
@@ -330,24 +346,36 @@ def ssh_public_keys():
       if len(errors) == 0:
         get_model().create_ssh_public_key(session["account"], name, content)
 
-    elif method == "DELETE":
+    elif action == "delete_ssh_key":
+      get_model().delete_ssh_public_key(session["account"], name)
 
-      if len(errors) == 0:
-        get_model().delete_ssh_public_key(session["account"], name)
+    elif action == "generate_api_token":
+      name = request.form["name"]
+      if name == '':
+          name = datetime.utcnow().strftime('%y-%m-%d %H:%M:%S')
+      token = b64encode(
+        get_model().generate_api_token(session["account"], name).encode('utf-8')
+      ).decode('utf-8')
+
+    elif action == "delete_api_token":
+      get_model().delete_api_token(session["account"], request.form["id"])
 
   for error in errors:
     flash(error)
 
-  keys_list=list(map(
+  ssh_keys_list=list(map(
     lambda x: dict(name=x['name'], content=f"{x['content'][:20]}...{x['content'][len(x['content'])-20:]}"), 
     get_model().list_ssh_public_keys_for_account(session["account"])
   ))
 
+  api_tokens_list = get_model().list_api_tokens(session["account"])
+
   return render_template(
-    "ssh-public-keys.html", 
+    "keys.html", 
     csrf_token = session["csrf-token"],
-    ssh_public_keys=keys_list, 
-    has_ssh_public_keys=len(keys_list) > 0
+    api_tokens=api_tokens_list, 
+    ssh_public_keys=ssh_keys_list,
+    generated_api_token=token,
   )
 
 def get_vms():
@@ -371,7 +399,6 @@ def get_vm_months_float(vm, as_of):
   return days / average_number_of_days_in_a_month
 
 def get_account_balance(vms, payments, as_of):
-
   vm_cost_dollars = 0.0
   for vm in vms:
     vm_months = get_vm_months_float(vm, as_of)
@@ -384,7 +411,6 @@ def get_account_balance(vms, payments, as_of):
 @bp.route("/account-balance")
 @account_required
 def account_balance():
-
   payment_sessions = get_model().list_payment_sessions_for_account(session['account'])
   for payment_session in payment_sessions:
     if payment_session['type'] == 'btcpay':

capsulflask/db.py

@@ -33,7 +33,7 @@ def init_app(app, is_running_server):
     result = re.search(r"^\d+_(up|down)", filename)
     if not result:
       app.logger.error(f"schemaVersion {filename} must match ^\\d+_(up|down). exiting.")
-      exit(1)
+      continue
     key = result.group()
     with open(join(schemaMigrationsPath, filename), 'rb') as file:
       schemaMigrations[key] = file.read().decode("utf8")
@@ -43,7 +43,7 @@ def init_app(app, is_running_server):
   hasSchemaVersionTable = False
   actionWasTaken = False
   schemaVersion = 0
-  desiredSchemaVersion = 18
+  desiredSchemaVersion = 19
 
   cursor = connection.cursor()
 
@@ -128,4 +128,3 @@ def close_db(e=None):
   if db_model is not None:
     db_model.cursor.close()
     current_app.config['PSYCOPG2_CONNECTION_POOL'].putconn(db_model.connection)
-

capsulflask/db_model.py

@@ -1,8 +1,8 @@
-
 import re
 
 # I was never able to get this type hinting to work correctly 
 # from psycopg2.extensions import connection as Psycopg2Connection, cursor as Psycopg2Cursor
+import hashlib
 from nanoid import generate
 from flask import current_app
 from typing import List
@@ -17,7 +17,6 @@ class DBModel:
     self.cursor = cursor
 
 
-
   #     ------    LOGIN     ---------     
 
 
@@ -44,6 +43,16 @@ class DBModel:
 
     return (token, ignoreCaseMatches)
 
+  def authenticate_token(self, token):
+    m = hashlib.md5()
+    m.update(token.encode('utf-8'))
+    hash_token = m.hexdigest()
+    self.cursor.execute("SELECT email FROM api_tokens WHERE token = %s", (hash_token, ))
+    result = self.cursor.fetchall()
+    if len(result) == 1:
+      return result[0]
+    return None
+    
   def consume_token(self, token):
     self.cursor.execute("SELECT email FROM login_tokens WHERE token = %s and created > (NOW() - INTERVAL '20 min')", (token, ))
     row = self.cursor.fetchone()
@@ -132,6 +141,32 @@ class DBModel:
     self.cursor.execute( "DELETE FROM ssh_public_keys where email = %s AND name = %s", (email, name) )
     self.connection.commit()
 
+  def list_api_tokens(self, email):
+    self.cursor.execute(
+      "SELECT id, token, name, created FROM api_tokens WHERE email = %s", 
+      (email, )
+    )
+    return list(map(
+      lambda x: dict(id=x[0], token=x[1], name=x[2], created=x[3]), 
+      self.cursor.fetchall()
+    ))
+
+  def generate_api_token(self, email, name):
+    token = generate()
+    m = hashlib.md5()
+    m.update(token.encode('utf-8'))
+    hash_token = m.hexdigest()
+    self.cursor.execute(
+      "INSERT INTO api_tokens (email, name, token) VALUES (%s, %s, %s)", 
+      (email, name, hash_token)
+    )
+    self.connection.commit()
+    return token
+
+  def delete_api_token(self, email, id_):
+    self.cursor.execute( "DELETE FROM api_tokens where email = %s AND id = %s", (email, id_))
+    self.connection.commit()
+
   def list_vms_for_account(self, email):
     self.cursor.execute(""" 
       SELECT vms.id, vms.public_ipv4, vms.public_ipv6, vms.size, vms.os, vms.created, vms.deleted, vm_sizes.dollars_per_month
@@ -479,8 +514,3 @@ class DBModel:
     #cursor.close()
 
     return to_return
-      
-
-
-
-

capsulflask/hub_model.py

@@ -44,6 +44,7 @@ class MockHub(VirtualizationInterface):
     validate_capsul_id(id)
     current_app.logger.info(f"mock create: {id} for {email}")
     sleep(1)
+
     get_model().create_vm(
       email=email, 
       id=id, 
@@ -197,6 +198,10 @@ class CapsulFlaskHub(VirtualizationInterface):
     validate_capsul_id(id)
     online_hosts = get_model().get_online_hosts()
     #current_app.logger.debug(f"hub_model.create(): ${len(online_hosts)} hosts")
+
+    current_app.logger.error(f'{email}, {id} {os} {size} {template_image_file_name} {vcpus} {memory_mb}')
+    current_app.logger.error(f'{ssh_authorized_keys}')
+    
     payload = json.dumps(dict(
       type="create", 
       email=email, 
@@ -228,11 +233,12 @@ class CapsulFlaskHub(VirtualizationInterface):
         # no need to do anything here since if it cant be parsed then generic_operation will handle it.
         pass
 
+    if error_message != "":
+      raise ValueError(f"create capsul operation {operation_id} on {assigned_hosts} failed with {error_message}")
+      
     if number_of_assigned != 1:
       assigned_hosts_string = ", ".join(assigned_hosts)
       raise ValueError(f"expected create capsul operation {operation_id} to be assigned to one host, it was assigned to {number_of_assigned} ({assigned_hosts_string})")
-    if error_message != "":
-      raise ValueError(f"create capsul operation {operation_id} on {assigned_hosts_string} failed with {error_message}")
       
 
   def destroy(self, email: str, id: str):

capsulflask/publicapi.py

@@ -0,0 +1,50 @@
+import datetime
+
+from flask import Blueprint
+from flask import current_app
+from flask import jsonify
+from flask import request
+from flask import session
+from nanoid import generate
+
+from capsulflask.auth import account_required
+from capsulflask.db import get_model
+
+bp = Blueprint("publicapi", __name__, url_prefix="/api")
+
+@bp.route("/capsul/create", methods=["POST"])
+@account_required
+def capsul_create():
+    email = session["account"][0]
+    
+    from .console import _create, get_account_balance, get_payments, get_vms
+
+    vm_sizes = get_model().vm_sizes_dict()
+    operating_systems = get_model().operating_systems_dict()
+    public_keys_for_account = get_model().list_ssh_public_keys_for_account(session["account"])
+    account_balance = get_account_balance(get_vms(), get_payments(), datetime.datetime.utcnow())
+    capacity_avaliable = current_app.config["HUB_MODEL"].capacity_avaliable(512*1024*1024)
+
+    affordable_vm_sizes = dict()
+    for key, vm_size in vm_sizes.items():
+      # if a user deposits $7.50 and then creates an f1-s vm which costs 7.50 a month, 
+      # then they have to delete the vm and re-create it, they will not be able to, they will have to pay again.
+      # so for UX it makes a lot of sense to give a small margin of 25 cents for usability sake
+      if vm_size["dollars_per_month"] <= account_balance+0.25:
+        affordable_vm_sizes[key] = vm_size
+
+    request.json['ssh_authorized_key_count'] = 1
+
+    id, errors = _create(
+      email,
+      vm_sizes, 
+      operating_systems,
+      public_keys_for_account,
+      affordable_vm_sizes,
+      request.json)
+
+    if id is not None:
+        return jsonify(
+            id=id,
+        )
+    return jsonify(errors=errors)

capsulflask/schema_migrations/19_down_api_tokens.py

@@ -0,0 +1,2 @@
+DROP TABLE api_keys;
+UPDATE schemaversion SET version = 18;

capsulflask/schema_migrations/19_up_api_tokens.py

@@ -0,0 +1,9 @@
+CREATE TABLE api_tokens (
+  id                 SERIAL PRIMARY KEY,
+  email              TEXT REFERENCES accounts(email) ON DELETE RESTRICT,
+  name               TEXT NOT NULL,
+  created            TIMESTAMP NOT NULL DEFAULT NOW(),
+  token              TEXT NOT NULL
+);
+
+UPDATE schemaversion SET version = 19;

capsulflask/shell_scripts/capacity-avaliable.sh

@@ -3,7 +3,7 @@
 # check available RAM and IPv4s
 
 ram_bytes_to_allocate="$1"
-ram_bytes_available=$(grep -E "^(size|memory_available_bytes)" /proc/spl/kstat/zfs/arcstats | awk '{sum+=$3} END {printf "%.0f", sum}')
+ram_bytes_available="$(($(grep Available /proc/meminfo | grep -o '[0-9]*') * 1024))"
 ram_bytes_remainder="$((ram_bytes_available - ram_bytes_to_allocate))"
 
 if echo "$ram_bytes_to_allocate" | grep -vqE "^[0-9]+$"; then
@@ -11,8 +11,8 @@ if echo "$ram_bytes_to_allocate" | grep -vqE "^[0-9]+$"; then
   exit 1
 fi
 
-# 20GB
-if [ "$ram_bytes_remainder" -le $((20 * 1024 * 1024 * 1024)) ]; then
+# 0.25GB
+if [ "$ram_bytes_remainder" -le $((1 * 1024 * 1024 * 1024 / 4)) ]; then
   echo "VM is requesting more RAM than $(hostname -f) has available."
   echo "Bytes requested: $ram_bytes_to_allocate"
   echo "Bytes available: $ram_bytes_available"

capsulflask/shell_scripts/create.sh

@@ -6,6 +6,7 @@
 
 vmname="$1"
 template_file="/tank/img/$2"
+qemu_tank_dir="/tank"
 vcpus="$3"
 memory="$4"
 pubkeys="$5"
@@ -50,40 +51,40 @@ if echo "$public_ipv4" | grep -vqE "^[0-9.]+$"; then
   exit 1
 fi
 
-disk="/tank/vm/$vmname.qcow2"
-cdrom="/tank/vm/$vmname.iso"
-xml="/tank/vm/$vmname.xml"
+disk="$vmname.qcow2"
+cdrom="$vmname.iso"
+xml="$vmname.xml"
 
 if [ -f /tank/vm/$vmname.qcow2 ]; then
     echo "Randomly generated name matched an existing VM! Odds are like one in a billion. Buy a lotto ticket."
     exit 1
 fi
 
-cp "$template_file" "$disk"
+cp "$template_file" "/tank/vm/$disk"
 cp /tank/config/cyberia-cloudinit.yml /tmp/cloudinit.yml
 echo "$pubkeys" | while IFS= read -r line; do
   echo "      - $line" >> /tmp/cloudinit.yml
 done
 
-cloud-localds "$cdrom" /tmp/cloudinit.yml
+cloud-localds "/tank/vm/$cdrom" /tmp/cloudinit.yml
 
-qemu-img resize "$disk" "$root_volume_size"
+qemu-img resize "/tank/vm/$disk" "$root_volume_size"
 virt-install \
     --memory "$memory" \
     --vcpus "$vcpus" \
     --name "$vmname" \
-    --disk "$disk",bus=virtio \
-    --disk "$cdrom",device=cdrom \
+    --disk "$qemu_tank_dir/vm/$disk",bus=virtio \
+    --disk "$qemu_tank_dir/vm/$cdrom",device=cdrom \
     --os-type Linux \
     --os-variant generic \
     --virt-type kvm \
     --graphics vnc,listen=127.0.0.1 \
-    --network network=$network_name,filterref=clean-traffic,model=virtio \
+    --network network=$network_name,model=virtio \
     --import \
-    --print-xml > "$xml"
+    --print-xml > "/tank/vm/$xml"
 
-chmod 0600 "$xml" "$disk" "$cdrom"
-virsh define "$xml"
+chmod 0600 "/tank/vm/$xml" "/tank/vm/$disk" "/tank/vm/$cdrom"
+virsh define "/tank/vm/$xml"
 virsh start "$vmname"
 
 echo "success"

capsulflask/static/style.css

@@ -1,8 +1,8 @@
 html {
-  color: #bdc7b8;
+  color: #241e1e;
   font: calc(0.40rem + 1vmin) monospace;
   overflow-y: scroll;
-  background-color: #241e1e;
+  background-color: #bdc7b8;
 }
 
 body {
@@ -19,8 +19,8 @@ body {
 }
 
 a {
-  color:#6CF;
-  text-shadow: 1px 1px 0px #000c;
+  color:#00517a;
+  text-shadow: 1px 1px 0px #eee;
 }
 
 a.no-shadow {
@@ -28,7 +28,7 @@ a.no-shadow {
 }
 
 a:hover, a:active, a:visited {
-  color: #b5bd68;
+  color: #323417;
 } 
 
 .nav-links  a {
@@ -59,11 +59,11 @@ h1, h2, h3, h4, h5 {
   margin: initial;
   padding: initial;
   text-transform: uppercase;
-  text-shadow: 2px 2px 0px #0007;
+  text-shadow: 2px 2px 0px #eee;
 }
 
 main {
-  border: 1px dashed #bdc7b8;
+  border: 1px dashed #241e1e;
   padding: 1rem;
   margin-bottom: 2em;
 
@@ -143,7 +143,7 @@ input, textarea, select, label {
 input, select, textarea {
   outline: 0;
   padding: 0.25em 0.5em;
-  color: #bdc7b8;
+  color: #241e1e;
   background-color: #bdc7b805;
 }
 

capsulflask/templates/base.html

@@ -31,7 +31,7 @@
 
     {% if session["account"] %} 
       <a href="/console">Capsuls</a>
-      <a href="/console/ssh">SSH Public Keys</a>
+      <a href="/console/keys">SSH &amp; API Keys</a>
       <a href="/console/account-balance">Account Balance</a>
     {% endif %}
 

capsulflask/templates/capsul-detail.html

@@ -101,7 +101,7 @@
       </div>
       <div class="row justify-start">
         <label class="align" for="ssh_authorized_keys">SSH Authorized Keys</label>
-        <a id="ssh_authorized_keys" href="/console/ssh">{{ vm['ssh_authorized_keys'] }}</a>
+        <a id="ssh_authorized_keys" href="/console/keys">{{ vm['ssh_authorized_keys'] }}</a>
       </div>
       
     </div>

capsulflask/templates/create-capsul.html

@@ -31,7 +31,7 @@
     <p>(At least one month of funding is required)</p>
   {% elif no_ssh_public_keys %}
     <p>You don't have any ssh public keys yet.</p> 
-    <p>You must <a href="/console/ssh">upload one</a> before you can create a Capsul.</p>
+    <p>You must <a href="/console/keys">upload one</a> before you can create a Capsul.</p>
   {% elif not capacity_avaliable %}
     <p>Host(s) at capacity. No capsuls can be created at this time. sorry. </p> 
   {% else %}

capsulflask/templates/keys.html

@@ -1,17 +1,18 @@
 {% extends 'base.html' %}
 
-{% block title %}SSH Public Keys{% endblock %}
+{% block title %}SSH & API Keys{% endblock %}
 
 {% block content %}
 <div class="row third-margin">
   <h1>SSH PUBLIC KEYS</h1>
 </div>
 <div class="row third-margin"><div>
-  {% if has_ssh_public_keys %} <hr/> {% endif %}
+    {% if ssh_public_keys|length > 0 %} <hr/> {% endif %}
   
   {% for ssh_public_key in ssh_public_keys %}
     <form method="post">
       <input type="hidden" name="method" value="DELETE"></input> 
+      <input type="hidden" name="action" value="delete_ssh_key"></input>
       <input type="hidden" name="name" value="{{ ssh_public_key['name'] }}"></input> 
       <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
       <div class="row">
@@ -22,13 +23,14 @@
     </form>
   {% endfor %}
 
-  {% if has_ssh_public_keys %} <hr/> {% endif %}
+  {% if ssh_public_keys|length > 0 %} <hr/> {% endif %}
 
   <div class="third-margin">
     <h1>UPLOAD A NEW SSH PUBLIC KEY</h1>
   </div>
   <form method="post">
     <input type="hidden" name="method" value="POST"></input>
+    <input type="hidden" name="action" value="upload_ssh_key"></input>
     <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
     <div class="row justify-start">
       <label class="align" for="content">File Contents</label>
@@ -54,6 +56,51 @@
     </div>
   </form>
 </div></div>
+<hr/>
+<div class="row third-margin">
+  <h1>API KEYS</h1>
+</div>
+<div class="row third-margin"><div>
+  {% if generated_api_token %}
+    <hr/>
+    Generated key:
+    <span class="code">{{ generated_api_token }}</span>
+  {% endif %}
+  {% if api_tokens|length >0 %} <hr/>{% endif %}
+  {% for api_token in api_tokens %}
+    <form method="post">
+      <input type="hidden" name="method" value="DELETE"></input> 
+      <input type="hidden" name="action" value="delete_api_token"></input>
+      <input type="hidden" name="id" value="{{ api_token['id'] }}"></input> 
+      <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
+      <div class="row">
+        <span class="code">{{ api_token['name'] }}</span>
+        created {{ api_token['created'].strftime("%b %d %Y") }}
+        <input type="submit" value="Delete">
+      </div>
+    </form>
+  {% endfor %}
+  {% if api_tokens|length >0 %} <hr/>{% endif %}
+
+  <div class="third-margin">
+    <h1>GENERATE A NEW API KEY</h1>
+  </div>
+  <form method="post">
+    <input type="hidden" name="method" value="POST"></input>
+    <input type="hidden" name="action" value="generate_api_token"></input>
+    <input type="hidden" name="csrf-token" value="{{ csrf_token }}"/>
+    <div class="smalltext">
+      <p>Generate a new API key, to integrate with other systems.</p>
+    </div>
+    <div class="row justify-start">
+      <label class="align" for="name">Key Name</label>
+      <input type="text" id="name" name="name"></input> (defaults to creation time)
+    </div>
+    <div class="row justify-end">
+      <input type="submit" value="Generate">
+    </div>
+  </form>
+</div></div>
 {% endblock %}
 
 {% block pagesource %}/templates/ssh-public-keys.html{% endblock %}

capsulflask/theme/yolocolo/base.html

@@ -2,7 +2,7 @@
 <head>
   <!-- Namecoin Address: N2aVL6pHtBp7EtNGb3jpsL2L2NyjBNbiB1 -->
   <link href="{{ url_for('static', filename='favicon.yolocolo.ico') }}" rel="icon">
-  <title>{% block title %}{% endblock %}{% if self.title() %} - {% endif %}Capsul</title>
+  <title>{% block title %}{% endblock %}{% if self.title() %} - {% endif %}Serverscoop</title>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width,initial-scale=1.0">
   <meta name="Description" content="Cyberia Capsul">
@@ -14,7 +14,7 @@
 <nav>
   <div class="row justify-space-between half-margin">
     <div>
-      🦉 <a href="/"><b>YOLOCOLO</b></a>
+      🍞 <a href="/"><b>serverscoop</b></a>
     </div>
     <div>
       &nbsp;
@@ -31,7 +31,7 @@
 
     {% if session["account"] %} 
       <a href="/console">Capsuls</a>
-      <a href="/console/ssh">SSH Public Keys</a>
+      <a href="/console/keys">SSH &amp; API Keys</a>
       <a href="/console/account-balance">Account Balance</a>
     {% endif %}
 
@@ -49,9 +49,7 @@
 <footer>
   This server runs <a
     href="https://giit.cyberia.club/~forest/capsul-flask">capsul-flask</a> by
-  Cyberia Computer Club, available under the <a
-    href="https://creativecommons.org/licenses/by-sa/4.0/">Attribution-ShareAlike
-    4.0 International</a> licence.<br/><br/>
+  Cyberia Computer Club, available under the GNU AFFERO GENERAL PUBLIC LICENSE.<br/><br/>
   <a href="https://git.autonomic.zone/3wordchant/capsul-flask/src/branch/yolocolo/capsulflask{% block pagesource %}{% endblock %}">View page source</a>
 </footer>
 </body>

capsulflask/theme/yolocolo/index.html

@@ -3,13 +3,11 @@
 {% block content %}
   <h1>
   <pre>
-             _                 _
- _   _  ___ | | ___   ___ ___ | | ___
-| | | |/ _ \| |/ _ \ / __/ _ \| |/ _ \
-| |_| | (_) | | (_) | (_| (_) | | (_) |
- \__, |\___/|_|\___/ \___\___/|_|\___/
- |___/
-
+ ___  ___ _ ____   _____ _ __ ___  ___ ___   ___  _ __  
+/ __|/ _ \ '__\ \ / / _ \ '__/ __|/ __/ _ \ / _ \| '_ \ 
+\__ \  __/ |   \ V /  __/ |  \__ \ (_| (_) | (_) | |_) |
+|___/\___|_|    \_/ \___|_|  |___/\___\___/ \___/| .__/ 
+                                                 |_|    
   </pre>
   <span>Co-operative hosting using <a href="https://cyberia.club">Cyberia</a>'s Capsul</span>
 {% endblock %}

docker-compose.yml

@@ -0,0 +1,36 @@
+---
+version: "3.8"
+
+services:
+  app:
+    image: 3wordchant/capsul-flask:latest
+    build: .
+    volumes:
+      - "./:/app/code"
+      - "../tank:/tank"
+      # - "/var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock"
+    depends_on:
+      - db
+    ports:
+      - "5000:5000"
+    environment:
+      - "POSTGRES_CONNECTION_PARAMETERS=host=db port=5432 user=capsul password=capsul dbname=capsul"
+      - SPOKE_MODEL=shell-scripts
+        #- FLASK_DEBUG=1
+      - BASE_URL=http://localhost:5000
+      - ADMIN_PANEL_ALLOW_EMAIL_ADDRESSES=3wc.capsul@doesthisthing.work
+      - VIRSH_DEFAULT_CONNECT_URI=qemu:///system
+    # The image uses gunicorn by default, let's override it with Flask's
+    # built-in development server
+    command: ["flask", "run", "-h", "0.0.0.0", "-p", "5000"]
+  db:
+    image: "postgres:9.6.5-alpine"
+    volumes:
+      - "postgres:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_USER: capsul
+      POSTGRES_PASSWORD: capsul
+      POSTGRES_DB: capsul
+
+volumes:
+  postgres: