portacode 1.4.12.dev1__py3-none-any.whl → 1.4.15.dev3__py3-none-any.whl

portacode/connection/handlers/proxmox_infra.py

@@ -7,15 +7,20 @@ import json
 import logging
 import os
 import secrets
+import shlex
+import re
+import select
 import shutil
 import stat
 import subprocess
 import sys
+import tempfile
 import time
 import threading
+import urllib.request
 from datetime import datetime
 from pathlib import Path
-from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple
+from typing import Any, Callable, Dict, Iterable, List, Optional, Sequence, Tuple
 
 import platformdirs
 
@@ -38,12 +43,15 @@ BRIDGE_IP = SUBNET_CIDR.split("/", 1)[0]
 DHCP_START = "10.10.0.100"
 DHCP_END = "10.10.0.200"
 DNS_SERVER = "1.1.1.1"
+CLOUDFLARE_DEB_URL = "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb"
 IFACES_PATH = Path("/etc/network/interfaces")
 SYSCTL_PATH = Path("/etc/sysctl.d/99-portacode-forward.conf")
 UNIT_DIR = Path("/etc/systemd/system")
 _MANAGED_CONTAINERS_CACHE_TTL_S = 30.0
 _MANAGED_CONTAINERS_CACHE: Dict[str, Any] = {"timestamp": 0.0, "summary": None}
 _MANAGED_CONTAINERS_CACHE_LOCK = threading.Lock()
+_CLOUDFLARE_TUNNEL_PROCESSES: Dict[str, subprocess.Popen] = {}
+_CLOUDFLARE_TUNNELS_LOCK = threading.Lock()
 
 ProgressCallback = Callable[[int, int, Dict[str, Any], str, Optional[Dict[str, Any]]], None]
 
@@ -261,7 +269,10 @@ def _ensure_bridge(bridge: str = DEFAULT_BRIDGE) -> Dict[str, Any]:
         apt = shutil.which("apt-get")
         if not apt:
             raise RuntimeError("dnsmasq is missing and apt-get unavailable to install it")
-        _call_subprocess([apt, "update"], check=True)
+        update = _call_subprocess([apt, "update"], check=False)
+        if update.returncode not in (0, 100):
+            msg = update.stderr or update.stdout or f"exit status {update.returncode}"
+            raise RuntimeError(f"apt-get update failed: {msg}")
         _call_subprocess([apt, "install", "-y", "dnsmasq"], check=True)
     _write_bridge_config(bridge)
     _ensure_sysctl()
@@ -274,6 +285,25 @@ def _ensure_bridge(bridge: str = DEFAULT_BRIDGE) -> Dict[str, Any]:
     return {"applied": True, "bridge": bridge, "message": f"Bridge {bridge} configured"}
 
 
+def _ensure_cloudflared_installed() -> None:
+    if shutil.which("cloudflared"):
+        return
+    apt = shutil.which("apt-get")
+    if not apt:
+        raise RuntimeError("cloudflared is missing and apt-get is unavailable to install it")
+    download_dir = Path(tempfile.mkdtemp())
+    deb_path = download_dir / "cloudflared.deb"
+    try:
+        urllib.request.urlretrieve(CLOUDFLARE_DEB_URL, deb_path)
+        try:
+            _call_subprocess(["dpkg", "-i", str(deb_path)], check=True)
+        except subprocess.CalledProcessError:
+            _call_subprocess([apt, "install", "-f", "-y"], check=True)
+            _call_subprocess(["dpkg", "-i", str(deb_path)], check=True)
+    finally:
+        shutil.rmtree(download_dir, ignore_errors=True)
+
+
 def _verify_connectivity(timeout: float = 5.0) -> bool:
     try:
         _call_subprocess(["/bin/ping", "-c", "2", "1.1.1.1"], check=True, timeout=timeout)
@@ -350,6 +380,7 @@ def _build_managed_containers_summary(records: List[Dict[str, Any]]) -> Dict[str
                 "cpu_share": cpu_share,
                 "created_at": record.get("created_at"),
                 "status": status,
+                "tunnel": record.get("tunnel"),
             }
         )
 
@@ -428,7 +459,12 @@ def _friendly_step_label(step_name: str) -> str:
     return normalized.capitalize()
 
 
-def _build_bootstrap_steps(user: str, password: str, ssh_key: str) -> List[Dict[str, Any]]:
+def _build_bootstrap_steps(
+    user: str,
+    password: str,
+    ssh_key: str,
+    include_portacode_connect: bool = True,
+) -> List[Dict[str, Any]]:
     steps = [
         {
             "name": "apt_update",
@@ -465,11 +501,14 @@ def _build_bootstrap_steps(user: str, password: str, ssh_key: str) -> List[Dict[
             "cmd": f"install -d -m 700 /home/{user}/.ssh && echo '{ssh_key}' >> /home/{user}/.ssh/authorized_keys && chown -R {user}:{user} /home/{user}/.ssh",
             "retries": 0,
         })
-    steps.extend([
-        {"name": "pip_upgrade", "cmd": "python3 -m pip install --upgrade pip", "retries": 0},
-        {"name": "install_portacode", "cmd": "python3 -m pip install --upgrade portacode", "retries": 0},
-        {"name": "portacode_connect", "type": "portacode_connect", "timeout_s": 30},
-    ])
+    steps.extend(
+        [
+            {"name": "pip_upgrade", "cmd": "python3 -m pip install --upgrade pip", "retries": 0},
+            {"name": "install_portacode", "cmd": "python3 -m pip install --upgrade portacode", "retries": 0},
+        ]
+    )
+    if include_portacode_connect:
+        steps.append({"name": "portacode_connect", "type": "portacode_connect", "timeout_s": 30})
     return steps
 
 
@@ -579,6 +618,89 @@ def _remove_container_record(vmid: int) -> None:
         _invalidate_managed_containers_cache()
 
 
+def _update_container_tunnel(vmid: int, tunnel: Optional[Dict[str, Any]]) -> None:
+    record = _read_container_record(vmid)
+    if tunnel:
+        record["tunnel"] = tunnel
+    else:
+        record.pop("tunnel", None)
+    _write_container_record(vmid, record)
+
+
+def _ensure_cloudflare_token(config: Dict[str, Any]) -> str:
+    cloudflare = config.get("cloudflare") or {}
+    token = cloudflare.get("api_token")
+    if not token:
+        raise RuntimeError("Cloudflare API token is not configured.")
+    return token
+
+
+def _launch_container_tunnel(proxmox: Any, node: str, vmid: int, tunnel: Dict[str, Any]) -> Dict[str, Any]:
+    port = int(tunnel.get("container_port") or 0)
+    if not port:
+        raise ValueError("container_port is required to create a tunnel.")
+    requested_hostname = tunnel.get("url") or None
+    protocol = (tunnel.get("protocol") or "http").lower()
+    ip_address = _resolve_container_ip(proxmox, node, vmid)
+    target_url = f"{protocol}://{ip_address}:{port}"
+    name = tunnel.get("name") or _build_tunnel_name(vmid, port)
+    _stop_cloudflare_process(name)
+    proc, assigned_url = _start_cloudflare_process(name, target_url, hostname=requested_hostname)
+    if not assigned_url:
+        raise RuntimeError("Failed to determine Cloudflare hostname for the tunnel.")
+    updated = {
+        "name": name,
+        "container_port": port,
+        "url": assigned_url,
+        "protocol": protocol,
+        "status": "running",
+        "pid": proc.pid,
+        "target_ip": ip_address,
+        "target_url": target_url,
+        "last_updated": datetime.utcnow().isoformat() + "Z",
+    }
+    _update_container_tunnel(vmid, updated)
+    return updated
+
+
+def _stop_container_tunnel(vmid: int) -> None:
+    try:
+        record = _read_container_record(vmid)
+    except FileNotFoundError:
+        return
+    tunnel = record.get("tunnel")
+    if not tunnel:
+        return
+    name = tunnel.get("name") or _build_tunnel_name(vmid, int(tunnel.get("container_port") or 0))
+    stopped = _stop_cloudflare_process(name)
+    if not stopped and tunnel.get("status") == "stopped":
+        return
+    tunnel_update = {
+        **tunnel,
+        "status": "stopped",
+        "pid": None,
+        "last_updated": datetime.utcnow().isoformat() + "Z",
+    }
+    _update_container_tunnel(vmid, tunnel_update)
+
+
+def _remove_container_tunnel_state(vmid: int) -> None:
+    _stop_container_tunnel(vmid)
+    _update_container_tunnel(vmid, None)
+
+
+def _ensure_container_tunnel_running(proxmox: Any, node: str, vmid: int) -> None:
+    try:
+        record = _read_container_record(vmid)
+    except FileNotFoundError:
+        return
+    tunnel = record.get("tunnel")
+    if not tunnel:
+        return
+    _ensure_cloudflare_token(_load_config())
+    _launch_container_tunnel(proxmox, node, vmid, tunnel)
+
+
 def _build_container_payload(message: Dict[str, Any], config: Dict[str, Any]) -> Dict[str, Any]:
     templates = config.get("templates") or []
     default_template = templates[0] if templates else ""
@@ -590,7 +712,7 @@ def _build_container_payload(message: Dict[str, Any], config: Dict[str, Any]) ->
     hostname = (message.get("hostname") or "").strip()
     disk_gib = int(max(round(_validate_positive_number(message.get("disk_gib") or message.get("disk"), 3)), 1))
     ram_mib = int(max(round(_validate_positive_number(message.get("ram_mib") or message.get("ram"), 2048)), 1))
-    cpus = _validate_positive_number(message.get("cpus"), 1)
+    cpus = _validate_positive_number(message.get("cpus"), 0.2)
     storage = message.get("storage") or config.get("default_storage") or ""
     if not storage:
         raise ValueError("Storage pool could not be determined.")
@@ -679,6 +801,184 @@ def _run_pct_check(vmid: int, cmd: str) -> Dict[str, Any]:
     return res
 
 
+def _run_pct_exec(vmid: int, command: Sequence[str]) -> subprocess.CompletedProcess[str]:
+    return _call_subprocess(["pct", "exec", str(vmid), "--", *command])
+
+
+def _run_pct_exec_check(vmid: int, command: Sequence[str]) -> subprocess.CompletedProcess[str]:
+    res = _run_pct_exec(vmid, command)
+    if res.returncode != 0:
+        raise RuntimeError(res.stderr or res.stdout or f"pct exec {' '.join(command)} failed")
+    return res
+
+
+def _run_pct_push(vmid: int, src: str, dest: str) -> subprocess.CompletedProcess[str]:
+    return _call_subprocess(["pct", "push", str(vmid), src, dest])
+
+
+def _build_tunnel_name(vmid: int, port: int) -> str:
+    return f"portacode-ct{vmid}-{port}"
+
+
+def _get_cloudflared_binary() -> str:
+    binary = shutil.which("cloudflared")
+    if not binary:
+        raise RuntimeError(
+            "cloudflared is required for Cloudflare tunnels but was not found on PATH. "
+            "Install cloudflared and run 'cloudflared tunnel login' before creating tunnels."
+        )
+    return binary
+
+
+def _drain_stream(stream: Optional[Any]) -> None:
+    if stream is None:
+        return
+    try:
+        for _ in iter(stream.readline, ""):
+            continue
+    except Exception:
+        pass
+    finally:
+        try:
+            stream.close()
+        except Exception:
+            pass
+
+
+def _await_quick_tunnel_url(proc: subprocess.Popen, timeout: float = 15.0) -> Optional[str]:
+    if not proc.stdout:
+        return None
+    cf_re = re.compile(r"https://[A-Za-z0-9\-.]+\.cfargotunnel\.com")
+    deadline = time.time() + timeout
+    while time.time() < deadline:
+        ready, _, _ = select.select([proc.stdout], [], [], 1)
+        if not ready:
+            continue
+        line = proc.stdout.readline()
+        if not line:
+            continue
+        match = cf_re.search(line)
+        if match:
+            return match.group(0)
+    return None
+
+
+def _start_cloudflare_process(name: str, target_url: str, hostname: Optional[str] = None) -> Tuple[subprocess.Popen, Optional[str]]:
+    binary = _get_cloudflared_binary()
+    cmd = [
+        binary,
+        "tunnel",
+        "--url",
+        target_url,
+        "--no-autoupdate",
+    ]
+    if hostname:
+        cmd.extend(["--hostname", hostname])
+        stdout_target = subprocess.DEVNULL
+    else:
+        stdout_target = subprocess.PIPE
+    proc = subprocess.Popen(
+        cmd,
+        stdout=stdout_target,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+    with _CLOUDFLARE_TUNNELS_LOCK:
+        _CLOUDFLARE_TUNNEL_PROCESSES[name] = proc
+    assigned_url = hostname
+    if not hostname:
+        assigned_url = _await_quick_tunnel_url(proc)
+        threading.Thread(target=_drain_stream, args=(proc.stdout,), daemon=True).start()
+    threading.Thread(target=_drain_stream, args=(proc.stderr,), daemon=True).start()
+    return proc, assigned_url
+
+
+def _stop_cloudflare_process(name: str) -> bool:
+    with _CLOUDFLARE_TUNNELS_LOCK:
+        proc = _CLOUDFLARE_TUNNEL_PROCESSES.pop(name, None)
+    if not proc:
+        return False
+    try:
+        proc.terminate()
+        proc.wait(timeout=5)
+    except subprocess.TimeoutExpired:
+        proc.kill()
+        proc.wait()
+    return True
+
+
+def _resolve_container_ip(proxmox: Any, node: str, vmid: int) -> str:
+    status = proxmox.nodes(node).lxc(vmid).status.current.get()
+    if status:
+        ip_field = status.get("ip")
+        if isinstance(ip_field, list):
+            for entry in ip_field:
+                if isinstance(entry, str) and "." in entry:
+                    return entry.split("/")[0]
+        elif isinstance(ip_field, str) and "." in ip_field:
+            return ip_field.split("/")[0]
+    res = _run_pct_exec(vmid, ["ip", "-4", "-o", "addr", "show", "eth0"])
+    line = res.stdout.splitlines()[0] if res.stdout else ""
+    parts = line.split()
+    if len(parts) >= 4:
+        addr = parts[3]
+        return addr.split("/")[0]
+    raise RuntimeError("Unable to determine container IP address")
+
+
+def _push_bytes_to_container(
+    vmid: int, user: str, path: str, data: bytes, mode: int = 0o600
+) -> None:
+    logger.debug("Preparing to push %d bytes to container vmid=%s path=%s for user=%s", len(data), vmid, path, user)
+    tmp_path: Optional[str] = None
+    try:
+        parent = Path(path).parent
+        parent_str = parent.as_posix()
+        if parent_str not in {"", ".", "/"}:
+            _run_pct_exec_check(vmid, ["mkdir", "-p", parent_str])
+            _run_pct_exec_check(vmid, ["chown", "-R", f"{user}:{user}", parent_str])
+
+        with tempfile.NamedTemporaryFile(delete=False) as tmp:
+            tmp.write(data)
+            tmp.flush()
+            os.fsync(tmp.fileno())
+            tmp_path = tmp.name
+
+        push_res = _run_pct_push(vmid, tmp_path, path)
+        if push_res.returncode != 0:
+            raise RuntimeError(push_res.stderr or push_res.stdout or f"pct push returned {push_res.returncode}")
+
+        _run_pct_exec_check(vmid, ["chown", f"{user}:{user}", path])
+        _run_pct_exec_check(vmid, ["chmod", format(mode, "o"), path])
+        logger.debug("Successfully pushed %d bytes to vmid=%s path=%s", len(data), vmid, path)
+    except Exception as exc:
+        logger.error("Failed to write to container vmid=%s path=%s for user=%s: %s", vmid, path, user, exc)
+        raise
+    finally:
+        if tmp_path:
+            try:
+                os.remove(tmp_path)
+            except OSError as cleanup_exc:
+                logger.warning("Failed to remove temporary file %s: %s", tmp_path, cleanup_exc)
+
+
+def _resolve_portacode_key_dir(vmid: int, user: str) -> str:
+    data_dir_cmd = f"su - {user} -c 'echo -n ${{XDG_DATA_HOME:-$HOME/.local/share}}'"
+    data_home = _run_pct_check(vmid, data_dir_cmd)["stdout"].strip()
+    portacode_dir = f"{data_home}/portacode"
+    _run_pct_exec_check(vmid, ["mkdir", "-p", portacode_dir])
+    _run_pct_exec_check(vmid, ["chown", "-R", f"{user}:{user}", portacode_dir])
+    return f"{portacode_dir}/keys"
+
+
+def _deploy_device_keypair(vmid: int, user: str, private_key: str, public_key: str) -> None:
+    key_dir = _resolve_portacode_key_dir(vmid, user)
+    priv_path = f"{key_dir}/id_portacode"
+    pub_path = f"{key_dir}/id_portacode.pub"
+    _push_bytes_to_container(vmid, user, priv_path, private_key.encode(), mode=0o600)
+    _push_bytes_to_container(vmid, user, pub_path, public_key.encode(), mode=0o644)
+
+
 def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -> Dict[str, Any]:
     cmd = ["pct", "exec", str(vmid), "--", "bash", "-lc", f"su - {user} -c 'portacode connect'"]
     proc = subprocess.Popen(cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -702,15 +1002,22 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
 
     last_pub = last_priv = None
     stable = 0
+    history: List[Dict[str, Any]] = []
+
+    process_exited = False
+    exit_out = exit_err = ""
     while time.time() - start < timeout_s:
         if proc.poll() is not None:
-            out, err = proc.communicate(timeout=1)
-            return {
-                "ok": False,
-                "error": "portacode connect exited before keys were created",
-                "stdout": (out or "").strip(),
-                "stderr": (err or "").strip(),
-            }
+            process_exited = True
+            exit_out, exit_err = proc.communicate(timeout=1)
+            history.append(
+                {
+                    "timestamp_s": round(time.time() - start, 2),
+                    "status": "process_exited",
+                    "returncode": proc.returncode,
+                }
+            )
+            break
         pub_size = file_size(pub_path)
         priv_size = file_size(priv_path)
         if pub_size and priv_size:
@@ -720,21 +1027,60 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
                 stable = 0
             last_pub, last_priv = pub_size, priv_size
             if stable >= 1:
+                history.append(
+                    {
+                        "timestamp_s": round(time.time() - start, 2),
+                        "pub_size": pub_size,
+                        "priv_size": priv_size,
+                        "stable": stable,
+                    }
+                )
                 break
+        history.append(
+            {
+                "timestamp_s": round(time.time() - start, 2),
+                "pub_size": pub_size,
+                "priv_size": priv_size,
+                "stable": stable,
+            }
+        )
         time.sleep(1)
 
-    if stable < 1:
+    final_pub = file_size(pub_path)
+    final_priv = file_size(priv_path)
+    if final_pub and final_priv:
+        key_res = _run_pct(vmid, f"su - {user} -c 'cat {pub_path}'")
+        if not process_exited:
+            proc.terminate()
+            try:
+                proc.wait(timeout=3)
+            except subprocess.TimeoutExpired:
+                proc.kill()
+        return {
+            "ok": True,
+            "public_key": key_res["stdout"].strip(),
+            "history": history,
+        }
+
+    if not process_exited:
         proc.terminate()
         try:
             proc.wait(timeout=3)
         except subprocess.TimeoutExpired:
             proc.kill()
-        out, err = proc.communicate(timeout=1)
+        exit_out, exit_err = proc.communicate(timeout=1)
+        history.append(
+            {
+                "timestamp_s": round(time.time() - start, 2),
+                "status": "timeout_waiting_for_keys",
+            }
+        )
         return {
             "ok": False,
             "error": "timed out waiting for portacode key files",
-            "stdout": (out or "").strip(),
-            "stderr": (err or "").strip(),
+            "stdout": (exit_out or "").strip(),
+            "stderr": (exit_err or "").strip(),
+            "history": history,
         }
 
     proc.terminate()
@@ -747,6 +1093,7 @@ def _portacode_connect_and_read_key(vmid: int, user: str, timeout_s: int = 10) -
     return {
         "ok": True,
         "public_key": key_res["stdout"].strip(),
+        "history": history,
     }
 
 
@@ -833,6 +1180,7 @@ def _bootstrap_portacode(
     progress_callback: Optional[ProgressCallback] = None,
     start_index: int = 1,
     total_steps: Optional[int] = None,
+    default_public_key: Optional[str] = None,
 ) -> Tuple[str, List[Dict[str, Any]]]:
     actual_steps = steps if steps is not None else _build_bootstrap_steps(user, password, ssh_key)
     results, ok = _run_setup_steps(
@@ -844,14 +1192,44 @@ def _bootstrap_portacode(
         total_steps=total_steps,
     )
     if not ok:
+        details = results[-1] if results else {}
+        summary = details.get("error_summary") or details.get("stderr") or details.get("stdout") or details.get("name")
+        history = details.get("history")
+        history_snippet = ""
+        if isinstance(history, list) and history:
+            history_snippet = f" history={history[-3:]}"
+        command = details.get("cmd")
+        command_text = ""
+        if command:
+            if isinstance(command, (list, tuple)):
+                command_text = shlex.join(str(entry) for entry in command)
+            else:
+                command_text = str(command)
+        command_suffix = f" command={command_text}" if command_text else ""
+        if summary:
+            logger.warning(
+                "Portacode bootstrap failure summary=%s%s%s",
+                summary,
+                f" history_len={len(history)}" if history else "",
+                f" command={command_text}" if command_text else "",
+            )
+            raise RuntimeError(
+                f"Portacode bootstrap steps failed: {summary}{history_snippet}{command_suffix}"
+            )
         raise RuntimeError("Portacode bootstrap steps failed.")
     key_step = next((entry for entry in results if entry.get("name") == "portacode_connect"), None)
-    public_key = key_step.get("public_key") if key_step else None
+    public_key = key_step.get("public_key") if key_step else default_public_key
     if not public_key:
         raise RuntimeError("Portacode connect did not return a public key.")
     return public_key, results
 
 
+def _build_cloudflare_snapshot(cloudflare_config: Dict[str, Any] | None) -> Dict[str, Any]:
+    if not cloudflare_config:
+        return {"configured": False}
+    return {"configured": bool(cloudflare_config.get("api_token"))}
+
+
 def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
     network = config.get("network", {})
     base_network = {
@@ -859,8 +1237,13 @@ def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
         "message": network.get("message"),
         "bridge": network.get("bridge", DEFAULT_BRIDGE),
     }
+    cloudflare_snapshot = _build_cloudflare_snapshot(config.get("cloudflare"))
     if not config:
-        return {"configured": False, "network": base_network}
+        return {
+            "configured": False,
+            "network": base_network,
+            "cloudflare": cloudflare_snapshot,
+        }
     return {
         "configured": True,
         "host": config.get("host"),
@@ -871,18 +1254,54 @@ def build_snapshot(config: Dict[str, Any]) -> Dict[str, Any]:
         "templates": config.get("templates") or [],
         "last_verified": config.get("last_verified"),
         "network": base_network,
+        "cloudflare": cloudflare_snapshot,
     }
 
 
-def configure_infrastructure(token_identifier: str, token_value: str, verify_ssl: bool = False) -> Dict[str, Any]:
+def _resolve_proxmox_credentials(
+    token_identifier: Optional[str],
+    token_value: Optional[str],
+    existing: Dict[str, Any],
+) -> Tuple[str, str, str]:
+    if token_identifier:
+        if not token_value:
+            raise ValueError("token_value is required when providing a new token_identifier")
+        user, token_name = _parse_token(token_identifier)
+        return user, token_name, token_value
+    if existing and existing.get("user") and existing.get("token_name") and existing.get("token_value"):
+        return existing["user"], existing["token_name"], existing["token_value"]
+    raise ValueError("Proxmox token identifier and value are required when no existing configuration is available")
+
+
+def _build_cloudflare_config(existing: Dict[str, Any], api_token: Optional[str]) -> Dict[str, Any]:
+    cloudflare: Dict[str, Any] = dict(existing.get("cloudflare", {}) or {})
+    if api_token:
+        cloudflare["api_token"] = api_token
+    if cloudflare.get("api_token"):
+        cloudflare["configured"] = True
+    elif "configured" in cloudflare:
+        cloudflare.pop("configured", None)
+    return cloudflare
+
+
+def configure_infrastructure(
+    token_identifier: Optional[str] = None,
+    token_value: Optional[str] = None,
+    verify_ssl: Optional[bool] = None,
+    cloudflare_api_token: Optional[str] = None,
+) -> Dict[str, Any]:
     ProxmoxAPI = _ensure_proxmoxer()
-    user, token_name = _parse_token(token_identifier)
+    existing = _load_config()
+    user, token_name, resolved_token_value = _resolve_proxmox_credentials(
+        token_identifier, token_value, existing
+    )
+    actual_verify_ssl = verify_ssl if verify_ssl is not None else existing.get("verify_ssl", False)
     client = ProxmoxAPI(
         DEFAULT_HOST,
         user=user,
         token_name=token_name,
-        token_value=token_value,
-        verify_ssl=verify_ssl,
+        token_value=resolved_token_value,
+        verify_ssl=actual_verify_ssl,
         timeout=30,
     )
     node = _pick_node(client)
@@ -890,35 +1309,36 @@ def configure_infrastructure(token_identifier: str, token_value: str, verify_ssl
     storages = client.nodes(node).storage.get()
     default_storage = _pick_storage(storages)
     templates = _list_templates(client, node, storages)
-    network: Dict[str, Any] = {}
-    try:
-        network = _ensure_bridge()
-        # Wait for network convergence before validating connectivity
-        time.sleep(2)
-        if _verify_connectivity():
+    network = dict(existing.get("network", {}) or {})
+    _ensure_cloudflared_installed()
+    if not network.get("applied"):
+        try:
+            network = _ensure_bridge()
+            # Wait for network convergence before validating connectivity
+            time.sleep(2)
+            if not _verify_connectivity():
+                raise RuntimeError("Connectivity check failed; bridge reverted")
             network["health"] = "healthy"
-        else:
-            network = {"applied": False, "bridge": DEFAULT_BRIDGE, "message": "Connectivity check failed; bridge reverted"}
+        except Exception as exc:
+            logger.warning("Bridge setup failed; reverting previous changes: %s", exc)
             _revert_bridge()
-    except PermissionError as exc:
-        network = {"applied": False, "message": str(exc), "bridge": DEFAULT_BRIDGE}
-        logger.warning("Bridge setup skipped: %s", exc)
-    except Exception as exc:  # pragma: no cover - best effort
-        network = {"applied": False, "message": str(exc), "bridge": DEFAULT_BRIDGE}
-        logger.warning("Bridge setup failed: %s", exc)
+            raise
     config = {
         "host": DEFAULT_HOST,
         "node": node,
         "user": user,
         "token_name": token_name,
-        "token_value": token_value,
-        "verify_ssl": verify_ssl,
+        "token_value": resolved_token_value,
+        "verify_ssl": actual_verify_ssl,
         "default_storage": default_storage,
         "templates": templates,
         "last_verified": datetime.utcnow().isoformat() + "Z",
         "network": network,
         "node_status": status,
     }
+    cloudflare = _build_cloudflare_config(existing, cloudflare_api_token)
+    if cloudflare:
+        config["cloudflare"] = cloudflare
     _save_config(config)
     snapshot = build_snapshot(config)
     snapshot["node_status"] = status
@@ -968,7 +1388,7 @@ def _instantiate_container(proxmox: Any, node: str, payload: Dict[str, Any]) ->
             rootfs=rootfs,
             memory=int(payload["ram_mib"]),
             swap=int(payload.get("swap_mb", 0)),
-            cores=int(payload.get("cpus", 1)),
+            cores=max(int(payload.get("cores", 1)), 1),
             cpuunits=int(payload.get("cpuunits", 256)),
             net0=payload["net0"],
             unprivileged=int(payload.get("unprivileged", 1)),
@@ -992,8 +1412,17 @@ class CreateProxmoxContainerHandler(SyncHandler):
     def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
         logger.info("create_proxmox_container command received")
         request_id = message.get("request_id")
+        device_id = message.get("device_id")
+        device_public_key = (message.get("device_public_key") or "").strip()
+        device_private_key = (message.get("device_private_key") or "").strip()
+        has_device_keypair = bool(device_public_key and device_private_key)
         bootstrap_user, bootstrap_password, bootstrap_ssh_key = _get_provisioning_user_info(message)
-        bootstrap_steps = _build_bootstrap_steps(bootstrap_user, bootstrap_password, bootstrap_ssh_key)
+        bootstrap_steps = _build_bootstrap_steps(
+            bootstrap_user,
+            bootstrap_password,
+            bootstrap_ssh_key,
+            include_portacode_connect=not has_device_keypair,
+        )
         total_steps = 3 + len(bootstrap_steps) + 2
         current_step_index = 1
 
@@ -1154,9 +1583,102 @@ class CreateProxmoxContainerHandler(SyncHandler):
             progress_callback=_bootstrap_progress_callback,
             start_index=current_step_index,
             total_steps=total_steps,
+            default_public_key=device_public_key if has_device_keypair else None,
         )
         current_step_index += len(bootstrap_steps)
 
+        service_installed = False
+        if has_device_keypair:
+            logger.info(
+                "deploying dashboard-provided Portacode keypair (device_id=%s) into container %s",
+                device_id,
+                vmid,
+            )
+            _deploy_device_keypair(
+                vmid,
+                payload["username"],
+                device_private_key,
+                device_public_key,
+            )
+            service_installed = True
+            service_start_index = current_step_index
+
+            auth_step_name = "setup_device_authentication"
+            auth_label = "Setting up device authentication"
+            _emit_progress_event(
+                self,
+                step_index=service_start_index,
+                total_steps=total_steps,
+                step_name=auth_step_name,
+                step_label=auth_label,
+                status="in_progress",
+                message="Notifying the server of the new device…",
+                phase="service",
+                request_id=request_id,
+            )
+            _emit_progress_event(
+                self,
+                step_index=service_start_index,
+                total_steps=total_steps,
+                step_name=auth_step_name,
+                step_label=auth_label,
+                status="completed",
+                message="Authentication metadata recorded.",
+                phase="service",
+                request_id=request_id,
+            )
+
+            install_step = service_start_index + 1
+            install_label = "Launching Portacode service"
+            _emit_progress_event(
+                self,
+                step_index=install_step,
+                total_steps=total_steps,
+                step_name="launch_portacode_service",
+                step_label=install_label,
+                status="in_progress",
+                message="Running sudo portacode service install…",
+                phase="service",
+                request_id=request_id,
+            )
+
+            cmd = f"su - {payload['username']} -c 'sudo -S portacode service install'"
+            res = _run_pct(vmid, cmd, input_text=payload["password"] + "\n")
+
+            if res["returncode"] != 0:
+                _emit_progress_event(
+                    self,
+                    step_index=install_step,
+                    total_steps=total_steps,
+                    step_name="launch_portacode_service",
+                    step_label=install_label,
+                    status="failed",
+                    message=f"{install_label} failed: {res.get('stderr') or res.get('stdout')}",
+                    phase="service",
+                    request_id=request_id,
+                    details={
+                        "stderr": res.get("stderr"),
+                        "stdout": res.get("stdout"),
+                    },
+                )
+                raise RuntimeError(res.get("stderr") or res.get("stdout") or "Service install failed")
+
+            _emit_progress_event(
+                self,
+                step_index=install_step,
+                total_steps=total_steps,
+                step_name="launch_portacode_service",
+                step_label=install_label,
+                status="completed",
+                message="Portacode service install finished.",
+                phase="service",
+                request_id=request_id,
+            )
+
+            logger.info("create_proxmox_container: portacode service install completed inside ct %s", vmid)
+
+            current_step_index += 2
+
         return {
             "event": "proxmox_container_created",
             "success": True,
@@ -1173,6 +1695,8 @@ class CreateProxmoxContainerHandler(SyncHandler):
                 "cpus": payload["cpus"],
             },
             "setup_steps": steps,
+            "device_id": device_id,
+            "service_installed": service_installed,
         }
 
 
@@ -1298,6 +1822,10 @@ class StartProxmoxContainerHandler(SyncHandler):
 
         status, elapsed = _start_container(proxmox, node, vmid)
         _update_container_record(vmid, {"status": "running"})
+        try:
+            _ensure_container_tunnel_running(proxmox, node, vmid)
+        except Exception as exc:
+            raise RuntimeError(f"Failed to start Cloudflare tunnel for container {vmid}: {exc}") from exc
 
         infra = get_infra_snapshot()
         return {
@@ -1327,6 +1855,7 @@ class StopProxmoxContainerHandler(SyncHandler):
         _ensure_container_managed(proxmox, node, vmid)
 
         status, elapsed = _stop_container(proxmox, node, vmid)
+        _stop_container_tunnel(vmid)
         final_status = status.get("status") or "stopped"
         _update_container_record(vmid, {"status": final_status})
 
@@ -1362,8 +1891,13 @@ class RemoveProxmoxContainerHandler(SyncHandler):
         node = _get_node_from_config(config)
         _ensure_container_managed(proxmox, node, vmid)
 
+        _stop_container_tunnel(vmid)
         stop_status, stop_elapsed = _stop_container(proxmox, node, vmid)
         delete_status, delete_elapsed = _delete_container(proxmox, node, vmid)
+        try:
+            _update_container_tunnel(vmid, None)
+        except FileNotFoundError:
+            pass
         _remove_container_record(vmid)
 
         infra = get_infra_snapshot()
@@ -1382,6 +1916,134 @@ class RemoveProxmoxContainerHandler(SyncHandler):
         }
 
 
+class CreateCloudflareTunnelHandler(SyncHandler):
+    """Create a Cloudflare tunnel for a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "create_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        container_port = int(message.get("container_port") or 0)
+        if container_port <= 0:
+            raise ValueError("container_port is required and must be greater than zero.")
+        hostname = (message.get("cloudflare_url") or message.get("hostname") or "").strip()
+        hostname = hostname or None
+        protocol = (message.get("protocol") or "http").strip().lower()
+        if protocol not in {"http", "https", "tcp"}:
+            raise ValueError("protocol must be one of http, https, or tcp.")
+        config = _ensure_infra_configured()
+        _ensure_cloudflare_token(config)
+        proxmox = _connect_proxmox(config)
+        node = _get_node_from_config(config)
+        _ensure_container_managed(proxmox, node, vmid)
+        status = proxmox.nodes(node).lxc(vmid).status.current.get().get("status")
+        if status != "running":
+            raise RuntimeError("Container must be running to create a tunnel.")
+        tunnel = {
+            "container_port": container_port,
+            "protocol": protocol,
+        }
+        if hostname:
+            tunnel["url"] = hostname
+        created = _launch_container_tunnel(proxmox, node, vmid, tunnel)
+        infra = get_infra_snapshot()
+        host_url = created.get("url")
+        response_message = f"Created Cloudflare tunnel for container {vmid}."
+        if host_url:
+            response_message = f"{response_message[:-1]} -> {host_url}."
+        response = {
+            "event": "cloudflare_tunnel_created",
+            "ctid": str(vmid),
+            "success": True,
+            "message": response_message,
+            "tunnel": created,
+            "infra": infra,
+        }
+        device_id = message.get("device_id")
+        if device_id:
+            response["device_id"] = device_id
+        return response
+
+
+class UpdateCloudflareTunnelHandler(SyncHandler):
+    """Update an existing Cloudflare tunnel for a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "update_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        config = _ensure_infra_configured()
+        _ensure_cloudflare_token(config)
+        proxmox = _connect_proxmox(config)
+        node = _get_node_from_config(config)
+        _ensure_container_managed(proxmox, node, vmid)
+        record = _read_container_record(vmid)
+        tunnel = record.get("tunnel")
+        if not tunnel:
+            raise RuntimeError("No Cloudflare tunnel configured for this container.")
+        container_port = int(message.get("container_port") or tunnel.get("container_port") or 0)
+        if container_port <= 0:
+            raise ValueError("container_port must be greater than zero.")
+        hostname = (message.get("cloudflare_url") or tunnel.get("url") or "").strip()
+        hostname = hostname or None
+        protocol = (message.get("protocol") or tunnel.get("protocol") or "http").strip().lower()
+        if protocol not in {"http", "https", "tcp"}:
+            raise ValueError("protocol must be one of http, https, or tcp.")
+        updated_tunnel = {
+            "container_port": container_port,
+            "protocol": protocol,
+        }
+        if hostname:
+            updated_tunnel["url"] = hostname
+        result = _launch_container_tunnel(proxmox, node, vmid, updated_tunnel)
+        infra = get_infra_snapshot()
+        host_url = result.get("url")
+        response_message = f"Updated Cloudflare tunnel for container {vmid}."
+        if host_url:
+            response_message = f"{response_message[:-1]} -> {host_url}."
+        response = {
+            "event": "cloudflare_tunnel_updated",
+            "ctid": str(vmid),
+            "success": True,
+            "message": response_message,
+            "tunnel": result,
+            "infra": infra,
+        }
+        device_id = message.get("device_id")
+        if device_id:
+            response["device_id"] = device_id
+        return response
+
+
+class RemoveCloudflareTunnelHandler(SyncHandler):
+    """Remove any Cloudflare tunnel associated with a container."""
+
+    @property
+    def command_name(self) -> str:
+        return "remove_cloudflare_tunnel"
+
+    def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
+        vmid = _parse_ctid(message)
+        _remove_container_tunnel_state(vmid)
+        infra = get_infra_snapshot()
+        response = {
+            "event": "cloudflare_tunnel_removed",
+            "ctid": str(vmid),
+            "success": True,
+            "message": f"Removed Cloudflare tunnel state for container {vmid}.",
+            "tunnel": None,
+            "infra": infra,
+        }
+        device_id = message.get("device_id")
+        if device_id:
+            response["device_id"] = device_id
+        return response
+
+
 class ConfigureProxmoxInfraHandler(SyncHandler):
     @property
     def command_name(self) -> str:
@@ -1390,10 +2052,13 @@ class ConfigureProxmoxInfraHandler(SyncHandler):
     def execute(self, message: Dict[str, Any]) -> Dict[str, Any]:
         token_identifier = message.get("token_identifier")
         token_value = message.get("token_value")
-        verify_ssl = bool(message.get("verify_ssl"))
-        if not token_identifier or not token_value:
-            raise ValueError("token_identifier and token_value are required")
-        snapshot = configure_infrastructure(token_identifier, token_value, verify_ssl=verify_ssl)
+        verify_ssl = message.get("verify_ssl")
+        snapshot = configure_infrastructure(
+            token_identifier=token_identifier,
+            token_value=token_value,
+            verify_ssl=verify_ssl,
+            cloudflare_api_token=message.get("cloudflare_api_token"),
+        )
         return {
             "event": "proxmox_infra_configured",
             "success": True,