Compare revisions

3f0294c3 · 3f0294c3 · 3f0294c3 · 3f0294c3 · 3f0294c3
--- a/tasks/services.yml
+++ b/tasks/services.yml
 ---
-
 - name: "Create {{ funkwhale_systemd_service_name }}-* systemd file"
  become: true
+  when: funkwhale_systemd_managed
  template:
    src: "funkwhale-process.service.j2"
    dest: "/etc/systemd/system/{{ funkwhale_systemd_service_name }}-{{ item.name }}.service"
@@ -12,7 +12,7 @@
      command: "{{ funkwhale_install_path }}/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO"
    - name: server
      description: Funkwhale application server
-      command: "{{ funkwhale_install_path }}/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}"
+      command: "{{ funkwhale_install_path }}/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} {{ funkwhale_gunicorn_extra_args }}"
    - name: beat
      description: Funkwhale celery beat process
      command: "{{ funkwhale_install_path }}/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO"
@@ -21,6 +21,7 @@

 - name: "Create {{ funkwhale_systemd_service_name }} systemd target file"
  become: true
+  when: funkwhale_systemd_managed
  template:
    src: "{{ funkwhale_systemd_service_name }}.target.j2"
    dest: "/etc/systemd/system/{{ funkwhale_systemd_service_name }}.target"
@@ -30,6 +31,7 @@

 - name: "Start and enable {{ funkwhale_systemd_service_name }}-* services"
  become: true
+  when: funkwhale_systemd_managed
  systemd:
    name: "{{ item }}"
    enabled: true

--- a/templates/env.j2
+++ b/templates/env.j2
@@ -10,7 +10,7 @@ FUNKWHALE_WEB_WORKERS={{ funkwhale_web_workers }}
 REVERSE_PROXY_TYPE=nginx

 {% if funkwhale_database_managed %}
-DATABASE_URL=postgresql://{{ funkwhale_database_user }}@:5432/{{ funkwhale_database_name }}
+DATABASE_URL=postgresql://{{ funkwhale_database_user }}{%- if funkwhale_database_password is defined -%}:{{ funkwhale_database_password }}{%- endif -%}@{%- if funkwhale_database_host_app != 'localhost' -%}{{ funkwhale_database_host_app }}{%- endif -%}:{{ funkwhale_database_port }}/{{ funkwhale_database_name }}
 {% else %}
 DATABASE_URL={{ funkwhale_database_url }}
 {% endif %}

--- a/templates/funkwhale_proxy.conf.j2
+++ b/templates/funkwhale_proxy.conf.j2
 # global proxy conf
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
+
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Forwarded-Host $host:$server_port;
-proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+{% if not funkwhale_nginx_tls_termination -%}
+proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
+proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
 proxy_redirect off;
+{% endif -%}

 # websocket support
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $connection_upgrade;
+proxy_set_header Connection $funkwhale_connection_upgrade;
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
 # {{ ansible_managed }}
-{% if funkwhale_protocol == 'https' -%}
+# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
+
+upstream funkwhale-api {
+    server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
+}
+
+{% if funkwhale_nginx_tls_termination -%}
 server {
    listen 80;
    listen [::]:80;
    server_name {{ funkwhale_hostname }};
-    location / { return 301 https://$host$request_uri; }
+
+    location /.well-known/ {
+        allow all;
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 {% endif -%}

-# required for websocket support
-map $http_upgrade $connection_upgrade {
+# Required for websocket support.
+map $http_upgrade $funkwhale_connection_upgrade {
    default upgrade;
    ''      close;
 }

 server {
-    listen {% if funkwhale_protocol == 'https' %}443 ssl{% else %}80{% endif %} http2;
-    listen [::]:{% if funkwhale_protocol == 'https' %}443 ssl{% else -%}80{% endif %} http2;
+    listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
+    listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
+    charset     utf-8;
    server_name {{ funkwhale_hostname }};
-    {% if funkwhale_protocol == 'https' -%}
+    {% if funkwhale_nginx_tls_termination -%}
    {% if funkwhale_ssl_key_path -%}
    ssl_certificate {{ funkwhale_ssl_cert_path }};
    ssl_certificate_key {{ funkwhale_ssl_key_path }};
    {% else -%}
    ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
-    {% endif -%}
-    # from https://cipherli.st/
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
-    ssl_ecdh_curve secp384r1;
-    ssl_session_timeout  10m;
+    {% endif -%} {# funkwhale_ssl_key_path #}
+
+    {% if funkwhale_nginx_tls_configure_ciphers -%}
+    # Many of these are overridden by matching settings outside of any server{} block!
+    # https://github.com/mozilla/ssl-config-generator/issues/76
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    # https://ssl-config.mozilla.org/#server=nginx&config=modern
+    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
-    add_header Strict-Transport-Security "max-age=63072000; preload";
-    {% endif -%}
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+    {% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    {% endif -%} {# funkwhale_nginx_tls_termination #}

+    {% if funkwhale_nginx_csp_policy -%}
+    add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
+    {% endif -%}
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";

    root {{ funkwhale_frontend_path }};

    # compression settings
+    {% if funkwhale_nginx_use_compression -%}
    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
@@ -66,70 +95,111 @@ server {
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
-
+    {% else -%}
+    gzip off;
+    {% endif -%}
    # end of compression settings
-    location / {
+
+    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
-        # this is needed if you have file import via upload enabled
+        # This is needed if you have file import via upload enabled.
        client_max_body_size {{ funkwhale_nginx_max_body_size }};
-        proxy_pass   http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/;
+        proxy_pass   http://funkwhale-api;
+    }
+    {% if funkwhale_disable_django_admin -%}
+    location /api/admin/ {
+        # disable access to API admin dashboard
+        return 403;
    }
+    {% endif -%}

-    location /front/ {
+    location / {
        alias {{ funkwhale_frontend_path }}/;
-        expires 30d;
+        expires 1d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+        add_header Service-Worker-Allowed "/";
+        try_files $uri $uri/ /index.html;
+    }
+
+    location ~ "/(front/)?embed.html" {
+        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        alias {{ funkwhale_frontend_path }}/embed.html;
+        expires 1d;
    }

    location /federation/ {
        include /etc/nginx/funkwhale_proxy.conf;
-        proxy_pass   http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/federation/;
+        proxy_pass   http://funkwhale-api;
    }

-    # You can comment this if you do not plan to use the Subsonic API
+    # You can comment this if you do not plan to use the Subsonic API.
    location /rest/ {
        include /etc/nginx/funkwhale_proxy.conf;
-        proxy_pass   http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/api/subsonic/rest/;
+        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

    location /.well-known/ {
+        allow all;
        include /etc/nginx/funkwhale_proxy.conf;
-        proxy_pass   http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
+        proxy_pass   http://funkwhale-api;
    }

-    location /media/ {
-        alias {{ funkwhale_media_path }}/;
+    # Allow direct access to only specific subdirectories in /media
+    location /media/__sized__/ {
+        alias {{ funkwhale_media_path }}/__sized__/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/attachments/ {
+        alias {{ funkwhale_media_path }}/attachments/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/dynamic_preferences/ {
+        alias {{ funkwhale_media_path }}/dynamic_preferences/;
+        add_header Access-Control-Allow-Origin '*';
    }

    {% if funkwhale_external_storage_enabled -%}
-    # Comment the previous location and uncomment this one if you're storing
-    # media files in a S3 bucket
+    # This is an internal location that is used to serve
+    # media (uploaded) files once correct permission / authentication
+    # has been checked on API side.
    location ~ /_protected/media/(.+) {
        internal;
-        proxy_pass $1;
+        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+        proxy_set_header Authorization "";                                  # S3
+        proxy_pass $1;                                                      # S3
+        add_header Access-Control-Allow-Origin '*';
    }
    {% else -%}
-    location /_protected/media {
-        # this is an internal location that is used to serve
-        # audio files once correct permission / authentication
-        # has been checked on API side
+    location /_protected/media/ {
        internal;
-        alias   {{ funkwhale_media_path }};
+        alias   {{ funkwhale_media_path }}/;
+        add_header Access-Control-Allow-Origin '*';
    }
-    {% endif -%}
+    {% endif %}

-    location /_protected/music {
-        # this is an internal location that is used to serve
-        # audio files once correct permission / authentication
-        # has been checked on API side
-        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
+    location /_protected/music/ {
+        # This is an internal location that is used to serve
+        # local music files once correct permission / authentication
+        # has been checked on API side.
        internal;
-        alias   {{ funkwhale_music_path }};
+        alias   {{ funkwhale_music_path }}/;
+        add_header Access-Control-Allow-Origin '*';
    }

    location /staticfiles/ {
        # django static files
        alias {{ funkwhale_static_path }}/;
    }
+
+    location /manifest.json {
+        return 302 /api/v1/instance/spa-manifest.json;
+    }
+{{ funkwhale_nginx_additional_config }}
 }
--- a/upgrade.sh
+++ b/upgrade.sh
@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}"
 is_dry_run=${DRY_RUN-false}
 base_path="/srv/funkwhale"
 ansible_conf_path="$base_path/ansible"
-ansible_bin_path="$HOME/.local/bin"
+ansible_venv_path="$HOME/.local/ansible"
+ansible_bin_path="$ansible_venv_path/bin"
 ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
 funkwhale_systemd_after=""
 total_steps="4"
@@ -48,6 +49,9 @@ yesno_prompt() {
 }

 do_upgrade() {
+    if [ ! -f "$ansible_bin_path/ansible" ]; then
+      ansible_bin_path="$HOME/.local/bin"
+    fi
    echo '[Beginning upgrade]'
    playbook_path="$ansible_conf_path/playbook.yml"
    echo "[1/$total_steps] Retrieving currently installed version from $playbook_path"
@@ -100,6 +104,14 @@ do_upgrade() {
        echo "  $playbook_command"
        $playbook_command
    fi
+    echo "[3/$total_steps] Adding $ansible_conf_path/reconfigure script"
+    cat <<EOF >$ansible_conf_path/reconfigure
+#!/bin/sh
+# reapply playbook with existing parameter
+# Useful if you changed some variables in playbook.yml
+exec $ansible_bin_path/ansible-playbook  -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags
+EOF
+    chmod +x $ansible_conf_path/reconfigure
    echo
    echo "Upgrade to $funkwhale_version complete!"
    exit
No results found