Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision

Target

Select target project
  • funkwhale/ansible
  • lfuelling/ansible
  • kevit/ansible
  • theorangepotato/ansible
  • popindavibe/ansible
  • xenofem/ansible
  • kippix/ansible
  • half-duplex/ansible
  • barslmn/ansible
  • sofubi/ansible
  • DannyBoy/ansible
11 results
Select Git revision
Show changes
Commits on Source (13)
Show whitespace changes
Inline Side-by-side
.gitlab-ci.yml
View file @ 3f0294c3
......@@ -8,7 +8,7 @@ variables:
pre-commit:
stage: test
image: python:3.11
image: python:3.12
variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
PRE_COMMIT_HOME: "$CI_PROJECT_DIR/.cache/pre-commit"
......@@ -26,8 +26,10 @@ test-install-script:
image: $TEST_IMAGE
parallel:
matrix:
- TEST_IMAGE: ["debian:10", "ubuntu:focal", "ubuntu:jammy", "debian:11"]
- TEST_IMAGE: ["ubuntu:focal", "ubuntu:jammy", "debian:11", "debian:12"]
interruptible: true
variables:
FUNKWHALE_CLI_USER_PASSWORD: supersecurepassword
before_script:
- apt-get update && apt-get install -y curl
- |
......@@ -43,9 +45,17 @@ test-install-script:
- |
set -x
export ANSIBLE_FUNKWHALE_ROLE_PATH=$(pwd)
printf 'test.deployment\ntest\ncontact@test.deployment\nY\nN\n\n\n\N\n\n\n' | bash install.sh
printf 'test.deployment\ntest1234\ncontact@test.deployment\nY\nN\n\n\n\N\n\n\n' | bash install.sh
tags:
- docker
test-install-script-develop:
extends: test-install-script
variables:
FUNKWHALE_VERSION: develop
before_script:
- apt-get update && apt-get install -y curl
pages:
stage: deploy
image: buildpack-deps
......
README.md
View file @ 3f0294c3
......@@ -95,7 +95,7 @@ _On some hosts, you may need to install the `python-apt` package for check mode
This command will show you the changes that would be applied to your system. If you are comfortable with them,
rerun the same command without the `--check` flag.
Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/funkwhale/api/manage.py createsuperuser` to create your admin account.
Once installation is complete, run `/srv/funkwhale/virtualenv/bin/funkwhale-manage createsuperuser` to create your admin account.
## Role Variables
......@@ -109,7 +109,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
**Optional variables**
| name | Default | Description |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
| `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
| `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
......@@ -129,12 +129,12 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
| `funkwhale_nginx_additional_config` | `""` | Additional nginx configuration to add to the Funkwhale `server{}` block |
| `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx |
| `funkwhale_nginx_tls_termination` | `true` | If `false`, disable SSL in nginx |
| `funkwhale_nginx_tls_configure_ciphers` | `true` | Set TLS ciphers, curves, etc, overriding any settings in http{} |
| `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use |
| `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
| `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis |
| `funkwhale_ssl_cert_path` | `` | Path to an existing SSL certificate to use (use in combination with `funkwhale_letsencrypt_enabled: false`) | | `funkwhale_ssl_key_path` |`` | Path to an existing SSL key to use (use in combination with `funkwhale_letsencrypt_enabled: false`) |
| `funkwhale_ssl_cert_path` | `""` | Path to an existing SSL certificate to use (use in combination with `funkwhale_letsencrypt_enabled: false`) |
| `funkwhale_ssl_key_path` | `""` | Path to an existing SSL key to use (use in combination with `funkwhale_letsencrypt_enabled: false`) |
| `funkwhale_static_path` | `/srv/funkwhale/data/static` | Path where Funkwhale static files should be stored |
| `funkwhale_systemd_managed` | `true` | If `true`, will configure Funkwhale systemd services |
| `funkwhale_systemd_after` | `redis.service postgresql.service` | Configuration used for Systemd `After=` directive. Modify it if you have a database or redis server on a separate host |
......@@ -142,7 +142,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
| `funkwhale_username` | `funkwhale` | Username of the system user and owner of Funkwhale data, files and configuration |
| `funkwhale_version` | `latest` | The version to install/upgrade to. You can also use `develop` to run the development branch |
| `funkwhale_custom_pip_packages` | `[]` | A list of additional python packages to download |
| `funkwhale_custom_settings` | `` | Some Python code to append to`api/config/settings/production.py`. Use funkwhale_custom_settings: | ` for multiline code. |
| `funkwhale_custom_settings` | `""` | Some Python code to append to `api/config/settings/production.py`. Use `funkwhale_custom_settings: \| ` for multiline code. |
**Installing from source**
......
defaults/main.yml
View file @ 3f0294c3
......@@ -40,7 +40,7 @@ funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"
funkwhale_nginx_csp_policy: "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"
funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000
......
install.sh
View file @ 3f0294c3
......@@ -20,7 +20,7 @@ min_python_version_major="3"
min_python_version_minor="5"
base_path="/srv/funkwhale"
ansible_conf_path="$base_path/ansible"
ansible_bin_path="$HOME/.local/bin"
ansible_venv_path="$HOME/.local/ansible"
ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
ansible_funkwhale_role_path="${ANSIBLE_FUNKWHALE_ROLE_PATH-}"
funkwhale_systemd_after=""
......@@ -216,9 +216,11 @@ do_install() {
init_ansible() {
echo "[2/$total_steps] Installing ansible dependencies..."
install_packages curl git python3-pip python3-apt python3-psycopg2 sudo locales locales-all
install_packages curl git python3-pip python3-venv python3-apt python3-psycopg2 sudo locales locales-all
echo "[2/$total_steps] Installing Ansible..."
pip3 install --user ansible=="$ansible_version"
python3 -m venv $ansible_venv_path
$ansible_venv_path/bin/pip3 install --upgrade pip
$ansible_venv_path/bin/pip3 install ansible=="$ansible_version"
echo "[2/$total_steps] Creating ansible configuration files in $ansible_conf_path..."
mkdir -p "$ansible_conf_path"
......@@ -287,7 +289,7 @@ EOF
#!/bin/sh
# reapply playbook with existing parameter
# Useful if you changed some variables in playbook.yml
exec $ansible_bin_path/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags
exec $ansible_venv_path/bin/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags
EOF
chmod +x ./reconfigure
if [ "$funkwhale_redis_managed" = "false" ]; then
......@@ -306,7 +308,7 @@ EOF
EOF
if [ "$ansible_funkwhale_role_path" = '' ]; then
echo "[2/$total_steps] Downloading Funkwhale playbook dependencies"
$ansible_bin_path/ansible-galaxy install -r requirements.yml -f
$ansible_venv_path/bin/ansible-galaxy install -r requirements.yml -f
else
echo "[2/$total_steps] Skipping playbook dependencies, using local role instead"
fi
......@@ -314,7 +316,7 @@ EOF
run_playbook() {
cd "$ansible_conf_path"
echo "[3/$total_steps] Installing Funkwhale using ansible playbook in $ansible_conf_path..."
playbook_command="$ansible_bin_path/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags"
playbook_command="$ansible_venv_path/bin/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags"
if [ "$is_dry_run" = "true" ]; then
playbook_command="$playbook_command --check"
echo "[3/$total_steps] Skipping playbook because DRY_RUN=true"
......@@ -332,19 +334,20 @@ configure_server() {
cat <<EOF >$base_path/manage
#!/bin/sh
set -eu
sudo -u funkwhale -E $base_path/virtualenv/bin/python $base_path/api/manage.py \$@
sudo -u funkwhale -E $base_path/virtualenv/bin/funkwhale-manage \$@
EOF
chmod +x $base_path/manage
if [ -z "$funkwhale_admin_username" ]; then
echo "[4/$total_steps] Skipping superuser account creation"
else
echo "[4/$total_steps] Creating superuser account…"
if [ -z "$FUNKWHALE_CLI_USER_PASSWORD" ]; then
echo " Please input the password for the admin account password"
LOGLEVEL=error sudo -u funkwhale -E $base_path/virtualenv/bin/python \
$base_path/api/manage.py createsuperuser \
fi
LOGLEVEL=error sudo -u funkwhale -E \
$base_path/virtualenv/bin/funkwhale-manage fw users create --superuser \
--email $funkwhale_admin_email \
--username $funkwhale_admin_username \
-v 0
--username $funkwhale_admin_username
fi
}
......
tasks/funkwhale.yml
View file @ 3f0294c3
......@@ -100,7 +100,7 @@
become_user: "{{ funkwhale_username }}"
when: funkwhale_frontend_managed and not funkwhale_install_from_source
unarchive:
src: https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/{{ funkwhale_install_version }}/download?job=build_front
src: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_install_version }}/download?job=build_front
dest: "{{ funkwhale_install_path }}"
remote_src: true
notify:
......@@ -111,7 +111,7 @@
become_user: "{{ funkwhale_username }}"
when: not funkwhale_install_from_source
unarchive:
src: https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/{{ funkwhale_install_version }}/download?job=build_api
src: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_install_version }}/download?job=build_api
dest: "{{ funkwhale_install_path }}"
remote_src: true
notify:
......@@ -279,7 +279,7 @@
block: "{{ funkwhale_custom_settings }}"
- name: "Collect static files"
command: "{{ funkwhale_install_path }}/virtualenv/bin/python api/manage.py collectstatic --no-input"
command: "{{ funkwhale_install_path }}/virtualenv/bin/funkwhale-manage collectstatic --no-input"
become: true
become_user: "{{ funkwhale_username }}"
args:
......@@ -288,6 +288,6 @@
- name: "Apply database migrations"
become: true
become_user: "{{ funkwhale_username }}"
command: "{{ funkwhale_install_path }}/virtualenv/bin/python api/manage.py migrate --no-input"
command: "{{ funkwhale_install_path }}/virtualenv/bin/funkwhale-manage migrate --no-input"
args:
chdir: "{{ funkwhale_install_path }}"
tasks/nginx.yml
View file @ 3f0294c3
......@@ -15,30 +15,35 @@
# from https://gist.github.com/mattiaslundberg/ba214a35060d3c8603e9b1ec8627d349
- name: Check if certbot is already installed
stat:
path: "/usr/bin/certbot"
register: "certbot_installed"
- name: Install snapd
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true
package:
name: snapd
state: present
- name: Prepare snapd for certbot installation
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true
command: snap install core
- name: Refresh core snap before installing certbot
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true
command: snap refresh core
- name: Install certbot snap
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true
command: snap install --classic certbot
- name: Link certbot snap installation
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true
file:
src: /snap/bin/certbot
......
templates/funkwhale_proxy.conf.j2
View file @ 3f0294c3
# global proxy conf
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
{% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_redirect off;
{% endif -%}
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Connection $funkwhale_connection_upgrade;
templates/nginx.conf.j2
View file @ 3f0294c3
# {{ ansible_managed }}
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
upstream funkwhale-api {
server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
}
{% if funkwhale_nginx_tls_termination -%}
server {
listen 80;
listen [::]:80;
server_name {{ funkwhale_hostname }};
location / { return 301 https://$host$request_uri; }
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
}
location / {
return 301 https://$host$request_uri;
}
}
{% endif -%}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
default upgrade;
'' close;
}
server {
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
charset utf-8;
server_name {{ funkwhale_hostname }};
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
......@@ -19,25 +41,31 @@ server {
{% else -%}
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%}
{% endif -%} {# funkwhale_ssl_key_path #}
{% if funkwhale_nginx_tls_configure_ciphers -%}
# from https://cipherli.st/
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
# Many of these are overridden by matching settings outside of any server{} block!
# https://github.com/mozilla/ssl-config-generator/issues/76
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# https://ssl-config.mozilla.org/#server=nginx&config=modern
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
{% endif -%}
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
{% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
add_header Strict-Transport-Security "max-age=31536000" always;
{% endif -%} {# funkwhale_nginx_tls_termination #}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root {{ funkwhale_frontend_path }};
......@@ -72,79 +100,106 @@ server {
{% endif -%}
# end of compression settings
location / {
location /api/ {
include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled
# This is needed if you have file import via upload enabled.
client_max_body_size {{ funkwhale_nginx_max_body_size }};
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/;
proxy_pass http://funkwhale-api;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
location /front/ {
location / {
alias {{ funkwhale_frontend_path }}/;
expires 30d;
expires 1d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Service-Worker-Allowed "/";
try_files $uri $uri/ /index.html;
}
location ~ "/(front/)?embed.html" {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias {{ funkwhale_frontend_path }}/embed.html;
expires 1d;
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/federation/;
proxy_pass http://funkwhale-api;
}
# You can comment this if you do not plan to use the Subsonic API
# You can comment this if you do not plan to use the Subsonic API.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/api/subsonic/rest/;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
proxy_pass http://funkwhale-api;
}
location /media/ {
alias {{ funkwhale_media_path }}/;
# Allow direct access to only specific subdirectories in /media
location /media/__sized__/ {
alias {{ funkwhale_media_path }}/__sized__/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/attachments/ {
alias {{ funkwhale_media_path }}/attachments/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/dynamic_preferences/ {
alias {{ funkwhale_media_path }}/dynamic_preferences/;
add_header Access-Control-Allow-Origin '*';
}
{% if funkwhale_external_storage_enabled -%}
# Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
location ~ /_protected/media/(.+) {
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
proxy_set_header Authorization "";
internal;
proxy_pass $1;
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
proxy_set_header Authorization ""; # S3
proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
{% else -%}
location /_protected/media {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
location /_protected/media/ {
internal;
alias {{ funkwhale_media_path }};
alias {{ funkwhale_media_path }}/;
add_header Access-Control-Allow-Origin '*';
}
{% endif %}
location /_protected/music {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
internal;
alias {{ funkwhale_music_path }};
alias {{ funkwhale_music_path }}/;
add_header Access-Control-Allow-Origin '*';
}
location /staticfiles/ {
# django static files
alias {{ funkwhale_static_path }}/;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
location /manifest.json {
return 302 /api/v1/instance/spa-manifest.json;
}
{% endif -%}
{{ funkwhale_nginx_additional_config }}
}
upgrade.sh
View file @ 3f0294c3
......@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}"
is_dry_run=${DRY_RUN-false}
base_path="/srv/funkwhale"
ansible_conf_path="$base_path/ansible"
ansible_bin_path="$HOME/.local/bin"
ansible_venv_path="$HOME/.local/ansible"
ansible_bin_path="$ansible_venv_path/bin"
ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
funkwhale_systemd_after=""
total_steps="4"
......@@ -48,6 +49,9 @@ yesno_prompt() {
}
do_upgrade() {
if [ ! -f "$ansible_bin_path/ansible" ]; then
ansible_bin_path="$HOME/.local/bin"
fi
echo '[Beginning upgrade]'
playbook_path="$ansible_conf_path/playbook.yml"
echo "[1/$total_steps] Retrieving currently installed version from $playbook_path"
......