...@@ -8,7 +8,7 @@ variables: ...@@ -8,7 +8,7 @@ variables:
pre-commit: pre-commit:
stage: test stage: test
image: python:3.11 image: python:3.12
variables: variables:
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
PRE_COMMIT_HOME: "$CI_PROJECT_DIR/.cache/pre-commit" PRE_COMMIT_HOME: "$CI_PROJECT_DIR/.cache/pre-commit"
...@@ -26,8 +26,10 @@ test-install-script: ...@@ -26,8 +26,10 @@ test-install-script:
image: $TEST_IMAGE image: $TEST_IMAGE
parallel: parallel:
matrix: matrix:
- TEST_IMAGE: ["debian:10", "ubuntu:focal", "ubuntu:jammy", "debian:11"] - TEST_IMAGE: ["ubuntu:focal", "ubuntu:jammy", "debian:11", "debian:12"]
interruptible: true interruptible: true
variables:
FUNKWHALE_CLI_USER_PASSWORD: supersecurepassword
before_script: before_script:
- apt-get update && apt-get install -y curl - apt-get update && apt-get install -y curl
- | - |
...@@ -43,9 +45,17 @@ test-install-script: ...@@ -43,9 +45,17 @@ test-install-script:
- | - |
set -x set -x
export ANSIBLE_FUNKWHALE_ROLE_PATH=$(pwd) export ANSIBLE_FUNKWHALE_ROLE_PATH=$(pwd)
printf 'test.deployment\ntest\ncontact@test.deployment\nY\nN\n\n\n\N\n\n\n' | bash install.sh printf 'test.deployment\ntest1234\ncontact@test.deployment\nY\nN\n\n\n\N\n\n\n' | bash install.sh
tags: tags:
- docker - docker
test-install-script-develop:
extends: test-install-script
variables:
FUNKWHALE_VERSION: develop
before_script:
- apt-get update && apt-get install -y curl
pages: pages:
stage: deploy stage: deploy
image: buildpack-deps image: buildpack-deps
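Review bot: test-install-script-develop overrides `before_script` with only the apt-get line, so the multi-line `- |` step of the parent job's before_script (its body starts past the `- |` marker and is cut off in this view) does not run for that job; with `extends`, list values replace rather than merge. If that block is needed for the develop run as well, drop the override or repeat the full list in the child job. The hard-coded `FUNKWHALE_CLI_USER_PASSWORD: supersecurepassword` and the `test1234` fed through printf are fixtures for a throwaway CI container; a comment above the variable, `# throwaway credential for the CI container only`, would keep it from being mistaken for a default worth copying.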
...@@ -95,7 +95,7 @@ _On some hosts, you may need to install the `python-apt` package for check mode ...@@ -95,7 +95,7 @@ _On some hosts, you may need to install the `python-apt` package for check mode
This command will show you the changes that would be applied to your system. If you are comfortable with them, This command will show you the changes that would be applied to your system. If you are comfortable with them,
rerun the same command without the `--check` flag. rerun the same command without the `--check` flag.
Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/funkwhale/api/manage.py createsuperuser` to create your admin account. Once installation is complete, run `/srv/funkwhale/virtualenv/bin/funkwhale-manage createsuperuser` to create your admin account.
## Role Variables ## Role Variables
...@@ -109,7 +109,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu ...@@ -109,7 +109,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
**Optional variables** **Optional variables**
| name | Default | Description | | name | Default | Description |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server | | `funkwhale_api_ip` | `127.0.0.1` | IP address with which to bind the Funkwhale server |
| `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server | | `funkwhale_api_port` | `5000` | Port with which to bind the Funkwhale server |
| `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory | | `funkwhale_config_path` | `/srv/funkwhale/config` | Path to Funkwhale's configuration directory |
...@@ -129,12 +129,12 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu ...@@ -129,12 +129,12 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
| `funkwhale_nginx_additional_config` | `""` | Additional nginx configuration to add to the Funkwhale `server{}` block | | `funkwhale_nginx_additional_config` | `""` | Additional nginx configuration to add to the Funkwhale `server{}` block |
| `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx | | `funkwhale_nginx_managed` | `true` | If `true`, will install and configure nginx |
| `funkwhale_nginx_tls_termination` | `true` | If `false`, disable SSL in nginx | | `funkwhale_nginx_tls_termination` | `true` | If `false`, disable SSL in nginx |
| `funkwhale_nginx_tls_configure_ciphers` | `true` | Set TLS ciphers, curves, etc, overriding any settings in http{} | | `funkwhale_nginx_tls_configure_ciphers` | `true` | Set TLS ciphers, curves, etc, overriding any settings in http{} |
| `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use | | `funkwhale_nginx_max_body_size` | `100M` | Value of nginx's `max_body_size` parameter to use |
| `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. | | `funkwhale_protocol` | `https` | If set to `https`, will configure Funkwhale and Nginx to work behind HTTPS. Use `http` to completely disable SSL. |
| `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis | | `funkwhale_redis_managed` | `true` | If `true`, will install and configure redis |
| `funkwhale_ssl_cert_path` | `` | Path to an existing SSL certificate to use (use in combination with `funkwhale_letsencrypt_enabled: false`) | | `funkwhale_ssl_key_path` |`` | Path to an existing SSL key to use (use in combination with `funkwhale_letsencrypt_enabled: false`) | | `funkwhale_ssl_cert_path` | `""` | Path to an existing SSL certificate to use (use in combination with `funkwhale_letsencrypt_enabled: false`) |
| `funkwhale_ssl_key_path` | `""` | Path to an existing SSL key to use (use in combination with `funkwhale_letsencrypt_enabled: false`) |
| `funkwhale_static_path` | `/srv/funkwhale/data/static` | Path where Funkwhale static files should be stored | | `funkwhale_static_path` | `/srv/funkwhale/data/static` | Path where Funkwhale static files should be stored |
| `funkwhale_systemd_managed` | `true` | If `true`, will configure Funkwhale systemd services | | `funkwhale_systemd_managed` | `true` | If `true`, will configure Funkwhale systemd services |
| `funkwhale_systemd_after` | `redis.service postgresql.service` | Configuration used for Systemd `After=` directive. Modify it if you have a database or redis server on a separate host | | `funkwhale_systemd_after` | `redis.service postgresql.service` | Configuration used for Systemd `After=` directive. Modify it if you have a database or redis server on a separate host |
...@@ -142,7 +142,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu ...@@ -142,7 +142,7 @@ Once installation is complete, run `/srv/funkwhale/virtualenv/bin/python /srv/fu
| `funkwhale_username` | `funkwhale` | Username of the system user and owner of Funkwhale data, files and configuration | | `funkwhale_username` | `funkwhale` | Username of the system user and owner of Funkwhale data, files and configuration |
| `funkwhale_version` | `latest` | The version to install/upgrade to. You can also use `develop` to run the development branch | | `funkwhale_version` | `latest` | The version to install/upgrade to. You can also use `develop` to run the development branch |
| `funkwhale_custom_pip_packages` | `[]` | A list of additional python packages to download | | `funkwhale_custom_pip_packages` | `[]` | A list of additional python packages to download |
| `funkwhale_custom_settings` | `` | Some Python code to append to`api/config/settings/production.py`. Use funkwhale_custom_settings: | ` for multiline code. | | `funkwhale_custom_settings` | `""` | Some Python code to append to `api/config/settings/production.py`. Use `funkwhale_custom_settings: \| ` for multiline code. |
**Installing from source** **Installing from source**
...@@ -40,7 +40,7 @@ funkwhale_letsencrypt_certbot_flags: ...@@ -40,7 +40,7 @@ funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false funkwhale_letsencrypt_skip_cert: false
funkwhale_nginx_csp_policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:" funkwhale_nginx_csp_policy: "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'"
funkwhale_redis_managed: true funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1 funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000 funkwhale_api_port: 5000
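Review bot: `'unsafe-eval'` inside connect-src on the new `funkwhale_nginx_csp_policy` value is not a valid source expression for that directive (it is a script-src keyword), so browsers ignore it and typically log a console warning; if it was meant for script-src move it there, otherwise drop it. The new value also admits `http:` and `ws:` origins in connect-src, style-src, img-src, font-src and media-src, which lets an HTTPS deployment load plain-HTTP sub-resources and open unencrypted websockets; if that is deliberate for federation with http-only peers, a comment above the line saying so would help, otherwise restrict those directives to `https:`/`wss:`. I cannot tell from this hunk which frontend features require the broad `https: http:` host sources.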
...@@ -20,7 +20,7 @@ min_python_version_major="3" ...@@ -20,7 +20,7 @@ min_python_version_major="3"
min_python_version_minor="5" min_python_version_minor="5"
base_path="/srv/funkwhale" base_path="/srv/funkwhale"
ansible_conf_path="$base_path/ansible" ansible_conf_path="$base_path/ansible"
ansible_bin_path="$HOME/.local/bin" ansible_venv_path="$HOME/.local/ansible"
ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}" ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
ansible_funkwhale_role_path="${ANSIBLE_FUNKWHALE_ROLE_PATH-}" ansible_funkwhale_role_path="${ANSIBLE_FUNKWHALE_ROLE_PATH-}"
funkwhale_systemd_after="" funkwhale_systemd_after=""
...@@ -216,9 +216,11 @@ do_install() { ...@@ -216,9 +216,11 @@ do_install() {
init_ansible() { init_ansible() {
echo "[2/$total_steps] Installing ansible dependencies..." echo "[2/$total_steps] Installing ansible dependencies..."
install_packages curl git python3-pip python3-apt python3-psycopg2 sudo locales locales-all install_packages curl git python3-pip python3-venv python3-apt python3-psycopg2 sudo locales locales-all
echo "[2/$total_steps] Installing Ansible..." echo "[2/$total_steps] Installing Ansible..."
pip3 install --user ansible=="$ansible_version" python3 -m venv $ansible_venv_path
$ansible_venv_path/bin/pip3 install --upgrade pip
$ansible_venv_path/bin/pip3 install ansible=="$ansible_version"
echo "[2/$total_steps] Creating ansible configuration files in $ansible_conf_path..." echo "[2/$total_steps] Creating ansible configuration files in $ansible_conf_path..."
mkdir -p "$ansible_conf_path" mkdir -p "$ansible_conf_path"
...@@ -287,7 +289,7 @@ EOF ...@@ -287,7 +289,7 @@ EOF
#!/bin/sh #!/bin/sh
# reapply playbook with existing parameter # reapply playbook with existing parameter
# Useful if you changed some variables in playbook.yml # Useful if you changed some variables in playbook.yml
exec $ansible_bin_path/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags exec $ansible_venv_path/bin/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags
EOF EOF
chmod +x ./reconfigure chmod +x ./reconfigure
if [ "$funkwhale_redis_managed" = "false" ]; then if [ "$funkwhale_redis_managed" = "false" ]; then
...@@ -306,7 +308,7 @@ EOF ...@@ -306,7 +308,7 @@ EOF
EOF EOF
if [ "$ansible_funkwhale_role_path" = '' ]; then if [ "$ansible_funkwhale_role_path" = '' ]; then
echo "[2/$total_steps] Downloading Funkwhale playbook dependencies" echo "[2/$total_steps] Downloading Funkwhale playbook dependencies"
$ansible_bin_path/ansible-galaxy install -r requirements.yml -f $ansible_venv_path/bin/ansible-galaxy install -r requirements.yml -f
else else
echo "[2/$total_steps] Skipping playbook dependencies, using local role instead" echo "[2/$total_steps] Skipping playbook dependencies, using local role instead"
fi fi
...@@ -314,7 +316,7 @@ EOF ...@@ -314,7 +316,7 @@ EOF
run_playbook() { run_playbook() {
cd "$ansible_conf_path" cd "$ansible_conf_path"
echo "[3/$total_steps] Installing Funkwhale using ansible playbook in $ansible_conf_path..." echo "[3/$total_steps] Installing Funkwhale using ansible playbook in $ansible_conf_path..."
playbook_command="$ansible_bin_path/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags" playbook_command="$ansible_venv_path/bin/ansible-playbook -i $ansible_conf_path/inventory.ini $ansible_conf_path/playbook.yml -u root $ansible_flags"
if [ "$is_dry_run" = "true" ]; then if [ "$is_dry_run" = "true" ]; then
playbook_command="$playbook_command --check" playbook_command="$playbook_command --check"
echo "[3/$total_steps] Skipping playbook because DRY_RUN=true" echo "[3/$total_steps] Skipping playbook because DRY_RUN=true"
...@@ -332,19 +334,20 @@ configure_server() { ...@@ -332,19 +334,20 @@ configure_server() {
cat <<EOF >$base_path/manage cat <<EOF >$base_path/manage
#!/bin/sh #!/bin/sh
set -eu set -eu
sudo -u funkwhale -E $base_path/virtualenv/bin/python $base_path/api/manage.py \$@ sudo -u funkwhale -E $base_path/virtualenv/bin/funkwhale-manage \$@
EOF EOF
chmod +x $base_path/manage chmod +x $base_path/manage
if [ -z "$funkwhale_admin_username" ]; then if [ -z "$funkwhale_admin_username" ]; then
echo "[4/$total_steps] Skipping superuser account creation" echo "[4/$total_steps] Skipping superuser account creation"
else else
echo "[4/$total_steps] Creating superuser account…" echo "[4/$total_steps] Creating superuser account…"
if [ -z "$FUNKWHALE_CLI_USER_PASSWORD" ]; then
echo " Please input the password for the admin account password" echo " Please input the password for the admin account password"
LOGLEVEL=error sudo -u funkwhale -E $base_path/virtualenv/bin/python \ fi
$base_path/api/manage.py createsuperuser \ LOGLEVEL=error sudo -u funkwhale -E \
$base_path/virtualenv/bin/funkwhale-manage fw users create --superuser \
--email $funkwhale_admin_email \ --email $funkwhale_admin_email \
--username $funkwhale_admin_username \ --username $funkwhale_admin_username
-v 0
fi fi
} }
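Review bot: the new `[ -z "$FUNKWHALE_CLI_USER_PASSWORD" ]` test in configure_server references the variable bare, while every other optional environment input in this script is read with the `${VAR-}` form (e.g. `${ANSIBLE_FUNKWHALE_ROLE_PATH-}`); if the script runs under `set -u`, an unset variable aborts here before the prompt is ever shown. Use `if [ -z "${FUNKWHALE_CLI_USER_PASSWORD-}" ]; then` for consistency. I infer from the CI change that `funkwhale-manage fw users create` reads the password from that variable via `sudo -E`; a one-line comment above the `if` stating that would make the dependency explicit. Separately, `python3 -m venv $ansible_venv_path` in init_ansible is the only unquoted use of the path variable in this hunk; `python3 -m venv "$ansible_venv_path"` matches the quoting used for `$ansible_conf_path` two lines below.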
...@@ -100,7 +100,7 @@ ...@@ -100,7 +100,7 @@
become_user: "{{ funkwhale_username }}" become_user: "{{ funkwhale_username }}"
when: funkwhale_frontend_managed and not funkwhale_install_from_source when: funkwhale_frontend_managed and not funkwhale_install_from_source
unarchive: unarchive:
src: https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/{{ funkwhale_install_version }}/download?job=build_front src: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_install_version }}/download?job=build_front
dest: "{{ funkwhale_install_path }}" dest: "{{ funkwhale_install_path }}"
remote_src: true remote_src: true
notify: notify:
...@@ -111,7 +111,7 @@ ...@@ -111,7 +111,7 @@
become_user: "{{ funkwhale_username }}" become_user: "{{ funkwhale_username }}"
when: not funkwhale_install_from_source when: not funkwhale_install_from_source
unarchive: unarchive:
src: https://dev.funkwhale.audio/funkwhale/funkwhale/builds/artifacts/{{ funkwhale_install_version }}/download?job=build_api src: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_install_version }}/download?job=build_api
dest: "{{ funkwhale_install_path }}" dest: "{{ funkwhale_install_path }}"
remote_src: true remote_src: true
notify: notify:
...@@ -279,7 +279,7 @@ ...@@ -279,7 +279,7 @@
block: "{{ funkwhale_custom_settings }}" block: "{{ funkwhale_custom_settings }}"
- name: "Collect static files" - name: "Collect static files"
command: "{{ funkwhale_install_path }}/virtualenv/bin/python api/manage.py collectstatic --no-input" command: "{{ funkwhale_install_path }}/virtualenv/bin/funkwhale-manage collectstatic --no-input"
become: true become: true
become_user: "{{ funkwhale_username }}" become_user: "{{ funkwhale_username }}"
args: args:
...@@ -288,6 +288,6 @@ ...@@ -288,6 +288,6 @@
- name: "Apply database migrations" - name: "Apply database migrations"
become: true become: true
become_user: "{{ funkwhale_username }}" become_user: "{{ funkwhale_username }}"
command: "{{ funkwhale_install_path }}/virtualenv/bin/python api/manage.py migrate --no-input" command: "{{ funkwhale_install_path }}/virtualenv/bin/funkwhale-manage migrate --no-input"
args: args:
chdir: "{{ funkwhale_install_path }}" chdir: "{{ funkwhale_install_path }}"
...@@ -15,30 +15,35 @@ ...@@ -15,30 +15,35 @@
# from https://gist.github.com/mattiaslundberg/ba214a35060d3c8603e9b1ec8627d349 # from https://gist.github.com/mattiaslundberg/ba214a35060d3c8603e9b1ec8627d349
- name: Check if certbot is already installed
stat:
path: "/usr/bin/certbot"
register: "certbot_installed"
- name: Install snapd - name: Install snapd
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true become: true
package: package:
name: snapd name: snapd
state: present state: present
- name: Prepare snapd for certbot installation - name: Prepare snapd for certbot installation
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true become: true
command: snap install core command: snap install core
- name: Refresh core snap before installing certbot - name: Refresh core snap before installing certbot
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true become: true
command: snap refresh core command: snap refresh core
- name: Install certbot snap - name: Install certbot snap
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true become: true
command: snap install --classic certbot command: snap install --classic certbot
- name: Link certbot snap installation - name: Link certbot snap installation
when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled when: funkwhale_nginx_managed and funkwhale_letsencrypt_enabled and not certbot_installed.stat.exists
become: true become: true
file: file:
src: /snap/bin/certbot src: /snap/bin/certbot
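Review bot: the new stat guard leaves any pre-existing /usr/bin/certbot untouched, so a distribution-packaged certbot is never replaced by the snap and the core refresh steps are skipped for it; if that is the intended compatibility behaviour, record it with a comment above the stat task such as `# An existing certbot (e.g. from apt) is kept; the snap is only installed when none is present.` The stat task also runs regardless of `funkwhale_nginx_managed and funkwhale_letsencrypt_enabled`, which is harmless but could carry the same `when:` for symmetry with the tasks it gates. The hunk ends inside the "Link certbot snap installation" task.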
# global proxy conf # global proxy conf
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
{% if not funkwhale_nginx_tls_termination -%} {% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Host $host:$server_port; proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_redirect off; proxy_redirect off;
{% endif -%} {% endif -%}
# websocket support # websocket support
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection $funkwhale_connection_upgrade;
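Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` now forwards whatever the client sent even when nginx terminates TLS itself, because the line sits outside the `{% if not funkwhale_nginx_tls_termination %}` block; an internet-facing client can therefore present an arbitrary scheme to the application, whereas the previous `$scheme` was set by nginx. If Funkwhale uses this header to decide whether a request was secure, only trust it in the non-terminating case: `proxy_set_header X-Forwarded-Proto {% if funkwhale_nginx_tls_termination %}$scheme{% else %}$http_x_forwarded_proto{% endif %};`. The new `$funkwhale_connection_upgrade` variable appears to be defined by the `map` in the sibling funkwhale.conf template, so this file presumably only works when included from a server block of that configuration; a comment above the Connection line naming where the map lives would save the next reader a search.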
# {{ ansible_managed }} # {{ ansible_managed }}
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
upstream funkwhale-api {
server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
}
{% if funkwhale_nginx_tls_termination -%} {% if funkwhale_nginx_tls_termination -%}
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name {{ funkwhale_hostname }}; server_name {{ funkwhale_hostname }};
location / { return 301 https://$host$request_uri; }
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
}
location / {
return 301 https://$host$request_uri;
}
} }
{% endif -%} {% endif -%}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %}; listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %}; listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
charset utf-8;
server_name {{ funkwhale_hostname }}; server_name {{ funkwhale_hostname }};
{% if funkwhale_nginx_tls_termination -%} {% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%} {% if funkwhale_ssl_key_path -%}
...@@ -19,25 +41,31 @@ server { ...@@ -19,25 +41,31 @@ server {
{% else -%} {% else -%}
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%} {% endif -%} {# funkwhale_ssl_key_path #}
{% if funkwhale_nginx_tls_configure_ciphers -%} {% if funkwhale_nginx_tls_configure_ciphers -%}
# from https://cipherli.st/ # Many of these are overridden by matching settings outside of any server{} block!
ssl_prefer_server_ciphers on; # https://github.com/mozilla/ssl-config-generator/issues/76
ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ecdh_curve secp384r1; # https://ssl-config.mozilla.org/#server=nginx&config=modern
ssl_session_timeout 10m; ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif -%} ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
add_header Strict-Transport-Security "max-age=63072000; preload"; {% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
{% endif -%} add_header Strict-Transport-Security "max-age=31536000" always;
{% endif -%} {# funkwhale_nginx_tls_termination #}
{% if funkwhale_nginx_csp_policy -%} {% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}"; add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%} {% endif -%}
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root {{ funkwhale_frontend_path }}; root {{ funkwhale_frontend_path }};
...@@ -72,79 +100,106 @@ server { ...@@ -72,79 +100,106 @@ server {
{% endif -%} {% endif -%}
# end of compression settings # end of compression settings
location / { location /api/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled # This is needed if you have file import via upload enabled.
client_max_body_size {{ funkwhale_nginx_max_body_size }}; client_max_body_size {{ funkwhale_nginx_max_body_size }};
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/; proxy_pass http://funkwhale-api;
} }
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
location /front/ { location / {
alias {{ funkwhale_frontend_path }}/; alias {{ funkwhale_frontend_path }}/;
expires 30d; expires 1d;
add_header Pragma public; add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate"; add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Service-Worker-Allowed "/"; add_header Service-Worker-Allowed "/";
try_files $uri $uri/ /index.html;
}
location ~ "/(front/)?embed.html" {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias {{ funkwhale_frontend_path }}/embed.html;
expires 1d;
} }
location /federation/ { location /federation/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/federation/; proxy_pass http://funkwhale-api;
} }
# You can comment this if you do not plan to use the Subsonic API # You can comment this if you do not plan to use the Subsonic API.
location /rest/ { location /rest/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/api/subsonic/rest/; proxy_pass http://funkwhale-api/api/subsonic/rest/;
} }
location /.well-known/ { location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/; proxy_pass http://funkwhale-api;
} }
location /media/ { # Allow direct access to only specific subdirectories in /media
alias {{ funkwhale_media_path }}/; location /media/__sized__/ {
alias {{ funkwhale_media_path }}/__sized__/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/attachments/ {
alias {{ funkwhale_media_path }}/attachments/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/dynamic_preferences/ {
alias {{ funkwhale_media_path }}/dynamic_preferences/;
add_header Access-Control-Allow-Origin '*';
} }
{% if funkwhale_external_storage_enabled -%} {% if funkwhale_external_storage_enabled -%}
# Comment the previous location and uncomment this one if you're storing # This is an internal location that is used to serve
# media files in a S3 bucket # media (uploaded) files once correct permission / authentication
# has been checked on API side.
location ~ /_protected/media/(.+) { location ~ /_protected/media/(.+) {
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
proxy_set_header Authorization "";
internal; internal;
proxy_pass $1; # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
proxy_set_header Authorization ""; # S3
proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
} }
{% else -%} {% else -%}
location /_protected/media { location /_protected/media/ {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
internal; internal;
alias {{ funkwhale_media_path }}; alias {{ funkwhale_media_path }}/;
add_header Access-Control-Allow-Origin '*';
} }
{% endif %} {% endif %}
location /_protected/music { location /_protected/music/ {
# this is an internal location that is used to serve # This is an internal location that is used to serve
# audio files once correct permission / authentication # local music files once correct permission / authentication
# has been checked on API side # has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
internal; internal;
alias {{ funkwhale_music_path }}; alias {{ funkwhale_music_path }}/;
add_header Access-Control-Allow-Origin '*';
} }
location /staticfiles/ { location /staticfiles/ {
# django static files # django static files
alias {{ funkwhale_static_path }}/; alias {{ funkwhale_static_path }}/;
} }
{% if funkwhale_disable_django_admin -%}
location /api/admin/ { location /manifest.json {
# disable access to API admin dashboard return 302 /api/v1/instance/spa-manifest.json;
return 403;
} }
{% endif -%}
{{ funkwhale_nginx_additional_config }} {{ funkwhale_nginx_additional_config }}
} }
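Review bot: the security headers added at server level (Content-Security-Policy, Referrer-Policy, X-Frame-Options and, under TLS termination, Strict-Transport-Security) do not reach the responses of the new `location /` that serves the frontend, because that location has its own `add_header` directives (Pragma, Cache-Control, Service-Worker-Allowed) and nginx only inherits `add_header` from the enclosing level when the current level defines none. The old layout proxied `/` to the API, so the SPA's index.html is the response that newly loses CSP and the other headers; the same applies to the `/media/*` and `/_protected/*` locations that add Access-Control-Allow-Origin. Repeat the headers in `location /` as below, or move them into a snippet that both the server block and these locations `include`. The first and second hunks of this section are left as they are.

```nginx
    location / {
        alias {{ funkwhale_frontend_path }}/;
        expires 1d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        add_header Service-Worker-Allowed "/";
        # add_header in a location replaces the server-level set, so the
        # security headers must be repeated here for the SPA responses.
        {% if funkwhale_nginx_tls_termination -%}
        add_header Strict-Transport-Security "max-age=31536000" always;
        {% endif -%}
        {% if funkwhale_nginx_csp_policy -%}
        add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
        {% endif -%}
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN" always;
        try_files $uri $uri/ /index.html;
    }
    # … unchanged: embed.html, /federation/, /rest/, /.well-known/, media and protected locations …
```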
...@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}" ...@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}"
is_dry_run=${DRY_RUN-false} is_dry_run=${DRY_RUN-false}
base_path="/srv/funkwhale" base_path="/srv/funkwhale"
ansible_conf_path="$base_path/ansible" ansible_conf_path="$base_path/ansible"
ansible_bin_path="$HOME/.local/bin" ansible_venv_path="$HOME/.local/ansible"
ansible_bin_path="$ansible_venv_path/bin"
ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}" ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
funkwhale_systemd_after="" funkwhale_systemd_after=""
total_steps="4" total_steps="4"
...@@ -48,6 +49,9 @@ yesno_prompt() { ...@@ -48,6 +49,9 @@ yesno_prompt() {
} }
do_upgrade() { do_upgrade() {
if [ ! -f "$ansible_bin_path/ansible" ]; then
ansible_bin_path="$HOME/.local/bin"
fi
echo '[Beginning upgrade]' echo '[Beginning upgrade]'
playbook_path="$ansible_conf_path/playbook.yml" playbook_path="$ansible_conf_path/playbook.yml"
echo "[1/$total_steps] Retrieving currently installed version from $playbook_path" echo "[1/$total_steps] Retrieving currently installed version from $playbook_path"
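Review bot: the fallback added at the top of do_upgrade switches to `$HOME/.local/bin` silently, so an upgrade on a host installed before the venv change keeps running the user-site ansible with no indication, and if neither location holds the binary the script carries on with a path that does not exist. Print which installation is in use, e.g. `echo "[Using ansible from $ansible_bin_path]"` after the `fi`, and fail early when `$ansible_bin_path/ansible-playbook` is missing, since that is presumably the binary the rest of the function invokes (its remaining body is outside this hunk). Testing for `ansible` while later calling `ansible-playbook` is fine only as long as both come from the same installation.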