funkwhale
ansible
Compare revisions
master to master
Source
funkwhale/ansible
master
Target
DannyBoy/ansible
master
Showing
2 changed files
templates/nginx.conf.j2
+98
-43
98 additions, 43 deletions
templates/nginx.conf.j2
upgrade.sh
+5
-1
5 additions, 1 deletion
upgrade.sh
with
103 additions
and
44 deletions
templates/nginx.conf.j2
3f0294c3
# {{ ansible_managed }}
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
upstream funkwhale-api {
server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
}
{% if funkwhale_nginx_tls_termination -%}
server {
listen 80;
listen [::]:80;
server_name {{ funkwhale_hostname }};
location / { return 301 https://$host$request_uri; }
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
}
location / {
return 301 https://$host$request_uri;
}
}
{% endif -%}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
default upgrade;
'' close;
}
server {
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
charset utf-8;
server_name {{ funkwhale_hostname }};
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
...
...
@@ -19,25 +41,31 @@ server {
{% else -%}
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%}
{% endif -%} {# funkwhale_ssl_key_path #}
{% if funkwhale_nginx_tls_configure_ciphers -%}
#
from https://cipherli.st/
ssl_prefer_server_ciphers on;
ssl_
ciphers EECDH+AESGCM:EDH+AESGCM
;
ssl_ecdh_curve secp384r1;
ssl_session_timeout
10m
;
#
Many of these are overridden by matching settings outside of any server{} block!
# https://github.com/mozilla/ssl-config-generator/issues/76
ssl_
ecdh_curve X25519:prime256v1:secp384r1
;
# https://ssl-config.mozilla.org/#server=nginx&config=modern
ssl_session_timeout
1d
;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
{% endif -%}
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
{% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
add_header Strict-Transport-Security "max-age=31536000" always;
{% endif -%} {# funkwhale_nginx_tls_termination #}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root {{ funkwhale_frontend_path }};
...
...
@@ -72,79 +100,106 @@ server {
{% endif -%}
# end of compression settings
location / {
location /
api/
{
include /etc/nginx/funkwhale_proxy.conf;
#
t
his is needed if you have file import via upload enabled
#
T
his is needed if you have file import via upload enabled
.
client_max_body_size {{ funkwhale_nginx_max_body_size }};
proxy_pass http://
{{
funkwhale
_
api
_ip }}:{{ funkwhale_api_port }}/
;
proxy_pass http://funkwhale
-
api;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
location /
front/
{
location / {
alias {{ funkwhale_frontend_path }}/;
expires
30
d;
expires
1
d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Service-Worker-Allowed "/";
try_files $uri $uri/ /index.html;
}
location ~ "/(front/)?embed.html" {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias {{ funkwhale_frontend_path }}/embed.html;
expires 1d;
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_api_ip }}:{{ funkwhale_api_port }}/federation/
;
proxy_pass http://funkwhale
-api
;
}
# You can comment this if you do not plan to use the Subsonic API
# You can comment this if you do not plan to use the Subsonic API
.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_api_ip }}:{{ funkwhale_api_port }}
/api/subsonic/rest/;
proxy_pass http://funkwhale
-api
/api/subsonic/rest/;
}
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://
{{
funkwhale
_
api
_ip }}:{{ funkwhale_api_port }}/.well-known/
;
proxy_pass http://funkwhale
-
api;
}
location /media/ {
alias {{ funkwhale_media_path }}/;
# Allow direct access to only specific subdirectories in /media
location /media/__sized__/ {
alias {{ funkwhale_media_path }}/__sized__/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/attachments/ {
alias {{ funkwhale_media_path }}/attachments/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/dynamic_preferences/ {
alias {{ funkwhale_media_path }}/dynamic_preferences/;
add_header Access-Control-Allow-Origin '*';
}
{% if funkwhale_external_storage_enabled -%}
# Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
location ~ /_protected/media/(.+) {
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
proxy_set_header Authorization "";
internal;
proxy_pass $1;
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
proxy_set_header Authorization ""; # S3
proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
{% else -%}
location /_protected/media {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
location /_protected/media/ {
internal;
alias {{ funkwhale_media_path }};
alias {{ funkwhale_media_path }}/;
add_header Access-Control-Allow-Origin '*';
}
{% endif %}
location /_protected/music {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
internal;
alias {{ funkwhale_music_path }};
alias {{ funkwhale_music_path }}/;
add_header Access-Control-Allow-Origin '*';
}
location /staticfiles/ {
# django static files
alias {{ funkwhale_static_path }}/;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
location /manifest.json {
return 302 /api/v1/instance/spa-manifest.json;
}
{% endif -%}
{{ funkwhale_nginx_additional_config }}
}
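Review bot: The new `location /front/` block (hunk @@ -72,79 +100,106) declares its own `add_header Pragma`, `Cache-Control` and `Service-Worker-Allowed`, and the `/media/__sized__/`, `/media/attachments/`, `/media/dynamic_preferences/` and `/_protected/...` locations each declare `add_header Access-Control-Allow-Origin`; in nginx an `add_header` at location level replaces, rather than extends, the header set inherited from the enclosing `server {}`, so responses from those locations will not carry the `Strict-Transport-Security`, `Content-Security-Policy`, `Referrer-Policy` and `X-Frame-Options` headers this change places at server level (hunk @@ -19,25 +41,31). The frontend entry point served from `/front/` is precisely the response that most needs those headers, so the server-level hardening is presumably not reaching the browser for it. Either repeat the security `add_header` lines inside every location that sets its own headers (an `include` of a shared snippet keeps them in one place), or move the cache and CORS headers to a server-level `add_header` driven by a `map` on `$uri`. At minimum add a comment beside the server-level headers, e.g. `# NOTE: nginx does not merge add_header sets; any location that uses add_header must repeat these`. The embed.html location, which intentionally replaces the CSP, is the one case where the override is wanted.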
upgrade.sh
3f0294c3
...
...
@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}"
is_dry_run
=
${
DRY_RUN
-false
}
base_path
=
"/srv/funkwhale"
ansible_conf_path
=
"
$base_path
/ansible"
ansible_bin_path
=
"
$HOME
/.local/bin"
ansible_venv_path
=
"
$HOME
/.local/ansible"
ansible_bin_path
=
"
$ansible_venv_path
/bin"
ansible_funkwhale_role_version
=
"
${
ANSIBLE_FUNKWHALE_ROLE_VERSION
-master
}
"
funkwhale_systemd_after
=
""
total_steps
=
"4"
...
...
@@ -48,6 +49,9 @@ yesno_prompt() {
}
do_upgrade
()
{
if
[
!
-f
"
$ansible_bin_path
/ansible"
]
;
then
ansible_bin_path
=
"
$HOME
/.local/bin"
fi
echo
'[Beginning upgrade]'
playbook_path
=
"
$ansible_conf_path
/playbook.yml"
echo
"[1/
$total_steps
] Retrieving currently installed version from
$playbook_path
"
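Review bot: In `do_upgrade` (hunk @@ -48,6 +49,9) the new fallback `if [ ! -f "$ansible_bin_path/ansible" ]; then ansible_bin_path="$HOME/.local/bin"; fi` only checks for a regular file, not an executable, and when neither the venv path nor `$HOME/.local/bin` contains `ansible` the function carries on with a path that does not exist and fails later with a less obvious error. Use `-x` and fail explicitly: `[ -x "$ansible_bin_path/ansible" ] || ansible_bin_path="$HOME/.local/bin"` followed by `[ -x "$ansible_bin_path/ansible" ] || { echo "ansible not found in $ansible_venv_path/bin or $HOME/.local/bin" >&2; exit 1; }`. The reassignment also overwrites the top-level `ansible_bin_path` introduced in hunk @@ -14,7 +14,8 from inside a function, so any code that reads it before `do_upgrade` runs still sees the venv path; if that is intended, a one-line comment such as `# fall back to the legacy pip --user install location` would make it clear. The body of `do_upgrade` continues past the end of the hunk.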
...
...