# {{ ansible_managed }}
# This template was based on Funkwhale's nginx.template at ae2402618846d414cb1b4e7237c4ce43d8c8837c
upstream funkwhale-api {
server {{ funkwhale_api_ip }}:{{ funkwhale_api_port }};
}
{% if funkwhale_nginx_tls_termination -%}
server {
listen 80;
listen [::]:80;
server_name {{ funkwhale_hostname }};
location / { return 301 https://$host$request_uri; }
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
}
location / {
return 301 https://$host$request_uri;
}
}
{% endif -%}
# Required for websocket support.
map $http_upgrade $funkwhale_connection_upgrade {
default upgrade;
'' close;
}
server {
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
charset utf-8;
server_name {{ funkwhale_hostname }};
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
......@@ -19,25 +41,31 @@ server {
{% else -%}
ssl_certificate /etc/letsencrypt/live/{{ funkwhale_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ funkwhale_hostname }}/privkey.pem;
{% endif -%}
{% endif -%} {# funkwhale_ssl_key_path #}
{% if funkwhale_nginx_tls_configure_ciphers -%}
# from https://cipherli.st/
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
# Many of these are overridden by matching settings outside of any server{} block!
# https://github.com/mozilla/ssl-config-generator/issues/76
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# https://ssl-config.mozilla.org/#server=nginx&config=modern
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
{% endif -%}
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
{% endif -%} {# funkwhale_nginx_tls_configure_ciphers #}
add_header Strict-Transport-Security "max-age=31536000" always;
{% endif -%} {# funkwhale_nginx_tls_termination #}
{% if funkwhale_nginx_csp_policy -%}
# Security-related headers
add_header Content-Security-Policy "{{ funkwhale_nginx_csp_policy }}";
{% endif -%}
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Service-Worker-Allowed "/";
root {{ funkwhale_frontend_path }};
......@@ -72,79 +100,106 @@ server {
{% endif -%}
# end of compression settings
location / {
location /api/ {
include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled
# This is needed if you have file import via upload enabled.
client_max_body_size {{ funkwhale_nginx_max_body_size }};
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/;
proxy_pass http://funkwhale-api;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
location /front/ {
location / {
alias {{ funkwhale_frontend_path }}/;
expires 30d;
expires 1d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Service-Worker-Allowed "/";
try_files $uri $uri/ /index.html;
}
location ~ "/(front/)?embed.html" {
add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
alias {{ funkwhale_frontend_path }}/embed.html;
expires 1d;
}
location /federation/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/federation/;
proxy_pass http://funkwhale-api;
}
# You can comment this if you do not plan to use the Subsonic API
# You can comment this if you do not plan to use the Subsonic API.
location /rest/ {
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/api/subsonic/rest/;
proxy_pass http://funkwhale-api/api/subsonic/rest/;
}
location /.well-known/ {
allow all;
include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://{{ funkwhale_api_ip }}:{{ funkwhale_api_port }}/.well-known/;
proxy_pass http://funkwhale-api;
}
location /media/ {
alias {{ funkwhale_media_path }}/;
# Allow direct access to only specific subdirectories in /media
location /media/__sized__/ {
alias {{ funkwhale_media_path }}/__sized__/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/attachments/ {
alias {{ funkwhale_media_path }}/attachments/;
add_header Access-Control-Allow-Origin '*';
}
# Allow direct access to only specific subdirectories in /media
location /media/dynamic_preferences/ {
alias {{ funkwhale_media_path }}/dynamic_preferences/;
add_header Access-Control-Allow-Origin '*';
}
{% if funkwhale_external_storage_enabled -%}
# Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket
# This is an internal location that is used to serve
# media (uploaded) files once correct permission / authentication
# has been checked on API side.
location ~ /_protected/media/(.+) {
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
proxy_set_header Authorization "";
internal;
proxy_pass $1;
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
proxy_set_header Authorization ""; # S3
proxy_pass $1; # S3
add_header Access-Control-Allow-Origin '*';
}
{% else -%}
location /_protected/media {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
location /_protected/media/ {
internal;
alias {{ funkwhale_media_path }};
alias {{ funkwhale_media_path }}/;
add_header Access-Control-Allow-Origin '*';
}
{% endif %}
location /_protected/music {
# this is an internal location that is used to serve
# audio files once correct permission / authentication
# has been checked on API side
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting
location /_protected/music/ {
# This is an internal location that is used to serve
# local music files once correct permission / authentication
# has been checked on API side.
internal;
alias {{ funkwhale_music_path }};
alias {{ funkwhale_music_path }}/;
add_header Access-Control-Allow-Origin '*';
}
location /staticfiles/ {
# django static files
alias {{ funkwhale_static_path }}/;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
location /manifest.json {
return 302 /api/v1/instance/spa-manifest.json;
}
{% endif -%}
{{ funkwhale_nginx_additional_config }}
}
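Review bot: The `location / {` block that follows `alias {{ funkwhale_frontend_path }}/;` sets its own `add_header` directives (`Pragma`, `Cache-Control`, `Service-Worker-Allowed`), and nginx only inherits `add_header` from the enclosing `server {}` when a location defines none of its own, so the SPA's HTML responses lose the server-level `Strict-Transport-Security`, `X-Frame-Options`, `Referrer-Policy` and `Content-Security-Policy` headers defined earlier in this template. The same inheritance cut applies to the `/media/...` locations that set `Access-Control-Allow-Origin` and to the embed location, which restores only `Content-Security-Policy` and `Referrer-Policy`. Repeat the security `add_header` lines inside `location /` — or move them into a snippet that is `include`d in every location that calls `add_header` — and apply the `always` flag consistently there as it is on `X-Frame-Options`. Whether the three `add_header` lines in `location /` are new or carried over cannot be told from this rendering, but the effect holds on the new side either way. Separately, `proxy_pass $1;` in the external-storage location resolves the captured host at request time and needs a `resolver` directive unless the storage endpoint is an IP literal; one may already be set outside this template.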
......@@ -14,7 +14,8 @@ skip_confirm="${SKIP_CONFIRM-}"
is_dry_run=${DRY_RUN-false}
base_path="/srv/funkwhale"
ansible_conf_path="$base_path/ansible"
ansible_bin_path="$HOME/.local/bin"
ansible_venv_path="$HOME/.local/ansible"
ansible_bin_path="$ansible_venv_path/bin"
ansible_funkwhale_role_version="${ANSIBLE_FUNKWHALE_ROLE_VERSION-master}"
funkwhale_systemd_after=""
total_steps="4"
......@@ -48,6 +49,9 @@ yesno_prompt() {
}
do_upgrade() {
if [ ! -f "$ansible_bin_path/ansible" ]; then
ansible_bin_path="$HOME/.local/bin"
fi
echo '[Beginning upgrade]'
playbook_path="$ansible_conf_path/playbook.yml"
echo "[1/$total_steps] Retrieving currently installed version from $playbook_path"
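Review bot: The fallback added at the top of `do_upgrade()` tests `-f` and then assumes `$HOME/.local/bin/ansible` exists, so when neither location holds an ansible binary the script carries on and fails later with a less clear error from whichever step first runs `$ansible_bin_path/ansible`. Prefer `-x` and stop early when the fallback is also missing, e.g. `[ -x "$ansible_bin_path/ansible" ] || { echo "ansible not found in $ansible_venv_path/bin or $HOME/.local/bin" >&2; exit 1; }` right after the reassignment. Silently preferring a legacy `--user` install also means an older ansible than the venv one may drive the upgrade; an `echo` naming the path in use would make that visible in the log. The body of `do_upgrade()` continues past the hunk.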