hackity hack hack
parent
87af051569
commit
1bc48ef99d
27
abra.sh
27
abra.sh
|
@ -1,5 +1,5 @@
|
||||||
export NGINX_CONFIG_VERSION=v1
|
export NGINX_CONFIG_VERSION=v7
|
||||||
export APP_ENTRYPOINT_VERSION=v1
|
export APP_ENTRYPOINT_VERSION=v4
|
||||||
|
|
||||||
secrets() {
|
secrets() {
|
||||||
docker context use default > /dev/null 2>&1
|
docker context use default > /dev/null 2>&1
|
||||||
|
@ -12,10 +12,33 @@ secrets() {
|
||||||
|
|
||||||
migrate(){
|
migrate(){
|
||||||
# run against the "api" service
|
# run against the "api" service
|
||||||
|
|
||||||
|
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
|
||||||
|
|
||||||
|
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
|
||||||
|
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
|
||||||
|
|
||||||
python manage.py migrate
|
python manage.py migrate
|
||||||
}
|
}
|
||||||
|
|
||||||
admin() {
|
admin() {
|
||||||
# run against the "api" service
|
# run against the "api" service
|
||||||
|
|
||||||
|
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
|
||||||
|
|
||||||
|
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
|
||||||
|
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
|
||||||
|
|
||||||
python manage.py createsuperuser
|
python manage.py createsuperuser
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static() {
|
||||||
|
# run against the "api" service
|
||||||
|
|
||||||
|
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
|
||||||
|
|
||||||
|
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
|
||||||
|
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
|
||||||
|
|
||||||
|
python manage.py collectstatic --no-input
|
||||||
|
}
|
||||||
|
|
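Review bot: In the new `migrate`, `admin` and `static` bodies, `export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)` hides a failed `cat` because `export` itself returns 0, so a missing or unreadable secret file leaves an empty key and `manage.py` still runs. The database password is spliced into `DATABASE_URL` unencoded, which would break the URL if it ever contains characters such as `@`, `/` or `#` (how the secret is generated is not visible on this page). The same three setup lines are also pasted into all three functions. Moving them into one helper that assigns first, checks the result and then exports fixes both the masking and the duplication; a sketch follows.

```shell
# Shared setup for migrate/admin/static; fails if a secret file is unreadable.
load_django_env() {
  DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key) || return 1
  DATABASE_PASSWORD=$(cat /run/secrets/db_password) || return 1
  export DJANGO_SECRET_KEY
  export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
}

migrate(){
  # run against the "api" service
  load_django_env || return 1
  python manage.py migrate
}
# … admin() and static() call load_django_env the same way …
```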
48
compose.yml
48
compose.yml
|
@ -2,7 +2,7 @@
|
||||||
version: "3.8"
|
version: "3.8"
|
||||||
|
|
||||||
x-environment: &default-env
|
x-environment: &default-env
|
||||||
- CACHE_URL="redis://cache:6379/0"
|
- CACHE_URL=redis://cache:6379/0
|
||||||
- CELERYD_CONCURRENCY
|
- CELERYD_CONCURRENCY
|
||||||
- C_FORCE_ROOT=true
|
- C_FORCE_ROOT=true
|
||||||
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
- DATABASE_PASSWORD_FILE=/run/secrets/db_password
|
||||||
|
@ -10,6 +10,7 @@ x-environment: &default-env
|
||||||
- DJANGO_SETTINGS_MODULE
|
- DJANGO_SETTINGS_MODULE
|
||||||
- DOMAIN
|
- DOMAIN
|
||||||
- FUNKWHALE_HOSTNAME
|
- FUNKWHALE_HOSTNAME
|
||||||
|
- FUNKWHALE_SPA_HTML_ROOT=/srv/funkwhale/front/dist/
|
||||||
- FUNKWHALE_WEB_WORKERS
|
- FUNKWHALE_WEB_WORKERS
|
||||||
- LOGLEVEL
|
- LOGLEVEL
|
||||||
- REVERSE_PROXY_TYPE
|
- REVERSE_PROXY_TYPE
|
||||||
|
@ -23,21 +24,24 @@ services:
|
||||||
app:
|
app:
|
||||||
image: nginx:1.20.0
|
image: nginx:1.20.0
|
||||||
environment: *default-env
|
environment: *default-env
|
||||||
networks:
|
configs:
|
||||||
- proxy
|
- source: nginx_config
|
||||||
- internal
|
target: /etc/nginx/nginx.conf
|
||||||
volumes:
|
volumes:
|
||||||
- music-data:/srv/funkwhale/data/music:ro
|
- music-data:/srv/funkwhale/data/music:ro
|
||||||
- media-data:/srv/funkwhale/data/media
|
- media-data:/srv/funkwhale/data/media
|
||||||
- static-data:/srv/funkwhale/data/static
|
- static-data:/srv/funkwhale/data/static
|
||||||
- frontend-data:/src/funkwhale/front/dist:ro
|
- frontend-data:/srv/funkwhale/front/dist:ro
|
||||||
|
networks:
|
||||||
|
- proxy
|
||||||
|
- internal
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
|
||||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
- "coop-cloud.${STACK_NAME}.version="
|
- "coop-cloud.${STACK_NAME}.version="
|
||||||
|
@ -45,11 +49,16 @@ services:
|
||||||
celeryworker:
|
celeryworker:
|
||||||
image: funkwhale/funkwhale:1.2
|
image: funkwhale/funkwhale:1.2
|
||||||
depends_on:
|
depends_on:
|
||||||
- postgres
|
- db
|
||||||
- redis
|
- cache
|
||||||
command: celery -A funkwhale_api.taskapp worker -l INFO
|
|
||||||
environment: *default-env
|
environment: *default-env
|
||||||
secrets: *default-secrets
|
secrets: *default-secrets
|
||||||
|
configs:
|
||||||
|
- source: app_entrypoint
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
entrypoint: /docker-entrypoint.sh
|
||||||
|
command: celery -A funkwhale_api.taskapp worker -l INFO
|
||||||
volumes:
|
volumes:
|
||||||
- music-data:/srv/funkwhale/data/music:ro
|
- music-data:/srv/funkwhale/data/music:ro
|
||||||
- media-data:/srv/funkwhale/data/media
|
- media-data:/srv/funkwhale/data/media
|
||||||
|
@ -61,8 +70,13 @@ services:
|
||||||
environment: *default-env
|
environment: *default-env
|
||||||
secrets: *default-secrets
|
secrets: *default-secrets
|
||||||
depends_on:
|
depends_on:
|
||||||
- postgres
|
- db
|
||||||
- redis
|
- cache
|
||||||
|
configs:
|
||||||
|
- source: app_entrypoint
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
entrypoint: /docker-entrypoint.sh
|
||||||
command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
|
command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
|
@ -72,13 +86,19 @@ services:
|
||||||
environment: *default-env
|
environment: *default-env
|
||||||
secrets: *default-secrets
|
secrets: *default-secrets
|
||||||
depends_on:
|
depends_on:
|
||||||
- postgres
|
- db
|
||||||
- redis
|
- cache
|
||||||
volumes:
|
volumes:
|
||||||
- music-data:/srv/funkwhale/data/music:ro
|
- music-data:/srv/funkwhale/data/music:ro
|
||||||
- media-data:/srv/funkwhale/data/media
|
- media-data:/srv/funkwhale/data/media
|
||||||
- static-data:/srv/funkwhale/data/static
|
- static-data:/srv/funkwhale/data/static
|
||||||
- frontend-data:/src/funkwhale/front/dist
|
- frontend-data:/srv/funkwhale/front/dist
|
||||||
|
configs:
|
||||||
|
- source: app_entrypoint
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
|
entrypoint: /docker-entrypoint.sh
|
||||||
|
command: /app/compose/django/server.sh
|
||||||
networks:
|
networks:
|
||||||
- internal
|
- internal
|
||||||
|
|
||||||
|
|
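Review bot: The `app` service's Traefik router rule no longer appends `${EXTRA_DOMAINS}` after the `${DOMAIN}` host, so a deployment that sets EXTRA_DOMAINS silently stops being routed (and issued certificates) for those names. If the removal is intended, the commit description should say so; otherwise keep the placeholder in the label. Separately, the `deploy:` keys suggest this file is used with `docker stack deploy`, which ignores `depends_on`, so the renamed `db` and `cache` entries do not order startup there. The entrypoint then has to tolerate a database that is not ready yet.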
|
@ -1,4 +1,3 @@
|
||||||
|
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
@ -32,4 +31,4 @@ file_env "DJANGO_SECRET_KEY"
|
||||||
|
|
||||||
# upstream entrypoint
|
# upstream entrypoint
|
||||||
# https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile
|
# https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile
|
||||||
./compose/django/entrypoint.sh "$@"
|
/app/compose/django/entrypoint.sh "$@"
|
||||||
|
|
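Review bot: The last line, `/app/compose/django/entrypoint.sh "$@"`, still runs the upstream entrypoint as a child of this wrapper instead of replacing it. The wrapper's bash therefore stays PID 1 and a stop signal from the orchestrator is not passed on to the application, so the container is only killed after the grace period. Using `exec /app/compose/django/entrypoint.sh "$@"` avoids that. Most of the script, including the `file_env` helper named in the hunk header, lies outside these two hunks, so whether anything must run after the call cannot be checked here.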
|
@ -1,9 +1,15 @@
|
||||||
map $http_upgrade $connection_upgrade {
|
user www-data;
|
||||||
default upgrade;
|
|
||||||
'' close;
|
events {
|
||||||
|
worker_connections 768;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
||||||
|
|
||||||
upstream funkwhale-api {
|
upstream funkwhale-api {
|
||||||
server {{ env "STACK_NAME" }}_api:5000;
|
server {{ env "STACK_NAME" }}_api:5000;
|
||||||
}
|
}
|
||||||
|
@ -12,7 +18,6 @@ http {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
server_name {{ env "FUNKWHALE_HOSTNAME" }};
|
server_name {{ env "FUNKWHALE_HOSTNAME" }};
|
||||||
location / { return 301 https://$host$request_uri; }
|
|
||||||
|
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
|
||||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||||
|
@ -71,6 +76,7 @@ http {
|
||||||
add_header Pragma public;
|
add_header Pragma public;
|
||||||
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
|
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /front/embed.html {
|
location = /front/embed.html {
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
|
||||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||||
|
@ -83,12 +89,34 @@ http {
|
||||||
}
|
}
|
||||||
|
|
||||||
location /federation/ {
|
location /federation/ {
|
||||||
include /etc/nginx/funkwhale_proxy.conf;
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||||
|
proxy_set_header X-Forwarded-Port $server_port;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
proxy_pass http://funkwhale-api/federation/;
|
proxy_pass http://funkwhale-api/federation/;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /rest/ {
|
location /rest/ {
|
||||||
include /etc/nginx/funkwhale_proxy.conf;
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||||
|
proxy_set_header X-Forwarded-Port $server_port;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
proxy_pass http://funkwhale-api/api/subsonic/rest/;
|
proxy_pass http://funkwhale-api/api/subsonic/rest/;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -104,6 +132,7 @@ http {
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
|
||||||
proxy_pass http://funkwhale-api/.well-known/;
|
proxy_pass http://funkwhale-api/.well-known/;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
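Review bot: In the proxy headers inlined under `location /federation/` and `location /rest/`, `X-Forwarded-Proto $scheme`, `X-Forwarded-Port $server_port` and `X-Real-IP $remote_addr` describe the hop from the front proxy to this nginx, not the client's request. This server listens only on port 80, and the compose labels on this page put Traefik with a cert resolver in front of it. The API is therefore presumably told `http`, port 80 and the proxy's address, which affects generated URLs, secure-cookie and CSRF decisions, and any per-IP throttling or logging. Consider `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-Port 443;`, and restore the client address with `real_ip_header X-Forwarded-For;` plus a `set_real_ip_from` limited to the proxy network. The same ten header lines are now repeated per location, and whether the removed `funkwhale_proxy.conf` include carried the same values is not visible here.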