hackity hack hack

decentral1se 2022-05-10 13:31:35 +02:00
parent 87af051569
commit 1bc48ef99d
Signed by: decentral1se
GPG Key ID: 03789458B3D0C410
4 changed files with 95 additions and 24 deletions

27
abra.sh

@ -1,5 +1,5 @@
export NGINX_CONFIG_VERSION=v1 export NGINX_CONFIG_VERSION=v7
export APP_ENTRYPOINT_VERSION=v1 export APP_ENTRYPOINT_VERSION=v4
secrets() { secrets() {
docker context use default > /dev/null 2>&1 docker context use default > /dev/null 2>&1
@ -12,10 +12,33 @@ secrets() {
migrate(){ migrate(){
# run against the "api" service # run against the "api" service
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
python manage.py migrate python manage.py migrate
} }
admin() { admin() {
# run against the "api" service # run against the "api" service
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
python manage.py createsuperuser python manage.py createsuperuser
} }
static() {
# run against the "api" service
export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)
DATABASE_PASSWORD=$(cat /run/secrets/db_password)
export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
python manage.py collectstatic --no-input
}
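Review bot: In `migrate`, `admin` and the new `static`, `export DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key)` returns the exit status of `export`, so a missing or unreadable secret leaves an empty key and `manage.py` still runs. Splitting it into `DJANGO_SECRET_KEY=$(cat /run/secrets/django_secret_key) || return 1` followed by `export DJANGO_SECRET_KEY` makes that failure visible, and the same applies to `DATABASE_PASSWORD`. The password is also interpolated raw into `DATABASE_URL`, so a generated value containing `@`, `/`, `:` or `#` would be misparsed unless it is percent-encoded or the secret generator is limited to URL-safe characters. Since the same three lines now appear in all three functions, one helper with a comment naming the secrets it reads would keep them in sync.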


@ -2,7 +2,7 @@
version: "3.8" version: "3.8"
x-environment: &default-env x-environment: &default-env
- CACHE_URL="redis://cache:6379/0" - CACHE_URL=redis://cache:6379/0
- CELERYD_CONCURRENCY - CELERYD_CONCURRENCY
- C_FORCE_ROOT=true - C_FORCE_ROOT=true
- DATABASE_PASSWORD_FILE=/run/secrets/db_password - DATABASE_PASSWORD_FILE=/run/secrets/db_password
@ -10,6 +10,7 @@ x-environment: &default-env
- DJANGO_SETTINGS_MODULE - DJANGO_SETTINGS_MODULE
- DOMAIN - DOMAIN
- FUNKWHALE_HOSTNAME - FUNKWHALE_HOSTNAME
- FUNKWHALE_SPA_HTML_ROOT=/srv/funkwhale/front/dist/
- FUNKWHALE_WEB_WORKERS - FUNKWHALE_WEB_WORKERS
- LOGLEVEL - LOGLEVEL
- REVERSE_PROXY_TYPE - REVERSE_PROXY_TYPE
@ -23,21 +24,24 @@ services:
app: app:
image: nginx:1.20.0 image: nginx:1.20.0
environment: *default-env environment: *default-env
networks: configs:
- proxy - source: nginx_config
- internal target: /etc/nginx/nginx.conf
volumes: volumes:
- music-data:/srv/funkwhale/data/music:ro - music-data:/srv/funkwhale/data/music:ro
- media-data:/srv/funkwhale/data/media - media-data:/srv/funkwhale/data/media
- static-data:/srv/funkwhale/data/static - static-data:/srv/funkwhale/data/static
- frontend-data:/src/funkwhale/front/dist:ro - frontend-data:/srv/funkwhale/front/dist:ro
networks:
- proxy
- internal
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- "coop-cloud.${STACK_NAME}.version=" - "coop-cloud.${STACK_NAME}.version="
@ -45,11 +49,16 @@ services:
celeryworker: celeryworker:
image: funkwhale/funkwhale:1.2 image: funkwhale/funkwhale:1.2
depends_on: depends_on:
- postgres - db
- redis - cache
command: celery -A funkwhale_api.taskapp worker -l INFO
environment: *default-env environment: *default-env
secrets: *default-secrets secrets: *default-secrets
configs:
- source: app_entrypoint
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
command: celery -A funkwhale_api.taskapp worker -l INFO
volumes: volumes:
- music-data:/srv/funkwhale/data/music:ro - music-data:/srv/funkwhale/data/music:ro
- media-data:/srv/funkwhale/data/media - media-data:/srv/funkwhale/data/media
@ -61,8 +70,13 @@ services:
environment: *default-env environment: *default-env
secrets: *default-secrets secrets: *default-secrets
depends_on: depends_on:
- postgres - db
- redis - cache
configs:
- source: app_entrypoint
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
networks: networks:
- internal - internal
@ -72,13 +86,19 @@ services:
environment: *default-env environment: *default-env
secrets: *default-secrets secrets: *default-secrets
depends_on: depends_on:
- postgres - db
- redis - cache
volumes: volumes:
- music-data:/srv/funkwhale/data/music:ro - music-data:/srv/funkwhale/data/music:ro
- media-data:/srv/funkwhale/data/media - media-data:/srv/funkwhale/data/media
- static-data:/srv/funkwhale/data/static - static-data:/srv/funkwhale/data/static
- frontend-data:/src/funkwhale/front/dist - frontend-data:/srv/funkwhale/front/dist
configs:
- source: app_entrypoint
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
command: /app/compose/django/server.sh
networks: networks:
- internal - internal
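Review bot: The router rule on the `app` service drops `${EXTRA_DOMAINS}` and becomes `Host(`${DOMAIN}`)`, so any deployment that sets that variable would stop being routed, and stop getting certificates, for its additional hostnames. If the variable is still offered in the recipe's env sample (not visible on this page), either keep it in the rule or remove it there in the same commit. Separately, the three new `mode: 0555` entries are read as octal only by a YAML 1.1 loader; a short comment such as `# octal: r-xr-xr-x` next to the first one would record the intent. The `configs`/`entrypoint` stanza is repeated verbatim in `celeryworker`, the beat service and the API service, which is worth a comment so later edits are applied to all three.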


@ -1,4 +1,3 @@
#!/bin/bash #!/bin/bash
set -e set -e
@ -32,4 +31,4 @@ file_env "DJANGO_SECRET_KEY"
# upstream entrypoint # upstream entrypoint
# https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile # https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile
./compose/django/entrypoint.sh "$@" /app/compose/django/entrypoint.sh "$@"
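Review bot: The final line starts the upstream entrypoint as a child of this bash wrapper instead of replacing it, so the wrapper stays PID 1 in the container. Bash does not forward SIGTERM to its child, so unless the upstream script handles that itself (not visible here), a service stop or update would wait out the grace period and then kill the worker rather than let it shut down cleanly. Using `exec /app/compose/django/entrypoint.sh "$@"` avoids that. The switch to an absolute path also assumes the image's code lives under `/app`; a one-line comment saying so would help when the image tag is bumped.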


@ -1,9 +1,15 @@
map $http_upgrade $connection_upgrade { user www-data;
default upgrade;
'' close; events {
worker_connections 768;
} }
http { http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream funkwhale-api { upstream funkwhale-api {
server {{ env "STACK_NAME" }}_api:5000; server {{ env "STACK_NAME" }}_api:5000;
} }
@ -12,7 +18,6 @@ http {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name {{ env "FUNKWHALE_HOSTNAME" }}; server_name {{ env "FUNKWHALE_HOSTNAME" }};
location / { return 301 https://$host$request_uri; }
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
@ -71,6 +76,7 @@ http {
add_header Pragma public; add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate"; add_header Cache-Control "public, must-revalidate, proxy-revalidate";
} }
location = /front/embed.html { location = /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
@ -83,12 +89,34 @@ http {
} }
location /federation/ { location /federation/ {
include /etc/nginx/funkwhale_proxy.conf; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://funkwhale-api/federation/; proxy_pass http://funkwhale-api/federation/;
} }
location /rest/ { location /rest/ {
include /etc/nginx/funkwhale_proxy.conf; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://funkwhale-api/api/subsonic/rest/; proxy_pass http://funkwhale-api/api/subsonic/rest/;
} }
@ -104,6 +132,7 @@ http {
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_pass http://funkwhale-api/.well-known/; proxy_pass http://funkwhale-api/.well-known/;
} }
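Review bot: The proxy headers inlined into `location /federation/` and `location /rest/` set `X-Forwarded-Proto $scheme` and `X-Forwarded-Port $server_port`, but this server only listens on port 80 and the HTTPS redirect was removed, presumably because TLS now terminates at the proxy in front. The API would therefore be told the request arrived over plain `http` on port 80, which may affect absolute URLs, secure-cookie and CSRF decisions, and federation identifiers. If the front proxy is the only way in, `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-Port 443;` state the real client-facing values. Likewise `X-Real-IP $remote_addr` will carry the proxy's address rather than the client's, which matters for any rate limiting or audit logging keyed on it. The ten header lines are now duplicated per location, so restoring a single included snippet (or a comment marking the copies) would stop them drifting apart.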