secrets, more config cleanups

2022-05-10 11:41:11 +02:00 · 2022-05-10 11:41:11 +02:00 · 735aea9021
parent 6befed0a39
commit 735aea9021
4 changed files with 26 additions and 5 deletions
--- a/.env.sample
+++ b/.env.sample
@ -2,6 +2,9 @@ TYPE=funkwhale
 DOMAIN={{ .Domain }}
 LETS_ENCRYPT_ENV=production

+SECRET_DB_PASSWORD_VERSION=v1
+SECRET_DJANGO_SECRET_KEY_VERSION=v1
+
 # If you have any doubts about what a setting does,
 # check https://docs.funkwhale.audio/configuration.html#configuration-reference

--- a/compose.yml
+++ b/compose.yml
@ -7,6 +7,7 @@ x-environment:
    - CELERYD_CONCURRENCY
    - C_FORCE_ROOT=true
    - DATABASE_PASSWORD_FILE=/run/secrets/db_password
+    - DJANGO_SECRET_KEY_FILE=/run/secrets/django_secret_key
    - DJANGO_SETTINGS_MODULE
    - DOMAIN
    - FUNKWHALE_HOSTNAME
@ -15,6 +16,11 @@ x-environment:
    - REVERSE_PROXY_TYPE
    - STACK_NAME

+x-secrets:
+  &default-sec:
+    - db_password
+    - django_secret_key
+
 services:
  app:
    image: nginx:1.20.0
@ -45,6 +51,7 @@ services:
      - redis
    command: celery -A funkwhale_api.taskapp worker -l INFO
    environment: *default-env
+    secrets: *default-sec
    volumes:
      - music-data:/srv/funkwhale/data/music:ro
      - media-data:/srv/funkwhale/data/media
@ -54,6 +61,7 @@ services:
  celerybeat:
    image: funkwhale/funkwhale:1.2
    environment: *default-env
+    secrets: *default-sec
    depends_on:
      - postgres
      - redis
@ -64,12 +72,10 @@ services:
  api:
    image: funkwhale/funkwhale:1.2
    environment: *default-env
+    secrets: *default-sec
    depends_on:
      - postgres
      - redis
-    secrets:
-      - django_secret_key
-      - db_password
    volumes:
      - music-data:/srv/funkwhale/data/music:ro
      - media-data:/srv/funkwhale/data/media
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -26,7 +26,9 @@ file_env() {
 }

 file_env "DATABASE_PASSWORD"
-export DATABASE_URL=postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale
+export DATABASE_URL="postgres://funkwhale:$DATABASE_PASSWORD@db:5432/funkwhale"
+
+file_env "DJANGO_SECRET_KEY"

 # upstream entrypoint
 # https://dev.funkwhale.audio/funkwhale/funkwhale/-/blob/develop/api/Dockerfile
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@ -93,7 +93,17 @@ http {
        }

        location /.well-known/ {
-            include /etc/nginx/funkwhale_proxy.conf;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host:$server_port;
+            proxy_set_header X-Forwarded-Port $server_port;
+            proxy_redirect off;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
            proxy_pass   http://funkwhale-api/.well-known/;
        }