From 8e37326073ac6941ea47197c8b6af9855f84d98d Mon Sep 17 00:00:00 2001 From: decentral1se Date: Tue, 10 May 2022 11:24:41 +0200 Subject: [PATCH] cleaning pass --- .env.sample | 140 ++---------------------------------------------- compose.yml | 30 ++++------- nginx.conf.tmpl | 18 +++---- 3 files changed, 23 insertions(+), 165 deletions(-) diff --git a/.env.sample b/.env.sample index b09a97a..4934b92 100644 --- a/.env.sample +++ b/.env.sample @@ -5,12 +5,6 @@ LETS_ENCRYPT_ENV=production # If you have any doubts about what a setting does, # check https://docs.funkwhale.audio/configuration.html#configuration-reference -# Set this variables to bind the API server to another interface/port -# example: FUNKWHALE_API_IP=0.0.0.0 -# example: FUNKWHALE_API_PORT=5678 -FUNKWHALE_API_IP=127.0.0.1 -FUNKWHALE_API_PORT=5000 - # The number of web workers to start in parallel. Higher means you can handle # more concurrent requests, but also leads to higher CPU/Memory usage FUNKWHALE_WEB_WORKERS=4 
@@ -24,142 +18,18 @@ FUNKWHALE_PROTOCOL=https # Log level (debug, info, warning, error, critical) LOGLEVEL=error -# Configure e-mail sending using this variale -# By default, funkwhale will output e-mails sent to stdout -# here are a few examples for this setting -# EMAIL_CONFIG=consolemail:// # output e-mails to console (the default) -# EMAIL_CONFIG=dummymail:// # disable e-mail sending completely -# On a production instance, you'll usually want to use an external SMTP server: -# If `user` or `password` contain special characters (eg. -# `noreply@youremail.host` as `user`), be sure to urlencode them, using -# for example the command: -# `python3 -c 'import urllib.parse; print(urllib.parse.quote_plus -# ("noreply@youremail.host"))'` -# (returns `noreply%40youremail.host`) -# EMAIL_CONFIG=smtp://user:password@youremail.host:25 -# EMAIL_CONFIG=smtp+ssl://user:password@youremail.host:465 -# EMAIL_CONFIG=smtp+tls://user:password@youremail.host:587 - -# Make e-mail verification mandatory before using the service -# Doesn't apply to admins. -# ACCOUNT_EMAIL_VERIFICATION_ENFORCE=false - -# The e-mail address to use to send system e-mails. 
-# DEFAULT_FROM_EMAIL=noreply@yourdomain - # Depending on the reverse proxy used in front of your funkwhale instance, # the API will use different kind of headers to serve audio files # Allowed values: nginx, apache2 REVERSE_PROXY_TYPE=nginx -# API/Django configuration - -# Cache configuration -# Examples: -# CACHE_URL=redis://:/ -# CACHE_URL=redis://localhost:6379/0c -# With a password: -# CACHE_URL=redis://:password@localhost:6379/0 -# (the extra semicolon is important) -# Use the next one if you followed Debian installation guide -# -# CACHE_URL=redis://127.0.0.1:6379/0 -# -# If you want to use Redis over unix sockets, you'll actually need two variables: -# For the cache part: -# CACHE_URL=redis:///run/redis/redis.sock?db=0 -# For the Celery/asynchronous tasks part: -# CELERY_BROKER_URL=redis+socket:///run/redis/redis.sock?virtual_host=0 - -# Number of worker processes to execute. Defaults to 0, in which case it uses your number of CPUs -# Celery workers handle background tasks (such file imports or federation -# messaging). The more processes a worker gets, the more tasks -# can be processed in parallel. However, more processes also means -# a bigger memory footprint. +# Number of worker processes to execute. Defaults to 0, in which case it uses +# your number of CPUs Celery workers handle background tasks (such file imports +# or federation messaging). The more processes a worker gets, the more tasks +# can be processed in parallel. However, more processes also means a bigger +# memory footprint. # CELERYD_CONCURRENCY=0 -# Where media files (such as album covers or audio tracks) should be stored -# on your system? -# (Ensure this directory actually exists) -MEDIA_ROOT=/srv/funkwhale/data/media - -# Where static files (such as API css or icons) should be compiled -# on your system? -# (Ensure this directory actually exists) -STATIC_ROOT=/srv/funkwhale/data/static - # which settings module should django use? 
# You don't have to touch this unless you really know what you're doing DJANGO_SETTINGS_MODULE=config.settings.production - -# You don't have to edit this, but you can put the admin on another URL if you -# want to -# DJANGO_ADMIN_URL=^api/admin/ - -# In-place import settings -# You can safely leave those settings uncommented if you don't plan to use -# in place imports. -# Typical docker setup: -# MUSIC_DIRECTORY_PATH=/music # docker-only -# MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music -# Typical non-docker setup: -# MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music -# # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed - -MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music -MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music - -# LDAP settings -# Use the following options to allow authentication on your Funkwhale instance -# using a LDAP directory. -# Have a look at https://docs.funkwhale.audio/installation/ldap.html for -# detailed instructions. - -# LDAP_ENABLED=False -# LDAP_SERVER_URI=ldap://your.server:389 -# LDAP_BIND_DN=cn=admin,dc=domain,dc=com -# LDAP_BIND_PASSWORD=bindpassword -# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0})) -# LDAP_START_TLS=False -# LDAP_ROOT_DN=dc=domain,dc=com - -FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist - -# Nginx related configuration -NGINX_MAX_BODY_SIZE=100M - -## External storages configuration -# Funkwhale can store uploaded files on Amazon S3 and S3-compatible storages (such as Minio) -# Uncomment and fill the variables below - -AWS_ACCESS_KEY_ID= -AWS_SECRET_ACCESS_KEY= -AWS_STORAGE_BUCKET_NAME= -# An optional bucket subdirectory were you want to store the files. This is especially useful -# if you plan to use share the bucket with other services -# AWS_LOCATION= - -# If you use a S3-compatible storage such as minio, set the following variable -# the full URL to the storage server. 
Example: -# AWS_S3_ENDPOINT_URL=https://minio.mydomain.com -# AWS_S3_ENDPOINT_URL= - -# If you want to serve media directly from your S3 bucket rather than through a proxy, -# set this to false -# PROXY_MEDIA=false - -# If you are using Amazon S3 to serve media directly, you will need to specify your region -# name in order to access files. Example: -# AWS_S3_REGION_NAME=eu-west-2 -# AWS_S3_REGION_NAME= - -# If you are using Amazon S3, use this setting to configure how long generated URLs should stay -# valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days) -# AWS_QUERYSTRING_EXPIRE= - -# If you are using an S3-compatible object storage provider, and need to provide a default -# ACL for object uploads that is different from the default applied by boto3, you may -# override it here. Example: -# AWS_DEFAULT_ACL=public-read -# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl -# AWS_DEFAULT_ACL= diff --git a/compose.yml b/compose.yml index f5e2e78..9f2e748 100644 --- a/compose.yml +++ b/compose.yml @@ -3,29 +3,17 @@ version: "3.8" x-environment: &default-env: - - DOMAIN - - LETS_ENCRYPT_ENV - - FUNKWHALE_API_IP - - FUNKWHALE_API_PORT - - FUNKWHALE_WEB_WORKERS - - FUNKWHALE_HOSTNAME - - FUNKWHALE_PROTOCOL - - LOGLEVEL - - ACCOUNT_EMAIL_VERIFICATION_ENFORCE - - DEFAULT_FROM_EMAIL - - REVERSE_PROXY_TYPE - - DATABASE_PASSWORD_FILE=/run/secrets/db_password - - CACHE_URL + - CACHE_URL=redis://cache:6379/0 - CELERYD_CONCURRENCY - - MEDIA_ROOT - - STATIC_ROOT - - DJANGO_SETTINGS_MODULE - - DJANGO_ADMIN_URL - - MUSIC_DIRECTORY_PATH - - MUSIC_DIRECTORY_SERVE_PATH - - FUNKWHALE_FRONTEND_PATH - - NGINX_MAX_BODY_SIZE - C_FORCE_ROOT=true + - DATABASE_PASSWORD_FILE=/run/secrets/db_password + - DJANGO_SETTINGS_MODULE + - DOMAIN + - FUNKWHALE_HOSTNAME + - FUNKWHALE_WEB_WORKERS + - LOGLEVEL + - REVERSE_PROXY_TYPE + - STACK_NAME services: app: 
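Review bot: The re-wrapped `CELERYD_CONCURRENCY` comment in the second `.env.sample` hunk now reads `your number of CPUs Celery workers handle background tasks`, because the line break that separated the two sentences was removed without adding a full stop. I would end the first sentence explicitly, `# your number of CPUs. Celery workers handle background tasks (such file imports`, so the statement about the default stays distinct from the explanation of what the workers do.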
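Review bot: The `x-environment` list no longer passes `FUNKWHALE_PROTOCOL`, although `.env.sample` still sets `FUNKWHALE_PROTOCOL=https` (it appears there as hunk context), so editing that value would no longer reach the containers. Either keep `- FUNKWHALE_PROTOCOL` in the list or remove the variable from the sample; which is right depends on the application default, which is not visible in this patch. The same reasoning applies to `MEDIA_ROOT`, `STATIC_ROOT` and `MUSIC_DIRECTORY_SERVE_PATH`: nginx now hard-codes those paths, so the api container presumably has to resolve to the same directories by default. The new `CACHE_URL=redis://cache:6379/0` carries no credentials, so it is worth confirming that the `cache` service is attached only to the stack's internal network.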
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl index e2da0e2..1d1daf1 100644 --- a/nginx.conf.tmpl +++ b/nginx.conf.tmpl @@ -5,7 +5,7 @@ map $http_upgrade $connection_upgrade { http { upstream funkwhale-api { - server {{ env "FUNKWHALE_API_IP" }}:{{ env "FUNKWHALE_API_PORT" }}; + server {{ env "STACK_NAME" }}_api:5000; } server { @@ -18,7 +18,7 @@ http { add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "SAMEORIGIN" always; - root {{ env "FUNKWHALE_FRONTEND_PATH" }}; + root /srv/funkwhale/front/dist; gzip on; gzip_comp_level 5; @@ -58,7 +58,7 @@ http { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - client_max_body_size {{ env "NGINX_MAX_BODY_SIZE" }}; + client_max_body_size 100M; proxy_pass http://funkwhale-api/; } @@ -66,7 +66,7 @@ http { add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Service-Worker-Allowed "/"; - alias {{ env "FUNKWHALE_FRONTEND_PATH" }}/; + alias /srv/funkwhale/front/dist; expires 30d; add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; @@ -76,7 +76,7 @@ http { add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header X-Frame-Options "" always; - alias {{ env "FUNKWHALE_FRONTEND_PATH" }}/embed.html; + alias /srv/funkwhale/front/dist/embed.html; expires 30d; add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; @@ -98,7 +98,7 @@ http { } location /media/ { - alias {{ env "MEDIA_ROOT" }}/; + alias /srv/funkwhale/data/media; } location /_protected/media/ { 
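Review bot: The hard-coded `alias` values dropped the trailing slash that the templated ones carried: in the `@@ -98` hunk `location /media/` now has `alias /srv/funkwhale/data/media;`, so nginx maps `/media/x` to `/srv/funkwhale/data/mediax`, which breaks media URLs and lets the location resolve into sibling paths whose names merely begin with `media`. The same slash was lost on the frontend alias in the `@@ -66` hunk and on `location /staticfiles/` in the `@@ -124` hunk; the location line for the frontend alias is outside the hunk, so that case is inferred from the old `{{ env "FUNKWHALE_FRONTEND_PATH" }}/` form. Restore it as `alias /srv/funkwhale/data/media/;`, `alias /srv/funkwhale/front/dist/;` and `alias /srv/funkwhale/data/static/;`. The `/_protected/media/` alias in the `@@ -106` hunk had no trailing slash before this commit either and is worth checking in the same pass.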
@@ -106,7 +106,7 @@ http { # audio files once correct permission / authentication # has been checked on API side internal; - alias {{ env "MEDIA_ROOT" }}; + alias /srv/funkwhale/data/media; } # Comment the previous location and uncomment this one if you're storing @@ -124,11 +124,11 @@ http { # has been checked on API side # Set this to the same value as your MUSIC_DIRECTORY_PATH setting internal; - alias {{ env "MUSIC_DIRECTORY_SERVE_PATH" }}; + alias /srv/funkwhale/data/music; } location /staticfiles/ { - alias {{ env "STATIC_ROOT" }}/; + alias /srv/funkwhale/data/static; } } }
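Review bot: The context comment `# Set this to the same value as your MUSIC_DIRECTORY_PATH setting` in the `@@ -124` hunk is stale now that the alias is the literal `/srv/funkwhale/data/music` and `MUSIC_DIRECTORY_PATH` has been removed from both `.env.sample` and the compose environment list. I would replace it with `# Must match the path where the music directory is mounted in the api container`, or drop it. The enclosing location block starts outside the hunk, so whether the api container still serves in-place imports from this path cannot be confirmed from here.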