From d4c1f0fdc5f08181e6a9c110305c5dd3fff82f5d Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Mon, 10 Sep 2018 23:11:52 +0200 Subject: [PATCH 1/7] set absolute path in MUSIC_DIRECTORY_PATH fix #31 --- conf/env.prod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/env.prod b/conf/env.prod index 44c58bb..0df39ed 100644 --- a/conf/env.prod +++ b/conf/env.prod @@ -26,7 +26,7 @@ # In-place import, see https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.10 MUSIC_DIRECTORY_SERVE_PATH=__FINALPATH__/data/music -MUSIC_DIRECTORY_PATH=/music +MUSIC_DIRECTORY_PATH=__FINALPATH__/data/music # General configuration # --------------------- From 331300c6a9a0fc86d1767d3cbe39b8841f2449bf Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Wed, 26 Sep 2018 21:53:07 +0200 Subject: [PATCH 2/7] upgrade to 0.17 --- README.md | 2 +- conf/app-frontend.src | 4 ++-- conf/app.src | 4 ++-- conf/env.prod | 45 +++++++++++++++++++++++++++++++++++++------ manifest.json | 4 ++-- scripts/install | 2 +- scripts/upgrade | 2 ++ 7 files changed, 49 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 2431388..2677d34 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ A modern, convivial and free music server on YunoHost Installation requires a dedicated domain for now. I hope subpath installation will be possible in the future. -**Shipped version:** 0.16.3 (this is an Alpha version!) +**Shipped version:** 0.17.0 (this is an Alpha version!) ## Admin diff --git a/conf/app-frontend.src b/conf/app-frontend.src index 1fa7506..be8477c 100644 --- a/conf/app-frontend.src +++ b/conf/app-frontend.src 
@@ -1,5 +1,5 @@ -SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/jobs/artifacts/0.16.3/download?job=build_front -SOURCE_SUM=a75161e6cbf8e87ee534947f20c12e84f9ed121f10c9d9e63989703c002195a1 +SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/jobs/10544/artifacts/download +SOURCE_SUM=7968f6c176a010eb30559024afff4400f5ffc0d92ff51c353cd09f2e8ab20c0d SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index f37cd42..6a3d51e 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/archive/0.16.3/funkwhale-0.16.3.tar.bz2 -SOURCE_SUM=6484c357fccc107a6950e4be80a9e349ec4ea962ac4df47d54c73c184786557a +SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/archive/8bd1ed61481b42b83922c61bfee87c4f011b68d7/funkwhale-8bd1ed61481b42b83922c61bfee87c4f011b68d7.tar.bz2 +SOURCE_SUM=0027f3c63880b1b8773ac518ed463175d41bafa624479605a9627867c962f860 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.bz2 SOURCE_IN_SUBDIR=true diff --git a/conf/env.prod b/conf/env.prod index 0df39ed..5df5293 100644 --- a/conf/env.prod +++ b/conf/env.prod @@ -5,16 +5,19 @@ # following variables: # - DJANGO_SECRET_KEY # - DJANGO_ALLOWED_HOSTS -# - FUNKWHALE_URL +# - FUNKWHALE_HOSTNAME # - EMAIL_CONFIG and DEFAULT_FROM_EMAIL if you plan to send emails) # On non-docker setup **only**, you'll also have to tweak/uncomment those variables: # - DATABASE_URL # - CACHE_URL -# - STATIC_ROOT -# - MEDIA_ROOT # # You **don't** need to update those variables on pure docker setups. +# +# Additional options you may want to check: +# - MUSIC_DIRECTORY_PATH and MUSIC_DIRECTORY_SERVE_PATH if you plan to use +# in-place import +# # Docker only # ----------- 
@@ -24,9 +27,7 @@ # You can comment or ignore this if you're not using docker # FUNKWHALE_VERSION=latest -# In-place import, see https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.10 -MUSIC_DIRECTORY_SERVE_PATH=__FINALPATH__/data/music -MUSIC_DIRECTORY_PATH=__FINALPATH__/data/music +# End of Docker-only configuration # General configuration # --------------------- @@ -107,3 +108,35 @@ DJANGO_SECRET_KEY=__KEY__ # This will help us detect and correct bugs RAVEN_ENABLED=false RAVEN_DSN=https://44332e9fdd3d42879c7d35bf8562c6a4:0062dc16a22b41679cd5765e5342f716@sentry.eliotberriot.com/5 + +# In-place import settings +# You can safely leave those settings uncommented if you don't plan to use +# in place imports. +# Typical docker setup: +# MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music +# MUSIC_DIRECTORY_SERVE_PATH=/music # docker-only +# Typical non-docker setup: +# MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music +# # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed + +MUSIC_DIRECTORY_SERVE_PATH=__FINALPATH__/data/music +MUSIC_DIRECTORY_PATH=__FINALPATH__/data/music + +# LDAP settings +# Use the following options to allow authentication on your Funkwhale instance +# using a LDAP directory. +# Have a look at https://docs.funkwhale.audio/installation/ldap.html for +# detailed instructions. + +# LDAP_ENABLED=False +# LDAP_SERVER_URI=ldap://your.server:389 +# LDAP_BIND_DN=cn=admin,dc=domain,dc=com +# LDAP_BIND_PASSWORD=bindpassword +# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0})) +# LDAP_START_TLS=False +# LDAP_ROOT_DN=dc=domain,dc=com + +FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist + +# Nginx related configuration +NGINX_MAX_BODY_SIZE=30M \ No newline at end of file diff --git a/manifest.json b/manifest.json index 8377be9..f61e26e 100644 --- a/manifest.json +++ b/manifest.json 
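Review bot: `FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist`, near the end of the `@@ -107,3 +108,35 @@` hunk of conf/env.prod, is hard-coded, while the music paths added in the same hunk use the `__FINALPATH__` placeholder. If the package installs anywhere other than /srv/funkwhale, the setting would point at a directory that does not exist. I would write `FUNKWHALE_FRONTEND_PATH=__FINALPATH__/front/dist` so it is substituted together with the other placeholders. The new last line also lacks a trailing newline (`\ No newline at end of file`), which is worth restoring.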
@@ -3,12 +3,12 @@ "id": "funkwhale", "packaging_format": 1, "requirements": { - "yunohost": ">= 3.0.0" + "yunohost": ">= 3.2.0" }, "description": { "en": "A modern, convivial and free music server" }, - "version": "0.16.3~ynh1", + "version": "0.17.0~ynh1", "url": "https://funkwhale.audio", "license": "BSD-3-Clause", "maintainer": { diff --git a/scripts/install b/scripts/install index 8685e9a..841cbb5 100644 --- a/scripts/install +++ b/scripts/install @@ -72,7 +72,7 @@ ynh_app_setting_set "$app" port "$port" ynh_install_app_dependencies build-essential curl ffmpeg \ libjpeg-dev libmagic-dev libpq-dev postgresql python3-dev python3-venv \ - redis-server \ + redis-server libldap2-dev libsasl2-dev \ `# add arm support` \ zlib1g-dev libffi-dev libssl-dev diff --git a/scripts/upgrade b/scripts/upgrade index 21f0f94..88c33b3 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -182,6 +182,8 @@ chmod +x "$final_path/load_env" python api/manage.py script create_actors --no-input # https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.16 #image-thumbnails-manual-action-required python api/manage.py script create_image_variations --no-input + + python api/manage.py script migrate_to_user_libraries --no-input ) #================================================= From 636e3d1c7c721d0fdbc857fd2b6809351241c68d Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Sat, 20 Oct 2018 21:15:29 +0200 Subject: [PATCH 3/7] Use stable packages --- conf/app-frontend.src | 4 ++-- conf/app.src | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/app-frontend.src b/conf/app-frontend.src index be8477c..50f94c8 100644 --- a/conf/app-frontend.src +++ b/conf/app-frontend.src 
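Review bot: The `libldap2-dev libsasl2-dev` build dependencies are added to `ynh_install_app_dependencies` only in scripts/install (hunk `@@ -72,7 +72,7 @@`); the scripts/upgrade hunk of this commit adds the `migrate_to_user_libraries` call but does not touch its dependency list. An instance upgraded from 0.16.3 would presumably reach `pip install -r requirements.txt` without the LDAP and SASL headers, and the upgrade would stop while building the LDAP binding. I would add the same two packages to the `ynh_install_app_dependencies` call in scripts/upgrade, which lies outside the hunks shown here.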
@@ -1,5 +1,5 @@ -SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/jobs/10544/artifacts/download -SOURCE_SUM=7968f6c176a010eb30559024afff4400f5ffc0d92ff51c353cd09f2e8ab20c0d +SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/jobs/artifacts/0.17/download?job=build_front +SOURCE_SUM=3578e1c60da578681c4e60a94dde1e18511f2455814c980b24748c87ffb8b4a2 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index 6a3d51e..dceef94 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/archive/8bd1ed61481b42b83922c61bfee87c4f011b68d7/funkwhale-8bd1ed61481b42b83922c61bfee87c4f011b68d7.tar.bz2 -SOURCE_SUM=0027f3c63880b1b8773ac518ed463175d41bafa624479605a9627867c962f860 +SOURCE_URL=https://code.eliotberriot.com/funkwhale/funkwhale/-/archive/0.17/funkwhale-0.17.tar.bz2 +SOURCE_SUM=100eb3dfa5285eb9886d05dd575251e24cf43525596083b3793e8f80e369db1b SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.bz2 SOURCE_IN_SUBDIR=true From 3e44180708dddbef360e25841b9cf7be6e144c95 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Sat, 20 Oct 2018 21:54:59 +0200 Subject: [PATCH 4/7] Add LDAP support --- README.md | 3 +++ conf/env.prod | 16 +++++++++------- manifest.json | 2 +- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 2677d34..923cf7a 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,9 @@ The admin interface is accessible with the address: your.domain.fr/api/admin * [x] [CLI Import](https://docs.funkwhale.audio/importing-music.html#from-music-directory-on-the-server) Remember to `source $final_path/venv/bin/activate`, then `source $final_path/load_env` before typinh using manage.py. * [x] ARM support +* end-user configuration required: + * [x] LDAP integration + * to be added: * [ ] Store files in HOME, see https://github.com/YunoHost-Apps/funkwhale_ynh/issues/15 
diff --git a/conf/env.prod b/conf/env.prod index 5df5293..d682054 100644 --- a/conf/env.prod +++ b/conf/env.prod @@ -128,13 +128,15 @@ MUSIC_DIRECTORY_PATH=__FINALPATH__/data/music # Have a look at https://docs.funkwhale.audio/installation/ldap.html for # detailed instructions. -# LDAP_ENABLED=False -# LDAP_SERVER_URI=ldap://your.server:389 -# LDAP_BIND_DN=cn=admin,dc=domain,dc=com -# LDAP_BIND_PASSWORD=bindpassword -# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0})) -# LDAP_START_TLS=False -# LDAP_ROOT_DN=dc=domain,dc=com +LDAP_ENABLED=True +LDAP_SERVER_URI=ldap://localhost:389 +# enable anonymous searches https://django-auth-ldap.readthedocs.io/en/latest/authentication.html?highlight=anonymous#search-bind +LDAP_BIND_DN='' +LDAP_BIND_PASSWORD='' +LDAP_SEARCH_FILTER=(|(uid={0})) +LDAP_START_TLS=False +LDAP_ROOT_DN=ou=users,dc=yunohost,dc=org +LDAP_USER_ATTR_MAP={"username":"uid"} FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist diff --git a/manifest.json b/manifest.json index f61e26e..2314e12 100644 --- a/manifest.json +++ b/manifest.json @@ -8,7 +8,7 @@ "description": { "en": "A modern, convivial and free music server" }, - "version": "0.17.0~ynh1", + "version": "0.17.0~ynh2", "url": "https://funkwhale.audio", "license": "BSD-3-Clause", "maintainer": { From 6e9cba80111673a94a7cb433d572a0b4519abd49 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Sat, 20 Oct 2018 22:27:28 +0200 Subject: [PATCH 5/7] fix sso issues --- README.md | 2 +- scripts/install | 8 ++------ scripts/upgrade | 9 ++------- 3 files changed, 5 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 923cf7a..104616f 100644 --- a/README.md +++ b/README.md 
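Review bot: The conf/env.prod hunk turns LDAP on with `LDAP_SERVER_URI=ldap://localhost:389`, `LDAP_START_TLS=False` and an anonymous bind, and nothing on these lines says why clear-text LDAP is acceptable. That holds only while the directory is reached over loopback, so I would add a comment such as `# plain ldap:// is acceptable only because the directory listens on localhost; enable LDAP_START_TLS for a remote server`. `LDAP_SEARCH_FILTER=(|(uid={0}))` is an OR with a single operand and reads more clearly as `(uid={0})`. The filter admits every entry under `ou=users`, so the README should state whether every YunoHost user is meant to be able to log in to Funkwhale.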
@@ -9,7 +9,7 @@ Installation requires a dedicated domain for now. I hope subpath installation wi ## Admin -Admin password is **funkwhale**, login is the user you provided at installation. +The admin uses the login you provided at installation. The password is the same you use for YunoHost. The admin interface is accessible with the address: your.domain.fr/api/admin diff --git a/scripts/install b/scripts/install index 841cbb5..19ba6fb 100644 --- a/scripts/install +++ b/scripts/install @@ -226,15 +226,11 @@ chmod -R 755 "$final_path/front/dist/" # SETUP SSOWAT #================================================= -if [ "$is_public" -eq 0 ] -then # Remove the public access - ynh_app_setting_delete "$app" skipped_uris -fi # Make app public if necessary if [ "$is_public" -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set "$app" unprotected_uris "/" + # makes sure no SSO credentials to be passed + ynh_app_setting_set "$app" skipped_uris "/" fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 88c33b3..922ea4d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -213,17 +213,12 @@ chmod -R 755 "$final_path/front/dist/" # SETUP SSOWAT #================================================= -if [ "$is_public" -eq 0 ] -then # Remove the public access - ynh_app_setting_delete "$app" skipped_uris -fi # Make app public if necessary if [ "$is_public" -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway - ynh_app_setting_set "$app" unprotected_uris "/" + # makes sure no SSO credentials to be passed + ynh_app_setting_set "$app" skipped_uris "/" fi - #================================================= # RELOAD NGINX #================================================= From 6d06ab4f2b12842afae2d4f0e59fab634158b0e7 Mon Sep 17 00:00:00 2001 
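Review bot: In the SETUP SSOWAT hunks of scripts/install and scripts/upgrade the public case now writes `skipped_uris`, but nothing removes the `unprotected_uris "/"` value that the previous version of these scripts stored, and the private case no longer clears `skipped_uris`. An instance upgraded from an earlier release, or one whose `is_public` value changes, may keep a stale entry and end up with a different exposure than `is_public` says. In scripts/upgrade I would add `ynh_app_setting_delete "$app" unprotected_uris` before the `if` and keep an `else` branch with `ynh_app_setting_delete "$app" skipped_uris`. The new comment would read better as `# skipped_uris: SSOwat ignores these URIs and passes no SSO credentials`.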
From: Jean-Baptiste Holcroft Date: Sun, 21 Oct 2018 10:59:28 +0200 Subject: [PATCH 6/7] Move file structure to prevent backup of medias for upgrades --- check_process | 4 ++++ conf/env.prod | 8 +++---- conf/funkwhale-beat.service | 6 +++--- conf/funkwhale-server.service | 6 +++--- conf/funkwhale-worker.service | 6 +++--- conf/nginx.conf | 24 ++++++++++----------- scripts/backup | 10 ++++++++- scripts/install | 33 +++++++++++++++-------------- scripts/remove | 3 ++- scripts/restore | 13 +++++++++++- scripts/upgrade | 40 +++++++++++++++++++++++------------ 11 files changed, 95 insertions(+), 58 deletions(-) diff --git a/check_process b/check_process index 97543df..d63873f 100644 --- a/check_process +++ b/check_process @@ -17,6 +17,7 @@ setup_public=1 upgrade=1 upgrade=1 from_commit=11c81c1f503691272df5002dad8278bd82f34535 + upgrade=1 from_commit=80a5044d13a6782063fee2d7fb7a01832a6aa767 backup_restore=1 multi_instance=1 incorrect_path=0 @@ -41,4 +42,7 @@ Notification=all ;;; Upgrade options ; commit=11c81c1f503691272df5002dad8278bd82f34535 name=Upgrade from 0.15~ynh2 +manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 + ; commit=80a5044d13a6782063fee2d7fb7a01832a6aa767 + name=Upgrade from 0.16.3 manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 \ No newline at end of file diff --git a/conf/env.prod b/conf/env.prod index d682054..950fa59 100644 --- a/conf/env.prod +++ b/conf/env.prod @@ -79,12 +79,12 @@ CACHE_URL=redis://127.0.0.1:6379/__REDIS_DB__ # Where media files (such as album covers or audio tracks) should be stored # on your system? # (Ensure this directory actually exists) -MEDIA_ROOT=__FINALPATH__/data/media +MEDIA_ROOT=__FINALPATH__/media # Where static files (such as API css or icons) should be compiled # on your system? # (Ensure this directory actually exists) -STATIC_ROOT=__FINALPATH__/data/static +STATIC_ROOT=__FINALPATH__/code/data/static # Update it to match the domain that will be used to reach your funkwhale # instance 
@@ -119,8 +119,8 @@ RAVEN_DSN=https://44332e9fdd3d42879c7d35bf8562c6a4:0062dc16a22b41679cd5765e5342f # MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music # # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed -MUSIC_DIRECTORY_SERVE_PATH=__FINALPATH__/data/music -MUSIC_DIRECTORY_PATH=__FINALPATH__/data/music +MUSIC_DIRECTORY_SERVE_PATH=__FINALPATH__/import +MUSIC_DIRECTORY_PATH=__FINALPATH__/import # LDAP settings # Use the following options to allow authentication on your Funkwhale instance diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service index ce2d2db..f210dc8 100644 --- a/conf/funkwhale-beat.service +++ b/conf/funkwhale-beat.service @@ -6,9 +6,9 @@ PartOf=__APP__.target [Service] User=__APP__ # adapt this depending on the path of your funkwhale installation -WorkingDirectory=__FINALPATH__/api -EnvironmentFile=__FINALPATH__/config/.env -ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO +WorkingDirectory=__FINALPATH__/code/api +EnvironmentFile=__FINALPATH__/code/config/.env +ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO [Install] WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index a059cd1..a357f89 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service @@ -6,9 +6,9 @@ PartOf=__APP__.target [Service] User=__APP__ # adapt this depending on the path of your funkwhale installation -WorkingDirectory=__FINALPATH__/api -EnvironmentFile=__FINALPATH__/config/.env -ExecStart=__FINALPATH__/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers +WorkingDirectory=__FINALPATH__/code/api +EnvironmentFile=__FINALPATH__/code/config/.env +ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers [Install] WantedBy=multi-user.target 
diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service index 6c39057..ebf88b0 100644 --- a/conf/funkwhale-worker.service +++ b/conf/funkwhale-worker.service @@ -6,9 +6,9 @@ PartOf=__APP__.target [Service] User=__APP__ # adapt this depending on the path of your funkwhale installation -WorkingDirectory=__FINALPATH__/api -EnvironmentFile=__FINALPATH__/config/.env -ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO +WorkingDirectory=__FINALPATH__/code/api +EnvironmentFile=__FINALPATH__/code/config/.env +ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO [Install] WantedBy=multi-user.target diff --git a/conf/nginx.conf b/conf/nginx.conf index b8547bd..5bc7be9 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,5 +1,5 @@ location / { - alias __FINALPATH__/front/dist/; + alias __FINALPATH__/code/front/dist/; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; @@ -13,24 +13,24 @@ location @rewrites { } location /api/ { - include __FINALPATH__/deploy/funkwhale_proxy.conf; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; # this is needed if you have file import via upload enabled client_max_body_size 30M; proxy_pass http://127.0.0.1:__PORT__/api/; } location /federation/ { - include __FINALPATH__/deploy/funkwhale_proxy.conf; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__/federation/; } location /.well-known/ { - include __FINALPATH__/deploy/funkwhale_proxy.conf; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; proxy_pass http://127.0.0.1:__PORT__/.well-known/; } location /media/ { - alias __FINALPATH__/data/media/; + alias __FINALPATH__/media/; } location __PATH__/_protected/media/ { 
@@ -38,7 +38,7 @@ location __PATH__/_protected/media/ { # audio files once correct permission / authentication # has been checked on API side internal; - alias __FINALPATH__/data/media/; + alias __FINALPATH__/media/; } # Transcoding logic and caching @@ -47,7 +47,7 @@ location __PATH__/_protected/media/ { # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache location = /transcode-auth { - include __FINALPATH__/deploy/funkwhale_proxy.conf; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; # needed so we can authenticate transcode requests, but still # cache the result internal; @@ -62,7 +62,7 @@ location = /transcode-auth { } location /api/v1/trackfiles/transcode/ { - include __FINALPATH__/deploy/funkwhale_proxy.conf; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; # this block deals with authenticating and caching transcoding # requests. Caching is heavily recommended as transcoding # is a CPU intensive process. @@ -82,15 +82,15 @@ location /api/v1/trackfiles/transcode/ { location /staticfiles/ { # django static files - alias __FINALPATH__/data/static/; + alias __FINALPATH__/code/data/static/; } location /rest/ { - include __FINALPATH__/deploy/funkwhale_proxy.conf; - proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; + include __FINALPATH__/code/deploy/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__/code/api/subsonic/rest/; } location /_protected/music { internal; - alias __FINALPATH__/data/music; + alias __FINALPATH__/import; } \ No newline at end of file diff --git a/scripts/backup b/scripts/backup index de806a9..a79cdd2 100644 --- a/scripts/backup +++ b/scripts/backup 
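Review bot: In the last conf/nginx.conf hunk (`@@ -82,15 +82,15 @@`) the `/rest/` location now proxies to `http://127.0.0.1:__PORT__/code/api/subsonic/rest/`, so the directory rename has leaked into a URL. `/code` is a filesystem prefix under `__FINALPATH__`, not part of the routes the other `proxy_pass` lines target (`/api/`, `/federation/`, `/.well-known/`), so Subsonic clients would presumably get a not-found response from the backend. The line should stay `proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/;`.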
@@ -38,7 +38,15 @@ db_name=$(ynh_app_setting_get "$app" db_name) # BACKUP THE APP MAIN DIR #================================================= -ynh_backup "$final_path" +backup_core_only=$(ynh_app_setting_get "$app" backup_core_only) +# If backup_core_only have any value in the settings.yml file, do not backup the data directory +if [ -z "$backup_core_only" ] +then + ynh_backup "$final_path" +else + echo "Data dir will not be saved, because backup_core_only is set." >&2 + ynh_backup "$final_path/code" +fi #================================================= # BACKUP THE NGINX CONFIGURATION diff --git a/scripts/install b/scripts/install index 19ba6fb..34f805a 100644 --- a/scripts/install +++ b/scripts/install @@ -85,11 +85,12 @@ ynh_psql_test_if_first_run db_name=$(ynh_sanitize_dbid "$app") db_user=$db_name db_pwd=$(ynh_string_random) -# Initialize database and store postgres password for upgrade -ynh_psql_create_db "$db_name" "$db_user" "$db_pwd" ynh_app_setting_set "$app" db_name "$db_name" ynh_app_setting_set "$app" psqlpwd "$db_pwd" +# Initialize database and store postgres password for upgrade +ynh_psql_create_db "$db_name" "$db_user" "$db_pwd" + systemctl reload postgresql #================================================= @@ -98,12 +99,12 @@ systemctl reload postgresql ynh_app_setting_set "$app" final_path "$final_path" # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source "$final_path" -ynh_setup_source "$final_path" "app-frontend" +ynh_setup_source "$final_path/code" +ynh_setup_source "$final_path/code" "app-frontend" ( cd "$final_path" - mkdir -p config api data/static data/media data/music front + mkdir -p code/config code/api code/data/static media import code/front ) #================================================= 
@@ -138,22 +139,22 @@ ynh_system_user_create "$app" "$final_path" # PYTHON DEPENDENCIES #================================================= -python3 -m venv "$final_path/virtualenv" +python3 -m venv "$final_path/code/virtualenv" ( set +o nounset - source "${final_path}/virtualenv/bin/activate" + source "${final_path}/code/virtualenv/bin/activate" set -o nounset pip install --upgrade pip pip install --upgrade setuptools pip install wheel - pip install -r "${final_path}/api/requirements.txt" + pip install -r "${final_path}/code/api/requirements.txt" ) #================================================= # MODIFY THE CONFIG FILE #================================================= -configfile="$final_path/config/.env" +configfile="$final_path/code/config/.env" cp ../conf/env.prod "$configfile" @@ -172,12 +173,12 @@ ynh_replace_string "__DBNAME__" "$app" "$configfile" ynh_replace_string "__FINALPATH__" "$final_path" "$configfile" ynh_replace_string "__KEY__" "$key" "$configfile" -cat > "$final_path/load_env" <<'EOL' +cat > "$final_path/code/load_env" <<'EOL' #!/bin/bash -export $(cat "$final_path/config/.env" | grep -v ^# | xargs) +export $(cat "$final_path/code/config/.env" | grep -v ^# | xargs) EOL -chmod +x "$final_path/load_env" +chmod +x "$final_path/code/load_env" #================================================= # MODIFY THE CONFIG FILE @@ -186,10 +187,10 @@ chmod +x "$final_path/load_env" admin_mail=$(ynh_user_get_info "$admin" "mail") ( set +o nounset - source "${final_path}/virtualenv/bin/activate" - source "${final_path}/load_env" + source "${final_path}/code/virtualenv/bin/activate" + source "${final_path}/code/load_env" set -o nounset - cd "$final_path" + cd "$final_path/code/" # needed for enabling the 'unaccent' extension ynh_psql_execute_as_root "ALTER USER $db_user WITH SUPERUSER;" 
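Review bot: The context line `ynh_psql_execute_as_root "ALTER USER $db_user WITH SUPERUSER;"` in the `@@ -186,10 +187,10 @@` hunk of scripts/install (and again in `@@ -166,10 +177,10 @@` of scripts/upgrade) gives the application's database role superuser rights, although the comment above it says this is only needed to enable the `unaccent` extension. The subshell continues outside the hunk, so I cannot see whether the privilege is revoked afterwards; if it is not, a compromise of the web application reaches every database in the PostgreSQL cluster. I would either create the extension as the postgres superuser in the app's database before the migrations run, or follow the migrations with `ynh_psql_execute_as_root "ALTER USER $db_user WITH NOSUPERUSER;"`.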
@@ -220,7 +221,7 @@ systemctl restart "$app".target #================================================= chown -R "$app": "$final_path" -chmod -R 755 "$final_path/front/dist/" +chmod -R 755 "$final_path/code/front/dist/" #================================================= # SETUP SSOWAT diff --git a/scripts/remove b/scripts/remove index e012c8a..c379bb5 100644 --- a/scripts/remove +++ b/scripts/remove @@ -28,12 +28,13 @@ redis_db=$(ynh_app_setting_get $app redis_db) # STOP AND REMOVE SERVICE #================================================= +systemctl stop "$app".target + # Remove the dedicated systemd config ynh_remove_systemd_config "$app-server" ynh_remove_systemd_config "$app-worker" ynh_remove_systemd_config "$app-beat" -systemctl stop "$app".target ynh_secure_remove "/etc/systemd/system/$app.target" #================================================= diff --git a/scripts/restore b/scripts/restore index 82c2252..094eb13 100644 --- a/scripts/restore +++ b/scripts/restore @@ -57,7 +57,18 @@ ynh_restore_file "/etc/nginx/conf.d/$domain.conf" # RESTORE THE APP MAIN DIR #================================================= -ynh_restore_file "$final_path" +backup_core_only=$(ynh_app_setting_get "$app" backup_core_only) + +# If backup_core_only have any value, then restore only code +if [ -z "$backup_core_only" ] +then + ynh_restore_file "$final_path/code" +else + ynh_restore_file "$final_path" +fi + +# Remove the option backup_core_only if it's in the settings.yml file +ynh_app_setting_delete "$app" backup_core_only #================================================= # RECREATE THE DEDICATED USER diff --git a/scripts/upgrade b/scripts/upgrade index 922ea4d..74f64ec 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
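Review bot: The branch added to scripts/restore is inverted with respect to scripts/backup and to its own comment: when `backup_core_only` is empty, backup saves all of `$final_path`, yet restore brings back only `$final_path/code`; when the setting is present, restore asks for `$final_path`, which a core-only archive does not contain. A normal restore would therefore drop `media` and `import`, and the rollback after a failed upgrade would presumably fail on the missing path. Swapping the two calls fixes it: `ynh_restore_file "$final_path"` under `[ -z "$backup_core_only" ]` and `ynh_restore_file "$final_path/code"` in the `else`.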
@@ -35,10 +35,21 @@ if [ -z "$redis_db" ]; then ynh_app_setting_set "$app" redis_db "$redis_db" fi +# make sure we have the last code organization +if [ ! -d "$final_path/code/" ]; then + mkdir "$final_path/code" + mv "$final_path/!(code)" "$final_path/code/" + mv "$final_path/code/data/media" "$final_path/media" + mv "$final_path/code/data/music" "$final_path/import" +fi + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= +# Inform the backup/restore process that it should not save the data directory +ynh_app_setting_set "$app" backup_core_only 1 + # Backup the current version of the app ynh_backup_before_upgrade ynh_clean_setup () { @@ -63,12 +74,12 @@ path_url=$(ynh_normalize_url_path "$path_url") ynh_app_setting_set "$app" final_path "$final_path" # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source "$final_path" -ynh_setup_source "$final_path" "app-frontend" +ynh_setup_source "$final_path/code" +ynh_setup_source "$final_path/code" "app-frontend" ( cd "$final_path" - mkdir -p config api data/static data/media data/music front + mkdir -p code/config code/api code/data/static media import code/front ) #================================================= @@ -118,15 +129,15 @@ ynh_install_app_dependencies build-essential curl ffmpeg \ # PYTHON DEPENDENCIES #================================================= -python3 -m venv "$final_path/virtualenv" +python3 -m venv "$final_path/code/virtualenv" ( set +o nounset - source "${final_path}/virtualenv/bin/activate" + source "${final_path}/code/virtualenv/bin/activate" set -o nounset pip install --upgrade pip pip install --upgrade setuptools pip install wheel - pip install -r "${final_path}/api/requirements.txt" + pip install -r "${final_path}/code/api/requirements.txt" # https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.16 pip uninstall django-cacheops --yes 
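Review bot: `mv "$final_path/!(code)" "$final_path/code/"` in the first scripts/upgrade hunk cannot work as written, because the `!(code)` pattern sits inside double quotes and bash passes it literally instead of expanding it; the pattern also needs `extglob`, which is not enabled in the lines shown. Depending on the error mode set outside the hunk, the upgrade either aborts here or continues with an empty `code/` and fails on the two `mv` lines that follow. I would put `shopt -s extglob` before the `if` (it must be active when the block is parsed) and write `mv "$final_path"/!(code) "$final_path/code/"`. The block also runs before `ynh_backup_before_upgrade`, so a failure half-way through the reorganisation has no rollback point.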
@@ -136,7 +147,7 @@ python3 -m venv "$final_path/virtualenv" # MODIFY THE CONFIG FILE #================================================= -configfile="$final_path/config/.env" +configfile="$final_path/code/config/.env" cp ../conf/env.prod "$configfile" @@ -153,12 +164,12 @@ ynh_replace_string "__DBNAME__" "$app" "$configfile" ynh_replace_string "__FINALPATH__" "$final_path" "$configfile" ynh_replace_string "__KEY__" "$key" "$configfile" -cat > "$final_path/load_env" <<'EOL' +cat > "$final_path/code/load_env" <<'EOL' #!/bin/bash -export $(cat "$final_path/config/.env" | grep -v ^# | xargs) +export $(cat "$final_path/code/config/.env" | grep -v ^# | xargs) EOL -chmod +x "$final_path/load_env" +chmod +x "$final_path/code/load_env" #================================================= # MIGRATE @@ -166,10 +177,10 @@ chmod +x "$final_path/load_env" ( set +o nounset - source "${final_path}/virtualenv/bin/activate" - source "${final_path}/load_env" + source "${final_path}/code/virtualenv/bin/activate" + source "${final_path}/code/load_env" set -o nounset - cd "$final_path" + cd "$final_path/code" # needed for enabling the 'unaccent' extension ynh_psql_execute_as_root "ALTER USER $db_user WITH SUPERUSER;" @@ -183,6 +194,7 @@ chmod +x "$final_path/load_env" # https://code.eliotberriot.com/funkwhale/funkwhale/tags/0.16 #image-thumbnails-manual-action-required python api/manage.py script create_image_variations --no-input + # https://docs.funkwhale.audio/upgrading/0.17.html#upgrade-instructions python api/manage.py script migrate_to_user_libraries --no-input ) @@ -207,7 +219,7 @@ systemctl restart "$app".target #================================================= chown -R "$app": "$final_path" -chmod -R 755 "$final_path/front/dist/" +chmod -R 755 "$final_path/code/front/dist/" #================================================= # SETUP SSOWAT From 57762eb804c7cdd06ff3fad1f91c33216abe56c8 Mon Sep 17 00:00:00 2001 
From: Jean-Baptiste Holcroft Date: Sun, 21 Oct 2018 11:15:08 +0200 Subject: [PATCH 7/7] Add more security to systemd files --- conf/funkwhale-beat.service | 16 +++++++++++++++- conf/funkwhale-server.service | 18 ++++++++++++++++-- conf/funkwhale-worker.service | 18 ++++++++++++++++-- 3 files changed, 47 insertions(+), 5 deletions(-) diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service index f210dc8..da75461 100644 --- a/conf/funkwhale-beat.service +++ b/conf/funkwhale-beat.service @@ -5,10 +5,24 @@ PartOf=__APP__.target [Service] User=__APP__ -# adapt this depending on the path of your funkwhale installation +Group=__APP__ WorkingDirectory=__FINALPATH__/code/api EnvironmentFile=__FINALPATH__/code/config/.env ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/ +ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api + +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier=__APP__-beat + [Install] WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index a357f89..2e5705d 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service 
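Review bot: In the conf/funkwhale-beat.service hunk, `ReadWritePaths=` lists `__FINALPATH__/code/api`, which makes the application's Python source writable by the service again and undoes most of what `ReadOnlyPaths=__FINALPATH__/code/` is meant to achieve. Presumably this is there because celery beat writes its schedule file into the working directory; passing `--schedule` with a path in a dedicated writable directory and dropping `code/api` from `ReadWritePaths=` would keep the code tree read-only. With `ProtectSystem=strict` the file system is already mounted read-only for the service, so the `ReadOnlyPaths=` line is redundant in all three unit files (server and worker as well). A short comment above the hardening block explaining which paths each service really has to write to would help the next maintainer.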
@@ -5,10 +5,24 @@ PartOf=__APP__.target [Service] User=__APP__ -# adapt this depending on the path of your funkwhale installation +Group=__APP__ WorkingDirectory=__FINALPATH__/code/api EnvironmentFile=__FINALPATH__/code/config/.env ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/ +ReadWritePaths=__FINALPATH__/media __FINALPATH__/import + +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier=__APP__-server + [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service index ebf88b0..2a8bfbf 100644 --- a/conf/funkwhale-worker.service +++ b/conf/funkwhale-worker.service @@ -5,10 +5,24 @@ PartOf=__APP__.target [Service] User=__APP__ -# adapt this depending on the path of your funkwhale installation +Group=__APP__ WorkingDirectory=__FINALPATH__/code/api EnvironmentFile=__FINALPATH__/code/config/.env ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/ +ReadWritePaths=__FINALPATH__/media __FINALPATH__/import + +StandardOutput=syslog +StandardError=syslog +SyslogIdentifier=__APP__-worker + [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file