diff --git a/README.md b/README.md index 8472a5c..0a8b29a 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Funkwhale is a community-driven project that lets you listen and share music and audio within a decentralized, open network. -**Shipped version:** 1.3.4~ynh1 +**Shipped version:** 1.4.0~ynh1 **Demo:** https://demo.funkwhale.audio diff --git a/README_fr.md b/README_fr.md index 88ba9cc..90cba06 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po Funkwhale est un projet communautaire qui vous permet d'écouter et de partager de la musique et de l'audio au sein d'un réseau ouvert et décentralisé. -**Version incluse :** 1.3.4~ynh1 +**Version incluse :** 1.4.0~ynh1 **Démo :** https://demo.funkwhale.audio diff --git a/conf/funkwhale_proxy.conf b/conf/funkwhale_proxy.conf new file mode 100644 index 0000000..1f091b4 --- /dev/null +++ b/conf/funkwhale_proxy.conf @@ -0,0 +1,13 @@ +# global proxy conf +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Host $host:$server_port; +proxy_set_header X-Forwarded-Port $server_port; +proxy_redirect off; + +# websocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; diff --git a/conf/nginx.conf b/conf/nginx.conf index 715112d..3f2f2d0 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,144 +1,118 @@ -root __INSTALL_DIR__/front/dist; -location /api/ { + # HSTS + more_set_headers "Strict-Transport-Security: max-age=31536000"; - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; + # General configs + root __INSTALL_DIR__/front/dist; + client_max_body_size 100M; + charset utf-8; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - # this is needed if you have file import via upload enabled - client_max_body_size 100M; - proxy_pass http://127.0.0.1:__PORT__; -} - -location / { - alias __INSTALL_DIR__/front/dist/; - expires 1d; - try_files $uri $uri/ /index.html; -} - -location /embed.html { - more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; - more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; - - alias __INSTALL_DIR__/front/dist/embed.html; - expires 1d; -} - -location /federation/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/federation/; -} - -# You can comment this if you do not plan to use the Subsonic API -location /rest/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; -} - -location /.well-known/ { - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_pass http://127.0.0.1:__PORT__; -} - -location /media/__sized__/ { - alias __DATA_DIR__/data/media/__sized__/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -location /media/attachments/ { - alias __DATA_DIR__/data/media/attachments/; - more_set_headers "Access-Control-Allow-Origin: *"; -} - -# This is an internal location that is used to serve -# media (uploaded) files once correct permission / authentication -# has been checked on API side. -# Comment the "NON-S3" commented lines and uncomment "S3" commented lines -# if you're storing media files in a S3 bucket. -location /_protected/media/ { - internal; - alias __DATA_DIR__/data/media/$1; # NON-S3 -# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. -# proxy_set_header Authorization ""; # S3 -# proxy_pass $1; # S3 - more_set_headers "Access-Control-Allow-Origin: *"; + location /api/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + # This is needed if you have file import via upload enabled. + client_max_body_size 100M; + proxy_pass http://127.0.0.1:__PORT__; } -location /_protected/music/ { - # this is an internal location that is used to serve - # audio files once correct permission / authentication - # has been checked on API side - # Set this to the same value as your MUSIC_DIRECTORY_PATH setting - internal; - alias __DATA_DIR__/data/music/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/library/(albums|tracks|artists|playlists)/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to /staticfiles -location /staticfiles/ { - alias __DATA_DIR__/data/static/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location /channels/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } -# Allow direct access to only specific subdirectories in /media -location /media/dynamic_preferences/ { - alias __DATA_DIR__/data/media/dynamic_preferences/; - more_set_headers "Access-Control-Allow-Origin: *"; -} + location ~ ^/@(vite-plugin-pwa|vite|id)/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + alias __INSTALL_DIR__/front/dist/; + try_files $uri $uri/ /index.html; + } -location /manifest.json { - return 302 /api/v1/instance/spa-manifest.json; -} + location /@ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + location / { + expires 1d; + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + alias __INSTALL_DIR__/front/dist/; + try_files $uri $uri/ /index.html; + } + + location ~ "/(front/)?embed.html" { + alias __INSTALL_DIR__/front/dist/embed.html; + more_set_headers "Content-Security-Policy: connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:"; + more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; + + expires 1d; + } + + location /federation/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # You can comment this if you do not plan to use the Subsonic API. + location /rest/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; + } + + location /.well-known/ { + include /etc/nginx/conf.d/__DOMAIN__.d/funkwhale_proxy.conf; + proxy_pass http://127.0.0.1:__PORT__; + } + + # Allow direct access to only specific subdirectories in /media + location /media/__sized__/ { + alias __DATA_DIR__/data/media/__sized__/; + more_set_headers "Access-Control-Allow-Origin: *"; + } + + # Allow direct access to only specific subdirectories in /media + location /media/attachments/ { + alias __DATA_DIR__/data/media/attachments/; + more_set_headers "Access-Control-Allow-Origin: *"; + } + + # Allow direct access to only specific subdirectories in /media + location /media/dynamic_preferences/ { + alias __DATA_DIR__/data/media/dynamic_preferences/; + more_set_headers "Access-Control-Allow-Origin: *"; + } + + # This is an internal location that is used to serve + # media (uploaded) files once correct permission / authentication + # has been checked on API side. + # Comment the "NON-S3" commented lines and uncomment "S3" commented lines + # if you're storing media files in a S3 bucket. + location /_protected/media/ { + internal; + alias __DATA_DIR__/data/media/$1; # NON-S3 + # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. +# proxy_set_header Authorization ""; # S3 +# proxy_pass $1; # S3 + more_set_headers "Access-Control-Allow-Origin: *"; + } + + location /_protected/music/ { + # This is an internal location that is used to serve + # local music files once correct permission / authentication + # has been checked on API side. + # Set this to the same value as your MUSIC_DIRECTORY_PATH setting. + internal; + alias __DATA_DIR__/data/music/; + more_set_headers "Access-Control-Allow-Origin: *"; + } + + location /manifest.json { + # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL + return 302 https://__DOMAIN__/api/v1/instance/spa-manifest.json; + } + + location /staticfiles/ { + alias __DATA_DIR__/data/static/; + } diff --git a/manifest.toml b/manifest.toml index a478ab8..e2e9462 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Funkwhale" description.en = "Convivial and modern music server" description.fr = "Serveur de musique moderne et convivial" -version = "1.3.4~ynh1" +version = "1.4.0~ynh1" maintainers = ["Thovi98"] @@ -44,15 +44,15 @@ ram.runtime = "50M" [resources] [resources.sources] [resources.sources.api] - url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.3.4/download?job=build_api" - sha256 = "8a05e3cab5c698cb89a23e1cd8b95c0e0ce2a2bea1580e1ec59364a07a870cd5" + url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_api" + sha256 = "e1c3d49da0e03545ff96f584d7c437fa333d7836b1a70c54b31ba5db3e1a2ae1" in_subdir = true extract = true format = "zip" [resources.sources.front] - url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.3.4/download?job=build_front" - sha256 = "fbf0d25153dd16f9c9a70e6bb2b15238a091a9acb36fc1dc2e2766f761f2a17c" + url = "https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/1.4.0/download?job=build_front" + sha256 = "d0429566bcc3fa395b9c54b16b939bbc86009c174929910de345db149d3e9d6d" in_subdir = true extract = true format = "zip" diff --git a/scripts/backup b/scripts/backup index 13fa6d1..ed8efd6 100644 --- a/scripts/backup +++ b/scripts/backup @@ -31,7 +31,7 @@ ynh_backup --src_path="$data_dir" --is_big # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_backup --src_path="/etc/nginx/conf.d/$domain.d" #================================================= # BACKUP FAIL2BAN CONFIGURATION diff --git a/scripts/install b/scripts/install index e850264..c7f7b25 100644 --- a/scripts/install +++ b/scripts/install @@ -32,6 +32,7 @@ mkdir -p $install_dir/config ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated NGINX config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" ynh_add_nginx_config #================================================= diff --git a/scripts/remove b/scripts/remove index e2c549b..104fb0f 100644 --- a/scripts/remove +++ b/scripts/remove @@ -56,6 +56,7 @@ ynh_secure_remove --file="/etc/systemd/system/$app.target" ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 # Remove the dedicated NGINX config +ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" ynh_remove_nginx_config #================================================= diff --git a/scripts/restore b/scripts/restore index a92c9cd..af8f55a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -39,7 +39,7 @@ chown -R $app:www-data "$data_dir/" #================================================= ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 -ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d" #================================================= # RESTORE THE POSTGRESQL DATABASE diff --git a/scripts/upgrade b/scripts/upgrade index cd7eb2d..2ff9135 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -49,6 +49,7 @@ fi ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1 # Create a dedicated NGINX config +ynh_add_config --template="funkwhale_proxy.conf" --destination="/etc/nginx/conf.d/$domain.d/funkwhale_proxy.conf" ynh_add_nginx_config #================================================= diff --git a/tests.toml b/tests.toml index 8496494..ed0afbc 100644 --- a/tests.toml +++ b/tests.toml @@ -5,4 +5,5 @@ test_format = 1.0 test_upgrade_from.9058c1b.name = "1.3.1" test_upgrade_from.fefe575.name = "1.3.2" test_upgrade_from.13391bf.name = "1.3.3" + test_upgrade_from.006a760.name = "1.3.4"