diff --git a/README.md b/README.md index 0127b53..58a8694 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ A modern, convivial and free music server on YunoHost Installation requires a dedicated domain for now. I hope subpath installation will be possible in the future. -**Shipped version:** 0.19.1 (this is an Alpha version!) +**Shipped version:** 0.20.0 (this is an Alpha version!) ## Screenshots diff --git a/check_process b/check_process index 8e54ddb..a5bcf67 100644 --- a/check_process +++ b/check_process @@ -16,23 +16,14 @@ setup_private=1 setup_public=1 upgrade=1 + upgrade=1 from_commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530 backup_restore=1 multi_instance=1 incorrect_path=0 port_already_use=0 change_url=0 ;;; Levels - Level 1=auto - Level 2=auto - Level 3=auto -# Level 4: https://github.com/YunoHost-Apps/funkwhale_ynh/issues/21 - Level 4=1 - Level 5=auto - Level 6=auto - Level 7=auto - Level 8=0 - Level 9=0 - Level 10=0 + ;;; Options Email=jean-baptiste@holcroft.fr Notification=all @@ -45,4 +36,7 @@ manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 ; commit=99bae16efca321ce50ba9a98c62996169195e0ba name=Upgrade from 0.18.3 +manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 + ; commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530 + name=Upgrade from 0.19.1 manifest_arg=domain=DOMAIN&path=/&admin=USER&is_public=1 diff --git a/conf/app-frontend.src b/conf/app-frontend.src index c705905..d2e7ef4 100644 --- a/conf/app-frontend.src +++ b/conf/app-frontend.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/0.19.1/download?job=build_front -SOURCE_SUM=5ee39dd1cca26b244c53b24539e01906d3d0b04c9df5290e0070290a38fd1c83 +SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/0.20.0/download?job=build_front +SOURCE_SUM=b42e10e3c57103eb8e39a1987aebae819843bb90fd9d3116ac233df5d7c9091e SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index c94e0e5..4a05ea0 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/archive/0.19.1/funkwhale-0.19.1.tar.gz -SOURCE_SUM=a5f2b8b51f4259b0964f7adeceeaadab6b39de3417b019b4ec505d5154adff82 +SOURCE_URL=https://dev.funkwhale.audio/funkwhale/funkwhale/-/archive/0.20.0/funkwhale-0.20.0.tar.gz +SOURCE_SUM=d010f9db31473b86cdbad7f1bab1b2df3326604e8b0db18acb7f56b77e75c048 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.bz2 SOURCE_IN_SUBDIR=true diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index a48c1f5..88c482d 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service @@ -9,8 +9,10 @@ Group=__APP__ WorkingDirectory=__FINALPATH__/code/api EnvironmentFile=__FINALPATH__/code/config/.env -ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers \ - --verbosity 1 --access-log=/var/log/__APP__/server.log +ExecStart=__FINALPATH__/code/virtualenv/bin/gunicorn config.asgi:application \ + -w ${FUNKWHALE_WEB_WORKERS} \ + -k uvicorn.workers.UvicornWorker \ + -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} #NoNewPrivileges=true #PrivateDevices=true @@ -27,4 +29,4 @@ StandardError=syslog SyslogIdentifier=__APP__-server [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/conf/nginx.conf b/conf/nginx.conf index 598f581..d8c830f 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -11,6 +11,14 @@ location /front/ { expires 30d; more_set_headers Pragma public; more_set_headers Cache-Control "public, must-revalidate, proxy-revalidate"; + more_set_headers Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + more_set_headers Referrer-Policy "strict-origin-when-cross-origin"; + more_set_headers X-Frame-Options "SAMEORIGIN"; +} + +location /front/embed.html { + more_set_headers X-Frame-Options "ALLOW"; + alias __FINALPATH__/front/dist/embed.html; } location /federation/ { diff --git a/manifest.json b/manifest.json index 5697050..1a77c80 100644 --- a/manifest.json +++ b/manifest.json @@ -5,7 +5,7 @@ "description": { "en": "A modern, convivial and free music server" }, - "version": "0.19.1~ynh2", + "version": "0.20.0~ynh1", "url": "https://funkwhale.audio", "license": "AGPL-3.0-or-later", "maintainer": { diff --git a/scripts/install b/scripts/install index 9e61390..bb0d178 100644 --- a/scripts/install +++ b/scripts/install @@ -160,17 +160,6 @@ ynh_replace_string --match_string="__DBNAME__" --replace_string="$app" ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$configfile" ynh_replace_string --match_string="__KEY__" --replace_string="$key" --target_file="$configfile" -loadfile="$final_path/code/load_env" - -cat > "$loadfile" <<'EOL' -#!/bin/bash -export $(cat "__FINALPATH__/code/config/.env" | grep -v ^# | xargs) -EOL - -chmod +x "$loadfile" - -ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$loadfile" - #================================================= # CONFIGURE ADMIN USER #================================================= @@ -179,7 +168,6 @@ admin_mail=$(ynh_user_get_info --username="$admin" --key="mail") ( set +o nounset source "${final_path}/code/virtualenv/bin/activate" - source "$loadfile" set -o nounset cd "$final_path/code/" diff --git a/scripts/upgrade b/scripts/upgrade index f3df721..3c1c93e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -77,6 +77,16 @@ ynh_abort_if_errors # Normalize the URL path syntax path_url=$(ynh_normalize_url_path "$path_url") +#================================================= +# CHECK THE PATH +#================================================= + +# see 0.20.0: https://docs.funkwhale.audio/changelog.html#automatically-load-env-file +loadfile="$final_path/code/load_env" +if [ -e "$loadfile" ] ; then + ynh_secure_remove --file="$loadfile" +fi + #================================================= # CLOSE A PORT #================================================= @@ -184,17 +194,6 @@ ynh_replace_string --match_string="__DBNAME__" --replace_string="$app" ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$configfile" ynh_replace_string --match_string="__KEY__" --replace_string="$key" --target_file="$configfile" -loadfile="$final_path/code/load_env" - -cat > "$loadfile" <<'EOL' -#!/bin/bash -export $(cat "__FINALPATH__/code/config/.env" | grep -v ^# | xargs) -EOL - -chmod +x "$loadfile" - -ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$loadfile" - #================================================= # MIGRATE #================================================= @@ -202,7 +201,6 @@ ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" ( set +o nounset source "${final_path}/code/virtualenv/bin/activate" - source "$loadfile" set -o nounset cd "$final_path/code" diff --git a/sources/extra_files/app/api/requirements/base.txt b/sources/extra_files/app/api/requirements/base.txt index e5a02f2..7c67ebf 100644 --- a/sources/extra_files/app/api/requirements/base.txt +++ b/sources/extra_files/app/api/requirements/base.txt @@ -1,5 +1,5 @@ # Bleeding edge Django -django>=2.2.1,<2.3 +django>=2.2.4,<2.3 # Configuration django-environ>=0.4,<0.5 @@ -29,7 +29,7 @@ celery>=4.3,<4.4 # Your custom requirements go here django-cors-headers>=2.5.3,<2.6 musicbrainzngs==0.6 -djangorestframework>=3.9,<3.10 +djangorestframework>=3.10,<3.11 djangorestframework-jwt>=1.11,<1.12 pendulum>=2,<3 persisting-theory>=0.2,<0.3 @@ -39,26 +39,30 @@ django-rest-auth>=0.9,<0.10 ipython>=7,<8 mutagen>=1.42,<1.43 - -django-taggit>=0.24,<0.25 pymemoize==1.0.3 -django-dynamic-preferences>=1.7,<1.8 +django-dynamic-preferences>=1.7.1,<1.8 raven>=6.10,<7 python-magic==0.4.15 # XXX: until https://github.com/django/channels/issues/1240 is fixed channels==2.1.6 -# suggestion by Eliot Berriot, this dep will be remove in next version anyway -# channels_redis>=2.3,<2.4 -channels_redis==2.3.2 - +channels_redis>=2.3,<2.4 daphne>=2.2,<2.3 +# uvicorn +gunicorn + +# YNH specific +uvicorn==0.8.6 +service_identity +# END YunoHost specific cryptography>=2,<3 # requests-http-signature==0.0.3 # clone until the branch is merged and released upstream git+https://github.com/EliotBerriot/requests-http-signature.git@signature-header-support django-cleanup==3.2.0 +requests>=2.22<2.23 +pyOpenSSL>=19<20 # for LDAP authentication python-ldap==3.2.0