diff --git a/conf/env.prod b/conf/env.prod
index 71a56f8..d9cfba1 100644
--- a/conf/env.prod
+++ b/conf/env.prod
@@ -36,7 +36,7 @@ FUNKWHALE_API_IP=127.0.0.1
 FUNKWHALE_API_PORT=__PORT__
 # The number of web workers to start in parallel. Higher means you can handle
 # more concurrent requests, but also leads to higher CPU/Memory usage
-FUNKWHALE_WEB_WORKERS=6
+FUNKWHALE_WEB_WORKERS=4
 # Replace this by the definitive, public domain you will use for
 # your instance. It cannot be changed after initial deployment
 # without breaking your instance.
@@ -44,7 +44,7 @@ FUNKWHALE_HOSTNAME=__DOMAIN__
 FUNKWHALE_PROTOCOL=https
 # Log level (debug, info, warning, error, critical)
-LOGLEVEL=error
+LOGLEVEL=debug
 # Configure e-mail sending using this variale
 # By default, funkwhale will output e-mails sent to stdout
@@ -140,7 +140,7 @@ DJANGO_SECRET_KEY=__KEY__
 # # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed
 MUSIC_DIRECTORY_PATH=__DATA_DIR__/data/music
-#MUSIC_DIRECTORY_SERVE_PATH=__DATA_DIR__/data/import
+MUSIC_DIRECTORY_SERVE_PATH=__DATA_DIR__/data/music
 # LDAP settings
 # Use the following options to allow authentication on your Funkwhale instance
diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service
index 2eddd2b..5913bbc 100644
--- a/conf/funkwhale-beat.service
+++ b/conf/funkwhale-beat.service
@@ -8,7 +8,11 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/api
 EnvironmentFile=__INSTALL_DIR__/config/.env
-ExecStart=__INSTALL_DIR__/venv/bin/celery -A funkwhale_api.taskapp beat -l INFO
+
+ExecStart=__INSTALL_DIR__/venv/bin/celery \
+ --app funkwhale_api.taskapp \
+ beat \
+ --loglevel INFO
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service
index e55b0bb..ea18600 100644
--- a/conf/funkwhale-server.service
+++ b/conf/funkwhale-server.service
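Review bot: `LOGLEVEL=debug` on the added line makes debug the default for every production deployment generated from conf/env.prod rather than a setting an admin opts into while troubleshooting. Debug output is far more verbose than the previous `error` default, so logs grow faster and are likelier to record request details and user data the instance has no need to retain; the comment above the key already lists `info`, the usual production level. Proposed: `LOGLEVEL=info`, with `# Raise to debug only while troubleshooting; debug output is verbose and may include request details` above it.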
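Review bot: The added `MUSIC_DIRECTORY_SERVE_PATH=__DATA_DIR__/data/music` contradicts the context line two lines above it, `# MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed`, which is upstream's advice for exactly the non-docker layout this template describes. A reader now sees a comment saying the key stays commented, followed by the key set to the same directory as `MUSIC_DIRECTORY_PATH`. Either drop that stale comment line or replace it with one stating why the serve path is set here, for example `# Set explicitly so the internal nginx music location and the data directory agree`; the nginx configuration that consumes the value is not part of this diff, so that wording should be confirmed against it.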
@@ -8,7 +8,16 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/api
 EnvironmentFile=__INSTALL_DIR__/config/.env
-ExecStart=__INSTALL_DIR__/venv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}
+
+Type=notify
+KillMode=mixed
+ExecStart=__INSTALL_DIR__/venv/bin/gunicorn \
+ config.asgi:application \
+ --workers ${FUNKWHALE_WEB_WORKERS} \
+ --worker-class uvicorn.workers.UvicornWorker \
+ --bind ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}
+ExecReload=/bin/kill -s HUP $MAINPID
+
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service
index 2a91c6e..4cf8fde 100644
--- a/conf/funkwhale-worker.service
+++ b/conf/funkwhale-worker.service
@@ -7,8 +7,14 @@ PartOf=__APP__.target
 User=__APP__
 Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/api
+Environment="CELERYD_CONCURRENCY=0"
 EnvironmentFile=__INSTALL_DIR__/config/.env
-ExecStart=__INSTALL_DIR__/venv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0
+
+ExecStart=__INSTALL_DIR__/venv/bin/celery \
+ --app funkwhale_api.taskapp \
+ worker \
+ --loglevel INFO \
+ --concurrency=${CELERYD_CONCURRENCY}
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these
diff --git a/conf/funkwhale.target b/conf/funkwhale.target
index 0a84441..e8bca5e 100644
--- a/conf/funkwhale.target
+++ b/conf/funkwhale.target
@@ -1,3 +1,6 @@
 [Unit]
 Description=Funkwhale (__APP__)
 Wants=__APP__-server.service __APP__-worker.service __APP__-beat.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index 21059df..4cdf499 100644
--- a/manifest.toml
+++ b/manifest.toml
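Review bot: `Type=notify` is added without stating what sends the readiness notification; the unit now depends on the gunicorn in `__INSTALL_DIR__/venv` implementing sd_notify, and with a release that does not, systemd waits for READY=1 until the start timeout and then kills the service. The long-form `--workers`/`--worker-class`/`--bind` options and `ExecReload=/bin/kill -s HUP $MAINPID` are fine, but the trailing added blank line sits next to the existing blank context line, leaving two empty lines before the capability comments. Proposed comment above the type line: `# gunicorn signals readiness over NOTIFY_SOCKET; needs a gunicorn release with systemd support`, and drop one of the two blank lines.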
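Review bot: `Environment="CELERYD_CONCURRENCY=0"` is added with no comment on what 0 means or how to change it, and it is only a fallback, because in systemd values from `EnvironmentFile=` override `Environment=` assignments whatever their order in the unit. Proposed comment above it: `# Fallback only, config/.env may override it; 0 lets celery pick the worker count itself`. Note also that `--concurrency=${CELERYD_CONCURRENCY}` becomes a bare `--concurrency=` if .env sets the key to an empty value, which celery is unlikely to accept, so the .env template should document the key as an integer.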
@@ -19,11 +19,11 @@ code = "https://dev.funkwhale.audio/funkwhale/funkwhale"
 fund = "https://next.funkwhale.audio/donate/"
 [integration]
-yunohost = ">= 11.1.19"
+yunohost = ">= 11.1.21"
 architectures = "all"
 multi_instance = true
-ldap = false
-sso = false
+ldap = true
+sso = true
 disk = "50M"
 ram.build = "50M"
 ram.runtime = "50M"
diff --git a/scripts/install b/scripts/install
index b787df7..ddede42 100644
--- a/scripts/install
+++ b/scripts/install
@@ -46,7 +46,7 @@ ynh_add_nginx_config
 ynh_script_progression --message="Creating a data directory..." --weight=1
 mkdir -p $data_dir/data
-mkdir -p $data_dir/{static,media,music}
+mkdir -p $data_dir/data/{static,media,music}
 chmod 750 "$data_dir"
 chmod -R o-rwx "$data_dir/"
diff --git a/scripts/upgrade b/scripts/upgrade
index a28a83a..a7a7ccb 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -33,6 +33,10 @@ ynh_systemd_action --action="stop" --service_name="${app}-worker" --log_path="sy
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 ynh_script_progression --message="Upgrading source files..." --weight=1
+
+ # Remove the old files
+ ynh_secure_remove --file="$install_dir/api"
+ ynh_secure_remove --file="$install_dir/api"
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir/api" --source_id="api"
@@ -51,6 +55,15 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
 # Create a dedicated NGINX config
 ynh_add_nginx_config
+#=================================================
+# Assure correct permissions to $data_dir
+#=================================================
+ynh_script_progression --message="Assure correct permissions to $data_dir..." --weight=1
+
+chmod 750 "$data_dir"
+chmod -R o-rwx "$data_dir/"
+chown -R $app:www-data "$data_dir/"
+
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
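Review bot: `ldap = true` and `sso = true` declare YunoHost LDAP and SSO integration as supported, but nothing in this diff configures it: the conf/env.prod hunk shows the `# LDAP settings` comment only as context and adds no LDAP key. If the LDAP configuration lives in a part of env.prod not touched here, fine; otherwise the flags advertise in the catalog an integration the package does not wire up. Add the corresponding env.prod settings in the same change, or keep the flags at false until they exist.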
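Review bot: The new `mkdir -p $data_dir/data/{static,media,music}` leaves `$data_dir` unquoted while the `chmod` lines just below quote it; brace expansion still works with the variable quoted, so `mkdir -p "$data_dir"/data/{static,media,music}` is the consistent form. With `-p` this line also creates `$data_dir/data`, so the preceding `mkdir -p $data_dir/data` is now redundant and can go.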
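Review bot: `ynh_secure_remove --file="$install_dir/api"` appears twice in the added block; the second call is a no-op after the first and reads like a copy-paste leftover or a placeholder for a second directory that was never filled in. Either delete the duplicate or point it at the directory it was meant for. Removing the old tree before `ynh_setup_source` fetches the new one also means a failed download leaves no api directory at all; presumably the script's failure handling restores the pre-upgrade backup, but that is worth confirming since the `if` block continues outside the hunk.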
@@ -90,6 +103,7 @@ pushd $install_dir
 # needed for enabling the 'unaccent' extension
 ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH SUPERUSER;" --database="$db_name"
+ ynh_exec_warn_less ynh_exec_as $app $install_dir/venv/bin/funkwhale-manage migrate
 ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH NOSUPERUSER;" --database="$db_name"
 popd
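Review bot: The added `funkwhale-manage migrate` runs between the `ALTER USER ... SUPERUSER` grant and the `NOSUPERUSER` revoke, so if the migration fails and the script aborts on error, as YunoHost scripts normally do, the application's database role is left with superuser privileges permanently. Capture the migration's exit status, run the revoke unconditionally, and only then fail the upgrade. The longer-term least-privilege fix is to create the extension as the database superuser beforehand (`CREATE EXTENSION IF NOT EXISTS unaccent;` through `ynh_psql_execute_as_root`) so the app role never needs the temporary grant, assuming unaccent is the only extension the migrations require. The enclosing `pushd` block starts in the hunk header context.
```shell
	ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH SUPERUSER;" --database="$db_name"
	migrate_status=0
	ynh_exec_warn_less ynh_exec_as $app $install_dir/venv/bin/funkwhale-manage migrate || migrate_status=$?
	# Revoke unconditionally so a failed migration cannot leave the role as superuser
	ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH NOSUPERUSER;" --database="$db_name"
	[ "$migrate_status" -eq 0 ] || ynh_die --message="funkwhale-manage migrate failed with exit code $migrate_status"
```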