diff --git a/README.md b/README.md index ae3a76c..259aafe 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Funkwhale is a community-driven project that lets you listen and share music and audio within a decentralized, open network. -**Shipped version:** 1.3.0~ynh2 +**Shipped version:** 1.3.0~ynh3 **Demo:** https://demo.funkwhale.audio diff --git a/README_fr.md b/README_fr.md index 3e21271..09e7082 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po Funkwhale est un projet communautaire qui vous permet d'écouter et de partager de la musique et de l'audio au sein d'un réseau ouvert et décentralisé. -**Version incluse :** 1.3.0~ynh2 +**Version incluse :** 1.3.0~ynh3 **Démo :** https://demo.funkwhale.audio diff --git a/conf/env.prod b/conf/env.prod index 71a56f8..2bc8e2e 100644 --- a/conf/env.prod +++ b/conf/env.prod @@ -36,7 +36,7 @@ FUNKWHALE_API_IP=127.0.0.1 FUNKWHALE_API_PORT=__PORT__ # The number of web workers to start in parallel. Higher means you can handle # more concurrent requests, but also leads to higher CPU/Memory usage -FUNKWHALE_WEB_WORKERS=6 +FUNKWHALE_WEB_WORKERS=4 # Replace this by the definitive, public domain you will use for # your instance. It cannot be changed after initial deployment # without breaking your instance. @@ -140,7 +140,7 @@ DJANGO_SECRET_KEY=__KEY__ # # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed MUSIC_DIRECTORY_PATH=__DATA_DIR__/data/music -#MUSIC_DIRECTORY_SERVE_PATH=__DATA_DIR__/data/import +MUSIC_DIRECTORY_SERVE_PATH=__DATA_DIR__/data/music # LDAP settings # Use the following options to allow authentication on your Funkwhale instance diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service index 2eddd2b..533ad7a 100644 --- a/conf/funkwhale-beat.service +++ b/conf/funkwhale-beat.service 
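Review bot: In the second conf/env.prod hunk the context comment directly above the change still reads `# MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed`, but the setting is now uncommented and set to `__DATA_DIR__/data/music`. Update that comment to match, for example `# MUSIC_DIRECTORY_SERVE_PATH is set to the same directory as MUSIC_DIRECTORY_PATH`. The start of that comment block is outside the hunk, so check the lines above it for the same stale wording.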
@@ -8,7 +8,11 @@ User=__APP__ Group=__APP__ WorkingDirectory=__INSTALL_DIR__/api EnvironmentFile=__INSTALL_DIR__/config/.env -ExecStart=__INSTALL_DIR__/venv/bin/celery -A funkwhale_api.taskapp beat -l INFO + +ExecStart=__INSTALL_DIR__/venv/bin/celery \ + --app funkwhale_api.taskapp \ + beat \ + --loglevel INFO # Sandboxing options to harden security # Depending on specificities of your service/app, you may need to tweak these @@ -45,4 +49,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service index e55b0bb..53f1052 100644 --- a/conf/funkwhale-server.service +++ b/conf/funkwhale-server.service @@ -6,9 +6,21 @@ PartOf=__APP__.target [Service] User=__APP__ Group=__APP__ +StandardOutput=append:/var/log/__APP__/__APP__.log WorkingDirectory=__INSTALL_DIR__/api EnvironmentFile=__INSTALL_DIR__/config/.env -ExecStart=__INSTALL_DIR__/venv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} + +Type=notify +KillMode=mixed +ExecStart=__INSTALL_DIR__/venv/bin/gunicorn \ + config.asgi:application \ + --workers ${FUNKWHALE_WEB_WORKERS} \ + --worker-class uvicorn.workers.UvicornWorker \ + --bind ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} + --timeout 120 + --error-logfile /var/log/__APP__/__APP__-worker.log +ExecReload=/bin/kill -s HUP $MAINPID + # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html @@ -23,4 +35,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file 
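Review bot: In the new `ExecStart=` of conf/funkwhale-server.service the `--bind` and `--timeout 120` lines have no trailing backslash, so the command ends at `--bind …`. The next two lines are then most likely rejected by systemd as lines without an assignment, and gunicorn starts without the timeout and without the error log file. Add the continuations: `--bind ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT} \` and `--timeout 120 \`. The log targets also look inconsistent: `--error-logfile` names `__APP__-worker.log` and `StandardOutput=` appends to `__APP__.log`, while the scripts in this commit create and register `${app}-server.log`. If that file is meant to hold the server's log, both options should name `__APP__-server.log`.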
diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service index 2a91c6e..c41df91 100644 --- a/conf/funkwhale-worker.service +++ b/conf/funkwhale-worker.service @@ -7,8 +7,14 @@ PartOf=__APP__.target User=__APP__ Group=__APP__ WorkingDirectory=__INSTALL_DIR__/api +Environment="CELERYD_CONCURRENCY=0" EnvironmentFile=__INSTALL_DIR__/config/.env -ExecStart=__INSTALL_DIR__/venv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0 + +ExecStart=__INSTALL_DIR__/venv/bin/celery \ + --app funkwhale_api.taskapp \ + worker \ + --loglevel INFO \ + --concurrency=${CELERYD_CONCURRENCY} # Sandboxing options to harden security # Depending on specificities of your service/app, you may need to tweak these @@ -45,4 +51,4 @@ CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] -WantedBy=multi-user.target +WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/funkwhale.target b/conf/funkwhale.target index 0a84441..f65d03e 100644 --- a/conf/funkwhale.target +++ b/conf/funkwhale.target @@ -1,3 +1,6 @@ [Unit] Description=Funkwhale (__APP__) Wants=__APP__-server.service __APP__-worker.service __APP__-beat.service + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/conf/nginx.conf b/conf/nginx.conf index 686b45d..715112d 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -108,7 +108,7 @@ location /media/attachments/ { # has been checked on API side. # Comment the "NON-S3" commented lines and uncomment "S3" commented lines # if you're storing media files in a S3 bucket. -location ~ /_protected/media/(.+)/ { +location /_protected/media/ { internal; alias __DATA_DIR__/data/media/$1; # NON-S3 # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932. diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 808552c..72fed7a 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
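Review bot: The context line `alias __DATA_DIR__/data/media/$1;` in conf/nginx.conf still refers to capture `$1`, but the location is now a plain prefix match with no capture group. The variable presumably expands to nothing, so the mapping only works through prefix replacement by accident, and the path that `internal` protects becomes harder to reason about. Change it to `alias __DATA_DIR__/data/media/;` in the same commit. The location block continues past the hunk, so check the S3 variant there for the same `$1`.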
@@ -6,6 +6,6 @@ To add a collection of music files to a library in your YunoHost installation of Funkwhale, create a symlink to your collection titled "music" in `__DATA_DIR__/data` ```console -foo@bar:~$sudo ln -s /your/music/collection __DATA_DIR__/data/music +sudo ln -s /your/music/collection __DATA_DIR__/data/music ``` The files can then be added to your library from the *uploading* tab in a music library under the heading **Import music from your server**. diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index eb21687..2af93fe 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md @@ -2,8 +2,10 @@ * Admin * L'administrateur utilise le login que vous avez fourni lors de l'installation. Le mot de passe est le même que celui que vous utilisez pour YunoHost. - * L'interface d'administration est accessible à l'adresse : __DOMAIN__/api/admin + * L'interface d'administration est accessible à l'adresse : `__DOMAIN__/api/admin` Pour ajouter une collection de fichiers musicaux à une bibliothèque dans votre installation YunoHost de Funkwhale, créez un lien symbolique vers votre collection intitulée "music" dans `__DATA_DIR__/data/`. -`foo@bar:~$sudo ln -s /your/music/collection __DATA_DIR__/data/music` +```console +sudo ln -s /votre/collection/de/musique __DATA_DIR__/data/music +``` Les fichiers peuvent ensuite être ajoutés à votre bibliothèque à partir de l'onglet *Envoi* dans une bibliothèque musicale sous la rubrique **Importer de la musique de votre serveur**. diff --git a/manifest.toml b/manifest.toml index 21059df..3dbae1c 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Funkwhale" description.en = "Convivial and modern music server" description.fr = "Serveur de musique moderne et convivial" -version = "1.3.0~ynh2" +version = "1.3.0~ynh3" maintainers = ["Thovi98"] 
@@ -19,11 +19,11 @@ code = "https://dev.funkwhale.audio/funkwhale/funkwhale" fund = "https://next.funkwhale.audio/donate/" [integration] -yunohost = ">= 11.1.19" +yunohost = ">= 11.1.21" architectures = "all" multi_instance = true -ldap = false -sso = false +ldap = true +sso = true disk = "50M" ram.build = "50M" ram.runtime = "50M" diff --git a/scripts/change_url b/scripts/change_url index 8863bd4..aa87db4 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -47,9 +47,9 @@ ynh_exec_warn_less ynh_exec_as $app $install_dir/venv/bin/funkwhale-manage fix_f #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name="$app-beat" --action="start" --log_path="/var/log/$app/$app.log" -ynh_systemd_action --service_name="$app-server" --action="start" --log_path="/var/log/$app/$app.log" -ynh_systemd_action --service_name="$app-worker" --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="$app-beat" --action="start" --log_path="/var/log/$app/${app}-beat.log" +ynh_systemd_action --service_name="$app-server" --action="start" --log_path="/var/log/$app/${app}-server.log" +ynh_systemd_action --service_name="$app-worker" --action="start" --log_path="/var/log/$app/${app}-worker.log" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index b787df7..ab061e6 100644 --- a/scripts/install +++ b/scripts/install @@ -26,10 +26,6 @@ ynh_setup_source --dest_dir="$install_dir/front" --source_id="front" mkdir -p $install_dir/config -chmod 750 "$install_dir" -chmod -R o-rwx "$install_dir" -chown -R $app:www-data "$install_dir" - #================================================= # NGINX CONFIGURATION #================================================= 
@@ -46,11 +42,11 @@ ynh_add_nginx_config ynh_script_progression --message="Creating a data directory..." --weight=1 mkdir -p $data_dir/data -mkdir -p $data_dir/{static,media,music} +mkdir -p $data_dir/data/{static,media,music} chmod 750 "$data_dir" chmod -R o-rwx "$data_dir/" -chown -R $app:www-data "$data_dir/" +chown -R $app:$app "$data_dir/" #================================================= # ADD A CONFIGURATION @@ -112,6 +108,18 @@ chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" +#================================================= +# LOGROTATE +#================================================= +ynh_script_progression --message="Configuring logrotate to manage application logfiles" --weight=1 + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate --specific_user=$app +touch /var/log/$app/${app}-server.log +touch /var/log/$app/${app}-worker.log +touch /var/log/$app/${app}-beat.log +chown -R $app:$app /var/log/$app/ + #================================================= # GENERIC FINALIZATION #================================================= @@ -119,9 +127,9 @@ chown -R $app:www-data "$install_dir" #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add "${app}-beat" -yunohost service add "${app}-server" -yunohost service add "${app}-worker" +yunohost service add "${app}-beat" --description="${app} celery beat process" --log="/var/log/$app/${app}-beat.log" +yunohost service add "${app}-server" --description="${app} application server" --log="/var/log/$app/${app}-server.log" +yunohost service add "${app}-worker" --description="${app} celery worker" --log="/var/log/$app/${app}-worker.log" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/remove b/scripts/remove index cafe155..e2c549b 100644 --- a/scripts/remove +++ b/scripts/remove 
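Review bot: `chown -R $app:$app "$data_dir/"`, together with the existing `chmod 750` and `o-rwx` lines, removes the web server's group access to the data directory, while conf/nginx.conf still serves `/_protected/media/` by `alias` from `__DATA_DIR__/data/media/`. Unless the nginx worker user is a member of the `$app` group (not visible here), media downloads would fail with permission errors; if the tighter ownership is intended, confirm that membership or keep group `www-data` on `data/media` only. The same ownership change is in the scripts/restore data-directory hunk and in the new permissions block in scripts/upgrade. The `mkdir` and `chown` lines also leave `$data_dir` and `$app` unquoted; `mkdir -p "$data_dir"/data/{static,media,music}` keeps the brace expansion.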
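Review bot: The new LOGROTATE block creates the three log files with `touch` and hands the directory to `$app` but never sets a mode, so the files presumably get the default umask and stay readable by other local users; server and worker logs can contain request details. Add `chmod -R o-rwx "/var/log/$app"` after the `chown`, and quote the paths (`touch "/var/log/$app/${app}-server.log"`). The shown hunks of the beat and worker units add no `StandardOutput=` or log-file option, so confirm something actually writes to `${app}-beat.log` and `${app}-worker.log`; otherwise the files registered with `yunohost service add --log` stay empty. The identical block is added to scripts/restore and scripts/upgrade.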
@@ -58,6 +58,17 @@ ynh_script_progression --message="Removing NGINX web server configuration..." -- # Remove the dedicated NGINX config ynh_remove_nginx_config +#================================================= +# REMOVE LOGS +#================================================= +ynh_script_progression --message="Removing logs..." --weight=5 + +ynh_remove_logrotate + +# Remove the log files +ynh_secure_remove --file="/var/log/$app" + + #================================================= # REMOVE FAIL2BAN CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index 66c9940..2d780e0 100644 --- a/scripts/restore +++ b/scripts/restore @@ -28,11 +28,11 @@ ynh_script_progression --message="Restoring the data directory..." --weight=1 ynh_restore_file --origin_path="$data_dir/" --not_mandatory mkdir -p $data_dir/data -mkdir -p $data_dir/{static,media,music} +mkdir -p $data_dir/data/{static,media,music} chmod 750 "$data_dir/" chmod -R o-rwx "$data_dir/" -chown -R $app:www-data "$data_dir/" +chown -R $app:$app "$data_dir/" #================================================= # RESTORE THE NGINX CONFIGURATION @@ -48,6 +48,18 @@ ynh_script_progression --message="Restoring the PostgreSQL database..." --weight ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name +#================================================= +# LOGROTATE +#================================================= +ynh_script_progression --message="Configuring logrotate to manage application logfiles" --weight=1 + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate --specific_user=$app +touch /var/log/$app/${app}-server.log +touch /var/log/$app/${app}-worker.log +touch /var/log/$app/${app}-beat.log +chown -R $app:$app /var/log/$app/ + #================================================= # RESTORE SYSTEMD #================================================= 
@@ -67,9 +79,13 @@ systemctl enable "${app}-worker.service" --quiet #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add "${app}-beat" -yunohost service add "${app}-server" -yunohost service add "${app}-worker" +ynh_add_systemd_config --service="${app}-server" --template="funkwhale-server.service" +ynh_add_systemd_config --service="${app}-worker" --template="funkwhale-worker.service" +ynh_add_systemd_config --service="${app}-beat" --template="funkwhale-beat.service" + +yunohost service add "${app}-beat" --description="${app} celery beat process" --log="/var/log/$app/${app}-beat.log" +yunohost service add "${app}-server" --description="${app} application server" --log="/var/log/$app/${app}-server.log" +yunohost service add "${app}-worker" --description="${app} celery worker" --log="/var/log/$app/${app}-worker.log" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index a28a83a..30a1403 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -33,16 +33,16 @@ ynh_systemd_action --action="stop" --service_name="${app}-worker" --log_path="sy if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=1 + + # Remove the old files + ynh_secure_remove --file="$install_dir/api" + ynh_secure_remove --file="$install_dir/front" # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir/api" --source_id="api" ynh_setup_source --dest_dir="$install_dir/front" --source_id="front" fi -chmod 750 "$install_dir" -chmod -R o-rwx "$install_dir" -chown -R $app:www-data "$install_dir" - #================================================= # NGINX CONFIGURATION #================================================= 
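Review bot: In scripts/restore the three `ynh_add_systemd_config` calls are added under the "Integrating service in YunoHost" step, after the script has already run `systemctl enable` on the units (see the `systemctl enable "${app}-worker.service" --quiet` context line). If the RESTORE SYSTEMD section restores the unit files from the backup (it is outside this hunk), these calls overwrite them with freshly rendered templates. Pick one source for the units and move the calls into the systemd section so the unit files exist before they are enabled. A comment such as `# Regenerate the units from the packaged templates instead of the backed-up copies` would state the intent.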
@@ -51,6 +51,15 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ynh_add_nginx_config +#================================================= +# Assure correct permissions to $data_dir +#================================================= +ynh_script_progression --message="Assure correct permissions to $data_dir..." --weight=1 + +chmod 750 "$data_dir" +chmod -R o-rwx "$data_dir/" +chown -R $app:$app "$data_dir/" + #================================================= # SPECIFIC UPGRADE #================================================= @@ -90,6 +99,7 @@ pushd $install_dir # needed for enabling the 'unaccent' extension ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH SUPERUSER;" --database="$db_name" + ynh_exec_warn_less ynh_exec_as $app $install_dir/venv/bin/funkwhale-manage migrate ynh_psql_execute_as_root --sql="ALTER USER $db_user WITH NOSUPERUSER;" --database="$db_name" popd @@ -98,6 +108,18 @@ chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" +#================================================= +# LOGROTATE +#================================================= +ynh_script_progression --message="Configuring logrotate to manage application logfiles" --weight=1 + +# Use logrotate to manage application logfile(s) +ynh_use_logrotate --specific_user=$app +touch /var/log/$app/${app}-server.log +touch /var/log/$app/${app}-worker.log +touch /var/log/$app/${app}-beat.log +chown -R $app:$app /var/log/$app/ + #================================================= # SETUP SYSTEMD #================================================= 
@@ -117,9 +139,9 @@ ynh_add_systemd_config --service="${app}-beat" --template="funkwhale-beat.serv #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add "${app}-beat" -yunohost service add "${app}-server" -yunohost service add "${app}-worker" +yunohost service add "${app}-beat" --description="${app} celery beat process" --log="/var/log/$app/${app}-beat.log" +yunohost service add "${app}-server" --description="${app} application server" --log="/var/log/$app/${app}-server.log" +yunohost service add "${app}-worker" --description="${app} celery worker" --log="/var/log/$app/${app}-worker.log" #================================================= # START SYSTEMD SERVICE