From f7977494f3e69a0490723dacb8cff65dc4db27a8 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Thu, 1 Apr 2021 21:29:22 +0200
Subject: [PATCH] Stick to official install process

---
 check_process | 2 +-
 conf/funkwhale-beat.service | 20 +---
 conf/funkwhale-server.service | 16 +-
 conf/funkwhale-worker.service | 20 +---
 conf/nginx.conf | 200 ++++++++++++++++++----------------
 manifest.json | 18 +-
 scripts/install | 14 +-
 scripts/remove | 10 -
 scripts/restore | 11 +-
 scripts/upgrade | 29 +++--
 10 files changed, 134 insertions(+), 206 deletions(-)

diff --git a/check_process b/check_process
index 464801b..c0629ce 100644
--- a/check_process
+++ b/check_process
@@ -16,7 +16,7 @@
 setup_private=1
 setup_public=1
 upgrade=1
- upgrade=1 from_commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530
+ upgrade=1 from_commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530 # 1.1~ynh1
 upgrade=1 from_commit=8172790fb461d16f09089593fdac380f0d499c83
 backup_restore=1
diff --git a/conf/funkwhale-beat.service b/conf/funkwhale-beat.service
index 77234aa..2efd191 100644
--- a/conf/funkwhale-beat.service
+++ b/conf/funkwhale-beat.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) celery beat process
+Description=__APP__ celery beat process
 After=redis.service postgresql.service
 PartOf=__APP__.target
@@ -8,21 +8,7 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
-ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat --loglevel INFO --logfile=/var/log/__APP__/beat.log
-
-#NoNewPrivileges=true
-#PrivateDevices=true
-#PrivateTmp=true
-#ProtectHome=true
-#ProtectSystem=strict
-#ProtectControlGroups=yes
-#ProtectKernelModules=yes
-#ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
-#ReadWritePaths=__DATADIR__/media __DATADIR__/music __FINALPATH__/api /var/log/__APP__
-
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=__APP__-beat
+ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/conf/funkwhale-server.service b/conf/funkwhale-server.service
index 4e9a110..59d5dd2 100644
--- a/conf/funkwhale-server.service
+++ b/conf/funkwhale-server.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) application server
+Description=__APP__ application server
 After=redis.service postgresql.service
 PartOf=__APP__.target
@@ -10,19 +10,5 @@ WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
 ExecStart=__FINALPATH__/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}
-#NoNewPrivileges=true
-#PrivateDevices=true
-#PrivateTmp=true
-#ProtectHome=true
-#ProtectSystem=strict
-#ProtectControlGroups=yes
-#ProtectKernelModules=yes
-#ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
-#ReadWritePaths=__DATADIR__/media __DATADIR__/music /var/log/__APP__
-
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=__APP__-server
-
 [Install]
 WantedBy=multi-user.target
diff --git a/conf/funkwhale-worker.service b/conf/funkwhale-worker.service
index 5e5fe08..ca8bd26 100644
--- a/conf/funkwhale-worker.service
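Review bot: The sandboxing directives that were carried in the unit, even though commented out, are deleted outright instead of being enabled, so after this change the beat unit runs with no systemd hardening at all; the server hunk on this same line and the worker hunk on the next line do the same. The two directives that are safe without further path analysis could simply be turned on next to the new `ExecStart` line, `NoNewPrivileges=true` and `PrivateTmp=true`; `ProtectSystem=strict` would need the former `ReadWritePaths` list re-validated against what celery writes, and `ProtectHome=true` must not be enabled as-is because the upgrade script on this page puts the data directory under `/home/yunohost.app/`. Dropping `--logfile` together with the `StandardOutput=syslog` lines is consistent with the `--log_type systemd` switch in the scripts, so the journal becomes the only log destination; I infer rather than see that YunoHost's service page reads the journal for these units, which is worth confirming on a test instance.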
+++ b/conf/funkwhale-worker.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) celery worker
+Description=__APP__ celery worker
 After=redis.service postgresql.service
 PartOf=__APP__.target
@@ -8,21 +8,7 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
-ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker --loglevel INFO --logfile=/var/log/__APP__/worker.log
-
-#NoNewPrivileges=true
-#PrivateDevices=true
-#PrivateTmp=true
-#ProtectHome=true
-#ProtectSystem=strict
-#ProtectControlGroups=yes
-#ProtectKernelModules=yes
-#ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
-#ReadWritePaths=__DATADIR__/media __DATADIR__/music /var/log/__APP__
-
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=__APP__-worker
+ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/conf/nginx.conf b/conf/nginx.conf
index e7fc380..3ffa7c1 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,137 +1,145 @@ +root __FINALPATH__/front/dist; + location / { - # Force usage of https - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; + # Force usage of https + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + # global proxy conf + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_redirect off; - # this is needed if you have file import via upload enabled - client_max_body_size 100M; - proxy_pass http://127.0.0.1:__PORT__/; + # websocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; + # this is needed if you have file import via upload enabled + client_max_body_size 100M; + proxy_pass http://127.0.0.1:__PORT__/; + + # Include SSOWAT user panel. 
+ include conf.d/yunohost_panel.conf.inc; } location /front/ { - more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; - more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; - more_set_headers "Service-Worker-Allowed: /"; - more_set_headers "X-Frame-Options: SAMEORIGIN"; - alias __FINALPATH__/front/dist/; - expires 30d; - more_set_headers "Pragma: public"; - more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate"; + more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; + more_set_headers "Service-Worker-Allowed: /"; + more_set_headers "X-Frame-Options: SAMEORIGIN"; + alias __FINALPATH__/front/dist/; + expires 30d; + more_set_headers "Pragma: public"; + more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate"; } location /front/embed.html { - more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; - more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; + more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + more_set_headers "Referrer-Policy: strict-origin-when-cross-origin"; - more_set_headers "X-Frame-Options: ALLOW"; - alias __FINALPATH__/front/dist/embed.html; - expires 30d; - more_set_headers "Pragma: public"; - more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate"; + more_set_headers "X-Frame-Options: ALLOW"; 
+ alias __FINALPATH__/front/dist/embed.html; + expires 30d; + more_set_headers "Pragma: public"; + more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate"; } location /federation/ { - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_pass http://127.0.0.1:__PORT__/federation/; + # global proxy conf + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_redirect off; + + # websocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_pass http://127.0.0.1:__PORT__/federation/; } # You can comment this if you do not plan to use the Subsonic API location /rest/ { - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; + # global proxy conf + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_redirect off; + + # websocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_pass http://127.0.0.1:__PORT__/api/subsonic/rest/; } location /.well-known/ { - # global proxy conf - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host:$server_port; - proxy_set_header X-Forwarded-Port $server_port; - proxy_redirect off; - # websocket support - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_pass http://127.0.0.1:__PORT__/.well-known/; + # global proxy conf + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host:$server_port; + proxy_set_header X-Forwarded-Port $server_port; + proxy_redirect off; + + # websocket support + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_pass http://127.0.0.1:__PORT__/.well-known/; } location /media/ { - alias __DATADIR__/media/; + alias __DATADIR__/media/; } -location /_protected/media/ { - # this is an internal location that is used to serve - # audio files once correct permission / authentication - # has been checked on API side - internal; - alias __DATADIR__/media/; +location /_protected/media { + # this is an internal location that is used to serve + # audio files once correct permission / authentication + # has been checked on API side + internal; + alias 
__DATADIR__/media; } # Comment the previous location and uncomment this one if you're storing # media files in a S3 bucket # location ~ /_protected/media/(.+) { -# internal; -# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 -# proxy_set_header Authorization ""; -# proxy_pass $1; +# internal; +# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932 +# proxy_set_header Authorization ""; +# proxy_pass $1; # } -location /_protected/music/ { - # this is an internal location that is used to serve - # audio files once correct permission / authentication - # has been checked on API side - # Set this to the same value as your MUSIC_DIRECTORY_PATH setting - internal; - alias __DATADIR__/music/; +location /_protected/music { + # this is an internal location that is used to serve + # audio files once correct permission / authentication + # has been checked on API side + # Set this to the same value as your MUSIC_DIRECTORY_PATH setting + internal; + alias __DATADIR__/music; } location /staticfiles/ { - # django static files - alias __DATADIR__/static/; + # django static files + alias __DATADIR__/static/; } diff --git a/manifest.json b/manifest.json index 040598a..e81660e 100644 --- a/manifest.json +++ b/manifest.json 
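Review bot: `location /_protected/media` and `location /_protected/music` lose the trailing slash on both the prefix and the `alias` target, so these prefix locations now also match request paths such as `/_protected/media-other` and map them to `__DATADIR__/media-other`; the old `location /_protected/media/ { alias __DATADIR__/media/; }` form kept prefix and alias on a directory boundary. Both locations are `internal;` and, per the comment, are only reached after the API has checked permissions, so the client does not control that path directly and the practical exposure is small, but restoring the slashes removes the prefix/alias mismatch pitfall at no cost. The new top-level `root __FINALPATH__/front/dist;` only affects a location with neither `alias` nor `proxy_pass`, of which the visible lines show none; a one-line comment stating why it is needed would save the next reader from wondering.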
@@ -29,32 +29,16 @@
 {
 "name": "domain",
 "type": "domain",
- "ask": {
- "en": "Choose a domain for Funkwhale",
- "fr": "Choisissez un nom de domaine pour Funkwhale"
- },
 "example": "example.com"
 },
 {
 "name": "admin",
 "type": "user",
- "ask": {
- "en": "Choose an admin user",
- "fr": "Choisissez l'administrateur"
- },
- "example": "sporiff"
+ "example": "johndoe"
 },
 {
 "name": "is_public",
 "type": "boolean",
- "ask": {
- "en": "Is it a public application?",
- "fr": "Est-ce une application publique ?"
- },
- "help": {
- "en": "Allows unauthenticated users to access the user interface (mandatory for federation).",
- "fr": "Permet aux utilisateurs non authentifiés d'accéder à l'interface utilisateur (obligatoire pour la fédération)."
- },
 "default": true
 }
 ]
diff --git a/scripts/install b/scripts/install
index af68acc..0d1cfc5 100644
--- a/scripts/install
+++ b/scripts/install
@@ -152,6 +152,7 @@ ynh_app_setting_set --app=$app --key=key --value=$key
 ynh_app_setting_set --app=$app --key=redis_db --value=$redis_db
 ynh_add_config --template="../conf/env.prod" --destination="$final_path/config/.env"
+chmod 600 $final_path/config/.env
 #=================================================
 # BUILDING FUNKWHALE
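Review bot: Removing the `help` block of the `is_public` argument drops the only place the installer was told that a public instance is mandatory for federation, and the generic question YunoHost substitutes for a standard `is_public` argument will not carry that hint. Keeping `"help": { "en": "Allows unauthenticated users to access the user interface (mandatory for federation).", "fr": "…" }` while still dropping the `ask` entries would preserve it. That the core provides default `ask` strings for `domain`, `admin` and `is_public` is inferred from the change rather than visible here, so it is worth a quick check against the manifest format the package targets.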
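Review bot: The added `chmod 600 $final_path/config/.env` is written unquoted right under `--destination="$final_path/config/.env"`, so the two lines for the same path use different quoting; `chmod 600 "$final_path/config/.env"` keeps them consistent, and the same unquoted form appears in both upgrade hunks later on this page. The file is still root-owned at this point and only becomes readable by the service through the `chown -R $app: $final_path` that runs later in the script, outside this hunk, so the 600 mode is correct only as long as that ordering is kept; a comment such as `# .env is rendered from env.prod with the key and redis_db values saved above; keep it unreadable to other local users` would record why the mode is tightened here.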
@@ -191,21 +192,16 @@ ynh_script_progression --message="Securing files and directories..."
 # Set permissions to app files
 chown -R $app: $final_path
-chmod -R 755 "$final_path/front/dist/"
-
 chown -R $app: $datadir
-mkdir -p "/var/log/$app"
-chown -R $app: "/var/log/$app"
-
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat" --log="/var/log/$app/beat.log"
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-beat" --log_type systemd
+yunohost service add "${app}-server" --log_type systemd
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE
@@ -223,7 +219,7 @@ ynh_systemd_action --service_name="${app}-worker" --action="start" --log_path="s
 ynh_script_progression --message="Configuring Fail2Ban..."
 # Create a dedicated Fail2Ban config
-ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-access.log" --failregex=".* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" --max_retry=5
+ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-access.log" --failregex=".* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" --max_retry=5
 #=================================================
 # SETUP SSOWAT
diff --git a/scripts/remove b/scripts/remove
index d059f68..35e1da4 100644
--- a/scripts/remove
+++ b/scripts/remove
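Review bot: `chmod -R 755 "$final_path/front/dist/"` is removed while `chown -R $app: $final_path` stays, so the front-end that nginx serves through `alias __FINALPATH__/front/dist/` (and the new `root` in nginx.conf) is readable by the nginx worker only if the extracted archive already carries world-readable modes; an archive with `0750` directories would turn into 403s on the first page load. If the aim is to stop granting a blanket 755, the readable-by-nginx property should still be set explicitly, e.g. `chmod -R o+rX "$final_path/front/dist"`, or a group-based scheme such as `chown -R $app:www-data "$final_path/front/dist"` with `chmod -R o-rwx` (www-data being nginx's user on Debian), rather than left to whatever modes the upstream tarball ships. The same removal is in the restore hunk on the next line and the upgrade hunk at the end of the page.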
@@ -112,16 +112,6 @@ ynh_script_progression --message="Removing Fail2ban configuration..."
 # Remove the dedicated Fail2Ban config
 ynh_remove_fail2ban_config
-#=================================================
-# SPECIFIC REMOVE
-#=================================================
-# REMOVE VARIOUS FILES
-#=================================================
-ynh_script_progression --message="Removing various files..."
-
-# Remove the log files
-ynh_secure_remove --file="/var/log/$app"
-
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index f7ca191..4bda944 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -92,13 +92,8 @@ ynh_script_progression --message="Restoring user rights..."
 # Restore permissions on app files
 chown -R $app: $final_path
-chmod -R 755 "$final_path/front/dist/"
-
 chown -R $app: $datadir
-mkdir -p "/var/log/$app"
-chown -R $app: "/var/log/$app"
-
 #=================================================
 # SPECIFIC RESTORATION
 #=================================================
@@ -137,9 +132,9 @@ systemctl enable "$app-worker.service" --quiet
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat" --log="/var/log/$app/beat.log"
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-beat" --log_type systemd
+yunohost service add "${app}-server" --log_type systemd
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE
diff --git a/scripts/upgrade b/scripts/upgrade
index 16f7ef1..7359fbb 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -88,16 +88,17 @@ if [ -z "$datadir" ]; then
 ynh_script_progression --message="Moving datas..."
 datadir="/home/yunohost.app/${app}/data"
 ynh_app_setting_set --app=$app --key=datadir --value=$datadir
- mv $finalpath/code/data/static $datadir/static
- mv $finalpath/media $datadir/media
- mv $finalpath/import $datadir/music
+ mv $final_path/code/data/static $datadir/static
+ mv $final_path/media $datadir/media
+ mv $final_path/import $datadir/music
- ynh_backup_if_checksum_is_different --file="$finalpath/code/config/.env"
- mv $finalpath/code/config $finalpath/config
- ynh_store_file_checksum --file="$finalpath/config/.env"
- ynh_delete_file_checksum --file="$finalpath/code/config/.env"
+ ynh_backup_if_checksum_is_different --file="$final_path/code/config/.env"
+ mv $final_path/code/config $final_path/config
+ chmod 600 $final_path/config/.env
+ ynh_store_file_checksum --file="$final_path/config/.env"
+ ynh_delete_file_checksum --file="$final_path/code/config/.env"
- ynh_secure_remove --file="$finalpath/code"
+ ynh_secure_remove --file="$final_path/code"
 configfile="$final_path/code/config/.env"
 fi
@@ -163,6 +164,7 @@ popd
 ynh_script_progression --message="Modifying a config file..."
 ynh_add_config --template="../conf/env.prod" --destination="$final_path/config/.env"
+chmod 600 $final_path/config/.env
 #=================================================
 # MIGRATE FUNKWHALE
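Review bot: Correcting `$finalpath` to `$final_path` makes `ynh_secure_remove --file="$final_path/code"` actually delete the old tree, yet the unchanged context line just below still sets `configfile="$final_path/code/config/.env"`, a path that no longer exists once `mv $final_path/code/config $final_path/config` has run a few lines earlier; it should presumably read `configfile="$final_path/config/.env"`, depending on how `$configfile` is consumed later in the script, which is not visible here. The added `chmod 600` sits before `ynh_store_file_checksum`, which is fine since the checksum covers content rather than mode, and the `mv` lines remain unquoted as before. The enclosing `if [ -z "$datadir" ]` block starts above this hunk.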
@@ -219,21 +221,16 @@ ynh_script_progression --message="Securing files and directories..."
 # Set permissions on app files
 chown -R $app: "$final_path"
-chmod -R 755 "$final_path/front/dist/"
-
 chown -R $app: $datadir
-mkdir -p "/var/log/$app"
-chown -R $app: "/var/log/$app"
-
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat" --log="/var/log/$app/beat.log"
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-beat" --log_type systemd
+yunohost service add "${app}-server" --log_type systemd
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE