Stick to official install process

2024-09-03 18:36:24 +02:00 · 2021-04-01 21:29:22 +02:00 · 2021-04-01 21:29:22 +02:00 · f7977494f3
commit f7977494f3
parent 1c694b7288
10 changed files with 134 additions and 206 deletions
--- a/2
+++ b/2
@ -16,7 +16,7 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		upgrade=1   from_commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530
+		upgrade=1	from_commit=4d4bf0981e2d3a00eaae6b19bd54344fe55d6530
 		# 1.1~ynh1
 		upgrade=1   from_commit=8172790fb461d16f09089593fdac380f0d499c83
 		backup_restore=1
--- a/conf/funkwhale-beat.service
+++ b/conf/funkwhale-beat.service
@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) celery beat process
+Description=__APP__ celery beat process
 After=redis.service postgresql.service
 PartOf=__APP__.target
@ -8,21 +8,7 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
-ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat --loglevel INFO --logfile=/var/log/__APP__/beat.log
+ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
 #NoNewPrivileges=true
 #PrivateDevices=true
 #PrivateTmp=true
 #ProtectHome=true
 #ProtectSystem=strict
 #ProtectControlGroups=yes
 #ProtectKernelModules=yes
 #ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
 #ReadWritePaths=__DATADIR__/media __DATADIR__/music __FINALPATH__/api /var/log/__APP__
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=__APP__-beat
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/conf/funkwhale-server.service
+++ b/conf/funkwhale-server.service
@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) application server
+Description=__APP__ application server
 After=redis.service postgresql.service
 PartOf=__APP__.target
@ -10,19 +10,5 @@ WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
 ExecStart=__FINALPATH__/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}
 #NoNewPrivileges=true
 #PrivateDevices=true
 #PrivateTmp=true
 #ProtectHome=true
 #ProtectSystem=strict
 #ProtectControlGroups=yes
 #ProtectKernelModules=yes
 #ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
 #ReadWritePaths=__DATADIR__/media __DATADIR__/music /var/log/__APP__
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=__APP__-server
 [Install]
 WantedBy=multi-user.target
--- a/conf/funkwhale-worker.service
+++ b/conf/funkwhale-worker.service
@ -1,5 +1,5 @@
 [Unit]
-Description=Funkwhale (__APP__) celery worker
+Description=__APP__ celery worker
 After=redis.service postgresql.service
 PartOf=__APP__.target
@ -8,21 +8,7 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/api
 EnvironmentFile=__FINALPATH__/config/.env
-ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker --loglevel INFO --logfile=/var/log/__APP__/worker.log
+ExecStart=__FINALPATH__/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO --concurrency=0
 #NoNewPrivileges=true
 #PrivateDevices=true
 #PrivateTmp=true
 #ProtectHome=true
 #ProtectSystem=strict
 #ProtectControlGroups=yes
 #ProtectKernelModules=yes
 #ReadOnlyPaths=__FINALPATH__/config/.env __FINALPATH__/
 #ReadWritePaths=__DATADIR__/media __DATADIR__/music /var/log/__APP__
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=__APP__-worker
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -1,137 +1,145 @@
 root __FINALPATH__/front/dist;
 location / {
-    # Force usage of https
+  # Force usage of https
-    if ($scheme = http) {
+  if ($scheme = http) {
-        rewrite ^ https://$server_name$request_uri? permanent;
+    rewrite ^ https://$server_name$request_uri? permanent;
-    }
+  }
    # global proxy conf
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_redirect off;
-    # websocket support
+  # global proxy conf
-    proxy_http_version 1.1;
+  proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Connection $connection_upgrade;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host $host:$server_port;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_redirect off;
-    # this is needed if you have file import via upload enabled
+  # websocket support
-    client_max_body_size 100M;
+  proxy_http_version 1.1;
-    proxy_pass   http://127.0.0.1:__PORT__/;
+  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
-    # Include SSOWAT user panel.
+  # this is needed if you have file import via upload enabled
-    include conf.d/yunohost_panel.conf.inc;
+  client_max_body_size 100M;
  proxy_pass   http://127.0.0.1:__PORT__/;
  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
 }
 location /front/ {
-    more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+  more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
-    more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-    more_set_headers "Service-Worker-Allowed: /";
+  more_set_headers "Service-Worker-Allowed: /";
-    more_set_headers "X-Frame-Options: SAMEORIGIN";
+  more_set_headers "X-Frame-Options: SAMEORIGIN";
-    alias __FINALPATH__/front/dist/;
+  alias __FINALPATH__/front/dist/;
-    expires 30d;
+  expires 30d;
-    more_set_headers "Pragma: public";
+  more_set_headers "Pragma: public";
-    more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+  more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
 }
 location /front/embed.html {
-    more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+  more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
-    more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-    more_set_headers "X-Frame-Options: ALLOW";
+  more_set_headers "X-Frame-Options: ALLOW";
-    alias __FINALPATH__/front/dist/embed.html;
+  alias __FINALPATH__/front/dist/embed.html;
-    expires 30d;
+  expires 30d;
-    more_set_headers "Pragma: public";
+  more_set_headers "Pragma: public";
-    more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
+  more_set_headers "Cache-Control: public, must-revalidate, proxy-revalidate";
 }
 location /federation/ {
    # global proxy conf
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_redirect off;
-    # websocket support
+  # global proxy conf
-    proxy_http_version 1.1;
+  proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Connection $connection_upgrade;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass   http://127.0.0.1:__PORT__/federation/;
+  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host $host:$server_port;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_redirect off;
  # websocket support
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_pass   http://127.0.0.1:__PORT__/federation/;
 }
 # You can comment this if you do not plan to use the Subsonic API
 location /rest/ {
    # global proxy conf
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_redirect off;
-    # websocket support
+  # global proxy conf
-    proxy_http_version 1.1;
+  proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Connection $connection_upgrade;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass   http://127.0.0.1:__PORT__/api/subsonic/rest/;
+  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host $host:$server_port;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_redirect off;
  # websocket support
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_pass   http://127.0.0.1:__PORT__/api/subsonic/rest/;
 }
 location /.well-known/ {
    # global proxy conf
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_redirect off;
-    # websocket support
+  # global proxy conf
-    proxy_http_version 1.1;
+  proxy_set_header Host $host;
-    proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Connection $connection_upgrade;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass   http://127.0.0.1:__PORT__/.well-known/;
+  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host $host:$server_port;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_redirect off;
  # websocket support
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  proxy_pass   http://127.0.0.1:__PORT__/.well-known/;
 }
 location /media/ {
-    alias __DATADIR__/media/;
+  alias __DATADIR__/media/;
 }
-location /_protected/media/ {
+location /_protected/media {
-    # this is an internal location that is used to serve
+  # this is an internal location that is used to serve
-    # audio files once correct permission / authentication
+  # audio files once correct permission / authentication
-    # has been checked on API side
+  # has been checked on API side
-    internal;
+  internal;
-    alias   __DATADIR__/media/;
+  alias   __DATADIR__/media;
 }
 # Comment the previous location and uncomment this one if you're storing
 # media files in a S3 bucket
 # location ~ /_protected/media/(.+) {
-#     internal;
+#   internal;
-#     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+#   # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
-#     proxy_set_header Authorization "";
+#   proxy_set_header Authorization "";
-#     proxy_pass $1;
+#   proxy_pass $1;
 # }
-location /_protected/music/ {
+location /_protected/music {
-    # this is an internal location that is used to serve
+  # this is an internal location that is used to serve
-    # audio files once correct permission / authentication
+  # audio files once correct permission / authentication
-    # has been checked on API side
+  # has been checked on API side
-    # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
+  # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
-    internal;
+  internal;
-    alias   __DATADIR__/music/;
+  alias   __DATADIR__/music;
 }
 location /staticfiles/ {
-    # django static files
+  # django static files
-    alias __DATADIR__/static/;
+  alias __DATADIR__/static/;
 }
--- a/manifest.json
+++ b/manifest.json
@ -29,32 +29,16 @@
            {
                "name": "domain",
                "type": "domain",
                "ask": {
                    "en": "Choose a domain for Funkwhale",
                    "fr": "Choisissez un nom de domaine pour Funkwhale"
                },
                "example": "example.com"
            },
            {
                "name": "admin",
                "type": "user",
-                "ask": {
+                "example": "johndoe"
                    "en": "Choose an admin user",
                    "fr": "Choisissez l'administrateur"
                },
                "example": "sporiff"
            },
            {
                "name": "is_public",
                "type": "boolean",
                "ask": {
                    "en": "Is it a public application?",
                    "fr": "Est-ce une application publique ?"
                },
                "help": {
                    "en": "Allows unauthenticated users to access the user interface (mandatory for federation).",
                    "fr": "Permet aux utilisateurs non authentifiés d'accéder à l'interface utilisateur (obligatoire pour la fédération)."
                },
                "default": true
            }
        ]
--- a/scripts/install
+++ b/scripts/install
@ -152,6 +152,7 @@ ynh_app_setting_set --app=$app --key=key --value=$key
 ynh_app_setting_set --app=$app --key=redis_db --value=$redis_db
 ynh_add_config --template="../conf/env.prod" --destination="$final_path/config/.env"
 chmod 600 $final_path/config/.env
 #=================================================
 # BUILDING FUNKWHALE
@ -191,21 +192,16 @@ ynh_script_progression --message="Securing files and directories..."
 # Set permissions to app files
 chown -R $app: $final_path
 chmod -R 755 "$final_path/front/dist/"
 chown -R $app: $datadir
 mkdir -p "/var/log/$app"
 chown -R $app: "/var/log/$app"
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat"   --log="/var/log/$app/beat.log"
+yunohost service add "${app}-beat" --log_type systemd
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
+yunohost service add "${app}-server" --log_type systemd
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE
@ -223,7 +219,7 @@ ynh_systemd_action --service_name="${app}-worker" --action="start" --log_path="s
 ynh_script_progression --message="Configuring Fail2Ban..."
 # Create a dedicated Fail2Ban config
-ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-access.log" --failregex="<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" --max_retry=5
+ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-access.log" --failregex="<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" --max_retry=5
 #=================================================
 # SETUP SSOWAT
--- a/scripts/remove
+++ b/scripts/remove
@ -112,16 +112,6 @@ ynh_script_progression --message="Removing Fail2ban configuration..."
 # Remove the dedicated Fail2Ban config
 ynh_remove_fail2ban_config
 #=================================================
 # SPECIFIC REMOVE
 #=================================================
 # REMOVE VARIOUS FILES
 #=================================================
 ynh_script_progression --message="Removing various files..."
 # Remove the log files
 ynh_secure_remove --file="/var/log/$app"
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -92,13 +92,8 @@ ynh_script_progression --message="Restoring user rights..."
 # Restore permissions on app files
 chown -R $app: $final_path
 chmod -R 755 "$final_path/front/dist/"
 chown -R $app: $datadir
 mkdir -p "/var/log/$app"
 chown -R $app: "/var/log/$app"
 #=================================================
 # SPECIFIC RESTORATION
 #=================================================
@ -137,9 +132,9 @@ systemctl enable "$app-worker.service" --quiet
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat"   --log="/var/log/$app/beat.log"
+yunohost service add "${app}-beat" --log_type systemd
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
+yunohost service add "${app}-server" --log_type systemd
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -88,16 +88,17 @@ if [ -z "$datadir" ]; then
 	ynh_script_progression --message="Moving datas..."
 	datadir="/home/yunohost.app/${app}/data"
 	ynh_app_setting_set --app=$app --key=datadir --value=$datadir
-	mv $finalpath/code/data/static $datadir/static
+	mv $final_path/code/data/static $datadir/static
-	mv $finalpath/media $datadir/media
+	mv $final_path/media $datadir/media
-	mv $finalpath/import $datadir/music
+	mv $final_path/import $datadir/music
-	ynh_backup_if_checksum_is_different --file="$finalpath/code/config/.env"
+	ynh_backup_if_checksum_is_different --file="$final_path/code/config/.env"
-	mv $finalpath/code/config $finalpath/config
+	mv $final_path/code/config $final_path/config
-	ynh_store_file_checksum --file="$finalpath/config/.env"
+	chmod 600 $final_path/config/.env
-	ynh_delete_file_checksum --file="$finalpath/code/config/.env"
+	ynh_store_file_checksum --file="$final_path/config/.env"
 	ynh_delete_file_checksum --file="$final_path/code/config/.env"
-	ynh_secure_remove --file="$finalpath/code"
+	ynh_secure_remove --file="$final_path/code"
 	configfile="$final_path/code/config/.env"
 fi
@ -163,6 +164,7 @@ popd
 ynh_script_progression --message="Modifying a config file..."
 ynh_add_config --template="../conf/env.prod" --destination="$final_path/config/.env"
 chmod 600 $final_path/config/.env
 #=================================================
 # MIGRATE FUNKWHALE
@ -219,21 +221,16 @@ ynh_script_progression --message="Securing files and directories..."
 # Set permissions on app files
 chown -R $app: "$final_path"
 chmod -R 755 "$final_path/front/dist/"
 chown -R $app: $datadir
 mkdir -p "/var/log/$app"
 chown -R $app: "/var/log/$app"
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..."
-yunohost service add "${app}-beat"   --log="/var/log/$app/beat.log"
+yunohost service add "${app}-beat" --log_type systemd
-yunohost service add "${app}-server" --log="/var/log/$app/server.log"
+yunohost service add "${app}-server" --log_type systemd
-yunohost service add "${app}-worker" --log="/var/log/$app/worker.log"
+yunohost service add "${app}-worker" --log_type systemd
 #=================================================
 # START SYSTEMD SERVICE