refactor(front/Docker): cleanup nginx-based container

JuniorJPDJ 2022-07-20 01:31:28 +02:00
parent 3f04429993
commit 6df36f519a
4 changed files with 31 additions and 38 deletions


@ -0,0 +1 @@
Cleaned up frontend docker container


@ -15,20 +15,15 @@ RUN yarn build:deployment
FROM nginx:1.23.1-alpine as final FROM nginx:1.23.1-alpine as final
COPY --from=builder /app/dist /usr/share/nginx/html COPY --from=builder /app/dist /usr/share/nginx/html
COPY docker/funkwhale.template /etc/nginx/conf.d/funkwhale.template COPY docker/funkwhale.conf.template /etc/nginx/templates/default.conf.template
COPY docker/funkwhale_proxy.conf /etc/nginx/funkwhale_proxy.conf COPY docker/funkwhale_proxy.conf /etc/nginx/funkwhale_proxy.conf
COPY docker/entrypoint.sh /docker-entrypoint.d/99-funkwhale.sh
# Allow running as non-root for custom setups # Allow running as non-root for custom setups
RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx && \ RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx && \
chown -R nginx:nginx /var/log/nginx /var/run/nginx /var/cache/nginx /etc/nginx && \ chown -R nginx:nginx /var/log/nginx /var/run/nginx /var/cache/nginx /etc/nginx && \
sed -e 's#/var/run/nginx.pid#/var/run/nginx/nginx.pid#' -i /etc/nginx/nginx.conf sed -e 's#/var/run/nginx.pid#/var/run/nginx/nginx.pid#' -i /etc/nginx/nginx.conf
CMD ["sh", "-c", "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" \
< /etc/nginx/conf.d/funkwhale.template \
> /etc/nginx/conf.d/default.conf \
&& cat /etc/nginx/conf.d/default.conf \
&& nginx -g 'daemon off;'"]
ENV FUNKWHALE_API_HOST=api ENV FUNKWHALE_API_HOST=api
ENV FUNKWHALE_API_PORT=5000 ENV FUNKWHALE_API_PORT=5000
ENV AWS_S3_ENDPOINT_URL= ENV AWS_S3_ENDPOINT_URL=
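Review bot: Nothing in the Dockerfile says why the template now lands in `/etc/nginx/templates/` or why the hook is numbered `99-`. Both rely on the base image's entrypoint, whose `20-envsubst-on-templates.sh` renders `*.template` files into `/etc/nginx/conf.d/` before later `/docker-entrypoint.d/` scripts run. A comment above the two COPY lines would protect that ordering, e.g. `# Rendered to conf.d/default.conf by the nginx image's 20-envsubst-on-templates.sh; 99-funkwhale.sh must sort after it.` The base entrypoint also skips hook scripts that are not executable, so the file mode of `docker/entrypoint.sh` in the repository is load-bearing; `COPY --chmod=0755` would make that explicit if the builder in use supports it.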

8
front/docker/entrypoint.sh Executable file

@ -0,0 +1,8 @@
#!/bin/sh
if [ -n "$AWS_S3_ENDPOINT_URL" ]; then
# uncomment S3 section in media location and comment NON-S3 section
sed -i '/# NON-S3/s/^/#/g;/# S3/s/^#//g' /etc/nginx/conf.d/default.conf
fi
cat /etc/nginx/conf.d/default.conf
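Review bot: A failed or no-op `sed` in the S3 branch goes unnoticed: the script has no `set -e` and ends with `cat`, so its exit status says nothing about whether the S3 lines were enabled. nginx would then start with the NON-S3 `alias` while `AWS_S3_ENDPOINT_URL` is set, so I would add `set -e` after the shebang. The `s/^#//` half also only strips a `#` in column 0; the template's indentation is not visible on this page, so if the `# S3` lines are indented it never fires, and `s/^\([[:space:]]*\)#[[:space:]]*/\1/` would tolerate that. The closing `cat` writes the fully rendered config, including every substituted environment value, to the container log on each start; a comment should say whether that is intentional.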


@ -3,7 +3,7 @@ upstream funkwhale-api {
} }
# required for websocket support # Required for websocket support.
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
@ -13,17 +13,10 @@ server {
listen 80; listen 80;
server_name ${FUNKWHALE_HOSTNAME}; server_name ${FUNKWHALE_HOSTNAME};
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
root /usr/share/nginx/html; root /usr/share/nginx/html;
# If you are using S3 to host your files, remember to add your S3 URL to the # If you are using S3 to host your files, remember to add your S3 URL to the
# media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:) # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:).
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
@ -31,7 +24,7 @@ server {
location / { location / {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled # This is needed if you have file import via upload enabled.
client_max_body_size ${NGINX_MAX_BODY_SIZE}; client_max_body_size ${NGINX_MAX_BODY_SIZE};
proxy_pass http://funkwhale-api/; proxy_pass http://funkwhale-api/;
} }
@ -47,7 +40,7 @@ server {
} }
location = /front/embed.html { location = /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "" always; add_header X-Frame-Options "" always;
@ -62,7 +55,7 @@ server {
proxy_pass http://funkwhale-api/federation/; proxy_pass http://funkwhale-api/federation/;
} }
# You can comment this if you do not plan to use the Subsonic API # You can comment this if you do not plan to use the Subsonic API.
location /rest/ { location /rest/ {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
proxy_pass http://funkwhale-api/api/subsonic/rest/; proxy_pass http://funkwhale-api/api/subsonic/rest/;
@ -77,34 +70,30 @@ server {
alias ${MEDIA_ROOT}/; alias ${MEDIA_ROOT}/;
} }
# this is an internal location that is used to serve # This is an internal location that is used to serve
# audio files once correct permission / authentication # media (uploaded) files once correct permission / authentication
# has been checked on API side # has been checked on API side.
location /_protected/media/ { # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
# if you're storing media files in a S3 bucket.
location /_protected/media/(.+) {
internal; internal;
alias ${MEDIA_ROOT}/; alias ${MEDIA_ROOT}/; # NON-S3
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
# proxy_set_header Authorization ""; # S3
# proxy_pass $1; # S3
} }
# Comment the previous location and uncomment this one if you're storing
# media files in a S3 bucket
# location ~ /_protected/media/(.+) {
# internal;
# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
# proxy_set_header Authorization "";
# proxy_pass $1;
# }
location /_protected/music/ { location /_protected/music/ {
# this is an internal location that is used to serve # This is an internal location that is used to serve
# audio files once correct permission / authentication # local music files once correct permission / authentication
# has been checked on API side # has been checked on API side.
# Set this to the same value as your MUSIC_DIRECTORY_PATH setting # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
internal; internal;
alias ${MUSIC_DIRECTORY_PATH}/; alias ${MUSIC_DIRECTORY_PATH}/;
} }
location /staticfiles/ { location /staticfiles/ {
# django static files # Django static files
alias ${STATIC_ROOT}/; alias ${STATIC_ROOT}/;
} }
} }
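Review bot: The merged `location /_protected/media/(.+) {` has no `~` modifier, so nginx treats `(.+)` as literal prefix text and the block will not match the API's internal redirects to `/_protected/media/<file>`; those would fall through to `location /`, which is not `internal`. The removed S3 variant used `location ~ /_protected/media/(.+)`, and `proxy_pass $1` only has a capture to read in that form. Making it a regex location also changes the NON-S3 line, because `alias` inside a regex location has to reference the capture. I would write `location ~ ^/_protected/media/(.+)$ {` and `alias ${MEDIA_ROOT}/$1; # NON-S3`, and test both modes, since this block is what keeps media behind the API's permission check.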