commit 0c232f46e0b5db9094428d8e251b4b6565249885
Author: Vivianne Langdon <puttabutta@gmail.com>
Date:   Sun Nov 13 18:14:14 2022 -0500

    Working funkwhale config!

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4c49bd7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1758333
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,106 @@
+version: "3"
+
+services:
+  postgres:
+    restart: unless-stopped
+    networks:
+      - default
+    env_file: .env
+    environment:
+      - "POSTGRES_HOST_AUTH_METHOD=trust"
+    image: postgres:11
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+
+  redis:
+    restart: unless-stopped
+    networks:
+      - default
+    env_file: .env
+    image: redis:5
+    volumes:
+      - ./data/redis:/data
+
+  celeryworker:
+    restart: unless-stopped
+    image: funkwhale/funkwhale:${FUNKWHALE_VERSION:-latest}
+    networks:
+      - default
+    depends_on:
+      - postgres
+      - redis
+    env_file: .env
+    # Celery workers handle background tasks (such file imports or federation
+    # messaging). The more processes a worker gets, the more tasks
+    # can be processed in parallel. However, more processes also means
+    # a bigger memory footprint.
+    # By default, a worker will span a number of process equal to your number
+    # of CPUs. You can adjust this, by explicitly setting the --concurrency
+    # flag:
+    #   celery -A funkwhale_api.taskapp worker -l INFO --concurrency=4
+    command: celery -A funkwhale_api.taskapp worker -l INFO --concurrency=${CELERYD_CONCURRENCY-0}
+    environment:
+      - C_FORCE_ROOT=true
+    volumes:
+      - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+      - "${MEDIA_ROOT}:${MEDIA_ROOT}"
+
+  celerybeat:
+    restart: unless-stopped
+    image: funkwhale/funkwhale:${FUNKWHALE_VERSION:-latest}
+    networks:
+      - default
+    depends_on:
+      - postgres
+      - redis
+    env_file: .env
+    command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
+
+  api:
+    restart: unless-stopped
+    image: funkwhale/funkwhale:${FUNKWHALE_VERSION:-latest}
+    networks:
+      - default
+    depends_on:
+      - postgres
+      - redis
+    env_file: .env
+    volumes:
+      - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+      - "${MEDIA_ROOT}:${MEDIA_ROOT}"
+      - "${STATIC_ROOT}:${STATIC_ROOT}"
+      - "${FUNKWHALE_FRONTEND_PATH}:/frontend"
+    ports:
+      - "5000"
+
+  nginx:
+    restart: unless-stopped
+    image: nginx
+    networks:
+      - default
+    depends_on:
+      - api
+    env_file:
+      - .env
+    environment:
+      # Override those variables in your .env file if needed
+      - "NGINX_MAX_BODY_SIZE=${NGINX_MAX_BODY_SIZE-100M}"
+    volumes:
+      - "./nginx/funkwhale.template:/etc/nginx/conf.d/funkwhale.template:ro"
+      - "./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro"
+      - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+      - "${MEDIA_ROOT}:${MEDIA_ROOT}:ro"
+      - "${STATIC_ROOT}:${STATIC_ROOT}:ro"
+      - "${FUNKWHALE_FRONTEND_PATH}:/frontend:ro"
+    ports:
+      # override those variables in your .env file if needed
+      - "${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}:80"
+    command: >
+        sh -c "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\"
+        < /etc/nginx/conf.d/funkwhale.template
+        > /etc/nginx/conf.d/default.conf
+        && cat /etc/nginx/conf.d/default.conf
+        && nginx -g 'daemon off;'"
+
+networks:
+  default:
diff --git a/nginx/funkwhale.template b/nginx/funkwhale.template
new file mode 100644
index 0000000..218dc31
--- /dev/null
+++ b/nginx/funkwhale.template
@@ -0,0 +1,111 @@
+upstream funkwhale-api {
+    # depending on your setup, you may want to update this
+    server api:5000;
+}
+
+
+# required for websocket support
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen 80;
+    server_name ${FUNKWHALE_HOSTNAME};
+
+    # TLS
+    # Feel free to use your own configuration for SSL here or simply remove the
+    # lines and move the configuration to the previous server block if you
+    # don't want to run funkwhale behind https (this is not recommended)
+    # have a look here for let's encrypt configuration:
+    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
+
+    root /frontend;
+
+    # If you are using S3 to host your files, remember to add your S3 URL to the
+    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    location / {
+        include /etc/nginx/funkwhale_proxy.conf;
+        # this is needed if you have file import via upload enabled
+        client_max_body_size ${NGINX_MAX_BODY_SIZE};
+        proxy_pass   http://funkwhale-api/;
+    }
+
+    location /front/ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Service-Worker-Allowed "/";
+        alias /frontend/;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
+
+    location /front/embed.html {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "" always;
+        alias /frontend/embed.html;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
+
+    location /federation/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/federation/;
+    }
+
+    # You can comment this if you do not plan to use the Subsonic API
+    location /rest/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
+    }
+
+    location /.well-known/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/.well-known/;
+    }
+
+    location /media/ {
+        alias ${MEDIA_ROOT}/;
+    }
+
+    # this is an internal location that is used to serve
+    # audio files once correct permission / authentication
+    # has been checked on API side
+    location /_protected/media {
+        internal;
+        alias   ${MEDIA_ROOT};
+
+    }
+    # Comment the previous location and uncomment this one if you're storing
+    # media files in a S3 bucket
+    # location ~ /_protected/media/(.+) {
+    #     internal;
+    #     # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    #     proxy_set_header Authorization "";
+    #     proxy_pass $1;
+    # }
+
+    location /_protected/music {
+        # this is an internal location that is used to serve
+        # audio files once correct permission / authentication
+        # has been checked on API side
+        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
+        internal;
+        alias   ${MUSIC_DIRECTORY_PATH};
+    }
+
+    location /staticfiles/ {
+        # django static files
+        alias ${STATIC_ROOT}/;
+    }
+}
diff --git a/nginx/funkwhale_proxy.conf b/nginx/funkwhale_proxy.conf
new file mode 100644
index 0000000..dccc782
--- /dev/null
+++ b/nginx/funkwhale_proxy.conf
@@ -0,0 +1,19 @@
+# use this one if you put the nginx container behind another proxy
+# you will have to set some headers on this proxy as well to ensure
+# everything works correctly, you can use the ones from the funkwhale_proxy.conf file
+# at https://dev.funkwhale.audio/funkwhale/funkwhale/blob/develop/deploy/funkwhale_proxy.conf
+# your proxy will also need to support websockets
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
+proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+proxy_redirect off;
+
+# websocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;