More config settings and add a template without secrets
This commit is contained in:
parent
0c232f46e0
commit
c396ec0fd2
4 changed files with 223 additions and 11 deletions
203
.env.template
Normal file
203
.env.template
Normal file
|
@ -0,0 +1,203 @@
|
|||
# If you have any doubts about what a setting does,
|
||||
# check https://docs.funkwhale.audio/configuration.html#configuration-reference
|
||||
|
||||
# If you're tweaking this file from the template, ensure you edit at least the
|
||||
# following variables:
|
||||
# - DJANGO_SECRET_KEY
|
||||
# - FUNKWHALE_HOSTNAME
|
||||
# - EMAIL_CONFIG and DEFAULT_FROM_EMAIL if you plan to send e-mails)
|
||||
# On non-docker setup **only**, you'll also have to tweak/uncomment those variables:
|
||||
# - DATABASE_URL
|
||||
# - CACHE_URL
|
||||
#
|
||||
# You **don't** need to update those variables on pure docker setups.
|
||||
#
|
||||
# Additional options you may want to check:
|
||||
# - MUSIC_DIRECTORY_PATH and MUSIC_DIRECTORY_SERVE_PATH if you plan to use
|
||||
# in-place import
|
||||
#
|
||||
# Docker only
|
||||
# -----------
|
||||
|
||||
# The tag of the image we should use
|
||||
# (it will be interpolated in docker-compose file)
|
||||
# You can comment or ignore this if you're not using docker
|
||||
FUNKWHALE_VERSION=1.2.8
|
||||
|
||||
# End of Docker-only configuration
|
||||
|
||||
# General configuration
|
||||
# ---------------------
|
||||
|
||||
# Set this variables to bind the API server to another interface/port
|
||||
# example: FUNKWHALE_API_IP=0.0.0.0
|
||||
# example: FUNKWHALE_API_PORT=5678
|
||||
FUNKWHALE_API_IP=127.0.0.1
|
||||
FUNKWHALE_API_PORT=5000
|
||||
# The number of web workers to start in parallel. Higher means you can handle
|
||||
# more concurrent requests, but also leads to higher CPU/Memory usage
|
||||
FUNKWHALE_WEB_WORKERS=4
|
||||
# Replace this by the definitive, public domain you will use for
|
||||
# your instance. It cannot be changed after initial deployment
|
||||
# without breaking your instance.
|
||||
FUNKWHALE_HOSTNAME=audio.solarpunk.moe
|
||||
FUNKWHALE_PROTOCOL=https
|
||||
|
||||
# Log level (debug, info, warning, error, critical)
|
||||
LOGLEVEL=error
|
||||
|
||||
# Configure e-mail sending using this variale
|
||||
# By default, funkwhale will output e-mails sent to stdout
|
||||
# here are a few examples for this setting
|
||||
# EMAIL_CONFIG=consolemail:// # output e-mails to console (the default)
|
||||
# EMAIL_CONFIG=dummymail:// # disable e-mail sending completely
|
||||
# On a production instance, you'll usually want to use an external SMTP server:
|
||||
# If `user` or `password` contain special characters (eg.
|
||||
# `noreply@youremail.host` as `user`), be sure to urlencode them, using
|
||||
# for example the command:
|
||||
# `python3 -c 'import urllib.parse; print(urllib.parse.quote_plus
|
||||
# ("noreply@youremail.host"))'`
|
||||
# (returns `noreply%40youremail.host`)
|
||||
EMAIL_CONFIG=smtp://mail:25
|
||||
# EMAIL_CONFIG=smtp+ssl://user:password@youremail.host:465
|
||||
# EMAIL_CONFIG=smtp+tls://user:password@youremail.host:587
|
||||
|
||||
# Make e-mail verification mandatory before using the service
|
||||
# Doesn't apply to admins.
|
||||
ACCOUNT_EMAIL_VERIFICATION_ENFORCE=true
|
||||
|
||||
# The e-mail address to use to send system e-mails.
|
||||
DEFAULT_FROM_EMAIL=noreply@audio.solarpunk.moe
|
||||
|
||||
# Depending on the reverse proxy used in front of your funkwhale instance,
|
||||
# the API will use different kind of headers to serve audio files
|
||||
# Allowed values: nginx, apache2
|
||||
REVERSE_PROXY_TYPE=nginx
|
||||
|
||||
# API/Django configuration
|
||||
|
||||
# Database configuration
|
||||
# Examples:
|
||||
# DATABASE_URL=postgresql://<user>:<password>@<host>:<port>/<database>
|
||||
# DATABASE_URL=postgresql://funkwhale:passw0rd@localhost:5432/funkwhale_database
|
||||
# Use the next one if you followed Debian installation guide
|
||||
# DATABASE_URL=postgresql://funkwhale@:5432/funkwhale
|
||||
|
||||
# Cache configuration
|
||||
# Examples:
|
||||
# CACHE_URL=redis://<host>:<port>/<database>
|
||||
# CACHE_URL=redis://localhost:6379/0c
|
||||
# With a password:
|
||||
# CACHE_URL=redis://:password@localhost:6379/0
|
||||
# (the extra semicolon is important)
|
||||
# Use the next one if you followed Debian installation guide
|
||||
#
|
||||
# CACHE_URL=redis://127.0.0.1:6379/0
|
||||
#
|
||||
# If you want to use Redis over unix sockets, you'll actually need two variables:
|
||||
# For the cache part:
|
||||
# CACHE_URL=redis:///run/redis/redis.sock?db=0
|
||||
# For the Celery/asynchronous tasks part:
|
||||
# CELERY_BROKER_URL=redis+socket:///run/redis/redis.sock?virtual_host=0
|
||||
|
||||
# Number of worker processes to execute. Defaults to 0, in which case it uses your number of CPUs
|
||||
# Celery workers handle background tasks (such file imports or federation
|
||||
# messaging). The more processes a worker gets, the more tasks
|
||||
# can be processed in parallel. However, more processes also means
|
||||
# a bigger memory footprint.
|
||||
# CELERYD_CONCURRENCY=0
|
||||
|
||||
# Where media files (such as album covers or audio tracks) should be stored
|
||||
# on your system?
|
||||
# (Ensure this directory actually exists)
|
||||
MEDIA_ROOT=/srv/funkwhale/data/media
|
||||
|
||||
# Where static files (such as API css or icons) should be compiled
|
||||
# on your system?
|
||||
# (Ensure this directory actually exists)
|
||||
STATIC_ROOT=/srv/funkwhale/data/static
|
||||
|
||||
# which settings module should django use?
|
||||
# You don't have to touch this unless you really know what you're doing
|
||||
DJANGO_SETTINGS_MODULE=config.settings.production
|
||||
|
||||
# Generate one using `openssl rand -base64 45`, for example
|
||||
DJANGO_SECRET_KEY=
|
||||
|
||||
# You don't have to edit this, but you can put the admin on another URL if you
|
||||
# want to
|
||||
# DJANGO_ADMIN_URL=^api/admin/
|
||||
|
||||
# In-place import settings
|
||||
# You can safely leave those settings uncommented if you don't plan to use
|
||||
# in place imports.
|
||||
# Typical docker setup:
|
||||
# MUSIC_DIRECTORY_PATH=/music # docker-only
|
||||
# MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music
|
||||
# Typical non-docker setup:
|
||||
# MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music
|
||||
# # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed
|
||||
|
||||
MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music
|
||||
MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music
|
||||
|
||||
# LDAP settings
|
||||
# Use the following options to allow authentication on your Funkwhale instance
|
||||
# using a LDAP directory.
|
||||
# Have a look at https://docs.funkwhale.audio/installation/ldap.html for
|
||||
# detailed instructions.
|
||||
|
||||
# LDAP_ENABLED=False
|
||||
# LDAP_SERVER_URI=ldap://your.server:389
|
||||
# LDAP_BIND_DN=cn=admin,dc=domain,dc=com
|
||||
# LDAP_BIND_PASSWORD=bindpassword
|
||||
# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0}))
|
||||
# LDAP_START_TLS=False
|
||||
# LDAP_ROOT_DN=dc=domain,dc=com
|
||||
|
||||
FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist
|
||||
|
||||
# Nginx related configuration
|
||||
NGINX_MAX_BODY_SIZE=100M
|
||||
|
||||
## External storages configuration
|
||||
# Funkwhale can store uploaded files on Amazon S3 and S3-compatible storages (such as Minio)
|
||||
# Uncomment and fill the variables below
|
||||
|
||||
#AWS_ACCESS_KEY_ID=
|
||||
#AWS_SECRET_ACCESS_KEY=
|
||||
#AWS_STORAGE_BUCKET_NAME=
|
||||
# An optional bucket subdirectory were you want to store the files. This is especially useful
|
||||
# if you plan to use share the bucket with other services
|
||||
#AWS_LOCATION=
|
||||
|
||||
# If you use a S3-compatible storage such as minio, set the following variable
|
||||
# the full URL to the storage server. Example:
|
||||
# AWS_S3_ENDPOINT_URL=https://minio.mydomain.com
|
||||
#AWS_S3_ENDPOINT_URL=
|
||||
|
||||
# If you want to serve media directly from your S3 bucket rather than through a proxy,
|
||||
# set this to false
|
||||
PROXY_MEDIA=false
|
||||
|
||||
# If you are using Amazon S3 to serve media directly, you will need to specify your region
|
||||
# name in order to access files. Example:
|
||||
# AWS_S3_REGION_NAME=eu-west-2
|
||||
#AWS_S3_REGION_NAME=
|
||||
|
||||
# If you are using Amazon S3, use this setting to configure how long generated URLs should stay
|
||||
# valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days)
|
||||
|
||||
# AWS_QUERYSTRING_EXPIRE=
|
||||
|
||||
# If you are using an S3-compatible object storage provider, and need to provide a default
|
||||
# ACL for object uploads that is different from the default applied by boto3, you may
|
||||
# override it here. Example:
|
||||
# AWS_DEFAULT_ACL=public-read
|
||||
# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
|
||||
|
||||
#AWS_DEFAULT_ACL=
|
||||
|
||||
# Funkwhale allows collecting errors using Sentry compatible APIs. If you want
|
||||
# to help us improving Funkwhale, feel free to use our instance:
|
||||
#FUNKWHALE_SENTRY_DSN=https://5840197379c64f65aad3c5c09274994d@am.funkwhale.audio/1
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +1,2 @@
|
|||
.env
|
||||
data/
|
||||
|
|
|
@ -61,6 +61,7 @@ services:
|
|||
image: funkwhale/funkwhale:${FUNKWHALE_VERSION:-latest}
|
||||
networks:
|
||||
- default
|
||||
- mail
|
||||
depends_on:
|
||||
- postgres
|
||||
- redis
|
||||
|
@ -78,6 +79,7 @@ services:
|
|||
image: nginx
|
||||
networks:
|
||||
- default
|
||||
- httpsproxy
|
||||
depends_on:
|
||||
- api
|
||||
env_file:
|
||||
|
@ -85,6 +87,8 @@ services:
|
|||
environment:
|
||||
# Override those variables in your .env file if needed
|
||||
- "NGINX_MAX_BODY_SIZE=${NGINX_MAX_BODY_SIZE-100M}"
|
||||
- LETSENCRYPT_HOST=audio.solarpunk.moe
|
||||
- VIRTUAL_HOST=audio.solarpunk.moe
|
||||
volumes:
|
||||
- "./nginx/funkwhale.template:/etc/nginx/conf.d/funkwhale.template:ro"
|
||||
- "./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro"
|
||||
|
@ -103,4 +107,8 @@ services:
|
|||
&& nginx -g 'daemon off;'"
|
||||
|
||||
networks:
|
||||
mail:
|
||||
external: true
|
||||
httpsproxy:
|
||||
external: true
|
||||
default:
|
||||
|
|
|
@ -26,7 +26,7 @@ server {
|
|||
# If you are using S3 to host your files, remember to add your S3 URL to the
|
||||
# media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
|
||||
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.digitaloceanspaces.com data:; font-src 'self' data:; object-src 'none'; media-src 'self' https://*.digitaloceanspaces.com data:";
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
|
@ -81,19 +81,19 @@ server {
|
|||
# this is an internal location that is used to serve
|
||||
# audio files once correct permission / authentication
|
||||
# has been checked on API side
|
||||
location /_protected/media {
|
||||
internal;
|
||||
alias ${MEDIA_ROOT};
|
||||
#location /_protected/media {
|
||||
# internal;
|
||||
# alias ${MEDIA_ROOT};
|
||||
|
||||
}
|
||||
#}
|
||||
# Comment the previous location and uncomment this one if you're storing
|
||||
# media files in a S3 bucket
|
||||
# location ~ /_protected/media/(.+) {
|
||||
# internal;
|
||||
# # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
|
||||
# proxy_set_header Authorization "";
|
||||
# proxy_pass $1;
|
||||
# }
|
||||
location ~ /_protected/media/(.+) {
|
||||
internal;
|
||||
# Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
|
||||
proxy_set_header Authorization "";
|
||||
proxy_pass $1;
|
||||
}
|
||||
|
||||
location /_protected/music {
|
||||
# this is an internal location that is used to serve
|
||||
|
|
Loading…
Reference in a new issue