From c396ec0fd2ae6480feabd20caf50f123122b8ae8 Mon Sep 17 00:00:00 2001
From: Vivianne Langdon
Date: Sun, 13 Nov 2022 20:37:29 -0500
Subject: [PATCH] More config settings and add a template without secrets

---
 .env.template | 203 +++++++++++++++++++++++++++++++++++++++
 .gitignore | 1 +
 docker-compose.yml | 8 ++
 nginx/funkwhale.template | 22 ++---
 4 files changed, 223 insertions(+), 11 deletions(-)
 create mode 100644 .env.template

diff --git a/.env.template b/.env.template
new file mode 100644
index 0000000..4997eb8
--- /dev/null
+++ b/.env.template
@@ -0,0 +1,203 @@
+# If you have any doubts about what a setting does,
+# check https://docs.funkwhale.audio/configuration.html#configuration-reference
+
+# If you're tweaking this file from the template, ensure you edit at least the
+# following variables:
+# - DJANGO_SECRET_KEY
+# - FUNKWHALE_HOSTNAME
+# - EMAIL_CONFIG and DEFAULT_FROM_EMAIL if you plan to send e-mails)
+# On non-docker setup **only**, you'll also have to tweak/uncomment those variables:
+# - DATABASE_URL
+# - CACHE_URL
+#
+# You **don't** need to update those variables on pure docker setups.
+#
+# Additional options you may want to check:
+# - MUSIC_DIRECTORY_PATH and MUSIC_DIRECTORY_SERVE_PATH if you plan to use
+# in-place import
+#
+# Docker only
+# -----------
+
+# The tag of the image we should use
+# (it will be interpolated in docker-compose file)
+# You can comment or ignore this if you're not using docker
+FUNKWHALE_VERSION=1.2.8
+
+# End of Docker-only configuration
+
+# General configuration
+# ---------------------
+
+# Set this variables to bind the API server to another interface/port
+# example: FUNKWHALE_API_IP=0.0.0.0
+# example: FUNKWHALE_API_PORT=5678
+FUNKWHALE_API_IP=127.0.0.1
+FUNKWHALE_API_PORT=5000
+# The number of web workers to start in parallel. Higher means you can handle
+# more concurrent requests, but also leads to higher CPU/Memory usage
+FUNKWHALE_WEB_WORKERS=4
+# Replace this by the definitive, public domain you will use for
+# your instance. It cannot be changed after initial deployment
+# without breaking your instance.
+FUNKWHALE_HOSTNAME=audio.solarpunk.moe
+FUNKWHALE_PROTOCOL=https
+
+# Log level (debug, info, warning, error, critical)
+LOGLEVEL=error
+
+# Configure e-mail sending using this variale
+# By default, funkwhale will output e-mails sent to stdout
+# here are a few examples for this setting
+# EMAIL_CONFIG=consolemail:// # output e-mails to console (the default)
+# EMAIL_CONFIG=dummymail:// # disable e-mail sending completely
+# On a production instance, you'll usually want to use an external SMTP server:
+# If `user` or `password` contain special characters (eg.
+# `noreply@youremail.host` as `user`), be sure to urlencode them, using
+# for example the command:
+# `python3 -c 'import urllib.parse; print(urllib.parse.quote_plus
+("noreply@youremail.host"))'`
+# (returns `noreply%40youremail.host`)
+EMAIL_CONFIG=smtp://mail:25
+# EMAIL_CONFIG=smtp+ssl://user:password@youremail.host:465
+# EMAIL_CONFIG=smtp+tls://user:password@youremail.host:587
+
+# Make e-mail verification mandatory before using the service
+# Doesn't apply to admins.
+ACCOUNT_EMAIL_VERIFICATION_ENFORCE=true
+
+# The e-mail address to use to send system e-mails.
+DEFAULT_FROM_EMAIL=noreply@audio.solarpunk.moe
+
+# Depending on the reverse proxy used in front of your funkwhale instance,
+# the API will use different kind of headers to serve audio files
+# Allowed values: nginx, apache2
+REVERSE_PROXY_TYPE=nginx
+
+# API/Django configuration
+
+# Database configuration
+# Examples:
+# DATABASE_URL=postgresql://:@:/
+# DATABASE_URL=postgresql://funkwhale:passw0rd@localhost:5432/funkwhale_database
+# Use the next one if you followed Debian installation guide
+# DATABASE_URL=postgresql://funkwhale@:5432/funkwhale
+
+# Cache configuration
+# Examples:
+# CACHE_URL=redis://:/
+# CACHE_URL=redis://localhost:6379/0c
+# With a password:
+# CACHE_URL=redis://:password@localhost:6379/0
+# (the extra semicolon is important)
+# Use the next one if you followed Debian installation guide
+#
+# CACHE_URL=redis://127.0.0.1:6379/0
+#
+# If you want to use Redis over unix sockets, you'll actually need two variables:
+# For the cache part:
+# CACHE_URL=redis:///run/redis/redis.sock?db=0
+# For the Celery/asynchronous tasks part:
+# CELERY_BROKER_URL=redis+socket:///run/redis/redis.sock?virtual_host=0
+
+# Number of worker processes to execute. Defaults to 0, in which case it uses your number of CPUs
+# Celery workers handle background tasks (such file imports or federation
+# messaging). The more processes a worker gets, the more tasks
+# can be processed in parallel. However, more processes also means
+# a bigger memory footprint.
+# CELERYD_CONCURRENCY=0
+
+# Where media files (such as album covers or audio tracks) should be stored
+# on your system?
+# (Ensure this directory actually exists)
+MEDIA_ROOT=/srv/funkwhale/data/media
+
+# Where static files (such as API css or icons) should be compiled
+# on your system?
+# (Ensure this directory actually exists)
+STATIC_ROOT=/srv/funkwhale/data/static
+
+# which settings module should django use?
+# You don't have to touch this unless you really know what you're doing
+DJANGO_SETTINGS_MODULE=config.settings.production
+
+# Generate one using `openssl rand -base64 45`, for example
+DJANGO_SECRET_KEY=
+
+# You don't have to edit this, but you can put the admin on another URL if you
+# want to
+# DJANGO_ADMIN_URL=^api/admin/
+
+# In-place import settings
+# You can safely leave those settings uncommented if you don't plan to use
+# in place imports.
+# Typical docker setup:
+# MUSIC_DIRECTORY_PATH=/music # docker-only
+# MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music
+# Typical non-docker setup:
+# MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music
+# # MUSIC_DIRECTORY_SERVE_PATH= # stays commented, not needed
+
+MUSIC_DIRECTORY_PATH=/srv/funkwhale/data/music
+MUSIC_DIRECTORY_SERVE_PATH=/srv/funkwhale/data/music
+
+# LDAP settings
+# Use the following options to allow authentication on your Funkwhale instance
+# using a LDAP directory.
+# Have a look at https://docs.funkwhale.audio/installation/ldap.html for
+# detailed instructions.
+
+# LDAP_ENABLED=False
+# LDAP_SERVER_URI=ldap://your.server:389
+# LDAP_BIND_DN=cn=admin,dc=domain,dc=com
+# LDAP_BIND_PASSWORD=bindpassword
+# LDAP_SEARCH_FILTER=(|(cn={0})(mail={0}))
+# LDAP_START_TLS=False
+# LDAP_ROOT_DN=dc=domain,dc=com
+
+FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist
+
+# Nginx related configuration
+NGINX_MAX_BODY_SIZE=100M
+
+## External storages configuration
+# Funkwhale can store uploaded files on Amazon S3 and S3-compatible storages (such as Minio)
+# Uncomment and fill the variables below
+
+#AWS_ACCESS_KEY_ID=
+#AWS_SECRET_ACCESS_KEY=
+#AWS_STORAGE_BUCKET_NAME=
+# An optional bucket subdirectory were you want to store the files. This is especially useful
+# if you plan to use share the bucket with other services
+#AWS_LOCATION=
+
+# If you use a S3-compatible storage such as minio, set the following variable
+# the full URL to the storage server. Example:
+# AWS_S3_ENDPOINT_URL=https://minio.mydomain.com
+#AWS_S3_ENDPOINT_URL=
+
+# If you want to serve media directly from your S3 bucket rather than through a proxy,
+# set this to false
+PROXY_MEDIA=false
+
+# If you are using Amazon S3 to serve media directly, you will need to specify your region
+# name in order to access files. Example:
+# AWS_S3_REGION_NAME=eu-west-2
+#AWS_S3_REGION_NAME=
+
+# If you are using Amazon S3, use this setting to configure how long generated URLs should stay
+# valid. The default value is 3600 (60 minutes). The maximum accepted value is 604800 (7 days)
+
+# AWS_QUERYSTRING_EXPIRE=
+
+# If you are using an S3-compatible object storage provider, and need to provide a default
+# ACL for object uploads that is different from the default applied by boto3, you may
+# override it here. Example:
+# AWS_DEFAULT_ACL=public-read
+# Available options can be found here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
+
+#AWS_DEFAULT_ACL=
+
+# Funkwhale allows collecting errors using Sentry compatible APIs. If you want
+# to help us improving Funkwhale, feel free to use our instance:
+#FUNKWHALE_SENTRY_DSN=https://5840197379c64f65aad3c5c09274994d@am.funkwhale.audio/1
diff --git a/.gitignore b/.gitignore
index 4c49bd7..24f9f8d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env
+data/
diff --git a/docker-compose.yml b/docker-compose.yml
index 1758333..62bbf80 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -61,6 +61,7 @@ services:
 image: funkwhale/funkwhale:${FUNKWHALE_VERSION:-latest}
 networks:
 - default
+ - mail
 depends_on:
 - postgres
 - redis
@@ -78,6 +79,7 @@ services:
 image: nginx
 networks:
 - default
+ - httpsproxy
 depends_on:
 - api
 env_file:
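Review bot: `PROXY_MEDIA=false` is set unconditionally while every `AWS_*` variable in the same block stays commented out, so a copy of this template that is not completed with a bucket ends up configured for direct-from-storage media delivery with no storage configured; the intent seems to be that this value is paired with the S3 `/_protected/media` location enabled in nginx/funkwhale.template by this same commit and a filled-in `AWS_S3_ENDPOINT_URL`. A comment tying the three together would prevent a half-configured copy, e.g. `# PROXY_MEDIA=false and the S3 media location in nginx/funkwhale.template only work once the AWS_* variables above are filled in`. Leaving `DJANGO_SECRET_KEY=` empty is the right choice for a committed template, and `.env` is already in .gitignore so the filled copy stays out of the repository; a marker such as `# REQUIRED: keep empty here, set only in the untracked .env` makes that contract explicit for the next operator.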
@@ -85,6 +87,8 @@ services:
 environment:
 # Override those variables in your .env file if needed
 - "NGINX_MAX_BODY_SIZE=${NGINX_MAX_BODY_SIZE-100M}"
+ - LETSENCRYPT_HOST=audio.solarpunk.moe
+ - VIRTUAL_HOST=audio.solarpunk.moe
 volumes:
 - "./nginx/funkwhale.template:/etc/nginx/conf.d/funkwhale.template:ro"
 - "./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro"
@@ -103,4 +107,8 @@ services:
 && nginx -g 'daemon off;'"
 
 networks:
+ mail:
+ external: true
+ httpsproxy:
+ external: true
 default:
diff --git a/nginx/funkwhale.template b/nginx/funkwhale.template
index 218dc31..593cf3d 100644
--- a/nginx/funkwhale.template
+++ b/nginx/funkwhale.template
@@ -26,7 +26,7 @@ server {
 # If you are using S3 to host your files, remember to add your S3 URL to the
 # media-src and img-src headers (e.g. img-src 'self' https:// data:)
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://*.digitaloceanspaces.com data:; font-src 'self' data:; object-src 'none'; media-src 'self' https://*.digitaloceanspaces.com data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "SAMEORIGIN" always;
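Review bot: `LETSENCRYPT_HOST=audio.solarpunk.moe` and `VIRTUAL_HOST=audio.solarpunk.moe` hardcode the hostname that the `.env.template` added in this commit already carries as `FUNKWHALE_HOSTNAME`, so the three values can drift apart and the compose file is no longer reusable for another instance. Compose already interpolates `.env` values in this file (`${FUNKWHALE_VERSION:-latest}`, `${NGINX_MAX_BODY_SIZE-100M}`), so `- "LETSENCRYPT_HOST=${FUNKWHALE_HOSTNAME}"` and `- "VIRTUAL_HOST=${FUNKWHALE_HOSTNAME}"` keep a single source of truth. The `@@ -103,4` hunk declares `mail` and `httpsproxy` as external networks without saying what creates them, and compose refuses to start when an external network is missing; a comment such as `# provided by the (presumably nginx-proxy based) HTTPS front end and the mail stack; must exist before 'docker compose up'` would save the next operator a failed start.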
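Review bot: The new `img-src` and `media-src` entries whitelist the wildcard `https://*.digitaloceanspaces.com`, which admits every Spaces bucket of every customer rather than only this instance's bucket, so the policy is loosened more than the feature needs; narrowing it to the bucket's own origin (for example `https://<bucket>.<region>.digitaloceanspaces.com`, a constructed placeholder) keeps the protection the header exists for. The origin is also hardcoded in the template although the comment two lines above tells operators to add "your S3 URL" and the `.env.template` in this commit leaves `AWS_S3_ENDPOINT_URL` commented out; since this file is already substituted from the environment (`${MEDIA_ROOT}` below, `NGINX_MAX_BODY_SIZE` passed in from docker-compose), an environment variable could carry the origin instead — the substitution command itself is outside this hunk, so check that the variable would be expanded.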
@@ -81,19 +81,19 @@ server {
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side
- location /_protected/media {
- internal;
- alias ${MEDIA_ROOT};
+ #location /_protected/media {
+ # internal;
+ # alias ${MEDIA_ROOT};
- }
+ #}
 # Comment the previous location and uncomment this one if you're storing
 # media files in a S3 bucket
- # location ~ /_protected/media/(.+) {
- # internal;
- # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
- # proxy_set_header Authorization "";
- # proxy_pass $1;
- # }
+ location ~ /_protected/media/(.+) {
+ internal;
+ # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+ proxy_set_header Authorization "";
+ proxy_pass $1;
+ }
 location /_protected/music {
 # this is an internal location that is used to serve
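Review bot: Enabling `proxy_pass $1;` with a variable target means nginx resolves the upstream hostname at request time and needs a `resolver` directive in scope; if none exists in the parts of this server block outside the hunk, every request to the media location fails with "no resolver defined". The comment `# Comment the previous location and uncomment this one if you're storing media files in a S3 bucket` now describes the opposite of what the file does, since the S3 location is the active one and the local `alias ${MEDIA_ROOT}` block is the commented one; it should read something like `# The S3 location below is active; to serve media from ${MEDIA_ROOT} again, restore the block above and comment this one`. The location keeps `internal` and clears `Authorization`, so it is only reachable through nginx-internal redirects from the API and the client's credentials are not forwarded to the bucket, which is the right shape to keep.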