commit b280f97b00eb8909d0f5efe0915072aaf430e599 Author: Gabriel Carneiro Date: Thu Feb 27 10:07:07 2025 -0300 initial commit
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f0a074f
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,151 @@
+services:
+ postgres:
+ restart: unless-stopped
+ env_file: .env
+ environment:
+ - "POSTGRES_HOST_AUTH_METHOD=trust"
+ image: postgres:15-alpine
+ volumes:
+ - ./data/postgres:/var/lib/postgresql/data
+ networks:
+ # - default
+ - traefik-public
+
+ redis:
+ restart: unless-stopped
+ env_file: .env
+ image: redis:7-alpine
+ volumes:
+ - ./data/redis:/data
+ networks:
+ # - default
+ - traefik-public
+
+ celeryworker:
+ restart: unless-stopped
+ image: funkwhale/api:${FUNKWHALE_VERSION:-latest}
+ depends_on:
+ - postgres
+ - redis
+ env_file: .env
+ # Celery workers handle background tasks (such file imports or federation
+ # messaging). The more processes a worker gets, the more tasks
+ # can be processed in parallel. However, more processes also means
+ # a bigger memory footprint.
+ # By default, a worker will span a number of process equal to your number
+ # of CPUs. You can adjust this, by explicitly setting the --concurrency
+ # flag:
+ # celery -A funkwhale_api.taskapp worker -l INFO --concurrency=4
+ networks:
+ # - default
+ - traefik-public
+ command:
+ - celery
+ - --app=funkwhale_api.taskapp
+ - worker
+ - --loglevel=INFO
+ - --concurrency=${CELERYD_CONCURRENCY-0}
+ environment:
+ - C_FORCE_ROOT=true
+ volumes:
+ - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+ - "${MEDIA_ROOT}:${MEDIA_ROOT}"
+
+ celerybeat:
+ restart: unless-stopped
+ image: funkwhale/api:${FUNKWHALE_VERSION:-latest}
+ networks:
+ # - default
+ - traefik-public
+ command:
+ - celery
+ - --app=funkwhale_api.taskapp
+ - beat
+ - --loglevel=INFO
+ depends_on:
+ - postgres
+ - redis
+ env_file: .env
+
+ api:
+ restart: unless-stopped
+ image: funkwhale/api:${FUNKWHALE_VERSION:-latest}
+ depends_on:
+ - postgres
+ - redis
+ env_file: .env
+ networks:
+ # - default
+ - traefik-public
+ volumes:
+ - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+ - "${MEDIA_ROOT}:${MEDIA_ROOT}"
+ - "${STATIC_ROOT}:${STATIC_ROOT}"
+
+ front:
+ restart: unless-stopped
+ image: funkwhale/front:${FUNKWHALE_VERSION:-latest}
+ depends_on:
+ - api
+ env_file:
+ - .env
+ environment:
+ # Override those variables in your .env file if needed
+ - "NGINX_MAX_BODY_SIZE=${NGINX_MAX_BODY_SIZE-100M}"
+ volumes:
+ # Uncomment if you want to use your previous nginx config, please let us
+ # know what special configuration you need, so we can support it with out
+ # upstream nginx configuration!
+ # - "./nginx/funkwhale.template:/etc/nginx/nginx.conf:ro"
+ # - "./nginx/funkwhale.template:/etc/nginx/templates/default.conf.template:ro"
+ # - "./nginx/funkwhale_proxy.conf:/etc/nginx/funkwhale_proxy.conf:ro"
+
+ - "${MUSIC_DIRECTORY_SERVE_PATH-/srv/funkwhale/data/music}:${MUSIC_DIRECTORY_PATH-/music}:ro"
+ - "${MEDIA_ROOT}:${MEDIA_ROOT}:ro"
+ - "${STATIC_ROOT}:/usr/share/nginx/html/staticfiles:ro"
+ # ports:
+ # # override those variables in your .env file if needed
+ # - "${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}:80"
+
+ labels:
+ traefik.enable: true
+ traefik.http.services.funkwhale.loadbalancer.server.port: 80
+ traefik.http.routers.funkwhale.entrypoints: websecure
+ traefik.http.routers.funkwhale.rule: Host(`audio.alice.ufsj.edu.br`)
+ # traefik.http.routers.funkwhale.middlewares: "funkwhale"
+ traefik.http.middlewares.funkwhale.headers.stsSeconds: '15552000'
+ traefik.http.middlewares.funkwhale.headers.framedeny: true
+ traefik.http.middlewares.funkwhale.headers.stsIncludeSubdomains: true
+ traefik.http.middlewares.funkwhale.headers.customFrameOptionsValue: SAMEORIGIN
+ traefik.http.middlewares.funkwhale.headers.stsPreload: true
+ traefik.http.middlewares.funkwhale.headers.sslredirect: true
+ traefik.http.middlewares.funkwhale.headers.customrequestheaders.X-Forwarded-Proto: https
+ # traefik.http.middlewares.funkwhale.headers.forwardedHeaders: true
+ # traefik.http.middlewares.funkwhale.headers.customrequestheaders.X-Forwarded-User: https
+ # traefik.http.middlewares.funkwhale.forwardauth.trustforwardheader: true
+ # traefik.http.middlewares.funkwhale.forwardauth.authresponseheaders: "X-Forwarded-User"
+
+
+
+ networks:
+ # - default
+ - traefik-public
+
+ typesense:
+ restart: unless-stopped
+ env_file:
+ - .env
+ image: typesense/typesense:0.24.0
+ volumes:
+ - ./typesense/data:/data
+ command: --data-dir /data --enable-cors
+ profiles:
+ - typesense
+ networks:
+ # - default
+ - traefik-public
+
+networks:
+ # default:
+ traefik-public:
+ external: true
diff --git a/nginx/funkwhale.template b/nginx/funkwhale.template
new file mode 100644
index 0000000..f151fee
--- /dev/null
+++ b/nginx/funkwhale.template
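Review bot: The `postgres` service is started with `POSTGRES_HOST_AUTH_METHOD=trust` and attached only to the external `traefik-public` network (its `- default` entry is commented out, as is `default:` under the top-level `networks:`), so any container on that shared network can connect as any role, including the `postgres` superuser, without a password; `redis` sits on the same network with no authentication visible in the hunk. Keep both datastores on a private network and require a password: uncomment `default:` at the top level and the `- default` entries in each service, drop `- traefik-public` from `postgres` and `redis`, and replace the `trust` line with a `POSTGRES_PASSWORD` supplied through `.env`. Separately, the `traefik.http.middlewares.funkwhale.headers.*` labels define HSTS, frame-deny and SSL-redirect settings, but the line that attaches them to the router, `traefik.http.routers.funkwhale.middlewares: "funkwhale"`, is commented out, so none of those headers take effect; uncomment it if that hardening is intended. Only `front` appears to need `traefik-public` at all, since it is the sole service carrying Traefik labels.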
@@ -0,0 +1,86 @@
+upstream fw {
+ server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
+}
+
+# Required for websocket support.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ # update this to match your instance name
+ server_name audio.alice.ufsj.edu.br;
+
+ # useful for Let's Encrypt
+ location /.well-known/acme-challenge/ {
+ allow all;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${FUNKWHALE_HOSTNAME};
+
+ # TLS
+ # Feel free to use your own configuration for SSL here or simply remove the
+ # lines and move the configuration to the previous server block if you
+ # don't want to run funkwhale behind https (this is not recommended)
+ # have a look here for let's encrypt configuration:
+ # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
+ ssl_protocols TLSv1.2;
+ ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ # ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;
+ #ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;
+
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000";
+
+
+ # General configs
+ client_max_body_size ${NGINX_MAX_BODY_SIZE};
+ charset utf-8;
+
+ # compression settings
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_types
+ application/javascript
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+ # end of compression settings
+
+ location / {
+ include /etc/nginx/funkwhale_proxy.conf;
+ proxy_pass http://fw;
+ }
+
+}
+
diff --git a/nginx/funkwhale_proxy.conf b/nginx/funkwhale_proxy.conf
new file mode 100644
index 0000000..1dec896
--- /dev/null
+++ b/nginx/funkwhale_proxy.conf
@@ -0,0 +1,14 @@
+# global proxy conf
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_redirect off;
+
+# websocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
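Review bot: The second `server` block declares `listen 443 ssl http2;` while both `ssl_certificate` and `ssl_certificate_key` are commented out, so nginx will reject this configuration at load time (no certificate is defined for an `ssl` listen) the moment the template is actually mounted; the mount lines for it are themselves commented out in docker-compose.yml, so the failure is latent rather than live today. Either uncomment `ssl_certificate /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;`, or, since the compose file routes the container through Traefik's `websecure` entrypoint on port 80 and TLS appears to terminate there, drop the 443 block and move the `location /` proxy stanza into the port-80 server. The port-80 block also hardcodes `server_name audio.alice.ufsj.edu.br;` while the 443 block uses `${FUNKWHALE_HOSTNAME}`; using the template variable in both keeps the hostname configured in one place. The HSTS line `add_header Strict-Transport-Security "max-age=31536000";` lacks `always`, so it is omitted on error responses; `add_header Strict-Transport-Security "max-age=31536000" always;` closes that gap.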
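Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` replaces whatever the upstream proxy sent, and if this include is ever mounted into the `front` container (the mount is commented out in docker-compose.yml) and used from a plain-HTTP server block behind Traefik, `$scheme` is `http`, so the API would see an HTTP origin even though the compose labels intend to forward `X-Forwarded-Proto: https`. For the same reason `X-Real-IP $remote_addr` and `$proxy_add_x_forwarded_for` will record Traefik's address as the client unless nginx is told to trust that hop, e.g. `set_real_ip_from <traefik-network-cidr>; real_ip_header X-Forwarded-For;` (placeholder CIDR, the page does not give the network range). This file also depends on `$connection_upgrade`, which is only defined by the `map $http_upgrade $connection_upgrade` block in nginx/funkwhale.template; add `# requires the "map $http_upgrade $connection_upgrade" block from funkwhale.template` under the `# global proxy conf` header so the dependency is visible to anyone including the file elsewhere.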