From 2ccfdf0de6eeaddf819fbb36c63b155419f56437 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Wed, 2 Jul 2025 02:07:41 +0200 Subject: [PATCH] Finished Funkwhale implementation --- group_vars/all/13_ldap.yml | 2 +- roles/docker-funkwhale/Administration.md | 59 ++++++++++++++++++- roles/docker-funkwhale/meta/main.yml | 3 +- .../templates/docker-compose.yml.j2 | 31 +++++----- roles/docker-funkwhale/templates/env.j2 | 32 +++++----- roles/docker-funkwhale/vars/configuration.yml | 31 ++++++++-- roles/docker-funkwhale/vars/main.yml | 7 ++- roles/docker-ldap/templates/env.j2 | 8 +-- roles/docker-matomo/tasks/main.yml | 14 +++++ roles/docker-mobilizon/vars/configuration.yml | 1 + 10 files changed, 140 insertions(+), 48 deletions(-) diff --git a/group_vars/all/13_ldap.yml b/group_vars/all/13_ldap.yml index 8128ea6d..2ba52010 100644 --- a/group_vars/all/13_ldap.yml +++ b/group_vars/all/13_ldap.yml @@ -62,7 +62,7 @@ ldap: surname: "sn" ssh_public_key: "sshPublicKey" # Password to access dn.bind - bind_credential: "{{applications.ldap.credentials.administrator_database_password}}" + bind_credential: "{{ applications.ldap.credentials.administrator_database_password }}" server: domain: "{{applications.ldap.hostname if applications.ldap.network.docker | bool else domains.ldap}}" # Mapping for public or locale access port: "{{_ldap_server_port}}" diff --git a/roles/docker-funkwhale/Administration.md b/roles/docker-funkwhale/Administration.md index 786002b5..23db9072 100644 --- a/roles/docker-funkwhale/Administration.md +++ b/roles/docker-funkwhale/Administration.md @@ -4,4 +4,61 @@ ```bash docker-compose down && docker volume rm funkwhale_data -``` \ No newline at end of file +``` + +## create admin account +```bash +docker compose exec -T api funkwhale-manage fw users create --superuser +``` + +## ldap debugging +```bash +docker compose exec -T api funkwhale-manage shell + +import logging +logging.basicConfig(level=logging.DEBUG) + + +from django.contrib.auth import authenticate +user = authenticate(username="kevinveenbirkenbach", password="DEINPASSWORT") +print(user) + + +####### +from django_auth_ldap.backend import LDAPBackend +from django_auth_ldap.config import LDAPSearch +from ldap import initialize + +# Zugriff auf deine Funkwhale-Einstellungen +import django.conf +settings = django.conf.settings + +# Verbindung aufbauen +conn = initialize(settings.AUTH_LDAP_SERVER_URI) +conn.simple_bind_s(settings.AUTH_LDAP_BIND_DN, settings.AUTH_LDAP_BIND_PASSWORD) + +# Benutzername einsetzen +username = "kevinveenbirkenbach" + +# Search-Filter einsetzen +search_filter = settings.AUTH_LDAP_USER_SEARCH.search_filter.format(username) +base_dn = settings.AUTH_LDAP_USER_SEARCH.base_dn +scope = settings.AUTH_LDAP_USER_SEARCH.scope + +# Suche durchführen +results = conn.search_s(base_dn, scope, search_filter) + +print(results) + +########## + +from django.conf import settings + +print("LDAP Server URI:", settings.AUTH_LDAP_SERVER_URI) +print("Bind DN:", settings.AUTH_LDAP_BIND_DN) +print("Bind Password:", settings.AUTH_LDAP_BIND_PASSWORD) +print("Search Base:", settings.AUTH_LDAP_USER_SEARCH.base_dn) +print("Search Filter:", settings.AUTH_LDAP_USER_SEARCH.search_filter) +print("User Attr Map:", settings.AUTH_LDAP_USER_ATTR_MAP) + +``` diff --git a/roles/docker-funkwhale/meta/main.yml b/roles/docker-funkwhale/meta/main.yml index 7bb1c3be..d25049a1 100644 --- a/roles/docker-funkwhale/meta/main.yml +++ b/roles/docker-funkwhale/meta/main.yml @@ -18,4 +18,5 @@ galaxy_info: documentation: https://s.veen.world/cymais logo: class: "fa-solid fa-music" -dependencies: [] \ No newline at end of file + run_after: + - docker-ldap \ No newline at end of file diff --git a/roles/docker-funkwhale/templates/docker-compose.yml.j2 b/roles/docker-funkwhale/templates/docker-compose.yml.j2 index 10d7f906..d7bed0ab 100644 --- a/roles/docker-funkwhale/templates/docker-compose.yml.j2 +++ b/roles/docker-funkwhale/templates/docker-compose.yml.j2 @@ -1,5 +1,4 @@ services: -# @todo Test which containers can be removed crom cental_database networks {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %} {% include 'templates/docker/services/redis.yml.j2' %} @@ -14,53 +13,51 @@ services: # flag: # celery -A funkwhale_api.taskapp worker -l INFO --concurrency=4 {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: "{{ applications[application_id].images.api }}" + image: "{{ applications | get_docker_image(application_id,'api') }}" command: celery -A funkwhale_api.taskapp worker -l INFO --concurrency={{celeryd_concurrency}} environment: - C_FORCE_ROOT=true volumes: - - "data:{{media_root}}" - - "music:{{music_directory_path}}:ro" + - "data:{{funkwhale_media_root}}" + - "music:{{funkwhale_music_directory_path}}:ro" {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} celerybeat: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: "{{ applications[application_id].images.api }}" + image: "{{ applications | get_docker_image(application_id,'api') }}" command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} api: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: "{{ applications[application_id].images.api }}" + image: "{{ applications | get_docker_image(application_id,'api') }}" volumes: - - "music:{{music_directory_path}}:ro" - - "data:{{media_root}}" - - "static_root:{{static_root}}" + - "music:{{funkwhale_music_directory_path}}:ro" + - "data:{{funkwhale_media_root}}" + - "funkwhale_static_root:{{funkwhale_static_root}}" ports: - - "5000" # Exposes API just in local docker network to be used by front container + - "{{ funkwhale_docker_api_port }}" {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} front: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: "{{ applications[application_id].images.front }}" + image: "{{ applications | get_docker_image(application_id,'front') }}" depends_on: - api environment: - # Override those variables in your .env file if needed - "NGINX_MAX_BODY_SIZE=100M" volumes: - - "data:{{media_root}}:ro" - #- "{{static_root}}:{{static_root}}:ro" + - "data:{{funkwhale_media_root}}:ro" + #- "{{funkwhale_static_root}}:{{funkwhale_static_root}}:ro" ports: - # override those variables in your .env file if needed - "127.0.0.1:{{ports.localhost.http[application_id]}}:80" typesense: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: "{{ applications[application_id].images.typesense }}" + image: "{{ applications[application_id].docker.images.typesense }}" volumes: - ./typesense/data:/data command: --data-dir /data --enable-cors @@ -69,7 +66,7 @@ services: {% include 'templates/docker/compose/volumes.yml.j2' %} data: - static_root: + funkwhale_static_root: redis: music: diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2 index 7d3fbcfb..5b92676c 100644 --- a/roles/docker-funkwhale/templates/env.j2 +++ b/roles/docker-funkwhale/templates/env.j2 @@ -17,11 +17,7 @@ # # Docker only # ----------- -MUSIC_DIRECTORY_PATH={{music_directory_path}} - -# Assuming that the following variable isn't used anymore. -# @todo remove it if this is true -FUNKWHALE_VERSION={{applications.funkwhale.version}} +MUSIC_DIRECTORY_PATH={{funkwhale_music_directory_path}} # End of docker-only configuration @@ -32,7 +28,7 @@ FUNKWHALE_VERSION={{applications.funkwhale.version}} FUNKWHALE_API_IP=127.0.0.1 # Assuming that the following variable isn't used anymore. # @todo remove it if this is true -FUNKWHALE_API_PORT={{ports.localhost.http[application_id]}}: +FUNKWHALE_API_PORT={{ funkwhale_docker_api_port }} # The number of web workers to start in parallel. Higher means you can handle # more concurrent requests, but also leads to higher CPU/Memory usage @@ -46,6 +42,9 @@ FUNKWHALE_PROTOCOL={{ web_protocol }} # Log level (debug, info, warning, error, critical) LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %} +# Could be that this is redundant +DJANGO_LOGLEVEL={% if enable_debug | bool %}debug{% else %}error{% endif %} + # Configure e-mail sending using this variale # By default, funkwhale will output e-mails sent to stdout # here are a few examples for this setting @@ -86,12 +85,12 @@ CELERYD_CONCURRENCY={{celeryd_concurrency}} # Where media files (such as album covers or audio tracks) should be stored # on your system? # (Ensure this directory actually exists) -MEDIA_ROOT={{media_root}} +MEDIA_ROOT={{funkwhale_media_root}} # Where static files (such as API css or icons) should be compiled # on your system? # (Ensure this directory actually exists) -STATIC_ROOT={{static_root}} +STATIC_ROOT={{funkwhale_static_root}} # which settings module should django use? # You don't have to touch this unless you really know what you're doing @@ -106,14 +105,17 @@ DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}} # using a LDAP directory. # Have a look at https://docs.funkwhale.audio/installation/ldap.html for # detailed instructions. +# Commit: https://gitea.fudaoyuan.icu/Github/funkwhale/commit/4ce46ff2a000646a3dbab80f0ca9fd8d7f8ae24c + +LDAP_ENABLED = True +LDAP_SERVER_URI = "{{ ldap.server.uri }}" +LDAP_BIND_DN = "{{ ldap.dn.administrator.data }}" +LDAP_BIND_PASSWORD = "{{ ldap.bind_credential }}" +#LDAP_SEARCH_FILTER = "{{ ldap.filters.users.login | replace('%' ~ ldap.attributes.user_id, '{0}') }}" +LDAP_START_TLS = False +LDAP_ROOT_DN = "{{ldap.dn.root}}" +#LDAP_USER_ATTR_MAP = "first_name:{{ ldap.attributes.firstname }}, last_name:{{ ldap.attributes.surname }}, username:{{ ldap.attributes.user_id }}, email:{{ ldap.attributes.mail }}" -LDAP_ENABLED = True -LDAP_SERVER_URI = "{{ldap.server.uri}}" -LDAP_BIND_DN = "{{ldap.dn.administrator.data}}" -LDAP_BIND_PASSWORD = "{{ldap.bind_credential}}" -LDAP_SEARCH_FILTER = "(|(cn={0})(mail={0}))" -LDAP_START_TLS = False -LDAP_ROOT_DN = "{{ldap.dn.root}}" {% endif %} FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist diff --git a/roles/docker-funkwhale/vars/configuration.yml b/roles/docker-funkwhale/vars/configuration.yml index 196f2969..9deac1a3 100644 --- a/roles/docker-funkwhale/vars/configuration.yml +++ b/roles/docker-funkwhale/vars/configuration.yml @@ -1,17 +1,36 @@ -images: - api: "funkwhale/api:1.4.0" - front: "funkwhale/front:1.4.0" - typesense: "typesense/typesense" +docker: + versions: + api: "1.4.0" + front: "1.4.0" + typesense: "typesense/typesense" + images: + api: "funkwhale/api" + front: "funkwhale/front" + typesense: "typesense/typesense" features: matomo: true - css: true + css: false portfolio_iframe: true ldap: true central_database: true + oauth2: false # Doesn't make sense to activate it atm, because login is possible on homepage credentials: domains: canonical: - "audio.{{ primary_domain }}" aliases: - "music.{{ primary_domain }}" - - "sound.{{ primary_domain }}" \ No newline at end of file + - "sound.{{ primary_domain }}" +csp: + flags: + style-src: + unsafe-inline: true + whitelist: + font-src: + - "data:" +oauth2_proxy: + application: "front" + port: "80" + acl: + blacklist: + - "/login" \ No newline at end of file diff --git a/roles/docker-funkwhale/vars/main.yml b/roles/docker-funkwhale/vars/main.yml index a6110b88..f95b8270 100644 --- a/roles/docker-funkwhale/vars/main.yml +++ b/roles/docker-funkwhale/vars/main.yml @@ -1,7 +1,8 @@ application_id: "funkwhale" nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;" database_type: "postgres" -media_root: "/srv/funkwhale/data/" -static_root: "{{media_root}}static" +funkwhale_media_root: "/srv/funkwhale/data/" +funkwhale_static_root: "{{funkwhale_media_root}}static" celeryd_concurrency: 1 -music_directory_path: "/music" \ No newline at end of file +funkwhale_music_directory_path: "/music" +funkwhale_docker_api_port: 5000 \ No newline at end of file diff --git a/roles/docker-ldap/templates/env.j2 b/roles/docker-ldap/templates/env.j2 index a4fc6d9b..8ac42abb 100644 --- a/roles/docker-ldap/templates/env.j2 +++ b/roles/docker-ldap/templates/env.j2 @@ -2,16 +2,16 @@ # @See https://hub.docker.com/r/bitnami/openldap # GENERAL -## Database -LDAP_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}} # LDAP database admin user. -LDAP_ADMIN_PASSWORD= {{applications[application_id].credentials.administrator_database_password}} # LDAP database admin password. +## Admin (Data) +LDAP_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}} # LDAP database admin user. +LDAP_ADMIN_PASSWORD= {{ldap.bind_credential}} # LDAP database admin password. ## Users LDAP_USERS= ' ' # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02 LDAP_PASSWORDS= ' ' # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2 LDAP_ROOT= {{ldap.dn.root}} # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org -## Admin +## Admin (Config) LDAP_ADMIN_DN= {{ldap.dn.administrator.data}} LDAP_CONFIG_ADMIN_ENABLED= yes LDAP_CONFIG_ADMIN_USERNAME= {{applications[application_id].users.administrator.username}} diff --git a/roles/docker-matomo/tasks/main.yml b/roles/docker-matomo/tasks/main.yml index 3537e1e8..fdcd8d4b 100644 --- a/roles/docker-matomo/tasks/main.yml +++ b/roles/docker-matomo/tasks/main.yml @@ -33,3 +33,17 @@ token_auth: "{{ matomo_auth_token }}" return_content: yes status_code: 200 + +- name: Exclude CSP-CheckerBot user agent in Matomo + uri: + url: "{{ matomo_index_php_url }}" + method: POST + body_format: form-urlencoded + body: + module: API + method: SitesManager.setGlobalExcludedUserAgents + excludedUserAgents: "CSP-CheckerBot" + format: json + token_auth: "{{ matomo_auth_token }}" + return_content: yes + status_code: 200 diff --git a/roles/docker-mobilizon/vars/configuration.yml b/roles/docker-mobilizon/vars/configuration.yml index a578cecd..8844e95c 100644 --- a/roles/docker-mobilizon/vars/configuration.yml +++ b/roles/docker-mobilizon/vars/configuration.yml @@ -4,6 +4,7 @@ images: features: central_database: true oidc: true + matomo: true csp: flags: script-src-elem: