Update to 2021-12-01 19:13

roles/funkwhale/defaults/main.yml

@@ -0,0 +1,55 @@
+---
+
+funkwhale_version: 1.1.2
+funkwhale_id: 1
+# https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_version }}/download?job=build_front
+# https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_version }}/download?job=build_api
+funkwhale_base_url: https://dev.funkwhale.audio/funkwhale/funkwhale/-/jobs/artifacts/{{ funkwhale_version }}/download
+funkwhale_archive_sha1:
+  api: 43c123ab0f19e81169372d79a3b322cb2e079974
+  front: 6a5d2b586fd54dd433a7aeb7ef6fe166485d4a13
+funkwhale_root_dir: /opt/funkwhale_{{ funkwhale_id }}
+
+# Should ansible manage upgrades of funkwhale, or only initial install
+funkwhale_manage_upgrade: True
+
+# A random one will be created if not defined
+# funkwhale_secret_key: 
+
+funkwhale_user: funkwhale_{{ funkwhale_id }}
+
+funkwhale_api_bind_ip: 127.0.0.1
+funkwhale_api_port: 5006
+
+# Set to your public URL
+funkwhale_public_url: https://{{ inventory_hostname }}
+
+# Database param
+funkwhale_db_server: "{{ pg_server | default('localhost') }}"
+funkwhale_db_port: 5432
+funkwhale_db_name: funkwhale_{{ funkwhale_id }}
+funkwhale_db_user: funkwhale_{{ funkwhale_id }}
+# A rand pass will be created if not defined
+# funkwhale_db_pass: 
+
+# Cache param
+funkwhale_redis_url: redis://127.0.0.1:6379/0
+
+# LDAP param
+funkwhale_ldap_auth: False
+funkwhale_ldap_url: "{{ ad_auth | default(False) | ternary('ldap://' + ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_auth | default(False) | ternary(ldap_uri, '')) }}"
+# funkwhale_bind_dn: CN=Funkwhale,OU=Apps,DC=example,DC=org
+# funkwhale_bind_pass: S3cR3t.
+funkwhale_ldap_user_filter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(sAMAccountName={0}))','(&(objectClass=inetOrgPerson)(uid={0}))') }}"
+funkwhale_ldap_base: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=')), ldap_auth | ternary(ldap_user_base + ',' + ldap_base, '')) }}"
+funkwhale_ldap_attr_map: "first_name:givenName, last_name:sn, username:{{ ad_auth | ternary('sAMAccountName', 'uid') }}, email:mail"
+
+# dict of library ID <-> path from which to import music
+funkwhale_libraries: []
+# funkwhale_libraries:
+#   - id: 7b64b90c-353d-4969-8ab4-dafdf049036e
+#     path: /opt/funkwhale/data/music
+#     inplace: True
+
+# Increase on busy servers (but will require more memory)
+funkwhale_web_workers: 1

roles/funkwhale/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: restart funkwhale
+  service: name=funkwhale_{{ funkwhale_id }}-{{ item }} state=restarted
+  loop:
+    - server
+    - worker
+    - beat

roles/funkwhale/meta/main.yml

@@ -0,0 +1,13 @@
+---
+allow_duplicates: true
+dependencies:
+  - role: repo_rpmfusion # for ffmpeg
+  - role: repo_xsendfile # mod_xsendfile is not available in base repo for EL8
+    when:
+      - ansible_os_family == 'RedHat'
+      - ansible_distribution_major_version is version('8','>=')
+  - role: httpd_common
+  - role: redis_server
+    when: funkwhale_redis_url | urlsplit('hostname') == 'localhost' or funkwhale_redis_url | urlsplit('hostname') == '127.0.0.1'
+  - role: postgresql_server
+    when: funkwhale_db_server == 'localhost' or funkwhale_db_server == '127.0.0.1'

roles/funkwhale/tasks/archive_post.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Compress previous version
+  command: tar cf {{ funkwhale_root_dir }}/archives/{{ funkwhale_current_version }}.tar.zst --use-compress-program=zstd ./
+  args:
+    chdir: "{{ funkwhale_root_dir }}/archives/{{ funkwhale_current_version }}"
+    warn: False
+  environment:
+    ZSTD_CLEVEL: 10
+  tags: funkwhale
+

roles/funkwhale/tasks/archive_pre.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Create archive dir
+  file: path={{ funkwhale_root_dir }}/archives/{{ funkwhale_current_version }} state=directory
+  tags: funkwhale
+
+- name: Archive previous version
+  synchronize:
+    src: "{{ funkwhale_root_dir }}/{{ item }}"
+    dest: "{{ funkwhale_root_dir }}/archives/{{ funkwhale_current_version }}/"
+    recursive: True
+    delete: True
+  loop:
+    - api
+    - front
+    - venv
+  delegate_to: "{{ inventory_hostname }}"
+  tags: funkwhale
+
+- name: Archive a database dump
+  command: >
+    /usr/pgsql-14/bin/pg_dump
+    --clean
+    --create
+    --host={{ funkwhale_db_server }}
+    --port={{ funkwhale_db_port }}
+    --username=sqladmin {{ funkwhale_db_name }}
+    --file={{ funkwhale_root_dir }}/archives/{{ funkwhale_current_version }}/{{ funkwhale_db_name }}.sql
+  environment:
+    - PGPASSWORD: "{{ pg_admin_pass }}"
+  tags: funkwhale
+

roles/funkwhale/tasks/cleanup.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Remove temp files
+  file: path={{ funkwhale_root_dir }}/{{ item }} state=absent
+  loop:
+    - tmp/api.zip
+    - tmp/api
+    - tmp/front.zip
+    - tmp/front
+    - archives/{{ funkwhale_current_version }}
+    - db_dumps
+  tags: funkwhale

roles/funkwhale/tasks/conf.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Deploy permissions script
+  template: src=perms.sh.j2 dest={{ funkwhale_root_dir }}/perms.sh mode=755
+  register: funkwhale_perms
+  tags: funkwhale
+
+- name: Set optimal permissions
+  command: "{{ funkwhale_root_dir }}/perms.sh"
+  when: funkwhale_install_mode != 'none' or funkwhale_perms.changed
+  tags: funkwhale
+
+- name: Deploy apache config
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/40-funkwhale_{{ funkwhale_id }}.conf
+  notify: reload httpd
+  tags: funkwhale
+

roles/funkwhale/tasks/directories.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Create directories
+  file:
+    path: "{{ funkwhale_root_dir }}/{{ item.dir }}"
+    state: directory
+    owner: "{{ item.user | default(omit) }}"
+    group: "{{ item.group | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+  loop:
+    - dir: /
+    - dir: api
+    - dir: front
+    - dir: data
+    - dir: data/media
+    - dir: data/music
+    - dir: data/static
+    - dir: config
+      group: "{{ funkwhale_user }}"
+      mode: 750
+    - dir: archives
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: tmp
+      mode: 700
+    - dir: backup
+      mode: 700
+  tags: funkwhale
+

roles/funkwhale/tasks/facts.yml

@@ -0,0 +1,42 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: funkwhale
+
+- fail: msg="pg_admin_pass must be set"
+  when: pg_admin_pass is not defined
+  tags: funkwhale
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ funkwhale_root_dir }}"
+    - version: "{{ funkwhale_version }}"
+  tags: funkwhale
+- block:
+    - set_fact: funkwhale_install_mode={{ (install_mode == 'upgrade' and not funkwhale_manage_upgrade) | ternary('none',install_mode) }}
+    - set_fact: funkwhale_current_version={{ current_version | default('') }}
+  tags: funkwhale
+
+  # Create a random pass for the DB if needed
+- when: funkwhale_db_pass is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ funkwhale_root_dir }}/meta/ansible_dbpass"
+    - set_fact: funkwhale_db_pass={{ rand_pass }}
+  tags: funkwhale
+
+  # Create a random django secret key
+- when: funkwhale_secret_key is not defined
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ funkwhale_root_dir }}/meta/ansible_django_key"
+    - set_fact: funkwhale_secret_key={{ rand_pass }}
+  tags: funkwhale
+

roles/funkwhale/tasks/install.yml

@@ -0,0 +1,183 @@
+---
+
+- name: Install packages
+  yum: name={{ funkwhale_packages }}
+  tags: funkwhale
+
+- name: Check if mod_xsendfile is available
+  stat: path=/usr/lib64/httpd/modules/mod_xsendfile.so
+  register: funkwhale_xsendfile
+  tags: funkwhale
+
+- name: Download funkwhale frontend and api
+  get_url:
+    url: "{{ funkwhale_base_url }}?job=build_{{ item }}"
+    dest: "{{ funkwhale_root_dir }}/tmp/{{ item }}.zip"
+    checksum: sha1:{{ funkwhale_archive_sha1[item] }}
+  when: funkwhale_install_mode != 'none'
+  loop:
+    - front
+    - api
+  tags: funkwhale
+
+- name: Extract funkwhale archives
+  unarchive:
+    src: "{{ funkwhale_root_dir }}/tmp/{{ item }}.zip"
+    dest: "{{ funkwhale_root_dir }}/tmp/"
+    remote_src: True
+  when: funkwhale_install_mode != 'none'
+  loop:
+    - front
+    - api
+  tags: funkwhale
+
+- name: Move files to their final location
+  synchronize:
+    src: "{{ funkwhale_root_dir }}/tmp/{{ item }}/"
+    dest: "{{ funkwhale_root_dir }}/{{ item }}/"
+    recursive: True
+    delete: True
+  loop:
+    - api
+    - front
+  delegate_to: "{{ inventory_hostname }}"
+  when: funkwhale_install_mode != 'none'
+  tags: funkwhale
+
+- name: Create the PostgreSQL role
+  postgresql_user:
+    db: postgres
+    name: "{{ funkwhale_db_user }}"
+    password: "{{ funkwhale_db_pass }}"
+    login_host: "{{ funkwhale_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: funkwhale
+
+- name: Create the PostgreSQL database
+  postgresql_db:
+    name: "{{ funkwhale_db_name }}"
+    encoding: UTF-8
+    lc_collate: C
+    lc_ctype: C
+    template: template0
+    owner: "{{ funkwhale_db_user }}"
+    login_host: "{{ funkwhale_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  tags: funkwhale
+
+- name: Enable required PostgreSQL extensions
+  postgresql_ext:
+    name: "{{ item }}"
+    db: "{{ funkwhale_db_name }}"
+    login_host: "{{ funkwhale_db_server }}"
+    login_user: sqladmin
+    login_password: "{{ pg_admin_pass }}"
+  loop:
+    - unaccent
+    - citext
+  tags: funkwhale
+
+- name: Wipe the venv on upgrade
+  file: path={{ funkwhale_root_dir }}/venv state=absent
+  when: funkwhale_install_mode == 'upgrade'
+  tags: funkwhale
+
+- name: Create the venv dir
+  file: path={{ funkwhale_root_dir }}/venv state=directory
+  tags: funkwhale
+
+- name: Create the virtualenv
+  pip:
+    name:
+      - wheel
+      - pip
+      - virtualenv
+      - service_identity
+    virtualenv: "{{ funkwhale_root_dir }}/venv"
+    virtualenv_command: /bin/virtualenv-3
+    virtualenv_python: /bin/python3
+  when: funkwhale_install_mode != 'none'
+  notify: restart funkwhale
+  tags: funkwhale
+
+- name: Install python modules in the virtualenv
+  pip:
+    requirements: "{{ funkwhale_root_dir }}/api/requirements.txt"
+    virtualenv: "{{ funkwhale_root_dir }}/venv"
+    virtualenv_command: /bin/virtualenv-3
+    virtualenv_python: /bin/python3
+  when: funkwhale_install_mode != 'none'
+  notify: restart funkwhale
+  tags: funkwhale
+
+- name: Deploy funkwhale configuration
+  template: src=env.j2 dest={{ funkwhale_root_dir }}/config/.env group={{ funkwhale_user }}
+  notify: restart funkwhale
+  tags: funkwhale
+
+- name: Migrate database
+  django_manage:
+    command: migrate
+    app_path: "{{ funkwhale_root_dir }}/api"
+    virtualenv: "{{ funkwhale_root_dir }}/venv"
+  environment:
+    - FUNKWHALE_URL: "{{ funkwhale_public_url }}"
+  when: funkwhale_install_mode != 'none'
+  notify: restart funkwhale
+  tags: funkwhale
+
+- name: Collect static files
+  django_manage:
+    command: collectstatic
+    app_path: "{{ funkwhale_root_dir }}/api"
+    virtualenv: "{{ funkwhale_root_dir }}/venv"
+  when: funkwhale_install_mode != 'none'
+  tags: funkwhale
+
+- name: Deploy systemd units
+  template: src=funkwhale-{{ item }}.service.j2 dest=/etc/systemd/system/funkwhale_{{ funkwhale_id }}-{{ item }}.service
+  register: funkwhale_units
+  loop:
+    - server
+    - worker
+    - beat
+  notify: restart funkwhale
+  tags: funkwhale
+
+- name: Deploy library update units
+  template: src=funkwhale-update-media.{{ item }}.j2 dest=/etc/systemd/system/funkwhale_{{ funkwhale_id }}-update-media.{{ item }}
+  register: funkwhale_media_updater
+  loop:
+    - service
+    - timer
+  tags: funkwhale
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: (funkwhale_units.results + funkwhale_media_updater.results) | selectattr('changed','equalto',True) | list | length > 0
+  tags: funkwhale
+
+- name: Deploy pre and post backup scripts
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/funkwhale_{{ funkwhale_id }}.sh mode=750
+  loop:
+    - pre
+    - post
+  tags: funkwhale
+
+  # When upgrading to funkwhale 1.0, we have to rebuild thumbnails
+- block:
+    - name: Wipe the thumbnail directory
+      file: path={{ funkwhale_root_dir }}/data/media/__sized__ state=absent
+
+    - name: Rebuild thumbnails
+      django_manage:
+        command: fw media generate-thumbnails
+        app_path: "{{ funkwhale_root_dir }}/api"
+        virtualenv: "{{ funkwhale_root_dir }}/venv"
+
+  when:
+    - funkwhale_install_mode == 'upgrade'
+    - funkwhale_current_version is version('1.0', '<')
+  tags: funkwhale

roles/funkwhale/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: funkwhale_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: funkwhale_install_mode == 'upgrade'
+- include: cleanup.yml

roles/funkwhale/tasks/service.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Start and enable funkwhale services
+  systemd: name=funkwhale_{{ funkwhale_id }}-{{ item }} state=started enabled=True
+  loop:
+    - server.service
+    - update-media.timer
+  tags: funkwhale
+

roles/funkwhale/tasks/user.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Create a system user account
+  user:
+    name: "{{ funkwhale_user }}"
+    comment: "Funkwhale system user"
+    system: True
+    shell: /sbin/nologin
+    home: "{{ funkwhale_root_dir }}"
+  tags: funkwhale

roles/funkwhale/tasks/write_version.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Write version
+  copy: content={{ funkwhale_version }} dest={{ funkwhale_root_dir }}/meta/ansible_version
+  tags: funkwhale
+

roles/funkwhale/templates/env.j2

@@ -0,0 +1,34 @@
+FUNKWHALE_API_IP=127.0.0.1
+FUNKWHALE_API_PORT={{ funkwhale_api_port }}
+FUNKWHALE_WEB_WORKERS={{ funkwhale_web_workers }}
+FUNKWHALE_HOSTNAME={{ funkwhale_public_url | urlsplit('hostname') }}
+FUNKWHALE_PROTOCOL={{ funkwhale_public_url | urlsplit('scheme') }}
+EMAIL_CONFIG=smtp://127.0.0.1
+DEFAULT_FROM_EMAIL=funkwhale-noreply@{{ ansible_domain }}
+REVERSE_PROXY_TYPE=apache2
+DATABASE_URL='postgresql://{{ funkwhale_db_user }}:{{ funkwhale_db_pass | urlencode | regex_replace('/','%2F') }}@{{ funkwhale_db_server }}:{{ funkwhale_db_port }}/{{ funkwhale_db_name }}'
+CACHE_URL={{ funkwhale_redis_url }}
+MEDIA_ROOT={{ funkwhale_root_dir }}/data/media
+STATIC_ROOT={{ funkwhale_root_dir }}/data/static
+DJANGO_SETTINGS_MODULE=config.settings.production
+DJANGO_SECRET_KEY='{{ funkwhale_secret_key }}'
+RAVEN_ENABLED=False
+RAVEN_DSN=https://44332e9fdd3d42879c7d35bf8562c6a4:0062dc16a22b41679cd5765e5342f716@sentry.eliotberriot.com/5
+MUSIC_DIRECTORY_PATH={{ funkwhale_root_dir }}/data/music
+{% if funkwhale_ldap_url is defined %}
+LDAP_ENABLED=True
+LDAP_SERVER_URI={{ funkwhale_ldap_url }}
+LDAP_START_TLS={{ (funkwhale_ldap_url | urlsplit('scheme') == 'ldaps' or funkwhale_ldap_url | urlsplit('hostname') == '127.0.0.1' or funkwhale_ldap_url | urlsplit('hostname') == 'localhost') | ternary('False', 'True') }}
+{% if funkwhale_ldap_bind_dn is defined and funkwhale_ldap_bind_pass is defined %}
+LDAP_BIND_DN='{{ funkwhale_ldap_bind_dn }}'
+LDAP_BIND_PASSWORD='{{ funkwhale_ldap_bind_pass }}'
+{% endif %}
+LDAP_SEARCH_FILTER='{{ funkwhale_ldap_user_filter }}'
+LDAP_ROOT_DN='{{ funkwhale_ldap_base }}'
+LDAP_USER_ATTR_MAP='{{ funkwhale_ldap_attr_map }}'
+{% endif %}
+FUNKWHALE_FRONTEND_PATH={{ funkwhale_root_dir }}/front/dist
+NGINX_MAX_BODY_SIZE=100M
+MUSIC_USE_DENORMALIZATION=True
+FUNKWHALE_SPA_HTML_ROOT={{ funkwhale_root_dir }}/front/dist/
+FUNKWHALE_URL={{ funkwhale_public_url }}

roles/funkwhale/templates/funkwhale-beat.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=Funkwhale celery beat process
+After=redis.service postgresql.service
+
+[Service]
+User={{ funkwhale_user }}
+WorkingDirectory={{ funkwhale_root_dir }}/api
+EnvironmentFile={{ funkwhale_root_dir }}/config/.env
+ExecStart={{ funkwhale_root_dir }}/venv/bin/celery -A funkwhale_api.taskapp beat -l INFO --pidfile /tmp/funkwhale-beat.pid --schedule /tmp/funkwhale-beat-schedule.db
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=funkwhale_{{ funkwhale_id }}-beat
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/funkwhale/templates/funkwhale-server.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Funkwhale application server
+After=redis.service postgresql.service
+Wants=funkwhale_{{ funkwhale_id }}-worker.service funkwhale_{{ funkwhale_id }}-beat.service
+
+[Service]
+User={{ funkwhale_user }}
+WorkingDirectory={{ funkwhale_root_dir }}/api
+EnvironmentFile={{ funkwhale_root_dir }}/config/.env
+ExecStart={{ funkwhale_root_dir }}/venv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=funkwhale_{{ funkwhale_id }}-server
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/funkwhale/templates/funkwhale-update-media.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Update funkwhale media library
+
+[Service]
+Type=oneshot
+{% for lib in funkwhale_libraries %}
+ExecStart={{ funkwhale_root_dir }}/venv/bin/python \
+            {{ funkwhale_root_dir }}/api/manage.py \
+            import_files {{ lib.id }} \
+            --no-input{% if lib.inplace %} --in-place{% endif %} \
+            "{{ lib.path }}" \
+            --recursive
+{% endfor %}
+ExecStart={{ funkwhale_root_dir }}/venv/bin/python \
+            {{ funkwhale_root_dir }}/api/manage.py \
+            check_inplace_files \
+            --no-dry-run
+ExecStart={{ funkwhale_root_dir }}/venv/bin/python \
+            {{ funkwhale_root_dir }}/api/manage.py \
+            prune_library \
+            --tracks --albums --artists --no-dry-run
+User={{ funkwhale_user }}
+Group={{ funkwhale_user }}

roles/funkwhale/templates/funkwhale-update-media.timer.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Update funkwhale media library
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target

roles/funkwhale/templates/funkwhale-worker.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=Funkwhale celery worker
+After=redis.service postgresql.service
+
+[Service]
+User={{ funkwhale_user }}
+WorkingDirectory={{ funkwhale_root_dir }}/api
+EnvironmentFile={{ funkwhale_root_dir }}/config/.env
+ExecStart={{ funkwhale_root_dir }}/venv/bin/celery -A funkwhale_api.taskapp worker -l INFO --pool=solo --concurrency=1
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit=1024M
+SyslogIdentifier=funkwhale_{{ funkwhale_id }}-worker
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/funkwhale/templates/httpd.conf.j2

@@ -0,0 +1,81 @@
+<VirtualHost *:80>
+  ServerName {{ funkwhale_public_url | urlsplit('hostname') }}
+  ProxyVia On
+  ProxyPreserveHost On
+  <IfModule mod_remoteip.c>
+    RemoteIPHeader X-Forwarded-For
+  </IfModule>
+  <Proxy *>
+    AddDefaultCharset off
+    Order Allow,Deny
+    Allow from all
+  </Proxy>
+
+  <Location "/">
+    LimitRequestBody 104857600
+    ProxyPass http://127.0.0.1:{{ funkwhale_api_port }}/
+    ProxyPassReverse http://127.0.0.1:{{ funkwhale_api_port }}/
+  </Location>
+  <Location "/federation">
+    ProxyPass http://127.0.0.1:{{ funkwhale_api_port }}/federation
+    ProxyPassReverse http://127.0.0.1:{{ funkwhale_api_port }}/federation
+  </Location>
+
+  <Location "/rest">
+    ProxyPass http://127.0.0.1:{{ funkwhale_api_port }}/api/subsonic/rest
+    ProxyPassReverse http://127.0.0.1:{{ funkwhale_api_port }}/api/subsonic/rest
+  </Location>
+
+  <Location "/.well-known/">
+    ProxyPass http://127.0.0.1:{{ funkwhale_api_port }}/.well-known/
+    ProxyPassReverse http://127.0.0.1:{{ funkwhale_api_port }}/.well-known/
+  </Location>
+
+  <Location "/front">
+    ProxyPass  "!"
+  </Location>
+
+  Alias /front {{ funkwhale_root_dir }}/front/dist/
+
+  <Location "/media">
+    ProxyPass  "!"
+  </Location>
+  Alias /media {{ funkwhale_root_dir }}/data/media/
+
+  <Location "/staticfiles">
+    ProxyPass  "!"
+  </Location>
+  Alias /staticfiles {{ funkwhale_root_dir }}/data/static
+
+  <Location "/api/v1/activity">
+    ProxyPass ws://127.0.0.1:{{ funkwhale_api_port }}/api/v1/activity
+  </Location>
+
+  <Directory "{{ funkwhale_root_dir }}/data/static">
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  <Directory "{{ funkwhale_root_dir }}/front/dist">
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  <Directory "{{ funkwhale_root_dir }}/data/media">
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+{% if funkwhale_xsendfile.stat.exists %}
+  LoadModule xsendfile_module modules/mod_xsendfile.so
+{% endif %}
+  <IfModule mod_xsendfile.c>
+    XSendFile On
+    XSendFilePath {{ funkwhale_root_dir }}/data/media
+    XSendFilePath {{ funkwhale_root_dir }}/data/music
+    SetEnv MOD_X_SENDFILE_ENABLED 1
+  </IfModule>
+</VirtualHost>

roles/funkwhale/templates/perms.sh.j2

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+chown -R root:root {{ funkwhale_root_dir }}/{front,api}
+chmod 755 {{ funkwhale_root_dir }}
+chown {{ funkwhale_user }}:apache {{ funkwhale_root_dir }}/data
+chmod 750 {{ funkwhale_root_dir }}/data
+chown -R {{ funkwhale_user }}:{{ funkwhale_user }} {{ funkwhale_root_dir }}/data/{media,music}
+chown -R root:root {{ funkwhale_root_dir }}/data/static
+find {{ funkwhale_root_dir }}/{front,api,data/static} -type f -exec chmod 644 "{}" \;
+find {{ funkwhale_root_dir }}/{front,api} -type d -exec chmod 755 "{}" \;
+chmod 755 {{ funkwhale_root_dir }}/api/manage.py
+chmod 700 {{ funkwhale_root_dir }}/{meta,db_dumps,archives}
+chown -R root:{{ funkwhale_user }} {{ funkwhale_root_dir }}/config
+chmod 750 {{ funkwhale_root_dir }}/config
+chmod 640 {{ funkwhale_root_dir }}/config/.env

roles/funkwhale/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ funkwhale_root_dir }}/backup/{{ funkwhale_db_name }}.sql.zst

roles/funkwhale/templates/pre-backup.sh.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+PGPASSWORD={{ funkwhale_db_pass | quote }} /usr/pgsql-14/bin/pg_dump \
+  --clean \
+  --create \
+  --username={{ funkwhale_db_user | quote }} \
+  --host={{ funkwhale_db_server | quote }} \
+  {{ funkwhale_db_name | quote }} | \
+  zstd -c > {{ funkwhale_root_dir }}/backup/{{ funkwhale_db_name | quote }}.sql.zst

roles/funkwhale/vars/RedHat-7.yml

@@ -0,0 +1,17 @@
+---
+
+funkwhale_packages:
+  - gcc
+  - git
+  - postgresql14
+  - postgresql-devel
+  - openldap-devel
+  - cyrus-sasl-devel
+  - libjpeg-turbo-devel
+  - python-psycopg2
+  - python-setuptools
+  - python3-virtualenv
+  - python3-pip
+  - ffmpeg
+  - mod_xsendfile
+

roles/funkwhale/vars/RedHat-8.yml

@@ -0,0 +1,16 @@
+---
+
+funkwhale_packages:
+  - gcc
+  - git
+  - postgresql14
+  - postgresql-devel
+  - openldap-devel
+  - cyrus-sasl-devel
+  - libjpeg-turbo-devel
+  - python3-psycopg2
+  - python3-setuptools
+  - python3-virtualenv
+  - python3-pip
+  - ffmpeg
+  - mod_xsendfile