From 6df36f519a5cce44ad1c6529ce7ff4e1732c6634 Mon Sep 17 00:00:00 2001
From: JuniorJPDJ
Date: Wed, 20 Jul 2022 01:31:28 +0200
Subject: [PATCH] refactor(front/Docker): cleanup nginx-based container

---
 .../front-docker-cleanup.enhancement | 1 +
 front/Dockerfile | 9 +---
 front/docker/entrypoint.sh | 8 +++
 ...whale.template => funkwhale.conf.template} | 51 ++++++++-----------
 4 files changed, 31 insertions(+), 38 deletions(-)
 create mode 100644 changes/changelog.d/front-docker-cleanup.enhancement
 create mode 100755 front/docker/entrypoint.sh
 rename front/docker/{funkwhale.template => funkwhale.conf.template} (67%)

diff --git a/changes/changelog.d/front-docker-cleanup.enhancement b/changes/changelog.d/front-docker-cleanup.enhancement
new file mode 100644
index 000000000..26a639c38
--- /dev/null
+++ b/changes/changelog.d/front-docker-cleanup.enhancement
@@ -0,0 +1 @@
+Cleaned up frontend docker container
diff --git a/front/Dockerfile b/front/Dockerfile
index 0a3cc22f0..d74b230bd 100644
--- a/front/Dockerfile
+++ b/front/Dockerfile
@@ -15,20 +15,15 @@ RUN yarn build:deployment
 FROM nginx:1.23.1-alpine as final
 COPY --from=builder /app/dist /usr/share/nginx/html
-COPY docker/funkwhale.template /etc/nginx/conf.d/funkwhale.template
+COPY docker/funkwhale.conf.template /etc/nginx/templates/default.conf.template
 COPY docker/funkwhale_proxy.conf /etc/nginx/funkwhale_proxy.conf
+COPY docker/entrypoint.sh /docker-entrypoint.d/99-funkwhale.sh
 # Allow running as non-root for custom setups
 RUN mkdir -p /var/log/nginx /var/cache/nginx /var/run/nginx && \
 chown -R nginx:nginx /var/log/nginx /var/run/nginx /var/cache/nginx /etc/nginx && \
 sed -e 's#/var/run/nginx.pid#/var/run/nginx/nginx.pid#' -i /etc/nginx/nginx.conf
-CMD ["sh", "-c", "envsubst \"`env | awk -F = '{printf \" $$%s\", $$1}'`\" \
- < /etc/nginx/conf.d/funkwhale.template \
- > /etc/nginx/conf.d/default.conf \
- && cat /etc/nginx/conf.d/default.conf \
- && nginx -g 'daemon off;'"]
-
 ENV FUNKWHALE_API_HOST=api
 ENV FUNKWHALE_API_PORT=5000
 ENV AWS_S3_ENDPOINT_URL=
diff --git a/front/docker/entrypoint.sh b/front/docker/entrypoint.sh
new file mode 100755
index 000000000..3f262f252
--- /dev/null
+++ b/front/docker/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -n "$AWS_S3_ENDPOINT_URL" ]; then
+ # uncomment S3 section in media location and comment NON-S3 section
+ sed -i '/# NON-S3/s/^/#/g;/# S3/s/^#//g' /etc/nginx/conf.d/default.conf
+fi
+
+cat /etc/nginx/conf.d/default.conf
diff --git a/front/docker/funkwhale.template b/front/docker/funkwhale.conf.template
similarity index 67%
rename from front/docker/funkwhale.template
rename to front/docker/funkwhale.conf.template
index d56f40573..bf9e35f7c 100644
--- a/front/docker/funkwhale.template
+++ b/front/docker/funkwhale.conf.template
@@ -3,7 +3,7 @@ upstream funkwhale-api {
 }
-# required for websocket support
+# Required for websocket support.
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
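Review bot: The new COPY target `/etc/nginx/templates/default.conf.template` is only rendered because the nginx base image's entrypoint processes `/etc/nginx/templates/*.template` into `/etc/nginx/conf.d/` before the numbered scripts in `/docker-entrypoint.d/` run, and nothing in the Dockerfile says so, so a reader cannot tell why the envsubst CMD could be dropped or why the new script is numbered 99. A comment on the COPY line would make the dependency explicit: `# Rendered by the base image's template step into /etc/nginx/conf.d/default.conf; 99-funkwhale.sh post-processes that file.` As far as I recall this also relies on the image's NGINX_ENVSUBST_* variables being left at their defaults and on the inherited default CMD of `nginx -g 'daemon off;'`, since the base entrypoint skips the /docker-entrypoint.d scripts for other commands; that is worth stating where the old CMD was removed.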
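Review bot: The `sed -i` that toggles the S3/NON-S3 lines has no failure check and the script runs without `set -e`, so if `/etc/nginx/conf.d/default.conf` is missing or not writable (it only exists once the base image's template step has run, and the Dockerfile explicitly allows running as non-root) the script still exits 0 and nginx starts with the NON-S3 config while AWS_S3_ENDPOINT_URL is set. Add `set -e` after the shebang so a failed edit aborts container start instead of silently producing the wrong configuration. The toggle also depends on the exact `# NON-S3` / `# S3` markers in the template and on the `# S3` lines starting with `#` at column 0; a comment such as `# markers come from funkwhale.conf.template; keep them in sync` would make that coupling visible. The trailing `cat` keeps the behaviour of the removed CMD of printing the rendered config to the container log.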
@@ -13,17 +13,10 @@ server {
 listen 80;
 server_name ${FUNKWHALE_HOSTNAME};
- # TLS
- # Feel free to use your own configuration for SSL here or simply remove the
- # lines and move the configuration to the previous server block if you
- # don't want to run funkwhale behind https (this is not recommended)
- # have a look here for let's encrypt configuration:
- # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
-
 root /usr/share/nginx/html;
 # If you are using S3 to host your files, remember to add your S3 URL to the
- # media-src and img-src headers (e.g. img-src 'self' https:// data:)
+ # media-src and img-src headers (e.g. img-src 'self' https:// data:).
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
@@ -31,7 +24,7 @@ server {
 location / {
 include /etc/nginx/funkwhale_proxy.conf;
- # this is needed if you have file import via upload enabled
+ # This is needed if you have file import via upload enabled.
 client_max_body_size ${NGINX_MAX_BODY_SIZE};
 proxy_pass http://funkwhale-api/;
 }
@@ -47,7 +40,7 @@ server {
 }
 location = /front/embed.html {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' ${AWS_S3_ENDPOINT_URL} data:; font-src 'self' data:; object-src 'none'; media-src ${AWS_S3_ENDPOINT_URL} 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header X-Frame-Options "" always;
@@ -62,7 +55,7 @@ server {
 proxy_pass http://funkwhale-api/federation/;
 }
- # You can comment this if you do not plan to use the Subsonic API
+ # You can comment this if you do not plan to use the Subsonic API.
 location /rest/ {
 include /etc/nginx/funkwhale_proxy.conf;
 proxy_pass http://funkwhale-api/api/subsonic/rest/;
@@ -77,34 +70,30 @@ server {
 alias ${MEDIA_ROOT}/;
 }
- # this is an internal location that is used to serve
- # audio files once correct permission / authentication
- # has been checked on API side
- location /_protected/media/ {
+ # This is an internal location that is used to serve
+ # media (uploaded) files once correct permission / authentication
+ # has been checked on API side.
+ # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+ # if you're storing media files in a S3 bucket.
+ location /_protected/media/(.+) {
 internal;
- alias ${MEDIA_ROOT}/;
-
+ alias ${MEDIA_ROOT}/; # NON-S3
+ # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+# proxy_set_header Authorization ""; # S3
+# proxy_pass $1; # S3
 }
- # Comment the previous location and uncomment this one if you're storing
- # media files in a S3 bucket
- # location ~ /_protected/media/(.+) {
- # internal;
- # # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
- # proxy_set_header Authorization "";
- # proxy_pass $1;
- # }
 location /_protected/music/ {
- # this is an internal location that is used to serve
- # audio files once correct permission / authentication
- # has been checked on API side
- # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
+ # This is an internal location that is used to serve
+ # local music files once correct permission / authentication
+ # has been checked on API side.
+ # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
 internal;
 alias ${MUSIC_DIRECTORY_PATH}/;
 }
 location /staticfiles/ {
- # django static files
+ # Django static files
 alias ${STATIC_ROOT}/;
 }
 }
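Review bot: `location /_protected/media/(.+) {` in the second hunk drops the `~` regex modifier that the removed commented-out block had, so nginx treats `/_protected/media/(.+)` as a literal prefix: real `/_protected/media/...` URIs no longer match this block, and the `$1` used by the S3 `proxy_pass` is never captured. It should read `location ~ /_protected/media/(.+) {`, and because `alias` inside a regex location must refer to the capture, the NON-S3 line should become `alias ${MEDIA_ROOT}/$1; # NON-S3` (the markers the entrypoint's sed relies on stay intact). Keeping `internal;` is what restricts `proxy_pass $1` to internally redirected requests from the API rather than client-supplied URLs, which is worth saying in the comment above the S3 lines. The enclosing `server` block starts outside the hunk.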