From 373ee3cef8d26998febe4b98fe8d32fd0267df78 Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Sat, 8 Jan 2022 13:35:59 +0100 Subject: [PATCH] funkwhale: Fix for potential startup issue Also updates the nginx config to the current version
---
 charts/funkwhale/Chart.yaml | 2 +-
 .../funkwhale/templates/configmap-front.yaml | 38 ++++++++++++++++---
 charts/funkwhale/templates/configmap.yaml | 1 +
 3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/charts/funkwhale/Chart.yaml b/charts/funkwhale/Chart.yaml
index a33ae17..b268f44 100644
--- a/charts/funkwhale/Chart.yaml
+++ b/charts/funkwhale/Chart.yaml
@@ -4,7 +4,7 @@ appVersion: "1.2.1"
 description: A social platform to enjoy and share music
 icon: https://funkwhale.audio/favicon.png
 name: funkwhale
-version: 0.4.4
+version: 0.4.5
 dependencies:
 - name: redis
diff --git a/charts/funkwhale/templates/configmap-front.yaml b/charts/funkwhale/templates/configmap-front.yaml
index cbd0445..c0d1d04 100644
--- a/charts/funkwhale/templates/configmap-front.yaml
+++ b/charts/funkwhale/templates/configmap-front.yaml
@@ -28,9 +28,36 @@ data:
 root /frontend;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ # compression settings
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
+
+ gzip_types
+ application/javascript
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy;
+ # end of compression settings
 location / {
 include /etc/nginx/funkwhale_proxy.conf;
@@ -40,7 +67,7 @@ data:
 }
 location /front/ {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 add_header Service-Worker-Allowed "/";
 add_header X-Frame-Options "ALLOW";
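Review bot: The server-level `add_header X-Frame-Options "SAMEORIGIN" always;` added in the first configmap-front.yaml hunk will not reach every location, because nginx inherits `add_header` from the enclosing level only when the current level defines none of its own. `/front/` and `/front/embed.html` in this same patch both set their own headers, so they are unaffected by it. A comment beside the server-level headers would keep that from being overlooked, for example `# add_header is not inherited by locations that set their own headers; repeat the security headers there`. The Content-Security-Policy and Referrer-Policy lines also lack `always`, so unlike the new X-Frame-Options line they are sent only on success and redirect status codes.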
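Review bot: `location /front/` still carries `add_header X-Frame-Options "ALLOW";` as unchanged context at the end of the second hunk, and `ALLOW` is not a value the header defines (`DENY` and `SAMEORIGIN` are), so browsers are expected to ignore it and the SPA gets no framing restriction. Because this location declares its own headers, it does not inherit the new server-level `SAMEORIGIN` either. The line should probably become `add_header X-Frame-Options "SAMEORIGIN" always;`, matching what the commit does at server level. The location block continues past the end of the hunk, so its remaining headers are not visible here.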
@@ -51,10 +78,10 @@ data:
 }
 location /front/embed.html {
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
- add_header X-Frame-Options "ALLOW";
+ add_header X-Frame-Options "" always;
 alias /frontend/embed.html;
 expires 30d;
 add_header Pragma public;
@@ -84,6 +111,7 @@ data:
 {{- if .Values.s3.enabled }}
 location ~ /_protected/media/(.+) {
 internal;
+ # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
 proxy_set_header Authorization "";
 proxy_pass $1;
 }
@@ -103,7 +131,7 @@ data:
 # has been checked on API side
 # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
 internal;
- alias ${MUSIC_DIRECTORY_PATH};
+ alias ${MUSIC_DIRECTORY_SERVE_PATH};
 }
 location /staticfiles/ {
diff --git a/charts/funkwhale/templates/configmap.yaml b/charts/funkwhale/templates/configmap.yaml
index 9334904..f05c73f 100644
--- a/charts/funkwhale/templates/configmap.yaml
+++ b/charts/funkwhale/templates/configmap.yaml
@@ -11,6 +11,7 @@ metadata:
 data:
 FUNKWHALE_HOSTNAME: {{ .Values.ingress.host }}
 FUNKWHALE_PROTOCOL: {{ .Values.ingress.protocol }}
+ FUNKWHALE_SPA_HTML_ROOT: http://localhost/front/
 REVERSE_PROXY_TYPE: nginx
 MEDIA_ROOT: /srv/funkwhale/data/media
 STATIC_ROOT: /srv/funkwhale/data/static
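Review bot: In `location /front/embed.html` the new `add_header X-Frame-Options "" always;` relies on nginx omitting a header whose value is empty, which is easy to misread as a mistake. Presumably the intent is to let other sites frame the embed player; a comment would make that explicit, e.g. `# empty value: no X-Frame-Options is sent, so embed.html may be framed by third-party sites`. The CSP on this location has no `frame-ancestors` directive, so nothing else limits who may frame the page, and it is worth confirming that is intended. The location block continues outside the hunk.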
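Review bot: The comment directly above the changed `alias` line still names the old variable, although the line now expands `${MUSIC_DIRECTORY_SERVE_PATH}`; it should read `# Set this to the same value as your MUSIC_DIRECTORY_SERVE_PATH setting`. Nothing in this patch shows that variable being defined for the nginx container (the configmap.yaml hunk adds only FUNKWHALE_SPA_HTML_ROOT). If it is not set elsewhere in the chart, the substitution could leave an empty or literal `alias` path on an `internal` media location. The location block starts before the hunk, so its match pattern cannot be checked against the alias from here.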
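Review bot: The added `FUNKWHALE_SPA_HTML_ROOT: http://localhost/front/` in configmap.yaml is hard-coded with no explanation, while the neighbouring host and protocol entries come from `.Values`. It appears to assume that the frontend nginx is reachable on loopback port 80 from the API container, which this patch does not show. Plain HTTP is reasonable only while that request never leaves the pod. A comment stating the assumption would help, e.g. `# API fetches the SPA index over loopback from the frontend nginx; do not point this at an external host over plain HTTP`.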