funkwhale: Sync frontend template with upstream

2022-11-25 21:40:21 +01:00 · 2022-11-25 21:40:21 +01:00 · a6476ed30a
commit a6476ed30a
parent 802d83645d
3 changed files with 25 additions and 30 deletions
--- a/charts/funkwhale/Chart.yaml
+++ b/charts/funkwhale/Chart.yaml
@ -4,7 +4,7 @@ appVersion: "1.2.9"
 description: A social platform to enjoy and share music
 icon: https://funkwhale.audio/favicon.png
 name: funkwhale
-version: 0.6.1
+version: 0.7.0

 dependencies:
 - name: redis
--- a/charts/funkwhale/templates/configmap-front.yaml
+++ b/charts/funkwhale/templates/configmap-front.yaml
@ -15,22 +15,25 @@ data:
      server localhost:5000;
    }

+    # Required for websocket support.
    map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
    }

    server {
-      listen 80;
+      listen      80;
      listen [::]:80;
+      charset     utf-8;

-      server_name ${FUNKWHALE_HOSTNAME};
+      server_name _;

-      root /frontend;
-
-      add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+      add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
      add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header Service-Worker-Allowed "/";
+
+      root /frontend;

      # compression settings
      gzip on;
@ -67,25 +70,16 @@ data:
      }

      location /front/ {
-          add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
-          add_header Referrer-Policy "strict-origin-when-cross-origin";
-          add_header Service-Worker-Allowed "/";
-          add_header X-Frame-Options "ALLOW";
          alias /frontend/;
-          expires 30d;
-          add_header Pragma public;
-          add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+          expires 1d;
      }

      location /front/embed.html {
-          add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
+          add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
          add_header Referrer-Policy "strict-origin-when-cross-origin";

-          add_header X-Frame-Options "" always;
          alias /frontend/embed.html;
-          expires 30d;
-          add_header Pragma public;
-          add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+          expires 1d;
      }

      location /federation/ {
@ -106,24 +100,23 @@ data:

      location /media/ {
          alias ${MEDIA_ROOT}/;
+          add_header Access-Control-Allow-Origin '*';
      }

-    {{- if .Values.s3.enabled }}
-      location ~ /_protected/media/(.+) {
-          internal;
-          # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
-          proxy_set_header Authorization "";
-          proxy_pass $1;
-      }
-    {{- else }}
      # this is an internal location that is used to serve
      # audio files once correct permission / authentication
      # has been checked on API side
-      location /_protected/media {
+      location ~ /_protected/media/(.+) {
          internal;
-          alias   ${MEDIA_ROOT};
-      }
+    {{- if .Values.s3.enabled }}
+          # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+          proxy_set_header Authorization "";
+          proxy_pass $1;
+    {{- else }}
+          alias   ${MEDIA_ROOT}/$1;
    {{- end }}
+          add_header Access-Control-Allow-Origin '*';
+      }

      location /_protected/music {
          # this is an internal location that is used to serve
@ -131,7 +124,8 @@ data:
          # has been checked on API side
          # Set this to the same value as your MUSIC_DIRECTORY_PATH setting
          internal;
-          alias   ${MUSIC_DIRECTORY_SERVE_PATH};
+          alias   ${MUSIC_DIRECTORY_SERVE_PATH}/;
+          add_header Access-Control-Allow-Origin '*';
      }

      location /staticfiles/ {
--- a/charts/funkwhale/templates/deployment.yaml
+++ b/charts/funkwhale/templates/deployment.yaml
@ -23,6 +23,7 @@ spec:
    metadata:
      annotations:
        checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/frontend: {{ include (print .Template.BasePath "/configmap-front.yaml") . | sha256sum }}
        checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
      labels:
        app.kubernetes.io/name: {{ include "funkwhale.name" . }}