feat(nginx): Generate configs using a template

Part-of: <https://dev.funkwhale.audio/funkwhale/funkwhale/-/merge_requests/2547>
2023-08-01 13:31:51 +02:00 · 2023-08-01 13:31:51 +02:00 · 88d7bdb8ab
commit 88d7bdb8ab
--- a/changes/changelog.d/nginxtemplates.feature
+++ b/changes/changelog.d/nginxtemplates.feature
@ -0,0 +1 @@
+Generate all nginx configurations from one template
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@ -1,7 +1,8 @@
 upstream fw {
-    # depending on your setup, you may want to update this
    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }
+
+# Required for websocket support.
 map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
@ -10,15 +11,31 @@ map $http_upgrade $connection_upgrade {
 server {
    listen 80;
    listen [::]:80;
+    # update this to match your instance name
    server_name ${FUNKWHALE_HOSTNAME};
-    location / { return 301 https://$host$request_uri; }
+
+    # useful for Let's Encrypt
+    location /.well-known/acme-challenge/ {
+        allow all;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
+
 server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
+
    server_name ${FUNKWHALE_HOSTNAME};

    # TLS
+    # Feel free to use your own configuration for SSL here or simply remove the
+    # lines and move the configuration to the previous server block if you
+    # don't want to run funkwhale behind https (this is not recommended)
+    # have a look here for let's encrypt configuration:
+    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
@ -29,12 +46,10 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

-    # Security related headers

-    # If you are using S3 to host your files, remember to add your S3 URL to the
-    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
-
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    # General configs
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -42,7 +57,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -61,10 +75,13 @@ server {
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
+    # end of compression settings
+
+

    location / {
-        include /etc/nginx/funkwhale_proxy.conf;
-        client_max_body_size ${NGINX_MAX_BODY_SIZE};
-        proxy_pass   http://fw;
+        expires 1d;
+        proxy_pass http://fw
    }
+
 }
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@ -1,10 +1,15 @@
-# This file was generated from Funkwhale's nginx.template

 upstream funkwhale-api {
    # depending on your setup, you may want to update this
    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }

+# Required for websocket support.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 server {
    listen 80;
    listen [::]:80;
@ -21,16 +26,10 @@ server {
    }
 }

-# Required for websocket support.
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
 server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
-    charset     utf-8;
+
    server_name ${FUNKWHALE_HOSTNAME};

    # TLS
@ -49,12 +48,11 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

-    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
-    add_header Referrer-Policy "strict-origin-when-cross-origin";
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header Service-Worker-Allowed "/";

-    root ${FUNKWHALE_FRONTEND_PATH};
+    # General configs
+    root ${FUNKWHALE_FRONTEND_PATH},
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -62,7 +60,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -83,6 +80,12 @@ server {
        text/x-cross-domain-policy;
    # end of compression settings

+    # headers
+    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";
+
    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
@ -91,16 +94,16 @@ server {
    }

    location / {
-        alias ${FUNKWHALE_FRONTEND_PATH}/;
        expires 1d;
+        alias ${FUNKWHALE_FRONTEND_PATH}/,
        try_files $uri $uri/ /index.html;
    }

    location ~ "/(front/)?embed.html" {
+        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html,
        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
        expires 1d;
    }

@ -158,7 +161,7 @@ server {
        # has been checked on API side.
        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
        internal;
-        alias   ${MUSIC_DIRECTORY_SERVE_PATH}/;
+        alias   ${MUSIC_DIRECTORY_PATH}/;
        add_header Access-Control-Allow-Origin '*';
    }

@ -166,4 +169,5 @@ server {
        # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL
        return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json;
    }
+
 }
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@ -1,6 +1,9 @@
+
 upstream funkwhale-api {
+    # depending on your setup, you may want to update this
    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }
+
 upstream funkwhale-front {
    server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
 }
@ -11,17 +14,18 @@ map $http_upgrade $connection_upgrade {
    ''      close;
 }

+
 server {
    listen      80;
    listen [::]:80;
-    charset     utf-8;
-    client_max_body_size ${NGINX_MAX_BODY_SIZE};
-    include /etc/nginx/funkwhale_proxy.conf;

-    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
-    add_header Referrer-Policy "strict-origin-when-cross-origin";
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header Service-Worker-Allowed "/";
+    server_name _;
+
+
+    # General configs
+    root /usr/share/nginx/html;
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -29,7 +33,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -50,6 +53,12 @@ server {
        text/x-cross-domain-policy;
    # end of compression settings

+    # headers
+    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";
+
    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
@ -58,15 +67,15 @@ server {
    }

    location / {
-        proxy_pass   http://funkwhale-front;
        expires 1d;
+        proxy_pass http://funkwhale-front;
    }

    location = /embed.html {
+        proxy_pass http://funkwhale-front;
        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        proxy_pass   http://funkwhale-front;
        expires 1d;
    }

@ -81,14 +90,6 @@ server {
        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
    }

-    location /media/__sized__/ {
-        alias /protected/media/__sized__/;
-    }
-
-    location /media/attachments/ {
-        alias /protected/media/attachments/;
-    }
-
    location /.well-known/ {
        include /etc/nginx/funkwhale_proxy.conf;
        proxy_pass   http://funkwhale-api;
@ -96,13 +97,13 @@ server {

    # Allow direct access to only specific subdirectories in /media
    location /media/__sized__/ {
-        alias /protected/media/__sized__/;
+        alias ${MEDIA_ROOT}/__sized__/;
        add_header Access-Control-Allow-Origin '*';
    }

    # Allow direct access to only specific subdirectories in /media
    location /media/attachments/ {
-        alias /protected/media/attachments/;
+        alias ${MEDIA_ROOT}/attachments/;
        add_header Access-Control-Allow-Origin '*';
    }

@ -119,10 +120,10 @@ server {
    # if you're storing media files in a S3 bucket.
    location ~ /_protected/media/(.+) {
        internal;
-        alias   /protected/media/$1;                                        # NON-S3
+        alias   ${MEDIA_ROOT}/$1;                                           # NON-S3
        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
-#           proxy_set_header Authorization "";                                  # S3
-#           proxy_pass $1;                                                      # S3
+#       proxy_set_header Authorization "";                                  # S3
+#       proxy_pass $1;                                                      # S3
        add_header Access-Control-Allow-Origin '*';
    }

@ -132,7 +133,7 @@ server {
        # has been checked on API side.
        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
        internal;
-        alias   /music/;
+        alias   ${MUSIC_DIRECTORY_PATH}/;
        add_header Access-Control-Allow-Origin '*';
    }

@ -142,7 +143,6 @@ server {
    }

    location /staticfiles/ {
-        alias /staticfiles/;
+        alias /usr/share/nginx/html/staticfiles/;
    }
-
 }
--- a/front/docker/funkwhale.conf.template
+++ b/front/docker/funkwhale.conf.template
@ -1,5 +1,7 @@
+
 upstream funkwhale-api {
-    server ${FUNKWHALE_API_HOST}:${FUNKWHALE_API_PORT};
+    # depending on your setup, you may want to update this
+    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
 }

 # Required for websocket support.
@ -8,18 +10,18 @@ map $http_upgrade $connection_upgrade {
    ''      close;
 }

+
 server {
    listen      80;
    listen [::]:80;
-    charset     utf-8;
+
    server_name _;

-    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
-    add_header Referrer-Policy "strict-origin-when-cross-origin";
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header Service-Worker-Allowed "/";

+    # General configs
    root /usr/share/nginx/html;
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;

    # compression settings
    gzip on;
@ -27,7 +29,6 @@ server {
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;
-
    gzip_types
        application/javascript
        application/vnd.geo+json
@ -48,6 +49,12 @@ server {
        text/x-cross-domain-policy;
    # end of compression settings

+    # headers
+    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";
+
    location /api/ {
        include /etc/nginx/funkwhale_proxy.conf;
        # This is needed if you have file import via upload enabled.
@ -56,16 +63,16 @@ server {
    }

    location / {
-        alias /usr/share/nginx/html/;
        expires 1d;
+        alias /usr/share/nginx/html/;
        try_files $uri $uri/ /index.html;
    }

    location ~ "/(front/)?embed.html" {
+        alias /usr/share/nginx/html/embed.html;
        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        alias /usr/share/nginx/html/embed.html;
        expires 1d;
    }

@ -131,4 +138,5 @@ server {
        # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL
        return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json;
    }
+
 }
--- a/scripts/compile-templates.py
+++ b/scripts/compile-templates.py
@ -0,0 +1,38 @@
+from jinja2 import Environment, FileSystemLoader
+
+file_loader = FileSystemLoader("templates")
+env = Environment(
+    loader=file_loader, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True
+)
+
+files = [
+    {
+        "output": "docker/nginx/conf.dev",
+        "config": {"proxy_frontend": True, "inside_docker": True},
+    },
+    {
+        "output": "front/docker/funkwhale.conf.template",
+        "config": {"proxy_frontend": False, "inside_docker": True},
+    },
+    {
+        "output": "deploy/nginx.template",
+        "config": {"proxy_frontend": False, "inside_docker": False},
+    },
+    {
+        "output": "deploy/docker.proxy.template",
+        "config": {
+            "proxy_frontend": False,
+            "inside_docker": False,
+            "reverse_proxy": True,
+        },
+    },
+]
+
+template = env.get_template("nginx.conf.j2")
+for f in files:
+    print(f["output"])
+    output = template.render(config=f["config"])
+
+    output_file = open(f["output"], "w")
+    output_file.write(output)
+    output_file.close()
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@ -0,0 +1,231 @@
+{% if config.reverse_proxy %}
+upstream fw {
+    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
+}
+{% else %}
+
+upstream funkwhale-api {
+    # depending on your setup, you may want to update this
+    server ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT};
+}
+{% endif %}
+{% if config.proxy_frontend %}
+
+upstream funkwhale-front {
+    server ${FUNKWHALE_FRONT_IP}:${FUNKWHALE_FRONT_PORT};
+}
+{% endif %}
+
+# Required for websocket support.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+{% if not config.inside_docker %}
+server {
+    listen 80;
+    listen [::]:80;
+    # update this to match your instance name
+    server_name ${FUNKWHALE_HOSTNAME};
+
+    # useful for Let's Encrypt
+    location /.well-known/acme-challenge/ {
+        allow all;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+{% endif %}
+
+server {
+{% if not config.inside_docker %}
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${FUNKWHALE_HOSTNAME};
+
+    # TLS
+    # Feel free to use your own configuration for SSL here or simply remove the
+    # lines and move the configuration to the previous server block if you
+    # don't want to run funkwhale behind https (this is not recommended)
+    # have a look here for let's encrypt configuration:
+    # https://certbot.eff.org/all-instructions/#debian-9-stretch-nginx
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${FUNKWHALE_HOSTNAME}/privkey.pem;
+
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
+{% else %}
+    listen      80;
+    listen [::]:80;
+
+    server_name _;
+
+{% endif %}
+
+    # General configs
+{% if not config.reverse_proxy %}
+{% if config.inside_docker %}
+    root /usr/share/nginx/html;
+{% else %}
+    root ${FUNKWHALE_FRONTEND_PATH},
+{% endif %}
+{% endif %}
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+    charset utf-8;
+
+    # compression settings
+    gzip on;
+    gzip_comp_level    5;
+    gzip_min_length    256;
+    gzip_proxied       any;
+    gzip_vary          on;
+    gzip_types
+        application/javascript
+        application/vnd.geo+json
+        application/vnd.ms-fontobject
+        application/x-font-ttf
+        application/x-web-app-manifest+json
+        font/opentype
+        image/bmp
+        image/svg+xml
+        image/x-icon
+        text/cache-manifest
+        text/css
+        text/plain
+        text/vcard
+        text/vnd.rim.location.xloc
+        text/vtt
+        text/x-component
+        text/x-cross-domain-policy;
+    # end of compression settings
+
+{% if not config.reverse_proxy %}
+    # headers
+    add_header Content-Security-Policy "default-src 'self'; connect-src https: wss: http: ws: 'self' 'unsafe-eval'; script-src 'self' 'wasm-unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; media-src https: http: 'self' data:; object-src 'none'";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Service-Worker-Allowed "/";
+{% endif %}
+
+{% if not config.reverse_proxy %}
+    location /api/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        # This is needed if you have file import via upload enabled.
+        client_max_body_size ${NGINX_MAX_BODY_SIZE};
+        proxy_pass   http://funkwhale-api;
+    }
+{% endif %}
+
+    location / {
+        expires 1d;
+{% if config.proxy_frontend and not config.reverse_proxy %}
+        proxy_pass http://funkwhale-front;
+{% elif not config.proxy_frontend and config.reverse_proxy %}
+        proxy_pass http://fw
+{% else %}
+{% if config.inside_docker %}
+        alias /usr/share/nginx/html/;
+{% else %}
+        alias ${FUNKWHALE_FRONTEND_PATH}/,
+{% endif %}
+        try_files $uri $uri/ /index.html;
+{% endif %}
+    }
+
+{% if not config.reverse_proxy %}
+{% if config.proxy_frontend %}
+    location = /embed.html {
+        proxy_pass http://funkwhale-front;
+{% else %}
+    location ~ "/(front/)?embed.html" {
+{% if config.inside_docker %}
+        alias /usr/share/nginx/html/embed.html;
+{% else %}
+        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html,
+{% endif %}
+{% endif %}
+        add_header Content-Security-Policy "connect-src https: http: 'self'; default-src 'self'; script-src 'self' unpkg.com 'unsafe-inline' 'unsafe-eval'; style-src https: http: 'self' 'unsafe-inline'; img-src https: http: 'self' data:; font-src https: http: 'self' data:; object-src 'none'; media-src https: http: 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        expires 1d;
+    }
+
+    location /federation/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api;
+    }
+
+    # You can comment this if you do not plan to use the Subsonic API.
+    location /rest/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api/api/subsonic/rest/;
+    }
+
+    location /.well-known/ {
+        include /etc/nginx/funkwhale_proxy.conf;
+        proxy_pass   http://funkwhale-api;
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/__sized__/ {
+        alias ${MEDIA_ROOT}/__sized__/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/attachments/ {
+        alias ${MEDIA_ROOT}/attachments/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # Allow direct access to only specific subdirectories in /media
+    location /media/dynamic_preferences/ {
+        alias ${MEDIA_ROOT}/dynamic_preferences/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    # This is an internal location that is used to serve
+    # media (uploaded) files once correct permission / authentication
+    # has been checked on API side.
+    # Comment the "NON-S3" commented lines and uncomment "S3" commented lines
+    # if you're storing media files in a S3 bucket.
+    location ~ /_protected/media/(.+) {
+        internal;
+        alias   ${MEDIA_ROOT}/$1;                                           # NON-S3
+        # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932.
+#       proxy_set_header Authorization "";                                  # S3
+#       proxy_pass $1;                                                      # S3
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    location /_protected/music/ {
+        # This is an internal location that is used to serve
+        # local music files once correct permission / authentication
+        # has been checked on API side.
+        # Set this to the same value as your MUSIC_DIRECTORY_PATH setting.
+        internal;
+        alias   ${MUSIC_DIRECTORY_PATH}/;
+        add_header Access-Control-Allow-Origin '*';
+    }
+
+    location /manifest.json {
+        # If the reverse proxy is terminating SSL, nginx gets confused and redirects to http, hence the full URL
+        return 302 ${FUNKWHALE_PROTOCOL}://${FUNKWHALE_HOSTNAME}/api/v1/instance/spa-manifest.json;
+    }
+
+{% if config.proxy_frontend %}
+    location /staticfiles/ {
+        alias /usr/share/nginx/html/staticfiles/;
+    }
+{% endif %}
+{% endif %}
+}
				`@ -0,0 +1 @@`
				`Generate all nginx configurations from one template`