Trying to setup funkwhale on a RPI4 for local use (+ with VPN)

someuser

Hello! I'm aiming to get funkwhale running on my Raspberry Pi 4 to use while inside the network and on the go via a Wireguard VPN (that is already functional on the RPI4). I've run the quick install command and entered the following details:

`Installation summary:

version: 1.1.4
domain: music.my.domain
Admin username: admin
Admin email: funkwhale@my.domain
Manage nginx and certbot: true
Manage redis: true
Manage systemd unit files: true
Manage PostgreSQL: true
`

There was a total of one error during the run time of the script, according to the summary:

PLAY RECAP ********************************************************************* 127.0.0.1 : ok=37 changed=26 unreachable=0 failed=1 skipped=15 rescued=0 ignored=0

This is the error output:

TASK [funkwhale : Create letsencrypt certificate] ****************************** fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": ["certbot", "-v", "-n", "certonly", "--nginx", "-m", "funkwhale@my.domain", "--agree-tos", "-d", "music.my.domain"], "delta": "0:00:13.880233", "end": "2021-10-20 11:58:42.381887", "msg": "non-zero return code", "rc": 1, "start": "2021-10-20 11:58:28.501654", "stderr": "Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator nginx, Installer nginx\nPerforming the following challenges:\nhttp-01 challenge for music.my.domain\nWaiting for verification...\nChallenge failed for domain music.my.domain\nhttp-01 challenge for music.my.domain\nCleaning up challenges\nSome challenges have failed.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.", "stderr_lines": ["Saving debug log to /var/log/letsencrypt/letsencrypt.log", "Plugins selected: Authenticator nginx, Installer nginx", "Performing the following challenges:", "http-01 challenge for music.darius.email", "Waiting for verification...", "Challenge failed for domain music.my.domain", "http-01 challenge for music.my.domain", "Cleaning up challenges", "Some challenges have failed.", "Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details."], "stdout": "Account registered.\nRequesting a certificate for music.my.domain\n\nCertbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:\n Domain: music.my.domain\n Type: dns\n Detail: DNS problem: NXDOMAIN looking up A for music.my.domain - check that a DNS record exists for this domain\n\nHint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.", "stdout_lines": ["Account registered.", "Requesting a certificate for music.my.domain", "", "Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:", " Domain: music.my.domain", " Type: dns", " Detail: DNS problem: NXDOMAIN looking up A for music.my.domain - check that a DNS record exists for this domain", "", "Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet."]}

Navigating to the local IP of my RPI4 in a browser shows the following:

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

To be clear, the domain "my.domain" has no relevance with my RPI4 whatsoever (I use it as a custom email domain) and I didn't take any steps to point the subdomain "music.my.domain" to my RPI4. In hind-sight, maybe I should've done something with the dynamic DNS service (freedns.afraid.org) which is part of the Wireguard config files. But I feel like I shouldn't need to make funkwhale accessible to the web, as I only plan to use it locally or via a VPN (which I think is equivalent to local network use). That would also mean there's no point in generating a SSL certificate.

Does this mean I can redo the installation and enter the local IP of my RPI4 as the domain? If so, what should I do with the current instance that is not functional? (Apologies if I am rambling nonsense)

Thank you for trying to help! 😄

gcrk

Hi,

in short - the quick install script does not support non https setups right now. It basically covers one specific use case, nothing more. Its possible with our ansible role: https://dev.funkwhale.audio/funkwhale/ansible

someuser

Thanks for reading and letting me know about the other installation method!

I tried following the instructions on the page you linked, but I'm not sure how to manipulate the playbook.yml and inventory.ini.

I tried putting this into playbook.yml:

- hosts: funkwhale-servers
  roles:
    - role: funkwhale
      funkwhale_hostname: localhost
      funkwhale_letsencrypt_enabled: false

I also tried replacing funkwhale_hostname with rapsberrypi, 127.0.0.1 and pi, to no avail.

My inventory.ini file looks like this:

[funkwhale-servers]
localhost

Again, I tried replacing localhost with the above variations and tried all possible combinations. I'm probably missing something very obvious (as is usually the case)..

The output from ansible-playbook --ask-become-pass -i inventory.ini playbook.yml --check --diff for the above-mentioned inputs is:

[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.7.3 (default, Jan 22 2021, 
20:04:44) [GCC 8.3.0]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
BECOME password: 
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

PLAY [funkwhale-servers] *************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************
fatal: [localhost]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: pi@localhost: Permission denied (publickey,password).", "unreachable": true}

PLAY RECAP ***************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0