redis security

[TheBolshe]

Is there a reason why the redis container doesn't have a password?

I'd like to host my audiomuse instance on a server to be able to access it from anywhere and to connect additional workers, i feel like adding this security to the deployement would only be beneficial.

[NeptuneHub]

I never tested but I think you can add a password to redis without problem. If you have problem, just raise a ticket with the log and I'll take a look.

Anyway I don't think that put redis on internet, with password or not, is the best choice. Maybe raise a VPN in addition to the password could be better?

[TheBolshe]

If i setup a server without a worker and want to setup a worker on another machine what parts of the server does the worker needs to access ? In the config file i need to enter the credentials and addresses for everything, the music server, the database, redis and the server.

Do i need to expose all of them or does the worker connects only to the server which then transfers the information between the db and redis to the workers ?

[NeptuneHub]

Yes worker need to access to database, redis and music server:
https://github.com/NeptuneHub/AudioMuse-AI/blob/main/docs/ARCHITECTURE.md

[TheBolshe]

Do you have anything specific that you would then recommend to setup an access to them from the worker but without exposing them to the internet ? I'm using docker compose with the examples that you give to deploy both the server and the worker but but i don't know where to go from here if i want to add some security

[NeptuneHub]

Potentially is better to have all on the same private network, like a LAN or a VPN.

In the worst case scenario I will suggest to have all the component in the audiomuse-ai deployment example in the same private network and just the music server on internet.

if you start to put backend component exposed direct on internet is not a good choice.

[TheBolshe]

ok i have setup a vpn so that my audiomuse server and worker can see eachother.

I was under the impression that i would be able to expose the interface though, however i can't seem to be able to access it from outside.

Here's how my compose looks like on the server :

services:
  # Redis service for RQ (task queue)
  redis:
    image: redis:7-alpine
    container_name: audiomuse-redis
    # ports:
    #  - "${REDIS_PORT:-6379}:6379"
    volumes:
      - redis-data:/data
    restart: unless-stopped
    networks:
      back: null
      vpn_net:
        ipv4_address: 10.0.5.10

  # PostgreSQL database service
  postgres:
    image: postgres:15-alpine
    container_name: audiomuse-postgres
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-audiomuse}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-audiomusepassword}
      POSTGRES_DB: ${POSTGRES_DB:-audiomusedb}
    # ports:
    #  - "${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
    restart: unless-stopped
    networks:
      back: null
      vpn_net:
        ipv4_address: 10.0.5.11

  # AudioMuse-AI Flask application service
  audiomuse-ai-flask:
    image: ghcr.io/neptunehub/audiomuse-ai:latest
    container_name: audiomuse-ai-flask-app
    # ports:
    #  - "${FRONTEND_PORT:-8000}:8000"
    environment:
      SERVICE_TYPE: "flask"
      TZ: "${TZ:-UTC}"
      MEDIASERVER_TYPE: "navidrome"
      NAVIDROME_URL: "${NAVIDROME_URL}"
      NAVIDROME_USER: "${NAVIDROME_USER}"
      NAVIDROME_PASSWORD: "${NAVIDROME_PASSWORD}"
      POSTGRES_USER: ${POSTGRES_USER:-audiomuse}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-audiomusepassword}
      POSTGRES_DB: ${POSTGRES_DB:-audiomusedb}
      POSTGRES_HOST: "postgres"
      POSTGRES_PORT: "${POSTGRES_PORT:-5432}"
      REDIS_URL: "${REDIS_URL:-redis://redis:6379/0}"
      AI_MODEL_PROVIDER: "${AI_MODEL_PROVIDER}"
      OPENAI_API_KEY: "${OPENAI_API_KEY}"
      OPENAI_SERVER_URL: "${OPENAI_SERVER_URL}"
      OPENAI_MODEL_NAME: "${OPENAI_MODEL_NAME}"
      GEMINI_API_KEY: "${GEMINI_API_KEY}"
      MISTRAL_API_KEY: "${MISTRAL_API_KEY}"
      CLAP_ENABLED: "${CLAP_ENABLED:-true}" # Enable CLAP text search (set to false for slower systems)
      TEMP_DIR: "/app/temp_audio"
    volumes:
      - temp-audio-flask:/app/temp_audio
    depends_on:
      - redis
      - postgres
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.audiomuse.entrypoints=websecure
      - traefik.http.routers.audiomuse.rule=Host(`hostname`)
      - traefik.http.routers.audiomuse.middlewares=admin
      - traefik.http.routers.audiomuse.tls=true
    networks:
      - front
      - back

volumes:
  redis-data:
  postgres-data:
  temp-audio-flask:

networks:
  back:
    name: back
    external: true
  front:
    name: front
    external: true
  vpn_net:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.5.0/24
          gateway: 10.0.5.1

The server starts without a problem however when i try to access the ui i get a Getaway timeout in my browser
I don't have that issue when all containers have exposed ports

[TheBolshe]

I finally managed to get it to work, i usesd this article to setup the vpn. The audiomuse and navidrome containers are connected to the private network so they can work together. Navidrome and Audiomuse frontend are exposed to the internet so i can access and control them from where i want