Merge branch 'master' into 'master'

Add option to disable access to api dashboard See merge request !2

Merge branch 'master' into 'master'
Add option to disable access to api dashboard See merge request !2
610817a3 · Eliot Berriot · e1613ff8 · a0fdc39d · 610817a3 · 610817a3
Commit 610817a3 authored 5 years ago by Eliot Berriot
--- a/README.md
+++ b/README.md
@@ -124,6 +124,7 @@ Role Variables
 | `funkwhale_database_user`               | `funkwhale`                   | Postgresql username to login as |
 | `funkwhale_env_vars`                    | `[]`                          | List of environment variables to append to the generated `.env` file. Example: `["AWS_ACCESS_KEY_ID=myawsid", "AWS_SECRET_ACCESS_KEY=myawskey"]` |
 | `funkwhale_external_storage_enabled`    | `false`                       | If `true`, set up the proper configuration to use an extenal storage for media files |
+| `funkwhale_disable_django_admin`        | `false`                       | If `true`, returns a 403 (Forbidden) for `/api/admin` |
 | `funkwhale_install_path`                | `/srv/funkwhale`              | Path were frontend, api and virtualenv files should be stored (**no trailing slash**) |
 | `funkwhale_letsencrypt_certbot_flags`   | `null`                        | Additional flags to pass to `certbot` |
 | `funkwhale_letsencrypt_enabled`         | `true`                        | If `true`, will configure SSL with certbot and Let's Encrypt |

--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,7 @@ funkwhale_static_path: /srv/funkwhale/data/static
 funkwhale_music_path: /srv/funkwhale/data/music
 funkwhale_config_path: /srv/funkwhale/config
 funkwhale_external_storage_enabled: false
+funkwhale_disable_django_admin: false
 funkwhale_username: funkwhale
 funkwhale_database_managed: true
 funkwhale_frontend_managed: true

--- a/install.sh
+++ b/install.sh
@@ -89,10 +89,12 @@ setup() {
            read -p "Enter your redis configuration, (e.g redis://127.0.0.1:6379/0): "  funkwhale_redis_url
            funkwhale_systemd_after="funkwhale_systemd_after: "
        fi
+        yesno_prompt funkwhale_disable_django_admin 'Disable access to API admin dashboard?' 'no'
    else
        funkwhale_nginx_managed="true"
        funkwhale_database_managed="true"
        funkwhale_redis_managed="true"
+        funkwhale_disable_django_admin="false"
    fi
@@ -112,6 +114,9 @@ setup() {
    if [ "$funkwhale_database_managed" = "false" ]; then
        echo "  - Custom PostgreSQL configuration: $funkwhale_database_url"
    fi
+    if [ "$funkwhale_disable_django_admin" = "true"]; then
+        echo "- Disabled access to API admin dashboard"
+    fi
    if [ "$is_dry_run" = "true" ]; then
        echo "Running with dry-run mode, your system will be not be modified (apart from Ansible installation)."
@@ -255,6 +260,11 @@ EOF
 [funkwhale_servers]
 127.0.0.1 ansible_connection=local ansible_python_interpreter=/usr/bin/python3
 EOF
+    if [ "$funkwhale_disable_django_admin" = "true" ]; then
+        cat <<EOF >>playbook.yml
+      funkwhale_disable_django_admin: true
+EOF
+    fi
    echo "[2/$total_steps] Downloading Funkwhale playbook dependencies"
    $ansible_bin_path/ansible-galaxy install -r requirements.yml -f

--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -132,4 +132,11 @@ server {
        # django static files
        alias {{ funkwhale_static_path }}/;
    }
+    {% if funkwhale_disable_django_admin -%}
+    location /api/admin/ {
+        # disable access to API admin dashboard
+        return 403;
+    }
+    {% else -%}
 }