From a0fdc39d1d7825484bcf34d07c3ac14441bfa188 Mon Sep 17 00:00:00 2001
From: Lerk <lukas@k40s.net>
Date: Fri, 30 Aug 2019 16:12:20 +0200
Subject: [PATCH] Add option to disable access to api dashboard
---
 README.md | 1 +
 defaults/main.yml | 1 +
 install.sh | 10 ++++++++++
 templates/nginx.conf.j2 | 7 +++++++
 4 files changed, 19 insertions(+)
diff --git a/README.md b/README.md
index d8d18d6..242ab33 100644
--- a/README.md
+++ b/README.md
@@ -124,6 +124,7 @@ Role Variables
 | `funkwhale_database_user` | `funkwhale` | Postgresql username to login as |
 | `funkwhale_env_vars` | `[]` | List of environment variables to append to the generated `.env` file. Example: `["AWS_ACCESS_KEY_ID=myawsid", "AWS_SECRET_ACCESS_KEY=myawskey"]` |
 | `funkwhale_external_storage_enabled` | `false` | If `true`, set up the proper configuration to use an extenal storage for media files |
+| `funkwhale_disable_django_admin` | `false` | If `true`, returns a 403 (Forbidden) for `/api/admin` |
 | `funkwhale_install_path` | `/srv/funkwhale` | Path were frontend, api and virtualenv files should be stored (**no trailing slash**) |
 | `funkwhale_letsencrypt_certbot_flags` | `null` | Additional flags to pass to `certbot` |
 | `funkwhale_letsencrypt_enabled` | `true` | If `true`, will configure SSL with certbot and Let's Encrypt |
diff --git a/defaults/main.yml b/defaults/main.yml
index 2a1f3e7..5aca750 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,7 @@ funkwhale_static_path: /srv/funkwhale/data/static
 funkwhale_music_path: /srv/funkwhale/data/music
 funkwhale_config_path: /srv/funkwhale/config
 funkwhale_external_storage_enabled: false
+funkwhale_disable_django_admin: false
 funkwhale_username: funkwhale
 funkwhale_database_managed: true
 funkwhale_frontend_managed: true
diff --git a/install.sh b/install.sh
index 41a3938..f4a17a7 100644
--- a/install.sh
+++ b/install.sh
@@ -89,10 +89,12 @@ setup() { read -p "Enter your redis configuration, (e.g redis://127.0.0.1:6379/0): " funkwhale_redis_url funkwhale_systemd_after="funkwhale_systemd_after: " fi + yesno_prompt funkwhale_disable_django_admin 'Disable access to API admin dashboard?' 'no' else funkwhale_nginx_managed="true" funkwhale_database_managed="true" funkwhale_redis_managed="true" + funkwhale_disable_django_admin="false" fi @@ -112,6 +114,9 @@ setup() { if [ "$funkwhale_database_managed" = "false" ]; then echo " - Custom PostgreSQL configuration: $funkwhale_database_url" fi + if [ "$funkwhale_disable_django_admin" = "true"]; then + echo "- Disabled access to API admin dashboard" + fi if [ "$is_dry_run" = "true" ]; then echo "Running with dry-run mode, your system will be not be modified (apart from Ansible installation)." @@ -255,6 +260,11 @@ EOF [funkwhale_servers] 127.0.0.1 ansible_connection=local ansible_python_interpreter=/usr/bin/python3 EOF + if [ "$funkwhale_disable_django_admin" = "true" ]; then + cat <<EOF >>playbook.yml + funkwhale_disable_django_admin: true +EOF + fi echo "[2/$total_steps] Downloading Funkwhale playbook dependencies" $ansible_bin_path/ansible-galaxy install -r requirements.yml -f diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 index f1a4cda..88db347 100644 --- a/templates/nginx.conf.j2 +++ b/templates/nginx.conf.j2 @@ -132,4 +132,11 @@ server { # django static files alias {{ funkwhale_static_path }}/; } + + {% if funkwhale_disable_django_admin -%} + location /api/admin/ { + # disable access to API admin dashboard + return 403; + } + {% else -%} } -- GitLab
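Review bot: The test added to the summary block, `if [ "$funkwhale_disable_django_admin" = "true"]; then`, is missing the space before `]`, so `[` receives `true]` as its last argument and fails with a missing-`]` error. The condition is therefore never true, and the summary never tells the operator that the admin dashboard will be disabled, which is the setting they would most want to confirm before the run. It should read `if [ "$funkwhale_disable_django_admin" = "true" ]; then`, matching the correctly spaced check added before the playbook.yml append. setup() begins and ends outside the hunk.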
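Review bot: The append `cat <<EOF >>playbook.yml` after the inventory heredoc only produces valid YAML if playbook.yml ends inside its vars mapping, at the same indentation as the appended `funkwhale_disable_django_admin: true` line. The heredoc that writes playbook.yml is outside this hunk, so that layout is inferred. If it ever changes, the play either fails to parse or the key lands somewhere the role does not read, and the 403 rule is silently not rendered. Writing the variable from the same heredoc that emits the other role variables would keep it in one place; at minimum, add a comment such as `# appended key must stay the last entry under vars: in playbook.yml`.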
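Review bot: The conditional added at the end of the server block opens with `{% if funkwhale_disable_django_admin -%}` and ends on `{% else -%}`, with no `{% endif %}` anywhere in the hunk. The single trailing context line `}` suggests the file ends there, so the template would either fail to render or emit the server block's closing brace only in the else branch. Replace the last added line with `{% endif %}`. The test would also be safer as `{% if funkwhale_disable_django_admin | bool -%}`, because a value passed as the string `false` (for example through extra vars) is truthy in Jinja and would block the dashboard unintentionally. The rule is also enforced only by this role-managed nginx config, so deployments that presumably bring their own proxy configuration (`funkwhale_nginx_managed` false) get no protection from the variable, which the README row should say.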