I just started trying out Vikunja to use for a small group of people and I’m running this on a VPS, but I find that anyone can create an account. Is there a way to disable this account creation? I have scoured the docs for any instructions but have yet to find anything or any kind of account management. Is there any way I could manage who else is using Vikunja? I imagine this would be a big security risk.
You can disable self service registration with the service.enableregistration option set to false. After that you can still create new accounts through the cli. If you’re not constantly onboarding new people to your instance it may be the easiest to just enable the registration, tell everyone to register and disable it again after everyone has an account.
I imagine this would be a big security risk.
Would you mind elaborating that a bit more? Everything is private until you share it. If you don’t intentionally share something with a user you didn’t want to have on your instance it shouldn’t be a risk.
ah thank you so much, that option was what I was looking for! Regarding the security risk, while I would only intentionally share it with a handful of people, I’m assuming that anyone is scanning servers for services and can find my instance. Then, if they can freely create an account they could upload whatever files to my server via vikunja and at best fill my harddrive. Does that make sense? I just want to remove the risk, so thank you again for letting me know this is possible!
1 Like
Yeah , some sort of low level DOS like that is definitely possible, albeit unlikely.
I filled up the hard disk on my VPS with Vikunja/Docker logs at one point and that was with the instance IP restricted to me and with myself as the only user =D
Thanks guys, I’m glad to know that. I was just worried since it does open up an attack vector and I want to be careful.
Lol I read that thread before posting since it was somewhat similar to what I was concerned about!
Now that I have a solution, does anyone know why I can’t get a config.yml going? I’m running the docker-compose version and I have a volume bind to the file directory, but that’s not where vikunja looks for the config. If try to bind to anything else vikunja tends to freak out and not know what to do.
I just do any config with environment variables in the docker-compose. I assemble my docker-compose with ansible so here’s the vikunja backend (API) part from my jinja2 template (hence the curly braced variables):
vikunja-backend:
container_name: 'vikunja-backend'
image: vikunja/api
environment:
VIKUNJA_DATABASE_HOST: 'vikunja-db'
VIKUNJA_DATABASE_PASSWORD: "{{ vikunja_db_password }}"
VIKUNJA_DATABASE_TYPE: 'mysql'
VIKUNJA_DATABASE_USER: 'vikunja'
VIKUNJA_DATABASE_DATABASE: 'vikunja'
VIKUNJA_REDIS_ENABLED: 1
VIKUNJA_REDIS_HOST: 'vikunja-redis:6379'
VIKUNJA_CACHE_ENABLED: 1
VIKUNJA_CACHE_TYPE: redis
VIKUNJA_SERVICE_FRONTENDURL: "https://vikunja.{{ traefik_domain }}"
VIKUNJA_SERVICE_ENABLEREGISTRATION: 0
VIKUNJA_MIGRATION_WUNDERLIST_ENABLE: 0
VIKUNJA_MIGRATION_TODOIST_ENABLE: 1
VIKUNJA_FILES_BASEPATH: "/app/vikunja/files"
VIKUNJA_MAILER_ENABLED: 1
VIKUNJA_MAILER_HOST: "{{ fqdn }}"
VIKUNJA_MAILER_PORT: 587
VIKUNJA_MAILER_USERNAME: 'vikunja'
VIKUNJA_MAILER_PASSWORD: "{{ vikunja_email_password }}"
VIKUNJA_MAILER_FROMEMAIL: "vikunja@{{ fqdn }}"
VIKUNJA_MAILER_SKIPTLSVERIFY: 'true'
PUID: "{{ docker_user_uid }}"
PGID: "{{ docker_user_gid }}"
volumes:
- source: "{{ docker_data_dir }}/vikunja-backend"
target: '/app/vikunja/files'
type: 'bind'
depends_on:
- vikunja-db
- vikunja-redis
restart: "{{ restart_policy }}"
labels:
traefik.enable: 'true'
traefik.http.routers.vikunja-backend.rule: "Host(`vikunja.{{ traefik_domain }}`) && PathPrefix(`/api/v1`, `/dav/`)"
traefik.http.routers.vikunja-backend.tls: 'true'
#traefik.http.routers.vikunja-backend.middlewares: 'access-whitelist@file'
com.centurylinklabs.watchtower.enable: 'true'
networks:
- 'default'
- 'frontend'
Obviously the formatting will may need tweaked to use directly in a docker-compose.yml file.
Check out the docs for locations where Vikunja looks for config files. But if you’re not using a very long or very complicated config, I’d suggest to stick with environment variables.