Block module/theme installation on new Drupal instances
The goal is to disallow any level of customization by Drupal administrators.
To achieve this, we must block module installation.
Current possible options:
1. Change deployment setup
Description:
The deployment would have PVs mounted as read-only for the /drupal-data/modules and /drupal-data/themes paths on the webdav container.
Pros:
It is uniform for all users. New instances will have no customization; existing instances will not be able to add any new customizations, but will keep their current ones.
Cons:
Once applied, modules can be neither updated nor removed by users. Full CRUD operations will require admin action or access to the php-fpm container.
Users that have requested advanced access to containers will continue to be able to add modules. Revoking access from users who were previously given it would be advisable.
Extra: We can have a label to make it a read-write mount on webdav for necessary exceptions for a temporary time. I would not recommend this, but it can be included if we go with this path and expect multiple exceptions.
2. Separate new image
Description:
We can have a default image, the only one available for new instances, that does not link /drupal-data/modules so that it is actually used as modules. This linkage is embedded in the image, and removing it would make customization impossible for users.
Pros:
Clear distinction between websites with and without customization available. Fully working for the former, none for the latter.
Cons:
We would have to maintain two RELEASE images for the time being, and update both.
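A check for option 1, as an added example that is not part of the original proposal or the project's code: it audits a pod spec and reports which containers can still write to the two protected paths, resolving nested mounts by longest prefix so that a read-write parent mount is caught. It assumes a Kubernetes-style pod spec; the sample spec, the volume name and the subPath are constructed for illustration.

```python
import posixpath

PROTECTED = ("/drupal-data/modules", "/drupal-data/themes")  # paths named in option 1

# Constructed pod spec fragment: volume name and subPath are assumptions.
# It models a half-applied change where only the modules path was made read-only.
SAMPLE_POD = {
    "containers": [
        {"name": "webdav", "volumeMounts": [
            {"name": "drupal-data", "mountPath": "/drupal-data"},
            {"name": "drupal-data", "mountPath": "/drupal-data/modules",
             "subPath": "modules", "readOnly": True},
        ]},
        {"name": "php-fpm", "volumeMounts": [
            {"name": "drupal-data", "mountPath": "/drupal-data"},
        ]},
    ]
}

def effective_mount(mounts, path):
    """Return the mount governing `path`: the longest mountPath that is a prefix of it."""
    best, best_len = None, -1
    for m in mounts:
        mp = posixpath.normpath(m["mountPath"])
        # Match on whole path components so /drupal-data/mod does not cover .../modules.
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > best_len:
                best, best_len = m, len(mp)
    return best

def writable_paths(pod):
    """Map container name -> protected paths that container can still write to."""
    report = {}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        hits = []
        for path in PROTECTED:
            m = effective_mount(c.get("volumeMounts", []), path)
            # No governing mount: the path is not on the PV in this container.
            if m is not None and not m.get("readOnly", False):
                hits.append(path)
        if hits:
            report[c["name"]] = hits
    return report

if __name__ == "__main__":
    for name, paths in writable_paths(SAMPLE_POD).items():
        print(f"{name}: writable {', '.join(paths)}")
```

On the sample, webdav is reported for /drupal-data/themes only, and php-fpm for both paths, which matches the proposal's note that php-fpm access keeps full CRUD.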