Migration commit; fresh start

.gitignore

@@ -0,0 +1,2 @@
+.vagrant
+*.log

LICENSE

@@ -1,4 +1,4 @@
-MIT License Copyright (c) <year> <copyright holders>
+MIT License Copyright (c) 2021 "Stichting Disroot.org"
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Playbooks/privatebin.yml

@@ -0,0 +1,10 @@
+---
+
+- hosts: privatebin
+  roles:
+    - nginx
+    - php-fpm
+    - privatebin
+
+  vars_files:
+    - ../defaults/main.yml

README.md

@@ -1,4 +1,24 @@
-# privatebin
+# PrivateBin - Ansible Role
+This role covers deployment, configuration and software updates of PrivateBin. This role is released under MIT Licence and we give no warranty for this piece of software. Currently supported OS - Debian.
 
-Ansible role that installs, updates and configures Privatebin - zero knowledge paste bin
-https://privatebin.info/
+You can deploy test instance using `Vagrantfile` attached to the role.
+
+However, to have this role working with Vagrant, you have to get a self-signed certificate. To do so, simply change the var `privatebin_selfsigned` from `false` to `true`.
+
+Then simply:
+`vagrant up`
+
+`ansible-playbook -b Playbooks/privatebin.yml`
+
+Then you can access PrivateBin from your computer on https://192.168.33.12
+
+
+## Playbook
+The playbook includes php-fpm and nginx role and deploys entire stack needed to run PrivateBin. Additional roles are also available in the Ansible roles repos in git.
+
+
+
+## CHANGELOG
+ - **05.04.2021** - Improve readme + add Licence + bump to 1.3.5
+ - **22.11.2020** - Make it ready for public release
+     - improve readme file

Vagrantfile

@@ -0,0 +1,20 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  #config.ssh.insert_key = false
+  config.vm.define "privatebin" do |privatebin|
+    privatebin.vm.box = "generic/debian10"
+    privatebin.vm.provider :libvirt do |libvirt|
+      libvirt.memory = 256
+    end
+    privatebin.vm.network "forwarded_port", guest: 80, host: 8888, host_ip: "192.168.33.12"
+    privatebin.vm.network "forwarded_port", guest: 443, host: 4443, host_ip: "192.168.33.12"
+    privatebin.vm.network "private_network", ip: "192.168.33.12"
+
+end
+end

defaults/main.yml

@@ -0,0 +1,93 @@
+---
+
+#PRIVATE BIN VARIABLES
+privatebin_version: '1.3.5'
+privatebin_app_dir: '/var/www/privatebin'
+privatebin_user: 'www-data'
+privatebin_group: 'www-data'
+#PRIVATE BIN CONFIG VARS
+#[main]
+privatebin_name: 'PrivateBin'
+privatebin_info: 'More information on the <a href=\"https://privatebin.info/\">project page</a>.'
+privatebin_highlight_theme: 'sons-of-obsidian'
+privatebin_theme: 'bootstrap-dark'
+privatebin_sizelimit: '2097152'
+privatebin_alt_path: ''
+privatebin_defaultlang: 'en'
+privatebin_qrcode: 'true'
+privatebin_project_name: 'PrivateBin'
+privatebin_discussion: 'true'
+privatebin_opendiscussion: 'false'
+privatebin_password: 'true'
+privatebin_fileupload: 'false'
+privatebin_burnafterreadingselected: 'false'
+privatebin_defaultformatter: 'plaintext'
+privatebin_zerobincompatibility: 'false'
+privatebin_notice: ""
+privatebin_language_selection: 'true'
+privatebin_ip_icon: 'none'
+privatebin_compression: 'zlib'
+#[expire]
+privatebin_expire_default: '1week'
+privatebin_purge_limit: '300'
+privatebin_purge_batchsize: '10'
+#[traffic]
+privatebin_data_dir: '/srv/test'
+privatebin_ratelimit: '10'
+privatebin_header: 'X_FORWARDED_FOR'
+privatebin_pkgs:
+  - build-essential
+  - libsodium-dev
+  - libmcrypt-dev
+  - links
+
+#PHP Vars
+php_version: '8.0'
+php_etc_path: '/etc/php'
+install_php: 'true'
+pool_listen: '/var/run/php/php{{ php_version }}-fpm.sock'
+
+php_pkgs:
+  - php{{ php_version }}-fpm
+  - php{{ php_version }}-bz2
+  - php{{ php_version }}-cgi
+  - php{{ php_version }}-cli
+  - php{{ php_version }}-common
+  - php{{ php_version }}-curl
+  - php{{ php_version }}-dev
+  - php{{ php_version }}-enchant
+  - php{{ php_version }}-gd
+  - php{{ php_version }}-gmp
+  - php{{ php_version }}-igbinary
+  - php{{ php_version }}-interbase
+  - php{{ php_version }}-intl
+  - php{{ php_version }}-mbstring
+  - php{{ php_version }}-msgpack
+  - php{{ php_version }}-pspell
+  - php{{ php_version }}-readline
+  - php{{ php_version }}-zip
+
+#nginx vhosts
+nginx_default_vhost: 'privatebin'
+nginx_default_vhost_ssl: 'privatebin'
+nginx_www_dir: '/var/www/'
+nginx_gen_dh: 'true'
+ssl_src_path: '/etc/letsencrypt/live'
+nginx_vhosts:
+- name: 'privatebin'
+  template: 'privatebin'
+  proto: 'https'
+  listen: '443'
+  root: 'privatebin/PrivateBin-{{ privatebin_version }}'
+  index: 'index.php'
+  ssl_name: 'bin.localhost'
+  selfsigned: 'true'
+  use_access_log: 'false'
+  use_error_log: 'true'
+  nginx_error_log_level: 'warn'
+  upstream_params:
+    - 'fastcgi_pass unix:{{ pool_listen }};'
+    - 'fastcgi_index index.php;'
+    - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
+  state: 'enable'
+  letsencrypt: 'false'

tasks/configure.yml

@@ -0,0 +1,15 @@
+---
+
+ - name: '[Configure] - Deploy index.php'
+   template:
+     src: 'index.php.j2'
+     dest: '{{ privatebin_app_dir }}/PrivateBin-{{ privatebin_version }}/index.php'
+     owner: '{{ privatebin_user }}'
+     group: '{{ privatebin_group }}'
+
+ - name: '[Configure] - Deploy PrivateBin config'
+   template:
+     src: 'cfg/conf.php.j2'
+     dest: '{{ privatebin_app_dir }}/PrivateBin-{{ privatebin_version }}/cfg/conf.php'
+     owner: '{{ privatebin_user }}'
+     group: '{{ privatebin_group }}'

tasks/installapp.yml

@@ -0,0 +1,30 @@
+---
+
+- name: '[Install] - Create app dir'
+  file:
+    path: '{{ privatebin_app_dir }}'
+    state: 'directory'
+    owner: '{{ privatebin_user }}'
+    group: '{{ privatebin_group }}'
+
+- name: '[Install] - Create data store dir'
+  file:
+    path: '{{ privatebin_data_dir }}'
+    state: 'directory'
+    owner: '{{ privatebin_user }}'
+    group: '{{ privatebin_group }}'
+
+- name: '[Install] - Check if the app is already installed'
+  stat:
+    path: '{{ privatebin_app_dir }}/PrivateBin-{{ privatebin_version }}'
+  register: privatebin_installed
+
+- name: '[Install] - Download PrivateBin release'
+  unarchive:
+    src: 'https://github.com/PrivateBin/PrivateBin/archive/{{ privatebin_version }}.tar.gz'
+    dest: '{{ privatebin_app_dir }}'
+    mode: '0750'
+    owner: '{{ privatebin_user }}'
+    group: '{{ privatebin_group }}'
+    remote_src: yes
+  when: privatebin_installed.stat.exists == false

tasks/installdeps.yml

@@ -0,0 +1,6 @@
+---
+
+- name: '[Deps] - Install Dependencies'
+  apt:
+    name: '{{ privatebin_pkgs }}'
+    update_cache: yes

tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: 'Install dependencies'
+  include: installdeps.yml
+
+- name: 'Install application'
+  include: installapp.yml
+
+- name: 'Configure app'
+  include: configure.yml

templates/cfg/conf.php.j2

@@ -0,0 +1,182 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+name = "{{ privatebin_name }}"
+
+; The full URL, with the domain name and directories that point to the PrivateBin files
+; This URL is essential to allow Opengraph images to be displayed on social networks
+; basepath = ""
+
+; enable or disable the discussion feature, defaults to true
+discussion = {{ privatebin_discussion }}
+
+; preselect the discussion feature, defaults to false
+opendiscussion = {{ privatebin_opendiscussion }}
+
+; enable or disable the password feature, defaults to true
+password = {{ privatebin_password }}
+
+; enable or disable the file upload feature, defaults to false
+fileupload = {{ privatebin_fileupload }}
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = {{ privatebin_burnafterreadingselected }}
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "{{ privatebin_defaultformatter }}"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+syntaxhighlightingtheme = "{{ privatebin_highlight_theme }}"
+
+; size limit per paste or comment in bytes, defaults to 2 Mebibytes
+sizelimit = {{ privatebin_sizelimit }}
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "{{ privatebin_theme }}"
+
+; (optional) info text to display
+info = "{{ privatebin_info }}"
+
+; (optional) notice to display
+notice = {{ privatebin_notice }}
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = {{ privatebin_language_selection }}
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+languagedefault = "{{ privatebin_defaultlang }}"
+
+; (optional) URL shortener address to offer after a new paste is created
+; it is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+qrcode = {{ privatebin_qrcode }}
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might be
+; used to get the IP of a non anonymous comment poster if the server salt is
+; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values: none / vizhash / identicon (default).
+icon = {{ privatebin_ip_icon }}
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use a bootstrap theme, you can remove the allow-popups from the
+;   sandbox restrictions.
+; - By default this disallows to load images from third-party servers, e.g. when
+;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+;   for details.
+; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+;   async functions and display an error if not and for Chrome to enable
+;   webassembly support (used for zlib compression). You can remove it if Chrome
+;   doesn't need to be supported and old browsers don't need to be warned.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+zerobincompatibility = {{ privatebin_zerobincompatibility }}
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+; httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+compression = "{{ privatebin_compression }}"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "{{ privatebin_expire_default }}"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = {{ privatebin_ratelimit }}
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+header = "{{ privatebin_header }}"
+
+; directory to store the traffic limits in
+dir = PATH "{{ privatebin_data_dir }}"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = {{ privatebin_purge_limit }}
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = {{ privatebin_purge_batchsize }}
+
+; directory to store the purge limit in
+dir = PATH "{{ privatebin_data_dir }}"
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "{{ privatebin_data_dir }}"
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_"	; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true	; PDO::ATTR_PERSISTENT

templates/etc/nginx/snippets/self-signed.conf

@@ -0,0 +1,2 @@
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

templates/etc/nginx/snippets/ssl-params.conf

@@ -0,0 +1,21 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;

templates/index.php.j2

@@ -0,0 +1,18 @@
+<?php
+/**
+ * PrivateBin
+ *
+ * a zero-knowledge paste bin
+ *
+ * @link      https://github.com/PrivateBin/PrivateBin
+ * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
+ * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
+ * @version   1.1
+ */
+
+// change this, if your php files and data is outside of your webservers document root
+define('PATH', '{{ privatebin_alt_path }}');
+
+define('PUBLIC_PATH', __DIR__);
+require PATH . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';
+new PrivateBin\Controller;