initial release based on https://github.com/zfuller/privatebin and instructions from https://github.com/PrivateBin/docker-nginx-fpm-alpine

2020-08-24 07:33:12 +00:00 · 2020-08-24 07:33:12 +00:00 · 8f737432d8
parent db66f3cc3a
commit 8f737432d8
5 changed files with 441 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,111 @@
-# ansible-privatebin
-Ansible role to install and configure PrivateBin
+# PrivateBin Role
+
+Role installs and configures [PrivateBin](https://privatebin.info/) docker container.
+
+## Requirements
+
+Need to have an SSL Certificate, geerlingguy.certbot ansible galaxy role can be used to generate a Let's Encrypt SSL for the domain, if one does not already exist.
+
+## Role Variables
+### Task Variables
+```yaml
+private_bin_version: {{ version | default('1.3.4') }}
+private_bin_user: 65534        # UID 65534 https://github.com/PrivateBin/docker-nginx-fpm-alpine
+private_bin_group: 82          # GID 82    https://github.com/PrivateBin/docker-nginx-fpm-alpine
+private_bin_directory: /srv
+```
+
+### conf.php Variables
+These variables are the default ones that are set in the conf.sample.php file from the PrivateBin repo.
+* Variables that are set `true` can be set `false` and vise versa.
+* Variables that are left blank below are commented out in the config by default unless defined.
+More deatils on the Variables here https://github.com/PrivateBin/PrivateBin/wiki/Configuration
+Variables are fed into the [templates/conf.php.j2](templates/conf.php.j2) file
+
+```yaml
+private_bin_main_name:
+private_bin_main_dicussion: "true"
+private_bin_main_opendicussion: "false"
+private_bin_main_password: "true"
+private_bin_main_fileupload: "false"
+private_bin_main_burnafterreadingselected: "false"
+private_bin_main_defaultformatter: plaintext # plaintext, markdown, syntaxhighlighting
+private_bin_main_syntaxhighlightingtheme: # sons-of-obsidian
+private_bin_main_paste_sizelimit: 10485760
+private_bin_main_template: bootstrap-dark # bootstrap, bootstrap-page, bootstrap-dark, bootstrap-dark-page, bootstrap-compact, bootstrap-compact-page, page
+private_bin_main_notice:
+private_bin_main_language_selection: "false"
+private_bin_main_language_default:
+private_bin_main_url_shortener:
+private_bin_main_qrcode: "false"
+private_bin_main_icon: identicon # identicon, vizhash, none
+private_bin_main_cspheader:
+private_bin_main_zerobincompatibility: "false"
+private_bin_main_httpwarning: "true"
+private_bin_main_compression: zlib # none
+private_bin_expire_default: 1week # 5min 10min 1hour 1day 1week 1month 1year never
+
+private_bin_expire_options: # add your own custom expire times
+  - time: $nicename
+    seconds: $seconds
+  - time: $nicename_2
+    seconds: $seconds_2
+
+private_bin_traffic_limit: 10
+private_bin_traffic_header:
+private_bin_traffic_directory: data
+private_bin_purge_limit: 300
+private_bin_batchsize_limit: 10
+private_bin_purge_directory: data
+
+private_bin_model_class: Filesystem # Filesystem, MySql, SQLite
+private_bin_model_fs_option_directory: data
+private_bin_model_mysql_option_dsn:
+private_bin_model_mysql_option_tbl:
+private_bin_model_mysql_option_usr:
+private_bin_model_mysql_option_pwd:
+private_bin_model_mysql_option_opt:
+private_bin_model_sqlite3_option_path:
+private_bin_model_sqlite3_option_usr:
+private_bin_model_sqlite3_option_pwd:
+private_bin_model_sqlite3_option_opt:
+```
+
+## Dependencies
+
+None
+
+## Example Playbook
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+```yaml
+ - hosts: privatebinhost
+   become: true
+   vars:
+     private_bin_version: {{ version | default('1.3.4') }}
+
+     # Set default page name
+     private_bin_main_name: "My Private Bin"
+
+     # different install location than /srv
+     private_bin_directory: /home/webuser/privatebin
+
+     # Set custom expiration times
+     private_bin_expire_options:
+       - time: 1min
+         seconds: 60
+       - time: 5min
+         seconds: 300
+       - time: 15min
+         seconds: 900
+       - time: 1hour
+         seconds: 3600
+   roles:
+     - geerlingguy.docker
+     - stationgroup.privatebin
+```
+
+## License
+
+GPLv2
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,74 @@
+---
+# task variables
+private_bin_repo: https://github.com/PrivateBin/PrivateBin
+#private_bin_version: 1.3.4
+private_bin_archive_format: tar.gz
+private_bin_user: www-data
+private_bin_group: www-data
+private_bin_directory: /var/www/html/privatebin
+
+# conf.php.j2 template variables
+# https://github.com/PrivateBin/PrivateBin/wiki/Configuration
+# https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php
+private_bin_main_name:
+private_bin_main_dicussion: "true"
+private_bin_main_opendicussion: "false"
+private_bin_main_password: "true"
+private_bin_main_fileupload: "false"
+private_bin_main_burnafterreadingselected: "false"
+private_bin_main_defaultformatter: plaintext
+private_bin_main_syntaxhighlightingtheme:
+private_bin_main_paste_sizelimit: 10485760
+private_bin_main_template: bootstrap-dark
+private_bin_main_notice:
+private_bin_main_language_selection: "false"
+private_bin_main_language_default:
+private_bin_main_url_shortener:
+private_bin_main_qrcode: "false"
+private_bin_main_icon: identicon
+private_bin_main_cspheader:
+private_bin_main_zerobincompatibility: "false"
+private_bin_main_httpwarning: "true"
+private_bin_main_compression: zlib
+private_bin_expire_default: 1week
+private_bin_expire_options:
+  - time: 5min
+    seconds: 300
+  - time: 10min
+    seconds: 600
+  - time: 1hour
+    seconds: 3600
+  - time: 1day
+    seconds: 86400
+  - time: 1week
+    seconds: 604800
+  - time: 1month
+    seconds: 2592000
+  - time: 1year
+    seconds: 31536000
+  - time: never
+    seconds: 0
+private_bin_formatter_options:
+  - format: plaintext
+    label: "Plain Text"
+  - format: syntaxhighlighting
+    label: "Source Code"
+  - format: markdown
+    label: "Markdown"
+private_bin_traffic_limit: 10
+private_bin_traffic_header:
+private_bin_traffic_directory: data
+private_bin_purge_limit: 300
+private_bin_batchsize_limit: 10
+private_bin_purge_directory: data
+private_bin_model_class: Filesystem
+private_bin_model_fs_option_directory: data
+private_bin_model_mysql_option_dsn:
+private_bin_model_mysql_option_tbl:
+private_bin_model_mysql_option_usr:
+private_bin_model_mysql_option_pwd:
+private_bin_model_mysql_option_opt:
+private_bin_model_sqlite3_option_path:
+private_bin_model_sqlite3_option_usr:
+private_bin_model_sqlite3_option_pwd:
+private_bin_model_sqlite3_option_opt:
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,15 @@
+galaxy_info:
+  author: zfuller
+  description: Simple role to install and configure PrivateBin on Ubuntu
+  issue_tracker_url: https://github.com/zfuller/privatebin/issues
+  license: GPLv2
+  min_ansible_version: 2.4
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+        - bionic
+  galaxy_tags:
+    - privatebin
+    - pastebin
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,29 @@
+---
+- name: making directories
+  file:
+    path: "{{ private_bin_directory }}/data"
+    state: directory
+    mode: 0750
+    owner: "{{ private_bin_user }}"
+    group: "{{ private_bin_group }}"
+
+- name: making directories
+  file:
+    path: "{{ private_bin_directory }}/cfg"
+    state: directory
+    mode: 0750
+    owner: "{{ private_bin_user }}"
+    group: "{{ private_bin_group }}"
+
+- name: Setting up config file
+  template:
+    src: templates/conf.php.j2
+    dest: "{{ private_bin_directory }}/cfg/conf.php"
+    owner: "{{ private_bin_user }}"
+    group: "{{ private_bin_group }}"
+    mode: 0640
+
+- name: pull and run privatebin docker
+  become: "true"
+  become_user: "root"
+  shell: "/usr/bin/docker run -d --restart='always' --read-only -p 8080:8080 -v {{ private_bin_directory }}/cfg/conf.php:{{ private_bin_directory }}/cfg/conf.php:ro -v {{ private_bin_directory }}/data:{{ private_bin_directory }}/data privatebin/nginx-fpm-alpine:{{ private_bin_version }}"
--- a/templates/conf.php.j2
+++ b/templates/conf.php.j2
@ -0,0 +1,212 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+{% if private_bin_main_name is not none %}
+name = "{{ private_bin_main_name }}"
+{% else %}
+; name = "PrivateBin"
+{% endif %}
+
+; enable or disable the discussion feature, defaults to true
+discussion = {{ private_bin_main_dicussion }}
+
+; preselect the discussion feature, defaults to false
+opendiscussion = {{ private_bin_main_opendicussion }}
+
+; enable or disable the password feature, defaults to true
+password = {{ private_bin_main_password }}
+
+; enable or disable the file upload feature, defaults to false
+fileupload = {{ private_bin_main_fileupload }}
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = {{ private_bin_main_burnafterreadingselected }}
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "{{ private_bin_main_defaultformatter }}"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+{% if private_bin_main_syntaxhighlightingtheme is not none %}
+syntaxhighlightingtheme = "{{ private_bin_main_syntaxhighlightingtheme }}"
+{% else %}
+; syntaxhighlightingtheme = "sons-of-obsidian"
+{% endif %}
+
+; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+sizelimit = {{ private_bin_main_paste_sizelimit }}
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "{{ private_bin_main_template }}"
+
+; (optional) notice to display
+{% if private_bin_main_notice is not none %}
+notice = {{ private_bin_main_notice }}
+{% else %}
+; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+{% endif %}
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = {{ private_bin_main_language_selection }}
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+{% if private_bin_main_language_default is not none %}
+languagedefault = "{{ private_bin_main_language_default }}"
+{% else %}
+; languagedefault = "en"
+{% endif %}
+
+; (optional) URL shortener address to offer after a new paste is created
+; it is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key
+{% if private_bin_main_url_shortener is not none %}
+urlshortener = "{{ private_bin_main_url_shortener }}"
+{% else %}
+; urlshortener = "https://shortener.example.com/api?link="
+{% endif %}
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+qrcode = {{ private_bin_main_qrcode }}
+
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might be
+; used to get the IP of a non anonymous comment poster if the server salt is
+; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values: none / vizhash / identicon (default).
+icon = {{ private_bin_main_icon }}
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use a bootstrap theme, you can remove the allow-popups from the
+;   sandbox restrictions.
+; - By default this disallows to load images from third-party servers, e.g. when
+;   they are embedded in pastes. If you wish to allow that, you can adjust the
+;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+;   for details.
+; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+;   async functions and display an error if not and for Chrome to enable
+;   webassembly support (used for zlib compression). You can remove it if Chrome
+;   doesn't need to be supported and old browsers don't need to be warned.
+{% if private_bin_main_url_shortener is not none %}
+cspheader = {{ private_bin_main_cspheader }}
+{% else %}
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
+{% endif %}
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+zerobincompatibility = {{ private_bin_main_zerobincompatibility }}
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+httpwarning = {{ private_bin_main_httpwarning }}
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: none / zlib (default).
+compression = {{ private_bin_main_compression }}
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "{{ private_bin_expire_default }}"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+{% for expiretime in private_bin_expire_options %}
+{{ expiretime.time }} = {{ expiretime.seconds }}
+{% endfor %}
+
+[formatter_options]
+; Set available formatters, their order and their labels
+{% for format in private_bin_formatter_options %}
+{{ format.format }} = "{{ format.label }}"
+{% endfor %}
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = {{ private_bin_traffic_limit }}
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+{% if private_bin_traffic_header is not none %}
+header = "{{ private_bin_traffic_header }}"
+{% else %}
+; header = "X_FORWARDED_FOR"
+{% endif %}
+
+; directory to store the traffic limits in
+dir = PATH "{{ private_bin_traffic_directory }}"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = {{ private_bin_purge_limit }}
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = {{ private_bin_batchsize_limit }}
+
+; directory to store the purge limit in
+dir = PATH "{{ private_bin_purge_directory }}"
+
+{% if private_bin_model_class == "Filesystem" and private_bin_model_fs_option_directory is not none %}
+
+[model]
+class = Filesystem
+[model_options]
+dir = PATH "{{ private_bin_model_fs_option_directory }}"
+
+{% elif private_bin_model_class == "MySql" and
+private_bin_model_mysql_option_dsn is not none and
+private_bin_model_mysql_option_tbl is not none and
+private_bin_model_mysql_option_usr is not none and
+private_bin_model_mysql_option_pwd %}}
+
+[model]
+class = Database
+[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+dsn = "{{ private_bin_model_mysql_option_dsn }}"
+tbl = "{{ private_bin_model_mysql_option_tbl }}" ; table prefix
+usr = "{{ private_bin_model_mysql_option_usr }}"
+pwd = "{{ private_bin_model_mysql_option_pwd }}"
+opt[12] = {{ private_bin_model_mysql_option_opt }} ; PDO::ATTR_PERSISTENT
+
+{% elif private_bin_model_class == "SQLite" and
+private_bin_model_sqlite3_option_dsn is not none and
+private_bin_model_sqlite3_option_path is not none and
+private_bin_model_sqlite3_option_usr is not none and
+private_bin_model_sqlite3_option_pwd is not none and
+private_bin_model_sqlite3_option_opt %}
+
+[model]
+class = Database
+[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+dsn = "sqlite:" PATH "{{ private_bin_model_sqlite3_option_path }}"
+usr = {{ private_bin_model_sqlite3_option_usr }}
+pwd = {{ private_bin_model_sqlite3_option_pwd }}
+opt[12] = {{ private_bin_model_sqlite3_option_opt }} ; PDO::ATTR_PERSISTENT
+{% endif %}