From 178ca6b2c439fe8ee61abb19a9952240ac038da2 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 19 Sep 2021 19:29:05 +0100 Subject: [PATCH] Add privatebin config Disable super long expirations, among other things --- ansible/roles/privatebin/files/config.ini | 185 ++++++++++++++++++ .../roles/privatebin/files/docker-compose.yml | 1 + ansible/roles/privatebin/tasks/main.yml | 9 + 3 files changed, 195 insertions(+) create mode 100644 ansible/roles/privatebin/files/config.ini diff --git a/ansible/roles/privatebin/files/config.ini b/ansible/roles/privatebin/files/config.ini new file mode 100644 index 0000000..6b77598 --- /dev/null +++ b/ansible/roles/privatebin/files/config.ini @@ -0,0 +1,185 @@ +;project page." + +; (optional) notice to display +;notice = "Kittens will die if you abuse this service." + +; by default PrivateBin will guess the visitors language based on the browsers +; settings. Optionally you can enable the language selection menu, which uses +; a session cookie to store the choice until the browser is closed. +languageselection = false + +; set the language your installs defaults to, defaults to English +; if this is set and language selection is disabled, this will be the only language +; languagedefault = "en" + +; (optional) URL shortener address to offer after a new paste is created +; it is suggested to only use this with self-hosted shorteners as this will leak +; the pastes encryption key +; urlshortener = "https://shortener.example.com/api?link=" + +; (optional) Let users create a QR code for sharing the paste URL with one click. +; It works both when a new paste is created and when you view a paste. +qrcode = true + +; (optional) IP based icons are a weak mechanism to detect if a comment was from +; a different user when the same username was used in a comment. It might be +; used to get the IP of a non anonymous comment poster if the server salt is +; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs. +; Can be set to one these values: "none" / "vizhash" / "identicon" (default). +; icon = "none" + +; Content Security Policy headers allow a website to restrict what sources are +; allowed to be accessed in its context. You need to change this if you added +; custom scripts from third-party domains to your templates, e.g. tracking +; scripts or run your site behind certain DDoS-protection services. +; Check the documentation at https://content-security-policy.com/ +; Notes: +; - If you use a bootstrap theme, you can remove the allow-popups from the +; sandbox restrictions. +; - By default this disallows to load images from third-party servers, e.g. when +; they are embedded in pastes. If you wish to allow that, you can adjust the +; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images +; for details. +; - The 'unsafe-eval' is used in two cases; to check if the browser supports +; async functions and display an error if not and for Chrome to enable +; webassembly support (used for zlib compression). You can remove it if Chrome +; doesn't need to be supported and old browsers don't need to be warned. +; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads" + +; stay compatible with PrivateBin Alpha 0.19, less secure +; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of +; sha256 in HMAC for the deletion token +; zerobincompatibility = false + +; Enable or disable the warning message when the site is served over an insecure +; connection (insecure HTTP instead of HTTPS), defaults to true. +; Secure transport methods like Tor and I2P domains are automatically whitelisted. +; It is **strongly discouraged** to disable this. +; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information. +; httpwarning = true + +; Pick compression algorithm or disable it. Only applies to pastes/comments +; created after changing the setting. +; Can be set to one these values: "none" / "zlib" (default). +; compression = "zlib" + +[expire] +; expire value that is selected per default +; make sure the value exists in [expire_options] +default = "1week" + +[expire_options] +; Set each one of these to the number of seconds in the expiration period, +; or 0 if it should never expire +5min = 300 +10min = 600 +1hour = 3600 +1day = 86400 +1week = 604800 +1month = 2592000 + +[formatter_options] +; Set available formatters, their order and their labels +plaintext = "Plain Text" +syntaxhighlighting = "Source Code" +markdown = "Markdown" + +[traffic] +; time limit between calls from the same IP address in seconds +; Set this to 0 to disable rate limiting. +limit = 10 + +; Set ips (v4|v6) which should be exempted for the rate-limit. CIDR also supported. Needed to be comma separated. +; Unset for enabling and invalid values will be ignored +; eg: exemptedIp = '1.2.3.4,10.10.10/24' + +; (optional) if your website runs behind a reverse proxy or load balancer, +; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR +; header = "X_FORWARDED_FOR" + +[purge] +; minimum time limit between two purgings of expired pastes, it is only +; triggered when pastes are created +; Set this to 0 to run a purge every time a paste is created. +limit = 300 + +; maximum amount of expired pastes to delete in one purge +; Set this to 0 to disable purging. Set it higher, if you are running a large +; site +batchsize = 10 + +[model] +; name of data model class to load and directory for storage +; the default model "Filesystem" stores everything in the filesystem +class = Filesystem +[model_options] +dir = PATH "data" + +;[model] +; example of a Google Cloud Storage configuration +;class = GoogleCloudStorage +;[model_options] +;bucket = "my-private-bin" +;prefix = "pastes" + +;[model] +; example of DB configuration for MySQL +;class = Database +;[model_options] +;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8" +;tbl = "privatebin_" ; table prefix +;usr = "privatebin" +;pwd = "Z3r0P4ss" +;opt[12] = true ; PDO::ATTR_PERSISTENT + +;[model] +; example of DB configuration for SQLite +;class = Database +;[model_options] +;dsn = "sqlite:" PATH "data/db.sq3" +;usr = null +;pwd = null +;opt[12] = true ; PDO::ATTR_PERSISTENT diff --git a/ansible/roles/privatebin/files/docker-compose.yml b/ansible/roles/privatebin/files/docker-compose.yml index 4c471ac..9dd8c2e 100644 --- a/ansible/roles/privatebin/files/docker-compose.yml +++ b/ansible/roles/privatebin/files/docker-compose.yml @@ -7,6 +7,7 @@ services: - TZ={{ TZ }} volumes: - "{{ app_data_dir }}/privatebin/:/srv/data" + - "{{ app_data_dir }}/privatebin/conf.php:/srv/cfg/conf.php:ro" restart: unless-stopped labels: - traefik.enable=true diff --git a/ansible/roles/privatebin/tasks/main.yml b/ansible/roles/privatebin/tasks/main.yml index b487fd4..a2a631c 100644 --- a/ansible/roles/privatebin/tasks/main.yml +++ b/ansible/roles/privatebin/tasks/main.yml @@ -15,3 +15,12 @@ validate: docker-compose -f %s config notify: restart privatebin become: true + +- name: Install config file + template: + src: files/config.ini + dest: "{{ app_data_dir }}/privatebin/conf.php" # Yes, really + mode: "{{ docker_compose_file_mask }}" + owner: "{{ docker_user.name }}" + notify: restart privatebin + become: true