From 83935a86499124818ad619a174ed2e95fc5e7a88 Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen <jesper@graffen.dk>
Date: Wed, 13 Feb 2019 08:50:42 +0100
Subject: [PATCH 1/5] Add privatebin service

---
 roles/docker/defaults/main.yml             |  3 +++
 roles/docker/tasks/services/privatebin.yml | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 roles/docker/tasks/services/privatebin.yml

diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 804536a..e5bfd45 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -21,3 +21,6 @@ matrix:
 
 riot:
   domain: "riot.{{ base_domain }}"
+
+privatebin:
+  domain: "paste.{{ base_domain }}"
diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml
new file mode 100644
index 0000000..db1869c
--- /dev/null
+++ b/roles/docker/tasks/services/privatebin.yml
@@ -0,0 +1,18 @@
+---
+- name: privatebin volume
+  docker_volume:
+    name: privatebin
+
+- name: privatebin app container
+  docker_container:
+    name: privatebin
+    image: jgeusebroek/privatebin:latest
+    restart_policy: unless_stopped
+    volumes:
+      - privatebin:/privatebin
+    networks:
+      - name: external_services
+    env:
+      VIRTUAL_HOST: "{{ privatebin.domain }}"
+      LETSENCRYPT_HOST: "{{ privatebin.domain }}"
+      LETSENCRYPT_EMAIL: "{{ letsencrypt_email }}"

From 7a1e2c4b02c5c218962c267f7af3edfdb3c42c23 Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen <jesper@graffen.dk>
Date: Wed, 13 Feb 2019 08:54:05 +0100
Subject: [PATCH 2/5] Fix typo

---
 roles/docker/tasks/services/privatebin.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml
index db1869c..b60755e 100644
--- a/roles/docker/tasks/services/privatebin.yml
+++ b/roles/docker/tasks/services/privatebin.yml
@@ -7,7 +7,7 @@
   docker_container:
     name: privatebin
     image: jgeusebroek/privatebin:latest
-    restart_policy: unless_stopped
+    restart_policy: unless-stopped
     volumes:
       - privatebin:/privatebin
     networks:

From d9921adae08198bc01371f4d5521fc6d6bd00b32 Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen <jesper@graffen.dk>
Date: Wed, 13 Feb 2019 10:04:22 +0100
Subject: [PATCH 3/5] Add /docker-volumes folder structure for bind mounts

---
 group_vars/all/vars.yml        | 2 ++
 roles/docker/defaults/main.yml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 9edd0c2..578c45e 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -13,3 +13,5 @@ users:
     password: $6$qt3G.E.CxhC$OwBDn4rZUbCz06HLEMBHjgvKjxiv/eeerbklTHi.gpHIn1OejzX3k2.0NM0Dforaw6Yn5Y8Cgn8kL2FdbQLZ3/
     groups:
       - sudo
+
+volume_root_folder: "/docker-volumes"
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index e5bfd45..3670b6b 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -24,3 +24,4 @@ riot:
 
 privatebin:
   domain: "paste.{{ base_domain }}"
+  volume_folder: "{{ volume_root_folder}}/privatebin"

From ca183eaf4dca054781f5119648a564785f08287e Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen <jesper@graffen.dk>
Date: Wed, 13 Feb 2019 10:04:40 +0100
Subject: [PATCH 4/5] Add privatebin config file

---
 .../docker/files/configs/privatebin-conf.php  | 154 ++++++++++++++++++
 1 file changed, 154 insertions(+)
 create mode 100644 roles/docker/files/configs/privatebin-conf.php

diff --git a/roles/docker/files/configs/privatebin-conf.php b/roles/docker/files/configs/privatebin-conf.php
new file mode 100644
index 0000000..039c2c0
--- /dev/null
+++ b/roles/docker/files/configs/privatebin-conf.php
@@ -0,0 +1,154 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+name = "paste.data.coop"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the password feature, defaults to true
+password = true
+
+; enable or disable the file upload feature, defaults to false
+fileupload = true
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 2 Mebibytes
+sizelimit = 2097152
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "bootstrap"
+
+; (optional) notice to display
+; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+; languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created
+; it is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+; qrcode = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might be
+; used to get the IP of a non anonymous comment poster if the server salt is
+; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values: none / vizhash / identicon (default).
+; icon = none
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
+; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; media-src data:; object-src data:; Referrer-Policy: 'no-referrer'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+zerobincompatibility = false
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1day"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+header = "X_FORWARDED_FOR"
+
+; directory to store the traffic limits in
+dir = PATH "data"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+; directory to store the purge limit in
+dir = PATH "data"
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_"	; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true	  ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true	; PDO::ATTR_PERSISTENT

From 26792454f41335af82d6403d71319bb9948bfe27 Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen <jesper@graffen.dk>
Date: Wed, 13 Feb 2019 10:05:00 +0100
Subject: [PATCH 5/5] Finalise privatebin service setup

---
 roles/docker/tasks/main.yml                |  5 +++++
 roles/docker/tasks/services/privatebin.yml | 19 +++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index f4183ac..a54eaa1 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -22,6 +22,11 @@
     name: "docker-compose"
     state: present
 
+- name: create folder structure for bind mounts
+  file:
+    name: "{{ volume_root_folder }}"
+    state: directory
+
 - name: setup services
   import_tasks: services.yml
   tags:
diff --git a/roles/docker/tasks/services/privatebin.yml b/roles/docker/tasks/services/privatebin.yml
index b60755e..d6ab54b 100644
--- a/roles/docker/tasks/services/privatebin.yml
+++ b/roles/docker/tasks/services/privatebin.yml
@@ -1,7 +1,17 @@
 ---
-- name: privatebin volume
-  docker_volume:
-    name: privatebin
+
+- name: create privatebin volume folders
+  file:
+    name: "{{ privatebin.volume_folder }}/{{ item }}"
+    state: directory
+  with_items:
+    - cfg
+    - data
+
+- name: upload privatebin config
+  template:
+    src: files/configs/privatebin-conf.php
+    dest: "{{ privatebin.volume_folder }}/cfg/conf.php"
 
 - name: privatebin app container
   docker_container:
@@ -9,7 +19,8 @@
     image: jgeusebroek/privatebin:latest
     restart_policy: unless-stopped
     volumes:
-      - privatebin:/privatebin
+      - "{{ privatebin.volume_folder }}/cfg:/privatebin/cfg"
+      - "{{ privatebin.volume_folder }}/data:/privatebin/data"
     networks:
       - name: external_services
     env: