authorterminaldweller <thabogre@gmail.com>2023-01-04 05:29:55 +0000
committerterminaldweller <thabogre@gmail.com>2023-01-04 05:29:55 +0000
commit0775e0c9f094bcba05284bc73b336151cf6a9e51 (patch)
treeaeefb0fe6f79a394d8f4c8b2683b328f0dcad38c /terminaldweller.com
parentupdate (diff)
update
Diffstat (limited to '')
-rw-r--r--terminaldweller.com/haproxy/haproxy.cfg11
-rw-r--r--terminaldweller.com/privatebin/conf.php248
-rw-r--r--terminaldweller.com/privatebin/docker-compose.yaml38
-rw-r--r--terminaldweller.com/privatebin/nginx.conf40
4 files changed, 337 insertions, 0 deletions
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index feee75c..57f79f4 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -48,6 +48,7 @@ frontend http
acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
acl main-host hdr_sub(host) -i terminaldweller.com
acl doh2-host hdr_sub(shost) -i doh2.terminaldweller.com
+ acl pastebin-host hdr_sub(shost) -i pastebin.terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
acl http ssl_fc,not
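Review bot: The added `acl pastebin-host hdr_sub(shost) -i pastebin.terminaldweller.com` tests a request header literally named `shost`, which ordinary clients never send, so this ACL (like the `doh2-host` line it was copied from) should never match, and the `http-request redirect` and `use_backend ... letsencrypt-acl pastebin-host` rules added in the next two hunks never fire for it — unless something upstream injects such a header. The `host` fetch used by the neighbouring lines is the intended one: `acl pastebin-host hdr_sub(host) -i pastebin.terminaldweller.com`. Note also that `main-host` on the line above is a substring match on `terminaldweller.com`, so it already covers the pastebin subdomain and its redirect and certbot `use_backend` rules are evaluated first; the new pastebin rules in the HTTP frontend are shadowed either way, which is harmless today but will surprise anyone who later routes pastebin's ACME traffic to a different backend.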
@@ -69,6 +70,7 @@ frontend http
http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl
+ http-request redirect scheme https code 301 if http pastebin-host !letsencrypt-acl
#Conditions
use_backend blog-backend-cert if letsencrypt-acl blog-host
@@ -84,6 +86,7 @@ frontend http
use_backend searx-backend-cert if letsencrypt-acl cargo-host
use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
use_backend searx-backend-cert if letsencrypt-acl main-host
+ use_backend searx-backend-cert if letsencrypt-acl pastebin-host
use_backend doh2-backend-cert if letsencrypt-acl doh2-host
# use_backend editor-backend-cert if letsencrypt-acl editor-host
use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
@@ -121,6 +124,7 @@ frontend https
acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
acl main-host-s req.ssl_sni -i terminaldweller.com
acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
+ acl pastebin-host-s req.ssl_sni -i pastebin.terminaldweller.com
#Conditions
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
@@ -138,6 +142,7 @@ frontend https
use_backend browsh-backend-s if browsh-host-s
use_backend main-backend-s if main-host-s
use_backend doh2-backend-s if doh2-host-s
+ use_backend pastebin-backend-s if pastebin-host-s
#frontend jabber5222
# bind *:5222
@@ -412,7 +417,13 @@ backend main-backend-s
backend doh2-backend-cert
mode http
server doh2-backend-host 185.130.47.81:80
+
backend doh2-backend-s
mode tcp
option tcp-check
server doh2-backend-s 185.130.47.81:443
+
+backend pastebin-backend-s
+ mode tcp
+ option tcp-check
+ server main-host-s 185.130.47.208:3010
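Review bot: The server in the new `pastebin-backend-s` block is named `main-host-s`, a copy-paste leftover from the main backend that will appear under the wrong name in stats and logs; the sibling `doh2-backend-s` names its server after the backend, so use `server pastebin-backend-s 185.130.47.208:3010`. Also, `option tcp-check` only selects the check type — no health check runs unless the server line carries `check` (the `doh2-backend-s` block above has the same gap), so a dead upstream on 3010 would not be detected and connections would still be routed to it. If checks are wanted: `server pastebin-backend-s 185.130.47.208:3010 check`.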
diff --git a/terminaldweller.com/privatebin/conf.php b/terminaldweller.com/privatebin/conf.php
new file mode 100644
index 0000000..3ffefab
--- /dev/null
+++ b/terminaldweller.com/privatebin/conf.php
@@ -0,0 +1,248 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+; name = "PrivateBin"
+
+; The full URL, with the domain name and directories that point to the
+; PrivateBin files, including an ending slash (/). This URL is essential to
+; allow Opengraph images to be displayed on social networks.
+basepath = "https://privatebin.terminaldweller.com/"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the password feature, defaults to true
+password = true // pragma: allowlist secret
+
+; enable or disable the file upload feature, defaults to false
+fileupload = false
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+sizelimit = 10485760
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "bootstrap"
+
+; (optional) info text to display
+; use single, instead of double quotes for HTML attributes
+;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
+
+; (optional) notice to display
+notice = "Note: This is an ephemeral service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created.
+; It is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key.
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+qrcode = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might get
+; used to get the IP of a comment poster if the server salt is leaked and a
+; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values:
+; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+; icon = "none"
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use a bootstrap theme, you can remove the allow-popups from the
+; sandbox restrictions.
+; - By default this disallows to load images from third-party servers, e.g. when
+; they are embedded in pastes. If you wish to allow that, you can adjust the
+; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+; for details.
+; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+; async functions and display an error if not and for Chrome to enable
+; webassembly support (used for zlib compression). You can remove it if Chrome
+; doesn't need to be supported and old browsers don't need to be warned.
+cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+; zerobincompatibility = false
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+compression = "zlib"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1week"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
+
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create pastes.
+; creators = "1.2.3.4,10.10.10/24"
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+;[model]
+; example of a Google Cloud Storage configuration
+;class = GoogleCloudStorage
+;[model_options]
+;bucket = "my-private-bin"
+;prefix = "pastes"
+;uniformacl = false
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_" ; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for PostgreSQL
+;class = Database
+;[model_options]
+;dsn = "pgsql:host=localhost;dbname=privatebin"
+;tbl = "privatebin_" ; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of S3 configuration for Rados gateway / CEPH
+;class = S3Storage
+;[model_options]
+;region = ""
+;version = "2006-03-01"
+;endpoint = "https://s3.my-ceph.invalid"
+;use_path_style_endpoint = true
+;bucket = "my-bucket"
+;accesskey = "my-rados-user"
+;secretkey = "my-rados-pass"
+
+;[model]
+; example of S3 configuration for AWS
+;class = S3Storage
+;[model_options]
+;region = "eu-central-1"
+;version = "latest"
+;bucket = "my-bucket"
+;accesskey = "access key id"
+;secretkey = "secret access key"
+
+[yourls]
+; When using YOURLS as a "urlshortener" config item:
+; - By default, "urlshortener" will point to the YOURLS API URL, with or without
+; credentials, and will be visible in public on the PrivateBin web page.
+; Only use this if you allow short URL creation without credentials.
+; - Alternatively, using the parameters in this section ("signature" and
+; "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
+; instance with "shortenviayourls?link=" appended. For example:
+; urlshortener = "${basepath}shortenviayourls?link="
+; This URL will in turn call YOURLS on the server side, using the URL from
+; "apiurl" and the "access signature" from the "signature" parameters below.
+
+; (optional) the "signature" (access key) issued by YOURLS for the using account
+; signature = ""
+; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
+; apiurl = "https://yourls.example.com/yourls-api.php"
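Review bot: `basepath` on the added line is `https://privatebin.terminaldweller.com/`, but every other file in this commit (the HAProxy ACLs, the certificate mount and the compose service) uses `pastebin.terminaldweller.com`; PrivateBin builds absolute URLs from this value, so generated links and Opengraph references would point at a different host than the one being served — `basepath = "https://pastebin.terminaldweller.com/"`. Separately, `[traffic] limit = 10` keys on the client IP, yet `header` is left commented out while the service sits behind nginx (which sets no `X-Forwarded-For` in the nginx.conf hunk) and a TCP-mode HAProxy, so PHP most likely sees the same address for every visitor and the 10-second limit collapses into one global bucket; uncommenting `header = "X_FORWARDED_FOR"` only helps once nginx adds `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and HAProxy forwards the real client address (for example via the PROXY protocol). Finally, `password = true // pragma: allowlist secret` uses `//`, which is not an INI comment marker; the trailing text probably ends up in the parsed value (truthy, so it works by accident) — write the scanner pragma as `password = true ; pragma: allowlist secret`.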
diff --git a/terminaldweller.com/privatebin/docker-compose.yaml b/terminaldweller.com/privatebin/docker-compose.yaml
new file mode 100644
index 0000000..c6f97e3
--- /dev/null
+++ b/terminaldweller.com/privatebin/docker-compose.yaml
@@ -0,0 +1,38 @@
+version: "3"
+services:
+ privatebin:
+ image: privatebin/nginx-fpm-alpine:stable
+ networks:
+ - privatebinnet
+ ports:
+ - "127.0.0.1:3180:8080"
+ restart: unless-stopped
+ depends_on:
+ - nginx
+ volumes:
+ - ./conf.php:/srv/cfg/conf.php:ro
+ # - privatebin-vault:/srv/data
+ # cap_drop:
+ # - ALL
+ nginx:
+ image: nginx:stable
+ ports:
+ - "3010:443"
+ networks:
+ - privatebinnet
+ restart: unless-stopped
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - SETGID
+ - SETUID
+ - NET_BIND_SERVICE
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - /etc/letsencrypt/archive/pastebin.terminaldweller.com/:/certs/:ro
+networks:
+ privatebinnet:
+volumes:
+ privatebin-vault:
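Review bot: `depends_on` on the `privatebin` service points at `nginx`, but the dependency runs the other way: nginx proxies to `privatebin:8080`, and `proxy_pass` with a literal hostname is resolved when nginx loads its config, so if nginx comes up first it exits on the unresolved upstream and only recovers through `restart: unless-stopped`. Move the clause to the nginx service: `depends_on: - privatebin`. The certificate mount also binds `/etc/letsencrypt/archive/pastebin.terminaldweller.com/`, where certbot writes a new numbered pair (`fullchain2.pem`, …) on every renewal, while nginx.conf pins `fullchain1.pem`/`privkey1.pem`, so the container keeps serving the first certificate after it expires; mounting `/etc/letsencrypt:/etc/letsencrypt:ro` (the `live/` symlinks need `archive/` alongside) and pointing nginx at `live/pastebin.terminaldweller.com/fullchain.pem` and `privkey.pem` tracks renewals, given a reload after each one. The commented-out `cap_drop: - ALL` on `privatebin` also leaves the PHP container with default capabilities while nginx is locked down; worth confirming whether the image runs with it enabled.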
diff --git a/terminaldweller.com/privatebin/nginx.conf b/terminaldweller.com/privatebin/nginx.conf
new file mode 100644
index 0000000..78b0bc5
--- /dev/null
+++ b/terminaldweller.com/privatebin/nginx.conf
@@ -0,0 +1,40 @@
+events {
+ worker_connections 1024;
+}
+http {
+ include /etc/nginx/mime.types;
+ server_tokens off;
+ limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+ server {
+ listen 443 ssl;
+ keepalive_timeout 60;
+ charset utf-8;
+ ssl_certificate /certs/fullchain1.pem;
+ ssl_certificate_key /certs/privkey1.pem;
+ ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_protocols TLSv1.3;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ # sendfile on;
+ tcp_nopush on;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ # add_header Permissions-Policy "geolocation=(self),midi=(self),sync-xhr=(self),microphone=(self),camera=(self),magnetometer=(self),gyroscope=(self),fullscreen=(self),payment=(self),usb=(self)";
+ add_header Referrer-Policy "no-referrer";
+ fastcgi_hide_header X-Powered-By;
+ # resolver 9.9.9.9 208.67.222.222;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ ssl_trusted_certificate /certs/cert1.pem;
+
+ error_page 401 403 404 /404.html;
+ location / {
+ proxy_pass http://privatebin:8080;
+ }
+ }
+}
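Review bot: `limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;` defines a zone that nothing applies — there is no `limit_req` in the `server` or `location /` block — so the nginx-side rate limit is a no-op; if it is intended, add `limit_req zone=one burst=10 nodelay;` inside `location /`, bearing in mind that with HAProxy in TCP mode in front, `$binary_remote_addr` is probably HAProxy's address for every client and the zone would throttle all visitors together. The `add_header` lines are inconsistent: `X-Content-Type-Options`, `Strict-Transport-Security`, `X-Frame-Options` and `X-XSS-Protection` carry `always`, but `Content-Security-Policy` and `Referrer-Policy` do not, so those two are dropped on 4xx/5xx responses including the `error_page` ones; since PrivateBin already emits the identical policy from `cspheader` in conf.php, either remove the nginx copy or append `always` to both. `ssl_trusted_certificate /certs/cert1.pem;` names the leaf certificate and is only consulted for OCSP stapling, which is commented out directly above, so it is dead configuration as written. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and whose filter was a source of problems in older ones; the usual recommendation now is to omit it or send `0`.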