From 96daffc9798c8afcae5de49b386cb8483909f071 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:01:00 +0100
Subject: Add privatebin profile+role

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 salt/profile/privatebin/init.sls | 55 ++++++++++++++++++++++++++++++++++++++++
 salt/role/privatebin.sls         |  4 +++
 2 files changed, 59 insertions(+)
 create mode 100644 salt/profile/privatebin/init.sls
 create mode 100644 salt/role/privatebin.sls

diff --git a/salt/profile/privatebin/init.sls b/salt/profile/privatebin/init.sls
new file mode 100644
index 0000000..7b9c036
--- /dev/null
+++ b/salt/profile/privatebin/init.sls
@@ -0,0 +1,55 @@
+{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
+{%- set confdir = '/etc/PrivateBin' -%}
+{%- set configfile = confdir ~ '/conf.php' -%}
+
+privatebin_packages:
+  pkg.installed:
+    - names:
+      - PrivateBin-config-httpd
+
+privatebin_clean:
+  file.directory:
+    - name: {{ confdir }}
+    - clean: True
+    - onchanges:
+      - pkg: privatebin_packages
+    - require:
+      - pkg: privatebin_packages
+
+{%- if mypillar | length %}
+{{ configfile }}:
+  ini.options_present:
+    - separator: '='
+    - strict: True
+    - sections:
+        {%- macro conf(section, options) %}
+        {%- for option in options.keys() -%}
+        {%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
+        {%- set value = mypillar[section][option] -%}
+        {%- else %}
+        {%- set value = mypillar[section][option] | quote -%}
+        {%- endif %}
+          {{ option }}: {{ value }}
+        {%- endfor -%}
+        {%- endmacro %}
+        {%- for section, options in mypillar.items() %}
+        {{ section }}:
+          {{ conf(section, options) }}
+        {%- endfor %}
+    - require:
+      - pkg: privatebin_packages
+    - watch:
+      - file: privatebin_clean
+    - watch_in:
+      - file: privatebin_permissions
+{%- endif %}
+
+privatebin_permissions:
+  file.managed:
+    - mode: '0640'
+    - user: wwwrun
+    - group: privatebin
+    - names:
+      - {{ configfile }}
+    - require:
+      - pkg: privatebin_packages
diff --git a/salt/role/privatebin.sls b/salt/role/privatebin.sls
new file mode 100644
index 0000000..ec8581d
--- /dev/null
+++ b/salt/role/privatebin.sls
@@ -0,0 +1,4 @@
+include:
+  - role.web.apache-httpd
+  - profile.privatebin
+  - php.fpm
-- 
cgit v1.2.3


From bf3aaa5ff112840a0d89b7df7bd8b85a45842eb0 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:01:17 +0100
Subject: id.themis: import PrivateBin configuration

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/id/themis_lysergic_dev.sls | 42 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 0773f4f..81538e9 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -75,3 +75,45 @@ profile:
     saml2_group_attribute: groups
     saml2_remove_from_groups: true
     queue_connection: database
+
+  privatebin:
+    main:
+      name: Bin
+      fileupload: true
+      syntaxhighlightingtheme: sons-of-obsidian
+      sizelimit: 310485760
+      notice: 'Note: Kittens will die if you abuse this service.'
+      languageselection: true
+      urlshortener: ${'secret_privatebin:main:urlshortener'}
+      qrcode: true
+    expire:
+      default: 1week
+    expire_options:
+      5min: 300
+      10min: 600
+      1hour: 3600
+      1day: 86400
+      1week: 604800
+      1month: 2592000
+      1year: 31536000
+      never: 0
+    formatter_options:
+      plaintext: Plain Text
+      syntaxhighlighting: Source Code
+      markdown: Markdown
+    traffic:
+      limit: 10
+      header: X_FORWARDED_FOR
+      dir: /var/lib/PrivateBin/limits
+    purge:
+      limit: 300
+      batchsize: 10
+      dir: /var/lib/PrivateBin/limits
+    model:
+      class: Database
+    model_options:
+      dsn: ${'secret_privatebin:model_options:dsn'}
+      tbl: privatebin_
+      usr: ${'secret_privatebin:model_options:usr'}
+      pwd: ${'secret_privatebin:model_options:pwd'}
+      opt[12]: true
-- 
cgit v1.2.3


From 4ff7a39f0ed24cf279347937f5b96aedfa2e8cce Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Mar 2023 17:21:32 +0100
Subject: id.themis: import PrivateBin httpd vhost

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/id/themis_lysergic_dev.sls | 50 +++++++++++++++++++++++++++++----------
 1 file changed, 37 insertions(+), 13 deletions(-)

diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 81538e9..5decac5 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -1,9 +1,26 @@
+{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
+
+{%- macro httpdformulaexcess() -%}
+      LogLevel: False
+      ErrorLog: False
+      LogFormat: False
+      CustomLog: False
+      ServerAdmin: False
+      ServerAlias: False
+{%- endmacro -%}
+{%- macro httpdcommon(app) -%}
+        Include {{ common['snippetsdir'] }}ssl_themis.conf
+        <FilesMatch '\.php$'>
+          SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
+        </FilesMatch>
+{%- endmacro -%}
+
 apache:
   sites:
     BookStack:
-      interface: '[fd29:8e45:f292:ff80::1]'
-      port: 443
-      ServerName: bookstack.themis.backend.syscid.com
+      interface: '{{ common['address'] }}'
+      port: {{ common['port'] }}
+      ServerName: bookstack{{ common['domain'] }}
       DocumentRoot: /srv/www/BookStack/
       DirectoryIndex: index.php
       Directory:
@@ -21,19 +38,26 @@ apache:
             RewriteCond '%{REQUEST_FILENAME} !-d'
             RewriteCond '%{REQUEST_FILENAME} !-f'
             RewriteCond '^ index.php [L]'
-      LogLevel: False
-      ErrorLog: False
-      LogFormat: False
-      CustomLog: False
-      ServerAdmin: False
-      ServerAlias: False
+      {{ httpdformulaexcess() }}
       Formula_Append: |
-        Include /etc/apache2/snippets.d/ssl_themis.conf
+        {{ httpdcommon('BookStack') }}
         AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
         SetOutputFilter DEFLATE
-        <FilesMatch '\.php$'>
-          SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
-        </FilesMatch>
+
+    PrivateBin:
+      interface: '{{ common['address'] }}'
+      port: {{ common['port'] }}
+      ServerName: privatebin{{ common['domain'] }}
+      DocumentRoot: /srv/www/PrivateBin/public
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/PrivateBin/:
+          Options: false
+          AllowOverride: None
+          Require: all granted
+      {{ httpdformulaexcess() }}
+      Formula_Append: |
+        {{ httpdcommon('PrivateBin') }}
 
 profile:
   bookstack:
-- 
cgit v1.2.3


From f32d814658a3005654b10e28c0827fb2a9302678 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sat, 29 Apr 2023 18:39:30 +0200
Subject: id.themis: import backend firewall rules

Allow HTTPS traffic.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/id/themis_lysergic_dev.sls | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls
index 5decac5..67a7757 100644
--- a/pillar/id/themis_lysergic_dev.sls
+++ b/pillar/id/themis_lysergic_dev.sls
@@ -141,3 +141,9 @@ profile:
       usr: ${'secret_privatebin:model_options:usr'}
       pwd: ${'secret_privatebin:model_options:pwd'}
       opt[12]: true
+
+firewalld:
+  zones:
+    backend:
+      services:
+        - https
-- 
cgit v1.2.3