pillar/id/themis_lysergic_dev.sls

@@ -1,9 +1,26 @@
+{%- set common = {'address': '[fd29:8e45:f292:ff80::1]', 'port': 443, 'domain': '.themis.backend.syscid.com', 'snippetsdir': '/etc/apache2/snippets.d/'} -%}
+
+{%- macro httpdformulaexcess() -%}
+      LogLevel: False
+      ErrorLog: False
+      LogFormat: False
+      CustomLog: False
+      ServerAdmin: False
+      ServerAlias: False
+{%- endmacro -%}
+{%- macro httpdcommon(app) -%}
+        Include {{ common['snippetsdir'] }}ssl_themis.conf
+        <FilesMatch '\.php$'>
+          SetHandler 'proxy:unix:/run/php-fpm/{{ app }}.sock|fcgi://{{ app }}'
+        </FilesMatch>
+{%- endmacro -%}
+
 apache:
   sites:
     BookStack:
-      interface: '[fd29:8e45:f292:ff80::1]'
+      interface: '{{ common['address'] }}'
-      port: 443
+      port: {{ common['port'] }}
-      ServerName: bookstack.themis.backend.syscid.com
+      ServerName: bookstack{{ common['domain'] }}
       DocumentRoot: /srv/www/BookStack/
       DirectoryIndex: index.php
       Directory:
@@ -21,19 +38,26 @@ apache:
             RewriteCond '%{REQUEST_FILENAME} !-d'
             RewriteCond '%{REQUEST_FILENAME} !-f'
             RewriteCond '^ index.php [L]'
-      LogLevel: False
+      {{ httpdformulaexcess() }}
-      ErrorLog: False
-      LogFormat: False
-      CustomLog: False
-      ServerAdmin: False
-      ServerAlias: False
       Formula_Append: |
-        Include /etc/apache2/snippets.d/ssl_themis.conf
+        {{ httpdcommon('BookStack') }}
         AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
         SetOutputFilter DEFLATE
-        <FilesMatch '\.php$'>
+
-          SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
+    PrivateBin:
-        </FilesMatch>
+      interface: '{{ common['address'] }}'
+      port: {{ common['port'] }}
+      ServerName: privatebin{{ common['domain'] }}
+      DocumentRoot: /srv/www/PrivateBin/public
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/PrivateBin/:
+          Options: false
+          AllowOverride: None
+          Require: all granted
+      {{ httpdformulaexcess() }}
+      Formula_Append: |
+        {{ httpdcommon('PrivateBin') }}
 
 profile:
   bookstack:
@@ -75,3 +99,51 @@ profile:
     saml2_group_attribute: groups
     saml2_remove_from_groups: true
     queue_connection: database
+
+  privatebin:
+    main:
+      name: Bin
+      fileupload: true
+      syntaxhighlightingtheme: sons-of-obsidian
+      sizelimit: 310485760
+      notice: 'Note: Kittens will die if you abuse this service.'
+      languageselection: true
+      urlshortener: ${'secret_privatebin:main:urlshortener'}
+      qrcode: true
+    expire:
+      default: 1week
+    expire_options:
+      5min: 300
+      10min: 600
+      1hour: 3600
+      1day: 86400
+      1week: 604800
+      1month: 2592000
+      1year: 31536000
+      never: 0
+    formatter_options:
+      plaintext: Plain Text
+      syntaxhighlighting: Source Code
+      markdown: Markdown
+    traffic:
+      limit: 10
+      header: X_FORWARDED_FOR
+      dir: /var/lib/PrivateBin/limits
+    purge:
+      limit: 300
+      batchsize: 10
+      dir: /var/lib/PrivateBin/limits
+    model:
+      class: Database
+    model_options:
+      dsn: ${'secret_privatebin:model_options:dsn'}
+      tbl: privatebin_
+      usr: ${'secret_privatebin:model_options:usr'}
+      pwd: ${'secret_privatebin:model_options:pwd'}
+      opt[12]: true
+
+firewalld:
+  zones:
+    backend:
+      services:
+        - https

salt/profile/privatebin/init.sls

@@ -0,0 +1,55 @@
+{%- set mypillar = salt['pillar.get']('profile:privatebin', {}) -%}
+{%- set confdir = '/etc/PrivateBin' -%}
+{%- set configfile = confdir ~ '/conf.php' -%}
+
+privatebin_packages:
+  pkg.installed:
+    - names:
+      - PrivateBin-config-httpd
+
+privatebin_clean:
+  file.directory:
+    - name: {{ confdir }}
+    - clean: True
+    - onchanges:
+      - pkg: privatebin_packages
+    - require:
+      - pkg: privatebin_packages
+
+{%- if mypillar | length %}
+{{ configfile }}:
+  ini.options_present:
+    - separator: '='
+    - strict: True
+    - sections:
+        {%- macro conf(section, options) %}
+        {%- for option in options.keys() -%}
+        {%- if mypillar[section][option] is string and mypillar[section][option].startswith('$') or mypillar[section][option] is number %}
+        {%- set value = mypillar[section][option] -%}
+        {%- else %}
+        {%- set value = mypillar[section][option] | quote -%}
+        {%- endif %}
+          {{ option }}: {{ value }}
+        {%- endfor -%}
+        {%- endmacro %}
+        {%- for section, options in mypillar.items() %}
+        {{ section }}:
+          {{ conf(section, options) }}
+        {%- endfor %}
+    - require:
+      - pkg: privatebin_packages
+    - watch:
+      - file: privatebin_clean
+    - watch_in:
+      - file: privatebin_permissions
+{%- endif %}
+
+privatebin_permissions:
+  file.managed:
+    - mode: '0640'
+    - user: wwwrun
+    - group: privatebin
+    - names:
+      - {{ configfile }}
+    - require:
+      - pkg: privatebin_packages

salt/role/privatebin.sls

@@ -0,0 +1,4 @@
+include:
+  - role.web.apache-httpd
+  - profile.privatebin
+  - php.fpm