From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/hastebin/defaults/main.yml | 9 ++
.../lib/hastebin/haste-server/static/index.html | 70 ++++++++++++
roles/hastebin/handlers/main.yml | 4 +
roles/hastebin/tasks/main.yml | 119 +++++++++++++++++++++
.../etc/systemd/system/hastebin.service.j2 | 35 ++++++
.../var/lib/hastebin/haste-server/config.js.j2 | 32 ++++++
roles/hastebin/vars/main.yml | 30 ++++++
7 files changed, 299 insertions(+)
create mode 100644 roles/hastebin/defaults/main.yml
create mode 100644 roles/hastebin/files/var/lib/hastebin/haste-server/static/index.html
create mode 100644 roles/hastebin/handlers/main.yml
create mode 100644 roles/hastebin/tasks/main.yml
create mode 100644 roles/hastebin/templates/etc/systemd/system/hastebin.service.j2
create mode 100644 roles/hastebin/templates/var/lib/hastebin/haste-server/config.js.j2
create mode 100644 roles/hastebin/vars/main.yml
(limited to 'roles/hastebin')
diff --git a/roles/hastebin/defaults/main.yml b/roles/hastebin/defaults/main.yml
new file mode 100644
index 0000000..adbe279
--- /dev/null
+++ b/roles/hastebin/defaults/main.yml
@@ -0,0 +1,9 @@
+hastebin_version: master
+hastebin_server_aliases: []
+hastebin_letsencrypt: no
+hastebin_upload_cidrs: []
+hastebin_port: 8080
+
+hastebin_expire_days: 0
+
+hastebin_user: hastebin
diff --git a/roles/hastebin/files/var/lib/hastebin/haste-server/static/index.html b/roles/hastebin/files/var/lib/hastebin/haste-server/static/index.html
new file mode 100644
index 0000000..e7d71c1
--- /dev/null
+++ b/roles/hastebin/files/var/lib/hastebin/haste-server/static/index.html
@@ -0,0 +1,70 @@
+ + + + + hastebin + + + + + + + + + + + + + + + + + +
+ + +
+ + + + + +
+ +
+ +
+ + + + + +
diff --git a/roles/hastebin/handlers/main.yml b/roles/hastebin/handlers/main.yml
new file mode 100644
index 0000000..2dd7dad
--- /dev/null
+++ b/roles/hastebin/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart hastebin
+ systemd:
+ name: hastebin
+ state: restarted
diff --git a/roles/hastebin/tasks/main.yml b/roles/hastebin/tasks/main.yml
new file mode 100644
index 0000000..75f4cba
--- /dev/null
+++ b/roles/hastebin/tasks/main.yml
@@ -0,0 +1,119 @@
+- name: install packages
+ dnf:
+ name: '{{ hastebin_packages }}'
+ state: present
+
+- name: create local user
+ user:
+ name: '{{ hastebin_user }}'
+ system: yes
+ home: '{{ hastebin_home }}'
+ shell: /sbin/nologin
+ create_home: no
+
+- name: create home directory
+ file:
+ path: '{{ item }}'
+ owner: '{{ hastebin_user }}'
+ group: '{{ hastebin_user }}'
+ mode: 0700
+ state: directory
+ loop:
+ - '{{ hastebin_home }}'
+ - '{{ hastebin_data_dir }}'
+
+- name: disable npm package lock
+ lineinfile:
+ regexp: ^package-lock=
+ line: package-lock=false
+ path: '{{ hastebin_home }}/.npmrc'
+ create: yes
+ owner: '{{ hastebin_user }}'
+ group: '{{ hastebin_user }}'
+ mode: 0600
+ state: present
+
+- name: clone git repository
+ git:
+ repo: '{{ hastebin_git_repo }}'
+ dest: '{{ hastebin_install_dir }}'
+ version: '{{ hastebin_version }}'
+ force: yes
+ update: yes
+ become: yes
+ become_user: '{{ hastebin_user }}'
+ register: hastebin_git
+ notify: restart hastebin
+
+- name: install npm dependencies
+ npm:
+ path: '{{ hastebin_install_dir }}'
+ production: yes
+ no_optional: yes
+ become: yes
+ become_user: '{{ hastebin_user }}'
+ when: hastebin_git.changed
+ notify: restart hastebin
+
+- name: create systemd unit
+ template:
+ src: etc/systemd/system/hastebin.service.j2
+ dest: /etc/systemd/system/hastebin.service
+ register: hastebin_unit
+ notify: restart hastebin
+
+- name: reload systemd daemons
+ systemd:
+ daemon_reload: yes
+ when: hastebin_unit.changed
+
+- name: generate config file
+ template:
+ src: '{{ hastebin_install_dir[1:] }}/config.js.j2'
+ dest: '{{ hastebin_install_dir }}/config.js'
+ owner: '{{ hastebin_user }}'
+ group: '{{ hastebin_user }}'
+ mode: 0600
+ notify: restart hastebin
+
+- name: copy custom index.html
+ copy:
+ src: '{{ hastebin_install_dir[1:] }}/static/index.html'
+ dest: '{{ hastebin_install_dir }}/static/index.html'
+ owner: '{{ hastebin_user }}'
+ group: '{{ hastebin_user }}'
+ mode: 0644
+
+- name: download jquery
+ get_url:
+ url: '{{ hastebin_jquery_url }}'
+ dest: '{{ hastebin_install_dir }}/static/jquery.min.js'
+ owner: '{{ hastebin_user }}'
+ group: '{{ hastebin_user }}'
+ mode: 0644
+
+- name: start hastebin
+ systemd:
+ name: hastebin
+ enabled: yes
+ state: started
+
+- name: set http_port_t selinux context for hastebin port
+ seport:
+ ports: '{{ hastebin_port }}'
+ proto: tcp
+ setype: http_port_t
+ state: present
+ tags: selinux
+
+- name: create hastebin-cleanup timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: hastebin-cleanup
+ timer_description: Delete expired hastebin files
+ timer_after: nss-user-lookup.target
+ timer_on_calendar: daily
+ timer_user: '{{ hastebin_user }}'
+ timer_exec: find {{ hastebin_data_dir }} -type f -mtime +{{ hastebin_expire_days }} -exec rm -v {} +
+ timer_enabled: '{{ true if hastebin_expire_days > 0 else false }}'
diff --git a/roles/hastebin/templates/etc/systemd/system/hastebin.service.j2 b/roles/hastebin/templates/etc/systemd/system/hastebin.service.j2
new file mode 100644
index 0000000..22a2a2d
--- /dev/null
+++ b/roles/hastebin/templates/etc/systemd/system/hastebin.service.j2
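Review bot: The `install npm dependencies` task resolves the whole dependency tree against the registry at install time, because the preceding `disable npm package lock` task writes `package-lock=false` into the service user's `.npmrc`, which makes npm ignore any lockfile the checkout ships; together with the default `hastebin_version: master` nothing in this path is pinned, so two runs can install different transitive packages and a compromised or typo-squatted release is picked up automatically. If the `.npmrc` entry exists only to keep the working tree clean, consider dropping it so the upstream lockfile governs resolution, and set `ignore_scripts: yes` on the `npm` task if the project's install needs no lifecycle scripts (otherwise every dependency's install script runs as `{{ hastebin_user }}`). The `download jquery` task also fetches a file that every visitor's browser will execute without verifying it; `get_url` supports `checksum: 'sha256:<EXPECTED_SHA256>'` (placeholder), which turns a corrupted or substituted download into a task failure instead of a served script. Finally, the unquoted `mode: 0700`/`0600`/`0644` values are YAML 1.1 octal integers that Ansible happens to interpret correctly, but `mode: '0700'` is the form ansible-lint expects and is unambiguous under YAML 1.2 parsers.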
@@ -0,0 +1,35 @@
+[Unit]
+Description=hastebin paste server
+After=network.target
+AssertPathExists={{ hastebin_install_dir }}
+
+[Service]
+Type=simple
+Environment="LISTEN_ADDRESS=127.0.0.1"
+Environment="NODE_ENV=production"
+EnvironmentFile=-/etc/sysconfig/hastebin
+ExecStart=/usr/bin/node server.js
+WorkingDirectory={{ hastebin_install_dir }}
+User={{ hastebin_user }}
+Group={{ hastebin_user }}
+Restart=on-failure
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/hastebin/templates/var/lib/hastebin/haste-server/config.js.j2 b/roles/hastebin/templates/var/lib/hastebin/haste-server/config.js.j2
new file mode 100644
index 0000000..dcd7668
--- /dev/null
+++ b/roles/hastebin/templates/var/lib/hastebin/haste-server/config.js.j2
@@ -0,0 +1,32 @@
+{
+ "host": "127.0.0.1",
+ "port": {{ hastebin_port }},
+ "keyLength": 10,
+ "maxLength": 400000,
+ "staticMaxAge": 86400,
+ "recompressStaticAssets": true,
+ "logging": [
+ {
+ "level": "verbose",
+ "type": "Console",
+ "colorize": false
+ }
+ ],
+ "keyGenerator": {
+ "type": "random"
+ },
+ "rateLimits": {
+ "categories": {
+ "normal": {
+ "totalRequests": 500,
+ "every": 60000
+ }
+ }
+ },
+ "storage": {
+ "type": "file",
+ "path": "{{ hastebin_data_dir }}"
+ },
+ "documents": {
+ }
+}
diff --git a/roles/hastebin/vars/main.yml b/roles/hastebin/vars/main.yml
new file mode 100644
index 0000000..cfb474b
--- /dev/null
+++ b/roles/hastebin/vars/main.yml
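Review bot: `ProtectSystem=full` leaves all of `/var` writable, and the service runs as the same `{{ hastebin_user }}` that owns the checkout under `{{ hastebin_install_dir }}`, so a compromised server process could rewrite `server.js` or the installed node modules and persist across restarts. If the server writes only to its storage path at runtime (config.js.j2 points `storage.path` at `{{ hastebin_data_dir }}`), `ProtectSystem=strict` together with `ReadWritePaths={{ hastebin_data_dir }}` makes the code read-only from the service's point of view; confirm nothing else under the install directory is written on start before switching. `CapabilityBoundingSet=` and `SystemCallArchitectures=native` are further cheap additions for a process that needs no capabilities, whereas `MemoryDenyWriteExecute` should stay off because it is likely to break node's JIT.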
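Review bot: The `rateLimits` quota of 500 requests per 60000 ms is enforced by the server itself, and since it listens on `127.0.0.1` behind the Apache reverse proxy defined in vars/main.yml every client arrives from the proxy's address; if the limiter keys on the peer address (verify against the haste-server version being deployed), the quota is effectively shared by all users, so a single misbehaving client can exhaust it for everyone while never being limited individually. Enforcing the limit in the proxy, where the real client address is known, or configuring the upstream to trust the forwarded address if it supports that, restores per-client behaviour. Note also that with the role default `hastebin_expire_days: 0` the cleanup timer is disabled, so the file store at `{{ hastebin_data_dir }}` grows without bound unless an operator overrides it; a comment on `"storage"` pointing at that variable would make the trade-off visible to whoever tunes this file.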
@@ -0,0 +1,30 @@
+hastebin_packages:
+ - git
+ - nodejs
+
+hastebin_home: /var/lib/hastebin
+hastebin_install_dir: '{{ hastebin_home }}/haste-server'
+hastebin_data_dir: '{{ hastebin_home }}/data'
+hastebin_git_repo: https://github.com/toptal/haste-server
+hastebin_keytab: /var/lib/gssproxy/clients/{{ hastebin_user }}.keytab
+
+hastebin_jquery_url: https://code.jquery.com/jquery-1.7.1.min.js
+
+hastebin_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "hastebin-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|hastebin-${TIMESTAMP}|"
+ -C "{{ hastebin_data_dir }}" .
+
+hastebin_apache_config: |
+ {{ apache_proxy_config }}
+ ProxyPass / http://127.0.0.1:{{ hastebin_port }}/
+ ProxyPassReverse / http://127.0.0.1:{{ hastebin_port }}/
+
+
+ {% for cidr in hastebin_upload_cidrs %}
+ Require ip {{ cidr }}
+ {% endfor %}
+
+
-- cgit
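Review bot: `hastebin_jquery_url` pins jQuery 1.7.1, a 2011 release with publicly documented cross-site-scripting issues that were fixed only in later versions and that receives no upstream fixes, and the custom index.html serves it to every visitor of a site whose whole purpose is rendering user-supplied text. Moving to a currently maintained 3.x release (if the upstream UI script is compatible; verify against the deployed haste-server version) removes a known-vulnerable component from the page, and the version should be accompanied by an expected checksum consumed by the `download jquery` task. Also `hastebin_apache_config` only emits `Require ip` lines when `hastebin_upload_cidrs` is non-empty; the enclosing Apache directive is stripped in this rendering, so whether the default `[]` leaves uploads open to everyone or to no one cannot be seen here, and a comment above the variable stating the intended default would settle it for the next reader.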