Privatebin : restructuration de fond + CI

.gitlab-ci.yml

@@ -37,6 +37,15 @@ trigger_peerjs:
     - changes:
         - podman-peerjs/*
 
+trigger_privatebin:
+  stage: triggers
+  trigger:
+    include: podman-privatebin/.gitlab-ci.yml
+    strategy: depend
+  rules:
+    - changes:
+        - podman-privatebin/*
+
 trigger_seafile:
   stage: triggers
   trigger:

podman-privatebin/.gitlab-ci.yml

@@ -0,0 +1,19 @@
+before_script:
+  - podman container exists my-privatebin && podman container rm --force my-privatebin
+  - rm -f ~/.config/systemd/user/container-my-privatebin.service && systemctl --user daemon-reload
+  - podman volume exists privatebin-data  && podman volume rm privatebin-data
+  - podman volume exists privatebin-var-lib-nginx-tmp && podman volume rm privatebin-var-lib-nginx-tmp
+  - podman volume exists privatebin-run && podman volume rm privatebin-run
+
+privatebin:
+  stage: test
+  script:
+    - cd podman-privatebin
+    - GARBAYE_PRIVATEBIN_ENV_LISTENPORT=18084 ./05_freshinstall.sh
+    - ./20_enable.sh
+    - ./30_start.sh && sleep 10
+    - ./40_stop.sh
+    - ./70_disable.sh
+    - ./80_destroy.sh
+    - podman rmi $(podman images -a -q -- localhost/privatebin-nginx-fpm-alpine)
+    - podman volume rm privatebin-data

podman-privatebin/00_status.sh

@@ -0,0 +1 @@
+../_podman-common/00_status_container.sh

podman-privatebin/05_freshinstall.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+ABSDIR="$( dirname "$(readlink -f -- "$0")" )"
+source ${ABSDIR}/../functions.sh
+source ${ABSDIR}/vars.sh
+
+ensure_pwd_is_scriptdir
+ensure_not_root
+
+if podman volume exists ${srvdata_volume}; then
+	echo "Files or volumes from previous installation already exists"
+	echo "Please remove them before fresh install, or try continue with normal installation"
+	exit 1
+fi
+
+podman volume create ${srvdata_volume}
+podman unshare chown -R 65534:82 `get_podman_volume_path ${srvdata_volume}`
+${ABSDIR}/10_install.sh

podman-privatebin/10_install.sh

@@ -7,17 +7,27 @@ source ${ABSDIR}/vars.sh
 ensure_pwd_is_scriptdir
 ensure_not_root
 
-git clone https://github.com/PrivateBin/docker-nginx-fpm-alpine
-sed -i 's|fastcgi_pass unix:/run/php-fpm.sock;|fastcgi_pass unix:/run/s6/php-fpm.sock;|' docker-nginx-fpm-alpine/etc/nginx/http.d/site.conf
-sed -i 's|pid /run/nginx.pid;|pid /run/s6/nginx.pid;|' docker-nginx-fpm-alpine/etc/nginx/nginx.conf
-sed -i 's|listen = /run/php-fpm.sock|listen = /run/s6/php-fpm.sock|' docker-nginx-fpm-alpine/etc/php8/php-fpm.d/zz-docker.conf
-cp conf.php docker-nginx-fpm-alpine/conf.php
-grep -q conf.php docker-nginx-fpm-alpine/Dockerfile || sed -i '/^COPY.*/a COPY conf.php /srv/cfg/conf.php' docker-nginx-fpm-alpine/Dockerfile
-podman build -t privatebin-nginx-fpm-alpine docker-nginx-fpm-alpine
-podman volume create privatebin-data
-podman volume create privatebin-run
-podman volume create privatebin-var-lib-nginx-tmp
-podman unshare chown -R 65534:82 `get_podman_volume_path privatebin-data`
-podman unshare chown -R 65534:82 `get_podman_volume_path privatebin-run`
-podman unshare chown -R 65534:82 `get_podman_volume_path privatebin-var-lib-nginx-tmp`
-podman run -d --read-only --restart=always --name my-privatebin -p 8084:8080 -v privatebin-run:/run:Z -v privatebin-data:/srv/data:Z -v privatebin-var-lib-nginx-tmp:/var/lib/nginx/tmp:Z privatebin-nginx-fpm-alpine
+if ! podman volume exists ${srvdata_volume} ; then
+    echo "Error : data volume ${srvdata_volume} does not exists. Consider running 05_freshinstall.sh if this is the first install."
+    exit 1
+fi
+
+git clone -b ${version} --depth=1 https://github.com/PrivateBin/docker-nginx-fpm-alpine &&
+#sed -i 's|fastcgi_pass unix:/run/php-fpm.sock;|fastcgi_pass unix:/run/s6/php-fpm.sock;|' docker-nginx-fpm-alpine/etc/nginx/http.d/site.conf
+#sed -i 's|pid /run/nginx.pid;|pid /run/s6/nginx.pid;|' docker-nginx-fpm-alpine/etc/nginx/nginx.conf
+#sed -i 's|listen = /run/php-fpm.sock|listen = /run/s6/php-fpm.sock|' docker-nginx-fpm-alpine/etc/php8/php-fpm.d/zz-docker.conf
+#cp conf.php docker-nginx-fpm-alpine/conf.php
+#grep -q conf.php docker-nginx-fpm-alpine/Dockerfile || sed -i '/^COPY.*/a COPY conf.php /srv/cfg/conf.php' docker-nginx-fpm-alpine/Dockerfile
+podman build -t privatebin-nginx-fpm-alpine docker-nginx-fpm-alpine &&
+rm -rf docker-nginx-fpm-alpine &&
+podman volume create ${run_volume} &&
+podman volume create ${varlibnginxtmp_volume} &&
+podman unshare chown -R 65534:82 `get_podman_volume_path ${run_volume}` &&
+podman unshare chown -R 65534:82 `get_podman_volume_path ${varlibnginxtmp_volume}` &&
+podman run -d --read-only --restart=always --name ${container_name} \
+       -p ${listen_if}:${listen_port}:8080 \
+       -v ${run_volume}:/run:Z \
+       -v ${srvdata_volume}:/srv/data:Z \
+       -v ${varlibnginxtmp_volume}:/var/lib/nginx/tmp:Z \
+       privatebin-nginx-fpm-alpine &&
+podman stop ${container_name}

podman-privatebin/20_enable.sh

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-podman generate systemd --files --name my-privatebin
-cp *.service ~/.config/systemd/user/
-systemctl --user enable container-my-privatebin.service

podman-privatebin/20_enable.sh

@@ -0,0 +1 @@
+../_podman-common/20_enable_container.sh

podman-privatebin/30_start.sh

@@ -0,0 +1 @@
+../_podman-common/30_start_container.sh

podman-privatebin/40_stop.sh

@@ -0,0 +1 @@
+../_podman-common/40_stop_container.sh

podman-privatebin/70_disable.sh

@@ -0,0 +1 @@
+../_podman-common/70_disable_container.sh

podman-privatebin/80_destroy.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+ABSDIR="$( dirname "$(readlink -f -- "$0")" )"
+source ${ABSDIR}/../functions.sh
+source ${ABSDIR}/vars.sh
+
+# Run regular prune script for pods
+source ${ABSDIR}/../_podman-common/80_destroy_container.sh &&
+# Remove runtime volumes
+for volume in ${nonpersistent_volumes}; do
+    podman volume rm ${volume}
+done
+

podman-privatebin/90_prune.sh

@@ -0,0 +1 @@
+../_podman-common/90_prune_container.sh

podman-privatebin/conf.php

@@ -1,183 +0,0 @@
-;<?php http_response_code(403); /*
-; config file for PrivateBin
-;
-; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
-
-[main]
-; (optional) set a project name to be displayed on the website
-; name = "PrivateBin"
-
-; The full URL, with the domain name and directories that point to the PrivateBin files
-; This URL is essential to allow Opengraph images to be displayed on social networks
-; basepath = ""
-
-; enable or disable the discussion feature, defaults to true
-discussion = true
-
-; preselect the discussion feature, defaults to false
-opendiscussion = false
-
-; enable or disable the password feature, defaults to true
-password = true
-
-; enable or disable the file upload feature, defaults to false
-fileupload = false
-
-; preselect the burn-after-reading feature, defaults to false
-burnafterreadingselected = false
-
-; which display mode to preselect by default, defaults to "plaintext"
-; make sure the value exists in [formatter_options]
-defaultformatter = "plaintext"
-
-; (optional) set a syntax highlighting theme, as found in css/prettify/
-syntaxhighlightingtheme = "sons-of-obsidian"
-
-; size limit per paste or comment in bytes, defaults to 10 Mebibytes
-sizelimit = 10485760
-
-; template to include, default is "bootstrap" (tpl/bootstrap.php)
-template = "bootstrap-dark"
-
-; (optional) info text to display
-; use single, instead of double quotes for HTML attributes
-;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
-
-; (optional) notice to display
-; notice = "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service."
-
-; by default PrivateBin will guess the visitors language based on the browsers
-; settings. Optionally you can enable the language selection menu, which uses
-; a session cookie to store the choice until the browser is closed.
-languageselection = false
-
-; set the language your installs defaults to, defaults to English
-; if this is set and language selection is disabled, this will be the only language
-; languagedefault = "en"
-
-; (optional) URL shortener address to offer after a new paste is created
-; it is suggested to only use this with self-hosted shorteners as this will leak
-; the pastes encryption key
-; urlshortener = "https://shortener.example.com/api?link="
-
-; (optional) Let users create a QR code for sharing the paste URL with one click.
-; It works both when a new paste is created and when you view a paste.
-; qrcode = true
-
-; (optional) IP based icons are a weak mechanism to detect if a comment was from
-; a different user when the same username was used in a comment. It might be
-; used to get the IP of a non anonymous comment poster if the server salt is
-; leaked and a SHA256 HMAC rainbow table is generated for all (relevant) IPs.
-; Can be set to one these values: "none" / "vizhash" / "identicon" (default).
-; icon = "none"
-
-; Content Security Policy headers allow a website to restrict what sources are
-; allowed to be accessed in its context. You need to change this if you added
-; custom scripts from third-party domains to your templates, e.g. tracking
-; scripts or run your site behind certain DDoS-protection services.
-; Check the documentation at https://content-security-policy.com/
-; Notes:
-; - If you use a bootstrap theme, you can remove the allow-popups from the
-;   sandbox restrictions.
-; - By default this disallows to load images from third-party servers, e.g. when
-;   they are embedded in pastes. If you wish to allow that, you can adjust the
-;   policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
-;   for details.
-; - The 'unsafe-eval' is used in two cases; to check if the browser supports
-;   async functions and display an error if not and for Chrome to enable
-;   webassembly support (used for zlib compression). You can remove it if Chrome
-;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
-
-; stay compatible with PrivateBin Alpha 0.19, less secure
-; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
-; sha256 in HMAC for the deletion token
-; zerobincompatibility = false
-
-; Enable or disable the warning message when the site is served over an insecure
-; connection (insecure HTTP instead of HTTPS), defaults to true.
-; Secure transport methods like Tor and I2P domains are automatically whitelisted.
-; It is **strongly discouraged** to disable this.
-; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
-; httpwarning = true
-
-; Pick compression algorithm or disable it. Only applies to pastes/comments
-; created after changing the setting.
-; Can be set to one these values: "none" / "zlib" (default).
-; compression = "zlib"
-
-[expire]
-; expire value that is selected per default
-; make sure the value exists in [expire_options]
-default = "1week"
-
-[expire_options]
-; Set each one of these to the number of seconds in the expiration period,
-; or 0 if it should never expire
-5min = 300
-10min = 600
-1hour = 3600
-1day = 86400
-1week = 604800
-; Well this is not *exactly* one month, it's 30 days:
-1month = 2592000
-1year = 31536000
-;never = 0
-
-[formatter_options]
-; Set available formatters, their order and their labels
-plaintext = "Plain Text"
-syntaxhighlighting = "Source Code"
-markdown = "Markdown"
-
-[traffic]
-; time limit between calls from the same IP address in seconds
-; Set this to 0 to disable rate limiting.
-limit = 10
-
-; (optional) if your website runs behind a reverse proxy or load balancer,
-; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
-header = "X_FORWARDED_FOR"
-
-; directory to store the traffic limits in
-dir = PATH "data"
-
-[purge]
-; minimum time limit between two purgings of expired pastes, it is only
-; triggered when pastes are created
-; Set this to 0 to run a purge every time a paste is created.
-limit = 300
-
-; maximum amount of expired pastes to delete in one purge
-; Set this to 0 to disable purging. Set it higher, if you are running a large
-; site
-batchsize = 10
-
-; directory to store the purge limit in
-dir = PATH "data"
-
-[model]
-; name of data model class to load and directory for storage
-; the default model "Filesystem" stores everything in the filesystem
-class = Filesystem
-[model_options]
-dir = PATH "data"
-
-;[model]
-; example of DB configuration for MySQL
-;class = Database
-;[model_options]
-;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
-;tbl = "privatebin_"	; table prefix
-;usr = "privatebin"
-;pwd = "Z3r0P4ss"
-;opt[12] = true	  ; PDO::ATTR_PERSISTENT
-
-;[model]
-; example of DB configuration for SQLite
-;class = Database
-;[model_options]
-;dsn = "sqlite:" PATH "data/db.sq3"
-;usr = null
-;pwd = null
-;opt[12] = true	; PDO::ATTR_PERSISTENT

podman-privatebin/vars.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+container_name='my-privatebin'
+service_name="container-${container_name}.service"
+listen_if="${GARBAYE_PRIVATEBIN_ENV_LISTENIF:-127.0.0.1}"
+listen_port="${GARBAYE_PRIVATEBIN_ENV_LISTENPORT:-8084}"
+srvdata_volume='privatebin-data'
+varlibnginxtmp_volume='privatebin-var-lib-nginx-tmp'
+run_volume='privatebin-run'
+nonpersistent_volumes="${varlibnginxtmp_volume} ${run_volume}"
+upstream_images='localhost/privatebin-nginx-fpm-alpine docker.io/library/alpine'
+version='1.3.5-alpine3.15'