From bb377ffc523ad8d21ac974b5a3594716b46793b0 Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Fri, 24 Feb 2023 09:50:11 -0500 Subject: [PATCH 1/5] New role to install + upgrade PrivateBin --- webapps/privatebin/LISEZMOI.md | 49 +++++++++++ webapps/privatebin/README.md | 49 +++++++++++ webapps/privatebin/defaults/main.yml | 6 ++ webapps/privatebin/handlers/main.yml | 2 + webapps/privatebin/meta/main.yml | 52 ++++++++++++ webapps/privatebin/tasks/main.yml | 97 ++++++++++++++++++++++ webapps/privatebin/tasks/upgrade.yml | 37 +++++++++ webapps/privatebin/templates/vhost.conf.j2 | 39 +++++++++ webapps/privatebin/tests/inventory | 2 + webapps/privatebin/tests/test.yml | 5 ++ webapps/privatebin/vars/main.yml | 2 + 11 files changed, 340 insertions(+) create mode 100644 webapps/privatebin/LISEZMOI.md create mode 100644 webapps/privatebin/README.md create mode 100644 webapps/privatebin/defaults/main.yml create mode 100644 webapps/privatebin/handlers/main.yml create mode 100644 webapps/privatebin/meta/main.yml create mode 100644 webapps/privatebin/tasks/main.yml create mode 100644 webapps/privatebin/tasks/upgrade.yml create mode 100644 webapps/privatebin/templates/vhost.conf.j2 create mode 100644 webapps/privatebin/tests/inventory create mode 100644 webapps/privatebin/tests/test.yml create mode 100644 webapps/privatebin/vars/main.yml diff --git a/webapps/privatebin/LISEZMOI.md b/webapps/privatebin/LISEZMOI.md new file mode 100644 index 00000000..05d2f98a --- /dev/null +++ b/webapps/privatebin/LISEZMOI.md 
@@ -0,0 +1,49 @@ +privatebin +========= + +Ce rôle installe un serveur PrivateBin. + +Notez qu'hormis le présent fichier LISEZMOI.md, tous les fichiers du rôle privatebin sont rédigés en anglais afin de suivre les conventions de la communauté Ansible, favoriser sa réutilisation et son amélioration, etc. Libre à vous cependant de faire appel à ce role dans un playbook rédigé principalement en français ou toute autre langue. + +Requis +------ + +... + +Variables du rôle +----------------- + +Plusieurs des valeurs par défaut dans defaults/main.yml doivent être changées soit directement dans defaults/main.yml ou mieux encore en les supplantant ailleurs, par exemple dans votre playbook (voir l'exemple ci-bas). + +Dépendances +------------ + +Ce rôle Ansible dépend des rôles suivants : + +- nodejs + +Exemple de playbook +------------------- + +``` +- name: "Déployer un serveur PrivateBin" + hosts: + - all + vars: + # Supplanter ici les variables du rôle + domains: ['votre-vrai-domaine.org'] + service: 'mon-privatebin' + + roles: + - { role: webapps/privatebin , tags: "privatebin" } +``` + +Licence +------- + +GPLv3 + +Infos sur l'auteur +------------------ + +Mathieu Gauthier-Pilote, administrateur de systèmes chez Evolix. diff --git a/webapps/privatebin/README.md b/webapps/privatebin/README.md new file mode 100644 index 00000000..f7dedd58 --- /dev/null +++ b/webapps/privatebin/README.md 
@@ -0,0 +1,49 @@ +privatebin +========= + +This role installs or upgrades the server for PrivateBin. + +FRENCH: Voir le fichier LISEZMOI.md pour le français. + +Requirements +------------ + +... + +Role Variables +-------------- + +Several of the default values in defaults/main.yml must be changed either directly in defaults/main.yml or better even by overwriting them somewhere else, for example in your playbook (see the example below). + +Dependencies +------------ + +This Ansible role depends on the following other roles: + +- nodejs + +Example Playbook +---------------- + +``` +- name: "Deploy an PrivateBin server" + hosts: + - all + vars: + # Overwrite the role variable here + domains: ['your-real-domain.org'] + service: 'my-privatebin' + + roles: + - { role: webapps/privatebin , tags: "privatebin" } +``` + +License +------- + +GPLv3 + +Author Information +------------------ + +Mathieu Gauthier-Pilote, sys. admin. at Evolix. diff --git a/webapps/privatebin/defaults/main.yml b/webapps/privatebin/defaults/main.yml new file mode 100644 index 00000000..b004cb1e --- /dev/null +++ b/webapps/privatebin/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# defaults file for vars +system_dep: "['apt-transport-https', 'git', 'certbot', 'libapache2-mod-php', 'libapache2-mpm-itk', 'php-gd']" +git_url: 'https://github.com/PrivateBin/PrivateBin' +git_version: '1.5.1' +domains: ['example.domain.org'] diff --git a/webapps/privatebin/handlers/main.yml b/webapps/privatebin/handlers/main.yml new file mode 100644 index 00000000..214734cf --- /dev/null +++ b/webapps/privatebin/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file diff --git a/webapps/privatebin/meta/main.yml b/webapps/privatebin/meta/main.yml new file mode 100644 index 00000000..b065fb2a --- /dev/null +++ b/webapps/privatebin/meta/main.yml 
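Review bot: `system_dep` in the defaults hunk is a quoted string that only looks like a list, so `apt: name: "{{ system_dep }}"` in tasks/main.yml relies on Ansible coercing the rendered string back into a Python literal rather than receiving a list. Write it as a real YAML sequence, e.g. `system_dep:` followed by one `  - apt-transport-https` style entry per package, so the module gets a list directly and the value is readable in overrides. A short comment above `domains` saying that only its first entry is used by the role (`{{ domains | first }}` everywhere) would also spare readers a surprise.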
@@ -0,0 +1,52 @@ +galaxy_info: + author: Mathieu Gauthier-Pilote + description: sys. admin. + company: Evolix + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license GPL-3.0-only + + min_ansible_version: 2.10 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml new file mode 100644 index 00000000..13c3eb5e --- /dev/null +++ b/webapps/privatebin/tasks/main.yml 
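Review bot: `license: license GPL-3.0-only` duplicates the word, so the value is the string `license GPL-3.0-only` rather than the SPDX id; change it to `license: GPL-3.0-only`. `min_ansible_version: 2.10` is an unquoted float that YAML parsers read as 2.1; quote it as `min_ansible_version: "2.10"`. `dependencies: []` also disagrees with README.md and LISEZMOI.md in this same patch, which list `nodejs` as a dependency even though the role appears to deploy a PHP application (it installs `libapache2-mod-php` and edits `index.php`); make the three files agree.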
@@ -0,0 +1,97 @@ +--- +# tasks file for privatebin install + +- name: Install main system dependencies + apt: + name: "{{ system_dep }}" + +- name: Add UNIX account + user: + name: "{{ service }}" + shell: /bin/bash + +- name: Clone privatebin repo (git) + git: + repo: "{{ git_url }}" + dest: "~/PrivateBin/" + version: "{{ git_version | default(omit) }}" + update: yes + force: true + umask: '0022' + become_user: "{{ service }}" + +- name: Check if SSL certificate is present and register result + stat: + path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + register: ssl + +- name: Generate certificate only if required (first time) + block: + - name: Template vhost without SSL for successfull LE challengce + template: + src: "vhost.conf.j2" + dest: "/etc/apache2/sites-available/{{ service }}.conf" + - name: Enable apache vhost for privatebin + command: "/usr/sbin/a2ensite {{ service }}" + - name: Reload apache conf + service: + name: apache2 + state: reloaded + - name: Make sure /var/lib/letsencrypt exists and has correct permissions + file: + path: /var/lib/letsencrypt + state: directory + mode: '0755' + - name: Generate certificate with certbot + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} + when: ssl.stat.exists == true + +- name: (Re)check if SSL certificate is present and register result + stat: + path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + register: ssl + +- name: (Re)template conf file for apache vhost with SSL + template: + src: "vhost.conf.j2" + dest: "/etc/apache2/sites-available/{{ service }}.conf" + +- name: Enable apache mode_rewrite + command: "/usr/sbin/a2enmod rewrite" + +- name: Enable .htaccess configuration + copy: + src: "~/PrivateBin/.htaccess.disabled" + dest: "~/PrivateBin/.htaccess" + remote_src: true + become_user: "{{ service }}" + +- name: Creates directory outside DocumentRoot + file: + path: "~/secret" + state: directory + become_user: "{{ service }}" + 
register: directory + +- name: Move some directories outside DocumentRoot + shell: + cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/secret/" + chdir: "~/PrivateBin/" + executable: /bin/bash + become_user: "{{ service }}" + when: directory.changed + +- name: Ajust path needed for directories outside DocumentRoot + lineinfile: + path: "~/PrivateBin/index.php" + regexp: ^define\('PATH', ''\); + line: define('PATH', '../secret/'); + become_user: "{{ service }}" + +- name: Enable apache vhost for privatebin + command: "/usr/sbin/a2ensite {{ service }}" + +- name: Reload apache conf + service: + name: apache2 + state: reloaded diff --git a/webapps/privatebin/tasks/upgrade.yml b/webapps/privatebin/tasks/upgrade.yml new file mode 100644 index 00000000..5c1d325d --- /dev/null +++ b/webapps/privatebin/tasks/upgrade.yml @@ -0,0 +1,37 @@ +--- +# tasks file for etherpad upgrade + +- name: Move some directories back to DocumentRoot + shell: + cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/PrivateBin/" + chdir: "~/secret/" + executable: /bin/bash + become_user: "{{ service }}" + +- name: Update privatebin repo (git) + git: + repo: "{{ git_url }}" + dest: "~/PrivateBin/" + version: "{{ git_version }}" + update: yes + force: true + become_user: "{{ service }}" + +- name: Move back some directories outside DocumentRoot + shell: + cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/secret/" + chdir: "~/PrivateBin/" + executable: /bin/bash + become_user: "{{ service }}" + +- name: Ajust path needed for directories outside DocumentRoot + lineinfile: + path: "~/PrivateBin/index.php" + regexp: ^define\('PATH', ''\); + line: define('PATH', '../secret/'); + become_user: "{{ service }}" + +- name: Reload apache conf + service: + name: apache2 + state: reloaded diff --git a/webapps/privatebin/templates/vhost.conf.j2 b/webapps/privatebin/templates/vhost.conf.j2 new file mode 100644 index 00000000..343dd246 --- /dev/null +++ b/webapps/privatebin/templates/vhost.conf.j2 
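Review bot: Every task that sets `become_user: "{{ service }}"` (the git clone, the `.htaccess` copy, the `~/secret` creation, the `mv` and the `lineinfile`) omits `become: true`, and `become_user` on its own does not enable privilege escalation, so unless the calling playbook turns it on these tasks run as the connecting user; with tests/test.yml's `remote_user: root` that puts `~/PrivateBin` in root's home while the vhost serves `/home/{{ service }}/PrivateBin`. Add `become: true` beside each `become_user` (or at play level) so the clone and the files it creates get the intended owner. Separately, `version: "{{ git_version | default(omit) }}"` with `force: true` checks out a tag, which is movable upstream; recording the release commit id in defaults (`git_version: '<commit-id>'`, placeholder) gives a checkout that can be verified against the upstream release.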
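Review bot: The upgrade sequence moves `cfg`, `lib`, `vendor` and the other private directories back under `~/PrivateBin/` (the DocumentRoot), runs the git update, and only then moves them out again, so if the git task fails or the play is interrupted they stay web-reachable until someone notices; the `mv` tasks also carry no `become: true` next to `become_user`, as in tasks/main.yml. Wrapping the move-back and the git update in a `block` whose `always` section holds the move-out and the `lineinfile` guarantees the directories return to `~/secret/` on failure (a missing directory would then need `failed_when` handling on the `mv`). The header comment `# tasks file for etherpad upgrade` is a copy-paste leftover and should read `# tasks file for privatebin upgrade`, and `version: "{{ git_version }}"` here lacks the `| default(omit)` that tasks/main.yml uses for the same variable.
```yaml
- name: Upgrade privatebin, always moving private directories back out of DocumentRoot
  block:
    # … unchanged: "Move some directories back to DocumentRoot" and "Update privatebin repo (git)" …
  always:
    # … unchanged: "Move back some directories outside DocumentRoot" and "Ajust path needed …" …
# … unchanged: "Reload apache conf" …
```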
@@ -0,0 +1,39 @@ + + ServerName {{ domains |first }} + + {% if not ssl.stat.exists %} + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent] + {% endif %} + + + +{% if not ssl.stat.exists %} + + ServerName {{ domains |first }} + + DocumentRoot /home/{{ service }}/PrivateBin + + + Options SymLinksIfOwnerMatch + AllowOverride Options=All AuthConfig Limit FileInfo Indexes + Require all granted + + + AssignUserID {{ service }} {{ service }} + + SSLEngine On + #SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem + #SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + RewriteEngine On + RewriteCond %{HTTPS} !=on + RewriteCond %{HTTP:X-Forwarded-Proto} !=https + RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent] + + +{% endif %} diff --git a/webapps/privatebin/tests/inventory b/webapps/privatebin/tests/inventory new file mode 100644 index 00000000..878877b0 --- /dev/null +++ b/webapps/privatebin/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/webapps/privatebin/tests/test.yml b/webapps/privatebin/tests/test.yml new file mode 100644 index 00000000..69c8cd9a --- /dev/null +++ b/webapps/privatebin/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - privatebin diff --git a/webapps/privatebin/vars/main.yml b/webapps/privatebin/vars/main.yml new file mode 100644 index 00000000..2053e362 --- /dev/null +++ b/webapps/privatebin/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file -- 2.39.2 From 1122b79a0618e17e64889ee3842e64f80a02d919 Mon Sep 17 00:00:00 2001 
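Review bot: Both `ServerName {{ domains |first }}` lines, like the certbot `-d {{ domains |first }}` argument in tasks/main.yml, use only the first entry of `domains`, so any further entries are silently ignored: requests for those names are not matched by this vhost and the certificate does not cover them. If the list is meant to hold several names, add `ServerAlias {{ domains[1:] | join(' ') }}` after each `ServerName` and pass every entry to certbot; if not, a scalar variable would make the interface honest. The TLS vhost also enables `SSLEngine On` with no `SSLProtocol` directive and no Strict-Transport-Security header, which is worth tightening once the snakeoil placeholder is replaced.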
From: Mathieu Gauthier-Pilote Date: Fri, 28 Apr 2023 10:32:46 -0400 Subject: [PATCH 2/5] Now installs a LE SSL cert via certbot by default --- webapps/privatebin/defaults/main.yml | 3 +- webapps/privatebin/tasks/main.yml | 30 +++++++++++++++++-- .../privatebin/templates/letsencrypt.conf.j2 | 11 +++++++ webapps/privatebin/templates/ssl.conf.j2 | 3 ++ webapps/privatebin/templates/vhost.conf.j2 | 15 ++-------- 5 files changed, 46 insertions(+), 16 deletions(-) create mode 100644 webapps/privatebin/templates/letsencrypt.conf.j2 create mode 100644 webapps/privatebin/templates/ssl.conf.j2 diff --git a/webapps/privatebin/defaults/main.yml b/webapps/privatebin/defaults/main.yml index b004cb1e..b9518213 100644 --- a/webapps/privatebin/defaults/main.yml +++ b/webapps/privatebin/defaults/main.yml @@ -1,6 +1,7 @@ --- # defaults file for vars -system_dep: "['apt-transport-https', 'git', 'certbot', 'libapache2-mod-php', 'libapache2-mpm-itk', 'php-gd']" +system_dep: "['apt-transport-https', 'git', 'certbot', 'acl', 'apache2', 'libapache2-mpm-itk', 'libapache2-mod-php', 'php-gd']" git_url: 'https://github.com/PrivateBin/PrivateBin' git_version: '1.5.1' domains: ['example.domain.org'] +certbot_admin_email: 'mgauthier@evolix.ca' diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml index 13c3eb5e..d0d0a1d8 100644 --- a/webapps/privatebin/tasks/main.yml +++ b/webapps/privatebin/tasks/main.yml @@ -4,6 +4,7 @@ - name: Install main system dependencies apt: name: "{{ system_dep }}" + update_cache: yes - name: Add UNIX account user: 
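Review bot: The added `update_cache: yes` uses a YAML 1.1 truthy spelling; write `update_cache: true` so YAML 1.2 parsers and yamllint's truthy rule agree on the value. The git task a few lines below in the same file has the same `update: yes` and `force: true` side by side, so the file currently mixes both spellings.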
@@ -20,6 +21,20 @@ umask: '0022' become_user: "{{ service }}" +#- name: Create the conf-available dir if needed +# file: +# path: /etc/apache2/conf-available +# state: directory +# mode: '0750' + +- name: Template apache conf for Let's Encrypt/Certbot + template: + src: "letsencrypt.conf.j2" + dest: "/etc/apache2/conf-available/letsencrypt.conf" + +- name: Enable apache conf for Let's Encrypt/Certbot + command: "/usr/sbin/a2enconf letsencrypt.conf" + - name: Check if SSL certificate is present and register result stat: path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" @@ -43,8 +58,17 @@ state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} - when: ssl.stat.exists == true + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }} + - name: Create the ssl dir if needed + file: + path: /etc/apache2/ssl + state: directory + mode: '0750' + - name: Template ssl block for apache vhost + template: + src: "ssl.conf.j2" + dest: "/etc/apache2/ssl/{{ service }}.conf" + when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result stat: @@ -57,7 +81,7 @@ dest: "/etc/apache2/sites-available/{{ service }}.conf" - name: Enable apache mode_rewrite - command: "/usr/sbin/a2enmod rewrite" + command: "/usr/sbin/a2enmod ssl rewrite" - name: Enable .htaccess configuration copy: diff --git a/webapps/privatebin/templates/letsencrypt.conf.j2 b/webapps/privatebin/templates/letsencrypt.conf.j2 new file mode 100644 index 00000000..ebc99483 --- /dev/null +++ b/webapps/privatebin/templates/letsencrypt.conf.j2 
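Review bot: The new `Template ssl block for apache vhost` task sits inside the block guarded by `when: ssl.stat.exists != true`, so on a host where the certificate already exists (issued by hand, by another role, or by an earlier run of this role) `/etc/apache2/ssl/{{ service }}.conf` is never written, and the vhost.conf.j2 hunk in this same patch pulls it in with `IncludeOptional`, which silently skips a missing file and leaves a port-443 vhost with no `SSLEngine On`. Move the `Create the ssl dir if needed` and `Template ssl block` tasks out of the block so they run whenever `ssl.stat.exists` is true, and use `Include` in the template so a missing file fails `apache2ctl configtest` loudly instead. The `a2enconf letsencrypt.conf` command also reports changed on every run; `creates: /etc/apache2/conf-enabled/letsencrypt.conf` under the command would make it idempotent.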
@@ -0,0 +1,11 @@ + + SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk + + + ProxyPass /.well-known/acme-challenge/ ! + +Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge + + Options -Indexes + Require all granted + diff --git a/webapps/privatebin/templates/ssl.conf.j2 b/webapps/privatebin/templates/ssl.conf.j2 new file mode 100644 index 00000000..719fa1ad --- /dev/null +++ b/webapps/privatebin/templates/ssl.conf.j2 @@ -0,0 +1,3 @@ +SSLEngine On +SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem +SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem diff --git a/webapps/privatebin/templates/vhost.conf.j2 b/webapps/privatebin/templates/vhost.conf.j2 index 343dd246..7a41926d 100644 --- a/webapps/privatebin/templates/vhost.conf.j2 +++ b/webapps/privatebin/templates/vhost.conf.j2 @@ -1,7 +1,7 @@ ServerName {{ domains |first }} - {% if not ssl.stat.exists %} + {% if ssl.stat.exists %} RewriteEngine On RewriteCond %{HTTPS} !=on RewriteCond %{HTTP:X-Forwarded-Proto} !=https @@ -10,7 +10,7 @@ -{% if not ssl.stat.exists %} +{% if ssl.stat.exists %} ServerName {{ domains |first }} @@ -24,16 +24,7 @@ AssignUserID {{ service }} {{ service }} - SSLEngine On - #SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem - #SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem - SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem - SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key - - RewriteEngine On - RewriteCond %{HTTPS} !=on - RewriteCond %{HTTP:X-Forwarded-Proto} !=https - RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent] + IncludeOptional /etc/apache2/ssl/{{ service }}.conf {% endif %} -- 2.39.2 From a7ad33f4ee4f4efe8004b52cbe0bcf84b156810b Mon Sep 17 00:00:00 2001 
From: Mathieu Gauthier-Pilote Date: Thu, 9 May 2024 14:06:12 -0400 Subject: [PATCH 3/5] Prefix variables with privatebin_ --- webapps/privatebin/LISEZMOI.md | 2 +- webapps/privatebin/README.md | 2 +- webapps/privatebin/defaults/main.yml | 10 +++++----- webapps/privatebin/tasks/main.yml | 12 ++++++------ webapps/privatebin/tasks/upgrade.yml | 4 ++-- webapps/privatebin/templates/ssl.conf.j2 | 4 ++-- webapps/privatebin/templates/vhost.conf.j2 | 4 ++-- 7 files changed, 19 insertions(+), 19 deletions(-) diff --git a/webapps/privatebin/LISEZMOI.md b/webapps/privatebin/LISEZMOI.md index 05d2f98a..ac0e0b92 100644 --- a/webapps/privatebin/LISEZMOI.md +++ b/webapps/privatebin/LISEZMOI.md @@ -31,7 +31,7 @@ Exemple de playbook - all vars: # Supplanter ici les variables du rôle - domains: ['votre-vrai-domaine.org'] + privatebin_domains: ['votre-vrai-domaine.org'] service: 'mon-privatebin' roles: diff --git a/webapps/privatebin/README.md b/webapps/privatebin/README.md index f7dedd58..53db44aa 100644 --- a/webapps/privatebin/README.md +++ b/webapps/privatebin/README.md @@ -31,7 +31,7 @@ Example Playbook - all vars: # Overwrite the role variable here - domains: ['your-real-domain.org'] + privatebin_domains: ['your-real-domain.org'] service: 'my-privatebin' roles: diff --git a/webapps/privatebin/defaults/main.yml b/webapps/privatebin/defaults/main.yml index b9518213..59e0b3f0 100644 --- a/webapps/privatebin/defaults/main.yml +++ b/webapps/privatebin/defaults/main.yml 
@@ -1,7 +1,7 @@ --- # defaults file for vars -system_dep: "['apt-transport-https', 'git', 'certbot', 'acl', 'apache2', 'libapache2-mpm-itk', 'libapache2-mod-php', 'php-gd']" -git_url: 'https://github.com/PrivateBin/PrivateBin' -git_version: '1.5.1' -domains: ['example.domain.org'] -certbot_admin_email: 'mgauthier@evolix.ca' +privatebin_system_dep: "['apt-transport-https', 'git', 'certbot', 'acl', 'apache2', 'libapache2-mpm-itk', 'libapache2-mod-php', 'php-gd']" +privatebin_git_url: 'https://github.com/PrivateBin/PrivateBin' +privatebin_git_version: '1.5.1' +privatebin_domains: ['example.domain.net'] +privatebin_certbot_admin_email: 'security@example.net' diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml index d0d0a1d8..6bafe360 100644 --- a/webapps/privatebin/tasks/main.yml +++ b/webapps/privatebin/tasks/main.yml @@ -3,7 +3,7 @@ - name: Install main system dependencies apt: - name: "{{ system_dep }}" + name: "{{ privatebin_system_dep }}" update_cache: yes - name: Add UNIX account @@ -13,9 +13,9 @@ - name: Clone privatebin repo (git) git: - repo: "{{ git_url }}" + repo: "{{ privatebin_git_url }}" dest: "~/PrivateBin/" - version: "{{ git_version | default(omit) }}" + version: "{{ privatebin_git_version | default(omit) }}" update: yes force: true umask: '0022' @@ -37,7 +37,7 @@ - name: Check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ privatebin_domains |first }}/fullchain.pem" register: ssl - name: Generate certificate only if required (first time) 
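Review bot: The prefixing stops short of `service`, which tasks/main.yml, tasks/upgrade.yml and vhost.conf.j2 still reference as `{{ service }}` and which has no default anywhere in the role, so the public interface is left half-migrated and a playbook that forgets to set it fails with an undefined-variable error at the `Add UNIX account` task. Either add `privatebin_service` to defaults/main.yml with a placeholder value and update the references, or state in README.md and LISEZMOI.md that `service` is mandatory and intentionally unprefixed.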
@@ -58,7 +58,7 @@ state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }} + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ privatebin_certbot_admin_email }} -d {{ privatebin_domains |first }} - name: Create the ssl dir if needed file: path: /etc/apache2/ssl @@ -72,7 +72,7 @@ - name: (Re)check if SSL certificate is present and register result stat: - path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + path: "/etc/letsencrypt/live/{{ privatebin_domains |first }}/fullchain.pem" register: ssl - name: (Re)template conf file for apache vhost with SSL diff --git a/webapps/privatebin/tasks/upgrade.yml b/webapps/privatebin/tasks/upgrade.yml index 5c1d325d..10e04f14 100644 --- a/webapps/privatebin/tasks/upgrade.yml +++ b/webapps/privatebin/tasks/upgrade.yml @@ -10,9 +10,9 @@ - name: Update privatebin repo (git) git: - repo: "{{ git_url }}" + repo: "{{ privatebin_git_url }}" dest: "~/PrivateBin/" - version: "{{ git_version }}" + version: "{{ privatebin_git_version }}" update: yes force: true become_user: "{{ service }}" diff --git a/webapps/privatebin/templates/ssl.conf.j2 b/webapps/privatebin/templates/ssl.conf.j2 index 719fa1ad..ef07f311 100644 --- a/webapps/privatebin/templates/ssl.conf.j2 +++ b/webapps/privatebin/templates/ssl.conf.j2 @@ -1,3 +1,3 @@ SSLEngine On -SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem -SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem +SSLCertificateFile /etc/letsencrypt/live/{{ privatebin_domains |first }}/fullchain.pem +SSLCertificateKeyFile /etc/letsencrypt/live/{{ privatebin_domains |first }}/privkey.pem diff --git a/webapps/privatebin/templates/vhost.conf.j2 b/webapps/privatebin/templates/vhost.conf.j2 index 7a41926d..e574f4c7 100644 
--- a/webapps/privatebin/templates/vhost.conf.j2 +++ b/webapps/privatebin/templates/vhost.conf.j2 @@ -1,5 +1,5 @@ - ServerName {{ domains |first }} + ServerName {{ privatebin_domains |first }} {% if ssl.stat.exists %} RewriteEngine On @@ -12,7 +12,7 @@ {% if ssl.stat.exists %} - ServerName {{ domains |first }} + ServerName {{ privatebin_domains |first }} DocumentRoot /home/{{ service }}/PrivateBin -- 2.39.2 From 7aca2089090431c066f9157435c77971e925363c Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Thu, 9 May 2024 14:21:15 -0400 Subject: [PATCH 4/5] ansible.builtin. prefix for modules --- webapps/privatebin/tasks/main.yml | 42 ++++++++++++++-------------- webapps/privatebin/tasks/upgrade.yml | 10 +++---- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml index 6bafe360..84020136 100644 --- a/webapps/privatebin/tasks/main.yml +++ b/webapps/privatebin/tasks/main.yml @@ -2,17 +2,17 @@ # tasks file for privatebin install - name: Install main system dependencies - apt: + ansible.builtin.apt: name: "{{ privatebin_system_dep }}" update_cache: yes - name: Add UNIX account - user: + ansible.builtin.user: name: "{{ service }}" shell: /bin/bash - name: Clone privatebin repo (git) - git: + ansible.builtin.git: repo: "{{ privatebin_git_url }}" dest: "~/PrivateBin/" version: "{{ privatebin_git_version | default(omit) }}" 
@@ -28,77 +28,77 @@ # mode: '0750' - name: Template apache conf for Let's Encrypt/Certbot - template: + ansible.builtin.template: src: "letsencrypt.conf.j2" dest: "/etc/apache2/conf-available/letsencrypt.conf" - name: Enable apache conf for Let's Encrypt/Certbot - command: "/usr/sbin/a2enconf letsencrypt.conf" + ansible.builtin.command: "/usr/sbin/a2enconf letsencrypt.conf" - name: Check if SSL certificate is present and register result - stat: + ansible.builtin.stat: path: "/etc/letsencrypt/live/{{ privatebin_domains |first }}/fullchain.pem" register: ssl - name: Generate certificate only if required (first time) block: - name: Template vhost without SSL for successfull LE challengce - template: + ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/apache2/sites-available/{{ service }}.conf" - name: Enable apache vhost for privatebin command: "/usr/sbin/a2ensite {{ service }}" - name: Reload apache conf - service: + ansible.builtin.service: name: apache2 state: reloaded - name: Make sure /var/lib/letsencrypt exists and has correct permissions - file: + ansible.builtin.file: path: /var/lib/letsencrypt state: directory mode: '0755' - name: Generate certificate with certbot - shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ privatebin_certbot_admin_email }} -d {{ privatebin_domains |first }} + ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ privatebin_certbot_admin_email }} -d {{ privatebin_domains | first }} - name: Create the ssl dir if needed - file: + ansible.builtin.file: path: /etc/apache2/ssl state: directory mode: '0750' - name: Template ssl block for apache vhost - template: + ansible.builtin.template: src: "ssl.conf.j2" dest: "/etc/apache2/ssl/{{ service }}.conf" when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result - stat: + ansible.builtin.stat: path: 
"/etc/letsencrypt/live/{{ privatebin_domains |first }}/fullchain.pem" register: ssl - name: (Re)template conf file for apache vhost with SSL - template: + ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/apache2/sites-available/{{ service }}.conf" - name: Enable apache mode_rewrite - command: "/usr/sbin/a2enmod ssl rewrite" + ansible.builtin.command: "/usr/sbin/a2enmod ssl rewrite" - name: Enable .htaccess configuration - copy: + ansible.builtin.copy: src: "~/PrivateBin/.htaccess.disabled" dest: "~/PrivateBin/.htaccess" remote_src: true become_user: "{{ service }}" - name: Creates directory outside DocumentRoot - file: + ansible.builtin.file: path: "~/secret" state: directory become_user: "{{ service }}" register: directory - name: Move some directories outside DocumentRoot - shell: + ansible.builtin.shell: cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/secret/" chdir: "~/PrivateBin/" executable: /bin/bash @@ -106,16 +106,16 @@ when: directory.changed - name: Ajust path needed for directories outside DocumentRoot - lineinfile: + ansible.builtin.lineinfile: path: "~/PrivateBin/index.php" regexp: ^define\('PATH', ''\); line: define('PATH', '../secret/'); become_user: "{{ service }}" - name: Enable apache vhost for privatebin - command: "/usr/sbin/a2ensite {{ service }}" + ansible.builtin.command: "/usr/sbin/a2ensite {{ service }}" - name: Reload apache conf - service: + ansible.builtin.service: name: apache2 state: reloaded diff --git a/webapps/privatebin/tasks/upgrade.yml b/webapps/privatebin/tasks/upgrade.yml index 10e04f14..be4c1947 100644 --- a/webapps/privatebin/tasks/upgrade.yml +++ b/webapps/privatebin/tasks/upgrade.yml 
@@ -2,14 +2,14 @@ # tasks file for etherpad upgrade - name: Move some directories back to DocumentRoot - shell: + ansible.builtin.shell: cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/PrivateBin/" chdir: "~/secret/" executable: /bin/bash become_user: "{{ service }}" - name: Update privatebin repo (git) - git: + ansible.builtin.git: repo: "{{ privatebin_git_url }}" dest: "~/PrivateBin/" version: "{{ privatebin_git_version }}" @@ -18,20 +18,20 @@ become_user: "{{ service }}" - name: Move back some directories outside DocumentRoot - shell: + ansible.builtin.shell: cmd: "mv {bin,cfg,doc,lib,tpl,tst,vendor} ~/secret/" chdir: "~/PrivateBin/" executable: /bin/bash become_user: "{{ service }}" - name: Ajust path needed for directories outside DocumentRoot - lineinfile: + ansible.builtin.lineinfile: path: "~/PrivateBin/index.php" regexp: ^define\('PATH', ''\); line: define('PATH', '../secret/'); become_user: "{{ service }}" - name: Reload apache conf - service: + ansible.builtin.service: name: apache2 state: reloaded -- 2.39.2 From 73cd25538a459611d7224e732f4ed888d9cecb45 Mon Sep 17 00:00:00 2001 From: Mathieu Gauthier-Pilote Date: Thu, 9 May 2024 15:18:27 -0400 Subject: [PATCH 5/5] Handlers; service => systemd; shell => command --- webapps/privatebin/handlers/main.yml | 10 +++++++ webapps/privatebin/tasks/main.yml | 39 ++++++++++++++-------------- webapps/privatebin/tasks/upgrade.yml | 2 +- 3 files changed, 30 insertions(+), 21 deletions(-) diff --git a/webapps/privatebin/handlers/main.yml b/webapps/privatebin/handlers/main.yml index 214734cf..8766485d 100644 --- a/webapps/privatebin/handlers/main.yml +++ b/webapps/privatebin/handlers/main.yml @@ -1,2 +1,12 @@ --- # handlers file + +- name: reload apache + ansible.builtin.systemd: + name: apache2 + state: reloaded + +- name: restart apache + ansible.builtin.systemd: + name: apache2 + state: restarted diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml index 84020136..4bd3e511 100644 
--- a/webapps/privatebin/tasks/main.yml +++ b/webapps/privatebin/tasks/main.yml @@ -21,19 +21,15 @@ umask: '0022' become_user: "{{ service }}" -#- name: Create the conf-available dir if needed -# file: -# path: /etc/apache2/conf-available -# state: directory -# mode: '0750' - - name: Template apache conf for Let's Encrypt/Certbot ansible.builtin.template: src: "letsencrypt.conf.j2" dest: "/etc/apache2/conf-available/letsencrypt.conf" - name: Enable apache conf for Let's Encrypt/Certbot - ansible.builtin.command: "/usr/sbin/a2enconf letsencrypt.conf" + ansible.builtin.command: + cmd: "/usr/sbin/a2enconf letsencrypt.conf" + notify: reload apache - name: Check if SSL certificate is present and register result ansible.builtin.stat: @@ -46,19 +42,21 @@ ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/apache2/sites-available/{{ service }}.conf" + notify: reload apache - name: Enable apache vhost for privatebin - command: "/usr/sbin/a2ensite {{ service }}" - - name: Reload apache conf - ansible.builtin.service: - name: apache2 - state: reloaded + ansible.builtin.command: + cmd: "/usr/sbin/a2ensite {{ service }}" + notify: reload apache + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Make sure /var/lib/letsencrypt exists and has correct permissions ansible.builtin.file: path: /var/lib/letsencrypt state: directory mode: '0755' - name: Generate certificate with certbot - ansible.builtin.shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ privatebin_certbot_admin_email }} -d {{ privatebin_domains | first }} + ansible.builtin.command: + cmd: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ privatebin_certbot_admin_email }} -d {{ privatebin_domains | first }} - name: Create the ssl dir if needed ansible.builtin.file: path: /etc/apache2/ssl 
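Review bot: `ansible.builtin.command: cmd: "/usr/sbin/a2enconf letsencrypt.conf"` now carries `notify: reload apache`, but the command module reports changed on every run, so the handler fires on every play; the same applies to both `a2ensite` tasks (hunks at -46 and -113) and to `a2enmod ssl rewrite` with `notify: restart apache` (hunk at -79), which restarts apache2 on every run even when nothing changed. Add `creates:` next to each `cmd:` pointing at the symlink the a2en* script makes (on Debian `/etc/apache2/conf-enabled/letsencrypt.conf`, `/etc/apache2/sites-enabled/{{ service }}.conf`, `/etc/apache2/mods-enabled/ssl.load`), or use `changed_when` on the command output, so the notification only fires on a real change. The `Flush handlers` step inside the block is the right call given that certbot needs the HTTP vhost live before the challenge.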
@@ -68,6 +66,7 @@ ansible.builtin.template: src: "ssl.conf.j2" dest: "/etc/apache2/ssl/{{ service }}.conf" + notify: reload apache when: ssl.stat.exists != true - name: (Re)check if SSL certificate is present and register result @@ -79,9 +78,12 @@ ansible.builtin.template: src: "vhost.conf.j2" dest: "/etc/apache2/sites-available/{{ service }}.conf" + notify: reload apache - name: Enable apache mode_rewrite - ansible.builtin.command: "/usr/sbin/a2enmod ssl rewrite" + ansible.builtin.command: + cmd: "/usr/sbin/a2enmod ssl rewrite" + notify: restart apache - name: Enable .htaccess configuration ansible.builtin.copy: @@ -113,9 +115,6 @@ become_user: "{{ service }}" - name: Enable apache vhost for privatebin - ansible.builtin.command: "/usr/sbin/a2ensite {{ service }}" - -- name: Reload apache conf - ansible.builtin.service: - name: apache2 - state: reloaded + ansible.builtin.command: + cmd: "/usr/sbin/a2ensite {{ service }}" + notify: reload apache diff --git a/webapps/privatebin/tasks/upgrade.yml b/webapps/privatebin/tasks/upgrade.yml index be4c1947..ac27e98c 100644 --- a/webapps/privatebin/tasks/upgrade.yml +++ b/webapps/privatebin/tasks/upgrade.yml @@ -32,6 +32,6 @@ become_user: "{{ service }}" - name: Reload apache conf - ansible.builtin.service: + ansible.builtin.systemd: name: apache2 state: reloaded -- 2.39.2