finish privatebin entry

2 files changed, 326 insertions, 262 deletions

diff --git a/src/blog/a/pastebin_alt_with_privatebin.md b/src/blog/a/pastebin_alt_with_privatebin.md
new file mode 100644
index 0000000..643b753
--- /dev/null
+++ b/src/blog/a/pastebin_alt_with_privatebin.md
@@ -0,0 +1,326 @@
+title: Set up a pastebin alternative with PrivateBin and YOURLS
+author: David Luévano
+lang: en
+summary: How to set up a pastebin alternative with PrivateBin and YOURLS as shortener, on Arch.
+tags: server
+    tools
+    code
+    tutorial
+    english
+
+I learned about PrivateBin a few weeks back and ever since I've been looking into installing it, along with a URL shortener (a service I wanted to self host since forever). It took me a while as I ran into some problems while experimenting and documenting all the necessary bits in here.
+
+My setup is exposed to the public, and as always is heavily based on previous entries as described in [Prerequisites](#Prerequisites). Descriptions on setting up MariaDB (preferred MySQL replacement for Arch) and PHP are written in this entry as this is the first time I've needed them.
+
+Everything here is performed in ==arch btw== and all commands should be run as root unless stated otherwise.
+
+# Table of contents
+
+[TOC]
+
+# Prerequisites
+
+If you want to expose to a (sub)domain, then similar to my early [tutorial](https://blog.luevano.xyz/tag/@tutorial.html) entries (specially the [website](https://blog.luevano.xyz/a/website_with_nginx.html) for the reverse proxy plus certificates):
+
+- `nginx` for the reverse proxy.
+- `certbot` for the SSL certificates.
+- `yay` to install AUR packages.
+    - I briefly mention how to install and use it on [Manga server with Komga: yay](https://blog.luevano.xyz/a/manga_server_with_komga.html#yay).
+- An **A** (and/or **AAAA**) or a **CNAME** for `privatebin` and `yourls` (or whatever you want to call them).
+
+# MariaDB
+
+[MariaDB](https://wiki.archlinux.org/title/MariaDB) is a drop-in replacement of [MySQL](https://wiki.archlinux.org/title/MySQL).
+
+Install the `mariadb` package:
+
+```sh
+pacman -S mariadb
+```
+
+Before starting/enabling the systemd service run:
+
+```sh
+mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+```
+
+`start`/`enable` the `mariadb.service`:
+
+```sh
+systemctl start mariadb.service
+systemctl enable mariadb.service
+```
+
+Run and follow the secure installation script before proceding any further:
+
+```sh
+mariadb-secure-installation
+```
+
+Change the binding address so the service listens on `localhost` only by modifying `/etc/my.cnf.d/server.cnf`:
+
+```ini
+[mariadb]
+bind-address = localhost
+```
+
+## Create users/databases
+
+To use `mariadb` simply run the command and it will try to login with the corresponding linux user running it, for example for root. Else the general login command is:
+
+```sh
+mariadb -u <username> -p <database_name>
+```
+
+The `database_name` is optional. It will prompt a password input field.
+
+Using `mariadb` as root, create users with their respective database if needed with the following queries:
+
+```sql
+MariaDB> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';
+MariaDB> CREATE DATABASE <database_name>;
+MariaDB> GRANT ALL PRIVILEGES ON <database_name>.* TO '<username>'@'localhost';
+MariaDB> quit
+```
+
+The `database_name` will depend on how YOURLS and PrivateBin are configured, that is if the services use a separate database and/or table prefixes are used.
+
+# PHP
+
+[PHP](https://wiki.archlinux.org/title/PHP) is a general-purpose scripting language that is usually used for web development, which was supposed to be ass for a long time but it seems to be a misconseption from the *old times*.
+
+Install the `php`, `php-fpm`, `php-gd` packages:
+
+```sh
+pacman -S php php-fpm php-gd
+```
+
+`start`/`enable` the `php-fpm.service`:
+
+```sh
+systemctl start php-fpm.service
+systemctl enable php-fpm.service
+```
+
+## Configuration
+
+Only showing changes needed, main config file is located at `/etc/php/php.ini`, or drop-in files can be placed at `/etc/php/conf.d/` instead.
+
+Set timezone ([list of timezones](https://www.php.net/manual/en/timezones.php)):
+
+```ini
+date.timezone = Europe/Berlin
+```
+
+Enable the `gd` and `mysql` extensions:
+
+```ini
+extension=gd
+extension=pdo_mysql
+extension=mysqli
+```
+
+## Nginx
+
+Create a PHP specific config that can be reusable at `/etc/nginx/php_fastcgi.conf`:
+
+```nginx
+location ~ \.php$ {
+    # required for yourls
+    add_header Access-Control-Allow-Origin $http_origin;
+
+    # 404
+    try_files $fastcgi_script_name =404;
+
+    # default fastcgi_params
+    include fastcgi_params;
+
+    # fastcgi settings
+    fastcgi_pass                        unix:/run/php-fpm/php-fpm.sock;
+    fastcgi_index                       index.php;
+    fastcgi_buffers                     8 16k;
+    fastcgi_buffer_size         32k;
+
+    # fastcgi params
+    fastcgi_param DOCUMENT_ROOT $realpath_root;
+    fastcgi_param SCRIPT_FILENAME       $realpath_root$fastcgi_script_name;
+    #fastcgi_param PHP_ADMIN_VALUE      "open_basedir=$base/:/usr/lib/php/:/tmp/";
+}
+```
+
+This then can be imported by any `server` directive that needs it.
+
+# YOURLS
+
+[YOURLS](https://yourls.org/) is a self-hosted URL shortener that is supported by PrivateBin.
+
+Install from the AUR with `yay`:
+
+```sh
+yay -S yourls
+```
+
+Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases).
+
+## Configuration
+
+The default configuration file is self explanatory, it is located at `/etc/webapps/yourls/config.php`.
+
+Set the user/database YOURLS will use and either create a cookie or get one from [URL provided](http://yourls.org/cookie). It is important to change the `$yours_user_passwords` variable, YOURLS will hash the passwords on login so it is not stored in plaintext. Password hashing can be disabled with:
+
+```php
+define( 'YOURLS_NO_HASH_PASSWORD', true );
+```
+
+I also changed the "shortening method" to `62` to include more characters:
+
+```php
+define( 'YOURLS_URL_CONVERT', 62 );
+```
+
+Lastly, the `$yourls_reserved_URL` variable will need more blacklisted words depending on the use-case. `YOURLS_SITE` needs to match whatever is set in `nginx`.
+
+## Nginx
+
+Create a `yourls.conf` at the usual `sites-<available/enabled>` path for `nginx`:
+
+```nginx
+server {
+    listen 80;
+    root /usr/share/webapps/yourls/;
+    server_name short.yourdomain.com;
+    index index.php;
+
+    location / {
+        try_files $uri $uri/ /yourls-loader.php$is_args$args;
+    }
+
+    include /etc/nginx/php_fastcgi.conf;
+}
+```
+
+Make sure the following header is included in the `php`'s nginx location block described in [YOURLS: Nginx](#Nginx):
+
+```nginx
+add_header Access-Control-Allow-Origin $http_origin;
+```
+
+### SSL certificate
+
+Create/extend the certificate by running:
+
+```sh
+certbot --nginx
+```
+
+Restart the `nginx` service for changes to take effect:
+
+```sh
+systemctl restart nginx.service
+```
+
+# PrivateBin
+
+[PrivateBin](https://privatebin.info/) is a minimalist self-hosted alternative to [pastebin](https://pastebin.com/).
+
+Install from the AUR with `yay`:
+
+```sh
+yay -S privatebin
+```
+
+Create a new user and database as described in [MariaDB: Create users/databases](#Create users/databases).
+
+## Configuration
+
+This heavily depends on personal preference, all defaults are fine. Make a copy of the sample config template:
+
+```sh
+cp /etc/webapps/privatebin/conf.sample.php /etc/webapps/privatebin/conf.php
+```
+
+The most important changes needed are `basepath` according to the `privatebin` URL and the `[model]` and `[model_options]` to use MySQL instead of plain filesystem files:
+
+```php
+[model]
+; example of DB configuration for MySQL
+class = Database
+[model_options]
+dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+tbl = "privatebin_"     ; table prefix
+usr = "privatebin"
+pwd = "<password>"
+opt[12] = true    ; PDO::ATTR_PERSISTENT
+```
+
+Any other `[model]` or `[model_options]` needs to be commented out (for example, the default filesystem setting).
+
+### YOURLS integration
+
+I recommend creating a separate user for `privatebin` in `yourls` by modifying the `$yours_user_passwords` variable in `yourls` config file. Then login with this user and get the `signature` from the "Tools" section in the admin page, for more: [YOURLS: Passwordless API](https://yourls.org/docs/guide/advanced/passwordless-api).
+
+For a "private" `yourls` installation (that needs username/pasword), set `urlshortener`:
+
+```php
+urlshortener = "https://short.example.com/yourls-api.php?signature=xxxxxxxxxx&action=shorturl&format=json&url="
+```
+
+==Note that this will expose the `signature` in the HTTP requests and anybody with the signature can use it to shorten external URLs.==
+
+## Nginx
+
+To deny access to some bots/crawlers, PrivateBin provides a sample `.htaccess`, which is used in Apache. We need an Nginx version, which I found [here](https://gist.github.com/benediktg/948a70136e2104c8601da7d355061323).
+
+Add the following at the beginning of the `http` block of the `/etc/nginx/nginx.conf` file:
+
+```nginx
+http {
+    map $http_user_agent $pastebin_badagent {
+        ~*bot 1;
+        ~*spider 1;
+        ~*crawl 1;
+        ~https?:// 1;
+        WhatsApp 1;
+        SkypeUriPreview 1;
+        facebookexternalhit 1;
+	}
+
+    #...
+}
+```
+
+Create a `privatebin.conf` at the usual `sites-<available/enabled>` path for `nginx`:
+
+```nginx
+server {
+    listen 80;
+    root //usr/share/webapps/privatebin/;
+    server_name bin.yourdomain.com;
+    index index.php;
+
+    if ($pastebin_badagent) {
+       return 403;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
+
+    include /etc/nginx/php_fastcgi.conf;
+}
+```
+
+### SSL certificate
+
+Create/extend the certificate by running:
+
+```sh
+certbot --nginx
+```
+
+Restart the `nginx` service for changes to take effect:
+
+```sh
+systemctl restart nginx.service
+```
+
diff --git a/src/blog/temp/pastebin_alt_with_privatebin.md b/src/blog/temp/pastebin_alt_with_privatebin.md
deleted file mode 100644
index 491847e..0000000
--- a/src/blog/temp/pastebin_alt_with_privatebin.md
+++ /dev/null
@@ -1,262 +0,0 @@
-title: Set up a pastebin alternative with PrivateBin and YOURLS
-author: David Luévano
-lang: en
-summary: How to set up a pastebin alternative with PrivateBin and YOURLS, on Arch.
-tags: server
-    tools
-    code
-    tutorial
-    english
-
-https://wiki.archlinux.org/title/Arch_package_guidelines
-https://wiki.archlinux.org/title/Nginx#PHP_implementation
-
-mariadb (for mysql) is assumed
-
-# MariaDB
-
-[MariaDB](https://wiki.archlinux.org/title/MariaDB) is a drop-in replacement of [MySQL](https://wiki.archlinux.org/title/MySQL).
-
-Install the `mariadb` package:
-
-```sh
-pacman -S mariadb
-```
-
-Before starting/enabling the systemd service run:
-
-```sh
-mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
-```
-
-`start`/`enable` the `mariadb.service`:
-
-```sh
-systemctl start mariadb.service
-systemctl enable mariadb.service
-```
-
-Run and follow the secure installation script before proceding any further:
-
-```sh
-mariadb-secure-installation
-```
-
-Change the binding address so the service listens on `localhost` by modifying `/etc/my.cnf.d/server.cnf`:
-
-```ini
-[mariadb]
-bind-address = localhost
-```
-
-## Create users/databases
-
-Using `mariadb` as root, create users with their respective database (for our use-case) with the following queries:
-
-```sql
-MariaDB> CREATE USER '<username>'@'localhost' IDENTIFIED BY '<password>';
-MariaDB> CREATE DATABASE <database_name>;
-MariaDB> GRANT ALL PRIVILEGES ON <database_name>.* TO '<username>'@'localhost';
-MariaDB> quit
-```
-
-The `database_name` will depend on how YOURLS and PrivateBin are configured.
-
-# PHP
-
-[PHP](https://wiki.archlinux.org/title/PHP) is a general-purpose scripting language that is usually used for web development, which was supposed to be ass for a long time but it seems to be a misconseption from the *old times*.
-
-Install the `php`, `php-fpm`, `php-gd` packages:
-
-```sh
-pacman -S php php-fpm php-gd
-```
-
-`start`/`enable` the `php-fpm.service`:
-
-```sh
-systemctl start php-fpm.service
-systemctl enable php-fpm.service
-```
-
-## Configuration
-
-Only showing configurations needed, main config file is located at `/etc/php/php.ini`, but drop-in files can be placed at `/etc/php/conf.d/` instead.
-
-Set timezone ([list of timezones](https://www.php.net/manual/en/timezones.php)):
-
-```ini
-date.timezone = Europe/Berlin
-```
-
-Enable the `gd` and `mysql` extensions:
-
-```ini
-extension=gd
-extension=pdo_mysql
-extension=mysqli
-```
-
-## Nginx
-
-Create a PHP specific config that can be reusable at `/etc/nginx/php_fastcgi.conf`:
-
-```nginx
-location ~ \.php$ {
-    # 404
-    try_files $fastcgi_script_name =404;
-
-    # default fastcgi_params
-    include fastcgi_params;
-
-    # fastcgi settings
-    fastcgi_pass                        unix:/run/php-fpm/php-fpm.sock;
-    fastcgi_index                       index.php;
-    fastcgi_buffers                     8 16k;
-    fastcgi_buffer_size         32k;
-
-    # fastcgi params
-    fastcgi_param DOCUMENT_ROOT $realpath_root;
-    fastcgi_param SCRIPT_FILENAME       $realpath_root$fastcgi_script_name;
-    #fastcgi_param PHP_ADMIN_VALUE      "open_basedir=$base/:/usr/lib/php/:/tmp/";
-}
-```
-
-This then can be imported by any `server` directive that needs it.
-
-# YOURLS
-
-[YOURLS](https://yourls.org/) is a self-hosted URL shortener that is supported by PrivateBin.
-
-Install from the AUR with `yay`:
-
-```sh
-yay -S yourls
-```
-
-Create a new user and database as described in [Create users](#Create users).
-
-## Configuration
-
-The default configuration file is self explanatory, it is located at `/etc/webapps/yourls/config.php`.
-
-Set the newly created user/database information and get one cookie string from the [URL provided](http://yourls.org/cookie) (or create your own). Then it is important to change/set the `$yours_user_passwords` variable. I also changed the "shortening method" to `62`:
-
-```php
-define( 'YOURLS_URL_CONVERT', 62 );
-```
-
-Lastly, the `$yourls_reserved_URL` variable will need more blacklisted words depending on the use-case.
-
-I had issues with the password hashing, which I disabled by adding the following config:
-
-```php
-define( 'YOURLS_NO_HASH_PASSWORD', true );
-```
-
-## Nginx
-
-Create a `yourls.conf` at the usual `sites-<available/enabled>` path for `nginx`:
-
-### TO-DO ACTUALLY WRITE FOR YOURLS
-
-```nginx
-server {
-    listen 80;
-    root //usr/share/webapps/privatebin/;
-    server_name bin.yourdomain.com;
-
-    if ($pastebin_badagent) {
-       return 403;
-    }
-
-    location / {
-        index index.html index.htm index.php;
-    }
-
-    include /etc/nginx/php_fastcgi.conf;
-}
-```
-
-# PrivateBin
-
-https://privatebin.info/
-https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation
---- https://github.com/PrivateBin/PrivateBin/blob/master/INSTALL.md#installation
-https://github.com/PrivateBin/PrivateBin/wiki/Configuration
-https://aur.archlinux.org/packages/privatebin
-
-Install from the AUR with `yay`:
-
-```sh
-yay -S privatebin
-```
-
-## Configuration
-
-This heavily depends on personal preference. Make a copy of the config template:
-
-```sh
-cp /etc/webapps/privatebin/conf.sample.php /etc/webapps/privatebin/conf.php
-```
-
-# TO-DO
-
-NEED TO SPECIFY THE DATA PATH CHAGE FROM 'DATA' TO 'VAR/LIB/PRIVATEBIN/
-
-At least configure the `[model]` and `[model_options]` to use SQLite instead of plain filesystem files. 
-
-```sh
-[model]
-; example of DB configuration for SQLite
-class = Database
-[model_options]
-;dsn = "sqlite:" PATH "data/db.sq3"
-dsn = "sqlite:" PATH "/var/lib/privatebin/db.sq3"
-usr = null
-pwd = null
-opt[12] = true  ; PDO::ATTR_PERSISTENT
-```
-
-
-## Nginx
-
-To deny access to some bots/crawlers, PrivateBin provides a sample `.htaccess`, which is used in Apache. We need an Nginx version, which I found [here](https://gist.github.com/benediktg/948a70136e2104c8601da7d355061323).
-
-Add the following at the beginning of the `http` block of the `/etc/nginx/nginx.conf` file:
-
-```nginx
-http {
-    map $http_user_agent $pastebin_badagent {
-        ~*bot 1;
-        ~*spider 1;
-        ~*crawl 1;
-        ~https?:// 1;
-        WhatsApp 1;
-        SkypeUriPreview 1;
-        facebookexternalhit 1;
-	}
-
-    #...
-}
-```
-
-Create a `privatebin.conf` at the usual `sites-<available/enabled>` path for `nginx`:
-
-```nginx
-server {
-    listen 80;
-    root //usr/share/webapps/privatebin/;
-    server_name bin.yourdomain.com;
-
-    if ($pastebin_badagent) {
-       return 403;
-    }
-
-    location / {
-        index index.html index.htm index.php;
-    }
-
-    include /etc/nginx/php_fastcgi.conf;
-}
-```