punishedponepaste

Requirements

• An HTTP server that can perform URL rewriting and execute PHP 8 code (eg: nginx with php8-fpm,) and the following PHP extensions: pdo, openssl, gd, mbstring, redis.
• A MySQL-compatible server (eg: MariaDB 10.)
• A Redis server.

Building the JS

When you change the JS, you need to rebuild it. assets/bundle.js is used in dev, assets/bundle.min.js is used in production.

You need Yarn (version 1, not version 2 - 2 may work, but I haven't tried it.) After that, whenever you change anything under js/, you need to run yarn rollup --config. Good luck!

Local Development

1. Set up MySQL/MariaDB and Redis/Valkey and note the host+port and credentials for both.
2. Set up an NGINX site using doc/nginx.local.conf as a template; change things for your environment as necessary.
   • Set up a /etc/hosts file entry for ponepaste.local to 127.0.0.1 if you want to use ponepaste.local.
3. Copy includes/config.sample.php to includes/config.php.
   • Recommend setting PP_DEBUG to true for local development and testing.
   • Configure PP_REDIS_* constant as needed.
   • Configure $db_* variables as needed.
4. Copy config/site.example.php to config/site.php. This does not need to be edited; it can be configured in the site's admin UI later.
5. Import doc/schema.sql into the MySQL database you configured above.
6. Create the initial admin user by doing the following:
   • php -f util/ppadmin.php hashpw -> enter your desired password, and hit enter. Copy the hashed password to clipboard.
   • Open a MySQL console to the database you configured above, and run something like INSERT INTO users (username, password, role, admin_password_hash, recovery_code_hash) VALUES ('admin', 'THE HASH FROM EARLIER', 2, 'THE SAME HASH FROM EARLIER', '');
7. Go to http://ponepaste.local (or whatever hostname you configured), log in, and explore the site!

Production Deployment

1. Set up MySQL/MariaDB and Redis/Valkey and note the host+port and credentials for both.
   • Ensure these are properly secured and firewalled from the public Internet.
2. Set up an NGINX site using doc/nginx.conf as a template; change things for your environment as necessary.
   • On initial configuration, you may need to comment out the SSL server { } block or change the cert to a dummy (but valid) one, just long enough to get one from Let's Encrypt. TLS is mostly left as an exercise to the reader. You can do it!
3. Copy includes/config.sample.php to includes/config.php.
   • Ensure PP_DEBUG is set to false for production deployment.
   • Configure the PP_PASSWORD_PEPPER constant to be a long and random string, such as generated by openssl rand -hex 32. This key strengthens the password hashing significantly, and renders the password hashes from a database-only hack/leak effectively uncrackable.
   • Configure the PP_ENCRYPTION_KEY constant to be another, different, long and random string, such as generated by openssl rand -hex 32. This key is used to encrypt all pastes before they are stored in the database. Its use renders the paste data from a database-only hack/leak unrecoverable.
   • Configure PP_REDIS_* constant as needed.
   • Configure $db_* variables as needed.
4. Copy config/site.example.php to config/site.php. This does not need to be edited; it can be configured in the site's admin UI later.
5. Import doc/schema.sql into the MySQL database you configured above.
6. Create the initial admin user by doing the following:
   • php -f util/ppadmin.php hashpw -> enter your desired password, and hit enter. Copy the hashed password to clipboard.
   • Do the same, but use a different password. This second password is the re-authentication password for administrative actions; this is essentially 2FA where both factors are different passwords.
   • Open a MySQL console to the database you configured above, and run something like INSERT INTO users (username, password, role, admin_password_hash, recovery_code_hash) VALUES ('admin', 'THE FIRST HASH FROM EARLIER', 2, 'THE SECOND HASH FROM EARLIER', '');
7. Go to http://{your-domain}, log in, and explore the site!