self-hostingdevopsprivacy

How to Self-Host PrivateBin on a Sovereign Cloud (Docker + Ansible Playbook)

UUnknown

2026-03-05

11 min read

Step-by-step guide to self-host PrivateBin in a sovereign cloud with Docker + Ansible and hardened defaults for compliance.

Stop leaking secrets to third-party pastebins — deploy PrivateBin in a sovereign cloud with hardened defaults

If your team shares logs, stack traces, or one-time secrets in chat or tickets, you already know the pain: plaintext pastes that live forever on a public service, compliance headaches, and operational friction when you try to make a secure alternative work. In 2026, with major cloud providers offering sovereign regions and stricter data-residency controls, the opportunity is simple: self-host a privacy-first paste service that keeps plaintext off servers and inside your control.

Why this matters now (2026 trends)

Late-2025 and early-2026 launched a leap in sovereign cloud availability (for example, AWS European Sovereign Cloud and equivalent offerings from other hyperscalers). Organizations that must meet GDPR, national security, or internal sovereignty requirements increasingly choose regional infrastructure that is physically and legally separated from global regions. At the same time, developers demand workflows that integrate ephemeral sharing into CI/CD and incident response without introducing new leak vectors.

PrivateBin is designed for this: client-side encryption, configurable one-time views and expirations, and a minimal server surface. This guide shows you how to deploy PrivateBin on a sovereign cloud region using Docker for runtime and Ansible for infrastructure-as-code (IAC), with a focus on hardened defaults and practical operational controls.

What you’ll get from this tutorial

Repeatable Ansible playbook to provision a VM in a sovereign region, install Docker, and deploy PrivateBin with Docker Compose
Opinionated security hardening: TLS, headers, firewall, non-root containers, log minimization, and CSP
Options for certificate management (ACME vs provider-managed certs) and suggestions for integrating with CI/CD and chatops
Operational notes for compliance, auditing, and disaster recovery

High-level architecture

We’ll deploy a small stack on a single VM inside your sovereign cloud region. Components:

PrivateBin (official Docker image) running Nginx+PHP-FPM — stores encrypted pastes
Nginx reverse proxy for TLS termination and security headers (you can substitute Traefik/Caddy for ACME automation)
Docker Compose to keep the deployment simple and reproducible
Ansible playbook to provision the VM, install Docker, place config files, and launch the stack

Prerequisites

An account in your sovereign cloud region (AWS European Sovereign Cloud, Azure Sovereign Region, etc.) and the ability to create a small VM (t3.micro / t3.small equivalent)
Ansible control host with connectivity to the VM
DNS entry pointed to the VM's public IP in the sovereign region (or internal load balancer address if using private access)
Choice of certificate management: ACME (Let’s Encrypt) or provider-managed certs — note that some sovereign regions provide internal CA options

Files you’ll create

ansible/hosts (inventory)
ansible/site.yml (main playbook)
ansible/roles/docker/tasks/main.yml
ansible/files/docker-compose.yml
ansible/files/nginx/privatebin.conf
ansible/files/privatebin.env (optional)

Step 1 — Inventory and variables

Create a minimal Ansible inventory (replace IPs and group names as needed). Keep secrets out of the repo — use Ansible Vault for TLS private keys if you store them in the playbook.

# ansible/hosts
[privatebin]
sovereign-vm ansible_host=203.0.113.10 ansible_user=ubuntu

Step 2 — Opinionated Docker Compose

This Compose file uses the official PrivateBin image (verify tag on Docker Hub before use). We bind a data volume for paste storage. Adjust paths for your backup and retention policy.

# ansible/files/docker-compose.yml
version: '3.8'
services:
  privatebin:
    image: privatebin/nginx-fpm:latest
    restart: unless-stopped
    environment:
      - VIRTUAL_HOST=privatebin.example.sov
    volumes:
      - /srv/privatebin/data:/srv/privatebin/data:rw
      - /etc/privatebin/config:/srv/privatebin/cfg:ro
    networks:
      - web

  nginx-proxy:
    image: nginx:stable-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro  # if using ACME files
      - /srv/privatebin/nginx/conf.d:/etc/nginx/conf.d:ro
      - /var/log/nginx:/var/log/nginx
    depends_on:
      - privatebin
    networks:
      - web

networks:
  web:
    driver: bridge

Hardening notes for Compose

Run containers as non-root inside the image (verify the image runs a non-root user — if not, create a custom build to drop root).
Mount only the directories you need; prefer read-only mounts for config files.
Limit restart policies and use resource constraints if your cloud supports it (cpus, mem_limit).

Step 3 — Nginx reverse-proxy with security headers

A simple Nginx vhost secures PrivateBin traffic and sets strict headers. Tweak Content-Security-Policy if you host inline assets elsewhere.

# ansible/files/nginx/privatebin.conf
server {
  listen 80;
  server_name privatebin.example.sov;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  server_name privatebin.example.sov;

  ssl_certificate /etc/letsencrypt/live/privatebin.example.sov/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/privatebin.example.sov/privkey.pem;
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options DENY;
  add_header Referrer-Policy no-referrer;
  add_header Permissions-Policy "geolocation=()";
  add_header X-XSS-Protection "0";

  # Minimal CSP: only self for scripts/styles, no external frames
  add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';" always;

  access_log /var/log/nginx/privatebin.access.log minimal;
  error_log /var/log/nginx/privatebin.error.log warn;

  location / {
    proxy_pass http://privatebin:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Disable request body buffering for large pastes
    proxy_request_buffering off;
  }
}

Step 4 — Ansible playbook (install Docker, compose, deploy)

The playbook below is the backbone: install Docker, create directories with proper permissions, push files, and start Docker Compose. Save as ansible/site.yml.

# ansible/site.yml
- hosts: privatebin
  become: true
  vars:
    privatebin_user: privatebin
    data_path: /srv/privatebin
  tasks:
    - name: Ensure apt cache is updated
      apt:
        update_cache: yes

    - name: Install required packages
      apt:
        name:
          - apt-transport-https
          - ca-certificates
          - curl
          - gnupg
          - lsb-release
        state: present

    - name: Add Docker GPG key
      apt_key:
        url: https://download.docker.com/linux/ubuntu/gpg
        state: present

    - name: Add Docker repo
      apt_repository:
        repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable
        state: present

    - name: Install Docker and compose plugin
      apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
        state: latest

    - name: Ensure docker group exists
      group:
        name: docker
        state: present

    - name: Create privatebin user
      user:
        name: "{{ privatebin_user }}"
        system: yes
        create_home: no
        groups: docker

    - name: Create data directories
      file:
        path: "{{ item }}"
        state: directory
        owner: "{{ privatebin_user }}"
        group: docker
        mode: '0750'
      loop:
        - "{{ data_path }}"
        - "{{ data_path }}/data"
        - "{{ data_path }}/nginx/conf.d"
        - "{{ data_path }}/cfg"

    - name: Copy docker-compose.yml
      copy:
        src: files/docker-compose.yml
        dest: /home/{{ privatebin_user }}/docker-compose.yml
        owner: "{{ privatebin_user }}"
        mode: '0640'

    - name: Copy nginx config
      copy:
        src: files/nginx/privatebin.conf
        dest: "{{ data_path }}/nginx/conf.d/privatebin.conf"
        owner: root
        mode: '0640'

    - name: Ensure firewall allows only 443 and 22
      ufw:
        rule: allow
        port: '{{ item }}'
      loop:
        - '22'
        - '443'

    - name: Enable UFW
      ufw:
        state: enabled
        logging: low

    - name: Launch stack (docker compose)
      community.docker.docker_compose:
        project_src: /home/{{ privatebin_user }}
        files:
          - /home/{{ privatebin_user }}/docker-compose.yml
        state: present
        restarted: yes

    - name: Ensure logrotate for nginx logs
      copy:
        content: |
          /var/log/nginx/*.log {
            daily
            missingok
            rotate 14
            compress
            delaycompress
            notifempty
            create 0640 root adm
            sharedscripts
            postrotate
              [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
            endscript
          }
        dest: /etc/logrotate.d/nginx-privatebin
        owner: root
        mode: '0644'

Notes on the playbook

We run Docker using official packages and the Ansible community docker_compose module. If your sovereign region restricts external repos, pre-bake an image.
Use Ansible Vault for TLS keys and provider credentials (do not check private keys into Git).
If you prefer systemd-managed compose, add a systemd unit that runs docker compose up in the project directory.

Step 5 — Certificates and ACME in sovereign regions

Certificate options depend on your sovereignty constraints:

Use a provider-managed certificate (recommended for strict sovereignty): upload certificate files to the VM or to the internal LB; reference them in the Nginx config.
Use ACME (Let’s Encrypt) if allowed in your jurisdiction and cloud region — automate via Certbot, Caddy, or Traefik. Confirm the ACME server endpoint is accessible from your sovereign region.
Use your organization’s internal PKI/CA; deploy certs with Ansible Vault and rotate via an automated job.

Step 6 — PrivateBin configuration and hardening

PrivateBin is zero-knowledge, but you should still lock down server-side settings and defaults.

Set default expiration to a short interval (e.g., 1 day) and enforce one-time view by default for sensitive teams.
Disable or minimize access logs. PrivateBin itself doesn't see plaintext; however, your server logs will still record source IPs and timestamps. Keep logs for the minimum time required by policy and store them in a controlled SIEM.
Restrict upload sizes in Nginx to a reasonable maximum (client_max_body_size) to reduce abuse.
Use the Nginx CSP and security headers provided earlier to restrict script sources and prevent embedding in other domains.

Operational considerations

Backups & retention

Decide whether you need to persist pastes long-term. For one-time secret sharing you may prefer ephemeral storage with regular purge jobs (cron + Ansible). If retention is required for auditing, copy metadata (not plaintext) to your audit store and encrypt backups using your KMS inside the sovereign region.

Monitoring & alerting

Log container lifecycle events to your SIEM (container start/stop, image changes).
Monitor TLS certificate expiry and automate renewals inside your sovereign region.
Use internal health checks that do not leak paste contents to external monitors.

Integrations: CI/CD and chatops

Integrate PrivateBin into workflows with short-lived paste creation via API calls or an internal CLI. For example, add a CI step that uploads build logs to PrivateBin with a predefined expiration and posts the link to your private channel. Ensure the CI/CD runner runs in the same sovereign boundary.

Advanced hardening (recommended)

Run the PrivateBin container with a read-only root filesystem and an explicit tmpfs for any writable runtime directories.
Enable kernel-level restrictions (seccomp, AppArmor) via Docker to limit syscalls.
Use a dedicated network security group that only allows incoming 443 traffic from approved networks (no public access for internal-only deployments).
Implement an egress policy for the VM so it cannot call out to unsafe domains — necessary for high-security environments.

Compliance and auditability

For GDPR and national sovereignty controls in 2026, document the following:

Data plane location (the sovereign region and VM IDs)
Access control policy and key rotation schedule
Retention and deletion policy for pastes and logs
Evidence that plaintext is never logged or exported (show client-side encryption flow and validate with a dev test)

Keep automated evidence (e.g., CI jobs that run security checks against the deployed service) to satisfy audits.

Troubleshooting & FAQs

Q: Does PrivateBin see my plaintext?

No — PrivateBin performs client-side encryption. The server stores ciphertext and cannot decrypt it without the key the client embeds in the paste URL. Still, make sure you do not enable server-side plugins that might collect content.

Q: How do I rotate TLS certificates safely in a sovereign region?

Automate renewals with your chosen CA and place renewed certs in a centrally managed secrets store inside the sovereign region. Use Ansible or a provider automation tool to atomically update the Nginx certs and reload the server.

Q: Can I deploy PrivateBin behind an internal load balancer?

Yes. For internal-only access, use your cloud provider’s internal load balancer. Terminate TLS at the LB and keep the backend communication within the sovereign network. Ensure LB logs are retained in-country if required by policy.

Example real-world checklist (fast path)

Provision VM in sovereign region; attach public IP only if required
Run the Ansible playbook to install Docker + Compose and deploy the stack
Install provider-managed cert or run internal ACME and enable TLS
Validate CSP, HSTS, and minimal logging
Run a dev test: upload a paste, confirm server stores only ciphertext, and verify expiration works
Integrate link posting into your private chat and CI (with short expirations)

Future-proofing (2026+)

Emerging trends to watch and adopt:

Sovereign cloud features: more provider-managed services that remain in-country — use managed PKI and secret stores to simplify operations.
Zero-knowledge workflows: expect more off-the-shelf integrations (vaults, chatops) that preserve client-side encryption.
Policy-as-code: automating compliance checks (policy engines that verify logs, region placement, and encryption settings) will become standard.

What I’d change after 6 months of running this in production

Move Nginx to a separate small VM or managed LB for higher availability and autoscaling.
Introduce a signed image policy and image-acceptance pipeline for the PrivateBin image to ensure supply-chain trust.
Integrate short-lived credentials and an internal CA to further reduce blast radius if a VM is compromised.

Actionable takeaways

Deploy PrivateBin in a sovereign cloud to keep paste metadata and ciphertext inside your legal boundary.
Use Ansible + Docker Compose for repeatable, auditable deployments — automate certs and logging policies.
Harden the stack: non-root containers, strict TLS, CSP, minimal logs, and restricted network egress.
Integrate into CI/CD and chatops with short expirations and one-time view defaults to minimize leak risk.

Next steps & call to action

Ready to deploy? Clone the example repository (contains the full Ansible role, Compose file, and example nginx conf) and run the playbook against a VM in your sovereign region. Use Ansible Vault for secrets and verify cert automation fits your provider's rules.

If you want a managed option or a compliance review of your deployment, reach out to our team at privatebin.cloud for a free 30-minute architecture review tailored to your sovereignty requirements.

Quick link: Start with the Ansible playbook, secure your certs in-region, and enforce one-time views by default.

Unknown

Contributor

Senior editor and content strategist. Writing about technology, design, and the future of digital media. Follow along for deep dives into the industry's moving parts.