wastebin on Ubuntu 24.04 on Azure User Guide
Overview
wastebin is a minimal, fast self hosted pastebin. Paste text or a snippet of code into a clean web form and get back a short shareable URL with syntax highlighting for more than 170 languages, optional Markdown rendering, per paste expiry, burn after reading and anonymous owner deletion. It is a single static Rust binary with an embedded SQLite backend, so it stays lightweight and starts instantly.
The cloudimg image installs wastebin 3.7.0 and puts it behind an nginx reverse proxy that binds the engine to loopback, rate limits inbound requests and caps the paste size. wastebin has no user accounts and no admin surface by design, so there is no default password. Its one per VM secret, the key that signs anonymous deletion cookies, is generated uniquely on each virtual machine's first boot by wastebin-firstboot.service and written to a root only file at /root/wastebin-info.txt. It is never baked into the image.
What is included:
- wastebin 3.7.0 single static Rust binary (
/usr/local/bin/wastebin) plus thewastebin-ctlmaintenance tool - SQLite paste database at
/var/lib/wastebin/state.db(no separate database to maintain) wastebin.servicerunning aswastebin, bound to loopback127.0.0.1:8088nginx.servicereverse proxy on TCP 80, TLS ready, rate limited (10 requests per second, burst 20) with a 2 MiB paste size capwastebin-firstboot.servicegenerating a per VM signing key and password salt on first boot- A default paste expiry of one day and options for burn after reading and password protected pastes
- Ubuntu 24.04 LTS base, latest patches, unattended security upgrades enabled
- 24/7 cloudimg support, 24h response SLA
Prerequisites
An active Azure subscription, an SSH key, and a VNet with a subnet. Recommended VM size: Standard_B2s (wastebin is very light; 4 GB RAM is plenty).
Step 1: Deploy from the Azure Portal
Search the Azure Marketplace for wastebin, choose the plan, and create the VM. In the networking step attach an NSG that allows inbound TCP 22 (SSH) and TCP 80 (the web UI) from your client networks only. Put a TLS reverse proxy in front of port 80 for production.
Step 2: Deploy from the Azure CLI
RG="wastebin-prod"; LOCATION="eastus"; VM_NAME="wastebin-01"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/wastebin-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az network vnet create -g "$RG" --name wb-vnet --address-prefix 10.103.0.0/16 --subnet-name wb-subnet --subnet-prefix 10.103.1.0/24
az network nsg create -g "$RG" --name wb-nsg
az network nsg rule create -g "$RG" --nsg-name wb-nsg --name allow-ssh --priority 100 \
--source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 22 --access Allow --protocol Tcp
az network nsg rule create -g "$RG" --nsg-name wb-nsg --name allow-web --priority 110 \
--source-address-prefixes "<your-mgmt-cidr>" --destination-port-ranges 80 --access Allow --protocol Tcp
az vm create -g "$RG" --name "$VM_NAME" --image "$GALLERY_IMAGE_ID" \
--size Standard_B2s --storage-sku StandardSSD_LRS \
--admin-username azureuser --ssh-key-values "$SSH_KEY" \
--vnet-name wb-vnet --subnet wb-subnet --nsg wb-nsg --public-ip-sku Standard
Step 3: Connect via SSH
ssh azureuser@<vm-ip>
wastebin.service, nginx.service and wastebin-firstboot.service all start automatically on first boot.
Step 4: Verify the Service
sudo systemctl is-active wastebin nginx wastebin-firstboot
sudo test -f /var/lib/cloudimg/wastebin-firstboot.done && echo FIRSTBOOT_DONE
sudo ss -tlnp | grep -E ':80 |:8088 '
Expected output — both services are active, nginx is bound to the public port 80 and wastebin is bound to loopback 127.0.0.1:8088 only:
active
active
active
FIRSTBOOT_DONE
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",...))
LISTEN 0 128 127.0.0.1:8088 0.0.0.0:* users:(("wastebin",...))

Step 5: Secure by Default
wastebin binds only to loopback and is fronted by nginx, which rate limits requests and caps the paste size. On first boot a per VM signing key and password salt are generated and written to a root only note:
sudo cat /root/wastebin-info.txt
sudo ss -tlnp | grep 8088
grep -E 'limit_req|client_max_body_size' /etc/nginx/conf.d/cloudimg-wastebin-ratelimit.conf /etc/nginx/sites-available/cloudimg-wastebin
The note contains the per VM signing key (unique to this machine, never baked into the image) and the resolved paste URL:
WASTEBIN_SIGNING_KEY=<WASTEBIN_SIGNING_KEY>
WASTEBIN_URL=http://<vm-ip>/
NOTE=Open WASTEBIN_URL in a browser to create a paste. There is no login.

Step 6: Create a Paste with the API
wastebin exposes a small JSON API. POST to / to create a paste and GET /raw/:id to retrieve its raw content:
RESP=$(curl -s -H 'Content-Type: application/json' \
--data '{"text":"hello from cloudimg","extension":"txt","expires":3600}' \
http://127.0.0.1/)
echo "$RESP"
ID=$(echo "$RESP" | jq -r '.path' | sed 's#^/##')
curl -s "http://127.0.0.1/raw/$ID"
The create call returns a path and a signed owner token; the raw call returns your text back:
{"path":"/7a5mYKOI-Ai.txt","owner":"ZjnP4qIy1XAuwTMkorgn..."}
hello from cloudimg

Set "burn_after_reading": true to have the paste deleted the first time it is read raw, or "expires" to a number of seconds for automatic expiry.
Step 7: Open the Web UI
Open the web form in a browser to paste interactively:
open http://<vm-ip>/
The index page is the new paste form: an editor with line numbers, a language picker with 170+ languages, an expiry selector defaulting to one day, and toggles for burn after reading and password encryption.

Type or paste your content into the editor, pick a language for highlighting, choose an expiry, then submit with the submit button or with the Ctrl+S shortcut:

Step 8: View a Paste
Opening a paste URL shows the content with syntax highlighting. The header shows the remaining time before expiry, and toolbar icons let you view the raw text, download it, copy the URL, or show a QR code:

Pastes created with an md or markdown extension can be viewed as rendered HTML at /md/:id, including GitHub flavored tables, task lists and admonitions:

Step 9: Server Components
| Component | Path |
|---|---|
| wastebin binary | /usr/local/bin/wastebin |
| Maintenance CLI | /usr/local/bin/wastebin-ctl |
| Config (EnvironmentFile) | /etc/wastebin/wastebin.env |
| SQLite database | /var/lib/wastebin/state.db |
| Systemd unit | /etc/systemd/system/wastebin.service |
| Firstboot script | /usr/local/sbin/wastebin-firstboot.sh |
| Per VM info note | /root/wastebin-info.txt (mode 0600) |
| Sentinel | /var/lib/cloudimg/wastebin-firstboot.done |
/usr/local/bin/wastebin-ctl --version
ls /usr/local/bin/wastebin /usr/local/bin/wastebin-ctl /var/lib/wastebin/state.db

Step 10: Managing the Service
sudo systemctl restart wastebin.service
sudo journalctl -u wastebin.service --no-pager -n 20
wastebin-ctl manages the database directly. It can list and filter entries, delete specific ids, or purge expired entries:
sudo WASTEBIN_DATABASE_PATH=/var/lib/wastebin/state.db /usr/local/bin/wastebin-ctl list
Step 11: Configuration
wastebin is configured entirely through environment variables in /etc/wastebin/wastebin.env. Useful keys already set by the image:
| Variable | Meaning | Image default |
|---|---|---|
WASTEBIN_ADDRESS_PORT |
Bind address and port | 127.0.0.1:8088 (loopback) |
WASTEBIN_DATABASE_PATH |
SQLite database file | /var/lib/wastebin/state.db |
WASTEBIN_MAX_BODY_SIZE |
Maximum paste size in bytes | 2097152 (2 MiB) |
WASTEBIN_PASTE_EXPIRATIONS |
Selectable expiries, =d marks the default |
600,3600,86400=d,604800,2592000 |
WASTEBIN_SIGNING_KEY |
Cookie signing key (per VM, 128 bytes) | generated at first boot |
WASTEBIN_BASE_URL |
Base URL used for the paste QR code | resolved to this VM's address |
WASTEBIN_TITLE |
HTML page title | wastebin |
After editing the file, apply changes with sudo systemctl restart wastebin.service. Set WASTEBIN_BASE_URL to your public hostname so the QR code links resolve for external users.
Step 12: Add TLS (Optional)
For production, terminate TLS at nginx. Point a DNS record at the VM, then use the packaged nginx with a certificate from Let's Encrypt:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>
certbot installs the certificate, rewrites the nginx server block to listen on 443 and sets up automatic renewal.
Step 13: Security Recommendations
- Restrict the NSG so ports 80 and 22 only reach trusted networks; wastebin has no authentication, so exposing it broadly makes it a public paste service.
- Terminate TLS at nginx (Step 12) so pastes travel encrypted.
- Keep the rate limit in
/etc/nginx/conf.d/cloudimg-wastebin-ratelimit.conf; wastebin has no built in denial of service mitigation, so the reverse proxy limit is what protects it. - Back up
/var/lib/wastebin/state.dbto Azure Blob if you need paste history to survive. - Patch the OS monthly with
sudo apt-get update && sudo apt-get upgrade; unattended security upgrades are already enabled.
Step 14: Support and Licensing
wastebin is MIT licensed — no per CPU or per user fee. cloudimg provides commercial support separately.
- Email: support@cloudimg.co.uk
- Website: www.cloudimg.co.uk
- Support hours: 24/7, 24h response SLA
Deploy on Azure
Launch wastebin on Ubuntu 24.04 with 24/7 support from cloudimg.
View on Marketplace
Need Help?
Our support team is available 24/7. support@cloudimg.co.uk