scripts/install-weblate-docker

#!/bin/bash

set -e

# shellcheck disable=SC1091
. /etc/weblate-bootstrap

if [ "$1" = "--nocert" ] ; then
    CERT=0
    shift
else
    CERT=1
fi

if [ "$1" = "--nomail" ] ; then
    IGNORE_CHECKS=,weblate.E003
    shift
else
    IGNORE_CHECKS=""
fi

if [ "$1" = "--migrate" ] ; then
    MIGRATE=1
    CERT=0
    shift
else
    MIGRATE=0
fi

if [ "$MIGRATE" -eq 0 ] ; then
    adduser weblate --disabled-password --gecos Weblate
fi
usermod --append --groups adm weblate
usermod --append --groups docker weblate

WEBLATE_HOME=~weblate
WEBLATE_DOCKER="$WEBLATE_HOME/weblate"

cd /tmp
apt-get update
apt-get install --no-install-recommends -y\
    fail2ban python3-pyinotify python3-systemd \
    systemd-timesyncd \
    rsyslog \
    nginx \
    openssh-client \
    python3-certbot-nginx \
    git

# Legal stuff
sudo -u weblate git clone https://github.com/WeblateOrg/wllegal.git $WEBLATE_HOME/wllegal

# SSL cert
if [ "$CERT" -eq 1 ] ; then
    certbot --agree-tos --email care@weblate.org --redirect --no-eff-email -d "$WEBLATE_DOMAIN"
fi

# Enable http/2
sed -i -e 's/ssl;/ssl http2;/' -e 's/ssl ipv6only=on/ssl ipv6only=on http2/' /etc/nginx/sites-available/default
if [ "$MIGRATE" -eq 0 ] ; then
    # Enable status locally
    sed -i '/server_name _/a location = /nginx_status {\n    stub_status;\n}'   /etc/nginx/sites-available/default
fi
# Hide server version
sed -i 's/# server_tokens off/server_tokens off/' /etc/nginx/nginx.conf

# Weblate nginx snippet
cat > /etc/nginx/snippets/weblate.conf <<EOT
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 3600s;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host \$server_name;
    }
    client_max_body_size 1000m;
    error_page 500 502 504 /weblate_50x.html;
    error_page 503 /weblate_503.html;
    location = /weblate_503.html {
            root $WEBLATE_HOME/wllegal/wllegal/templates;
            internal;
    }
    location = /weblate_50x.html {
            root $WEBLATE_HOME/wllegal/wllegal/templates;
            internal;
    }
    access_log /var/log/nginx/access.log;
EOT

if [ "$MIGRATE" -eq 0 ] ; then
    # Insert include after first server_name stanza
    sed -i "0,/server_name $WEBLATE_DOMAIN.*/s//&\\ninclude snippets\/weblate.conf;/" /etc/nginx/sites-available/default
    # Delete default location, replaced by snippet
    sed -i ':a;N;$!ba;s/\(snippets\/weblate.conf;\)[^}]*}/\1/g' /etc/nginx/sites-available/default
fi
systemctl enable nginx.service
systemctl restart nginx.service

# Fail2ban
if [ ! -d "$WEBLATE_HOME/fail2ban" ] ; then
    sudo -u weblate git clone https://github.com/WeblateOrg/fail2ban.git $WEBLATE_HOME/fail2ban
    ln -s $WEBLATE_HOME/fail2ban/filter.d/* /etc/fail2ban/filter.d/
    ln -s $WEBLATE_HOME/fail2ban/jail.d/* /etc/fail2ban/jail.d/
    systemctl restart fail2ban.service
fi


# Install Weblate dirs
mkdir -p "$WEBLATE_DOCKER" "$WEBLATE_HOME/cache" "$WEBLATE_HOME/data" "$WEBLATE_HOME/postgresql" "$WEBLATE_HOME/redis"

# Go to the docker dir
cd "$WEBLATE_DOCKER"

curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/docker-compose.yml > docker-compose.yml
curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/environment > environment
cat > docker-compose.override.yml <<EOT
services:
  weblate:
    image: weblate/weblate:edge
    ports:
    - 127.0.0.1:8080:8080
  database:
    ports:
    - 127.0.0.1:5432:5432
  cache:
    ports:
    - 127.0.0.1:6379:6379
volumes:
  weblate-data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '$WEBLATE_HOME/data'
  weblate-cache:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '$WEBLATE_HOME/cache'
  postgres-data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '$WEBLATE_HOME/postgresql'
  redis-data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '$WEBLATE_HOME/redis'
EOT

cat >> environment <<EOT

# E-mail setup
WEBLATE_EMAIL_HOST=172.16.0.84
WEBLATE_EMAIL_PORT=587
WEBLATE_EMAIL_USE_TLS=0

# Hosted customization
WEBLATE_SERVER_EMAIL=noreply@weblate.org
WEBLATE_DEFAULT_FROM_EMAIL=noreply@weblate.org
WEBLATE_SITE_TITLE="$WEBLATE_TITLE"
WEBLATE_SITE_DOMAIN="$WEBLATE_DOMAIN"
WEBLATE_ADMIN_NAME='Michal Čihař'
WEBLATE_ADMIN_EMAIL='michal@cihar.com'
WEBLATE_DEFAULT_COMMITER_EMAIL='hosted@weblate.org'
WEBLATE_DEFAULT_COMMITER_NAME='Hosted Weblate'
WEBLATE_STATUS_URL="https://status.weblate.org/"
WEBLATE_GET_HELP_URL="https://care.weblate.org/"
WEBLATE_CONTACT_FORM="from"
WEBLATE_ADMINS_CONTACT='care@weblate.org'
WEBLATE_SILENCED_SYSTEM_CHECKS=weblate.E012,weblate.E013$IGNORE_CHECKS
WEBLATE_ZAMMAD_URL=https://care.weblate.org

# Sentry integration
SENTRY_DSN="$WEBLATE_SENTRY"
SENTRY_TOKEN="$WEBLATE_SENTRY_TOKEN"
SENTRY_TRACES_SAMPLE_RATE="0.1"

# Registration
WEBLATE_REGISTRATION_OPEN=0
WEBLATE_REQUIRE_LOGIN=1
WEBLATE_LEGAL_INTEGRATION=wllegal

# SSL
WEBLATE_ENABLE_HTTPS=1
WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR
EOT

# Fix permissions
chown -R weblate:weblate $WEBLATE_HOME

# Fetch Weblate containers
sudo -u weblate docker compose pull

if [ "$MIGRATE" -eq 1 ] ; then
    exit 0
fi

# Start Weblate
sudo -u weblate docker compose up -d --wait

# Show logs
sudo -u weblate docker compose logs

# Track deploy to Sentry
if [ -n "$WEBLATE_SENTRY_TOKEN" ] ; then
    sudo -u weblate docker compose exec --user weblate weblate weblate sentry_deploy || true
fi

# Create admin user
if [ -n "$WEBLATE_PASSWORD" ] ; then
    sudo -u weblate docker compose exec --user weblate weblate weblate createadmin --username nijel --email michal@cihar.com --name 'Michal Čihař' --password "$WEBLATE_PASSWORD" --update
fi

# Machinery configuration
if [ "$CERT" -eq 1 ] ; then
    sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service libretranslate --configuration '{"key": "", "url": "http://172.16.0.9:5000/"}'
    sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service apertium-apy --configuration '{"url": "http://172.16.0.9:2737/"}'
fi

# Check
sudo -u weblate docker compose exec --user weblate weblate weblate check --deploy
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`#!/bin/bash`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
			`set -e`

			`# shellcheck disable=SC1091`
			`. /etc/weblate-bootstrap`

Ignore e-mail server checks on CI We do not want working e-mail setup there. 2023-03-13 10:51:23 +01:00			`if [ "$1" = "--nocert" ] ; then`
Add migration to docker 2023-04-23 10:04:53 +02:00			`CERT=0`
Ignore e-mail server checks on CI We do not want working e-mail setup there. 2023-03-13 10:51:23 +01:00			`shift`
Fix database import 2023-04-27 14:05:46 +02:00			`else`
			`CERT=1`
Ignore e-mail server checks on CI We do not want working e-mail setup there. 2023-03-13 10:51:23 +01:00			`fi`

			`if [ "$1" = "--nomail" ] ; then`
			`IGNORE_CHECKS=,weblate.E003`
			`shift`
			`else`
			`IGNORE_CHECKS=""`
			`fi`

Add migration to docker 2023-04-23 10:04:53 +02:00			`if [ "$1" = "--migrate" ] ; then`
			`MIGRATE=1`
			`CERT=0`
			`shift`
			`else`
			`MIGRATE=0`
			`fi`

			`if [ "$MIGRATE" -eq 0 ] ; then`
			`adduser weblate --disabled-password --gecos Weblate`
			`fi`
Always fix user groups 2023-04-23 13:00:39 +02:00			`usermod --append --groups adm weblate`
			`usermod --append --groups docker weblate`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
			`WEBLATE_HOME=~weblate`
Add check and start in docker install 2023-03-10 13:38:42 +01:00			`WEBLATE_DOCKER="$WEBLATE_HOME/weblate"`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`cd /tmp`
			`apt-get update`
			`apt-get install --no-install-recommends -y\`
			`fail2ban python3-pyinotify python3-systemd \`
install: Include systemd-timsyncd 2024-04-09 12:41:12 +02:00			`systemd-timesyncd \`
Include rsyslog, it is no longer default on Debian 12 2023-06-16 13:16:56 +02:00			`rsyslog \`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`nginx \`
			`openssh-client \`
Install git before using it 2023-09-11 13:56:01 +02:00			`python3-certbot-nginx \`
			`git`

			`# Legal stuff`
			`sudo -u weblate git clone https://github.com/WeblateOrg/wllegal.git $WEBLATE_HOME/wllegal`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00
			`# SSL cert`
Add migration to docker 2023-04-23 10:04:53 +02:00			`if [ "$CERT" -eq 1 ] ; then`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`certbot --agree-tos --email care@weblate.org --redirect --no-eff-email -d "$WEBLATE_DOMAIN"`
			`fi`

			`# Enable http/2`
			`sed -i -e 's/ssl;/ssl http2;/' -e 's/ssl ipv6only=on/ssl ipv6only=on http2/' /etc/nginx/sites-available/default`
Add migration to docker 2023-04-23 10:04:53 +02:00			`if [ "$MIGRATE" -eq 0 ] ; then`
			`# Enable status locally`
			`sed -i '/server_name _/a location = /nginx_status {\n stub_status;\n}' /etc/nginx/sites-available/default`
			`fi`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`# Hide server version`
			`sed -i 's/# server_tokens off/server_tokens off/' /etc/nginx/nginx.conf`

			`# Weblate nginx snippet`
			`cat > /etc/nginx/snippets/weblate.conf <<EOT`
			`location / {`
			`proxy_pass http://127.0.0.1:8080;`
Set bigger timeout 2023-06-30 07:46:56 +02:00			`proxy_read_timeout 3600s;`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`proxy_set_header Host \$host;`
			`proxy_set_header X-Forwarded-Proto https;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Host \$server_name;`
			`}`
chore: increase default client_max_body_size 2025-02-17 14:56:51 +01:00			`client_max_body_size 1000m;`
docker: Show nice error page on upgrade 2023-03-16 09:32:36 +01:00			`error_page 500 502 504 /weblate_50x.html;`
			`error_page 503 /weblate_503.html;`
			`location = /weblate_503.html {`
			`root $WEBLATE_HOME/wllegal/wllegal/templates;`
			`internal;`
			`}`
			`location = /weblate_50x.html {`
			`root $WEBLATE_HOME/wllegal/wllegal/templates;`
			`internal;`
			`}`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`access_log /var/log/nginx/access.log;`
			`EOT`
Add migration to docker 2023-04-23 10:04:53 +02:00
			`if [ "$MIGRATE" -eq 0 ] ; then`
			`# Insert include after first server_name stanza`
			`sed -i "0,/server_name $WEBLATE_DOMAIN.*/s//&\\ninclude snippets\/weblate.conf;/" /etc/nginx/sites-available/default`
			`# Delete default location, replaced by snippet`
			`sed -i ':a;N;$!ba;s/\(snippets\/weblate.conf;\)[^}]*}/\1/g' /etc/nginx/sites-available/default`
			`fi`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`systemctl enable nginx.service`
			`systemctl restart nginx.service`

			`# Fail2ban`
Add migration to docker 2023-04-23 10:04:53 +02:00			`if [ ! -d "$WEBLATE_HOME/fail2ban" ] ; then`
			`sudo -u weblate git clone https://github.com/WeblateOrg/fail2ban.git $WEBLATE_HOME/fail2ban`
			`ln -s $WEBLATE_HOME/fail2ban/filter.d/* /etc/fail2ban/filter.d/`
			`ln -s $WEBLATE_HOME/fail2ban/jail.d/* /etc/fail2ban/jail.d/`
			`systemctl restart fail2ban.service`
			`fi`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00

			`# Install Weblate dirs`
Drop unused ssl-certs volume 2023-03-15 14:26:42 +01:00			`mkdir -p "$WEBLATE_DOCKER" "$WEBLATE_HOME/cache" "$WEBLATE_HOME/data" "$WEBLATE_HOME/postgresql" "$WEBLATE_HOME/redis"`
Fix docker-compose invocation 2023-03-10 14:11:11 +01:00
			`# Go to the docker dir`
Add migration to docker 2023-04-23 10:04:53 +02:00			`cd "$WEBLATE_DOCKER"`
Fix docker-compose invocation 2023-03-10 14:11:11 +01:00
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/docker-compose.yml > docker-compose.yml`
Fix docker-compose invocation 2023-03-10 14:11:11 +01:00			`curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/environment > environment`
			`cat > docker-compose.override.yml <<EOT`
Add Docker based installation script 2023-03-10 13:24:11 +01:00			`services:`
			`weblate:`
docker: Switch to edge for now This is moving target now, so be flexible. 2023-03-16 09:06:04 +01:00			`image: weblate/weblate:edge`
docker: Fix exposed ports 2023-03-15 14:26:12 +01:00			`ports:`
			`- 127.0.0.1:8080:8080`
docker: Monitor services 2023-03-16 09:56:08 +01:00			`database:`
			`ports:`
			`- 127.0.0.1:5432:5432`
			`cache:`
			`ports:`
			`- 127.0.0.1:6379:6379`
Add Docker based installation script 2023-03-10 13:24:11 +01:00			`volumes:`
			`weblate-data:`
			`driver: local`
			`driver_opts:`
			`type: 'none'`
			`o: 'bind'`
			`device: '$WEBLATE_HOME/data'`
Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`weblate-cache:`
			`driver: local`
			`driver_opts:`
			`type: 'none'`
			`o: 'bind'`
			`device: '$WEBLATE_HOME/cache'`
Add Docker based installation script 2023-03-10 13:24:11 +01:00			`postgres-data:`
			`driver: local`
			`driver_opts:`
			`type: 'none'`
			`o: 'bind'`
			`device: '$WEBLATE_HOME/postgresql'`
			`redis-data:`
			`driver: local`
			`driver_opts:`
			`type: 'none'`
			`o: 'bind'`
			`device: '$WEBLATE_HOME/redis'`
			`EOT`

Fix docker-compose invocation 2023-03-10 14:11:11 +01:00			`cat >> environment <<EOT`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
			`# E-mail setup`
use own e-mail delivery 2025-02-25 12:39:43 +01:00			`WEBLATE_EMAIL_HOST=172.16.0.84`
Add Docker based installation script 2023-03-10 13:24:11 +01:00			`WEBLATE_EMAIL_PORT=587`
use own e-mail delivery 2025-02-25 12:39:43 +01:00			`WEBLATE_EMAIL_USE_TLS=0`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
			`# Hosted customization`
			`WEBLATE_SERVER_EMAIL=noreply@weblate.org`
			`WEBLATE_DEFAULT_FROM_EMAIL=noreply@weblate.org`
			`WEBLATE_SITE_TITLE="$WEBLATE_TITLE"`
			`WEBLATE_SITE_DOMAIN="$WEBLATE_DOMAIN"`
			`WEBLATE_ADMIN_NAME='Michal Čihař'`
			`WEBLATE_ADMIN_EMAIL='michal@cihar.com'`
			`WEBLATE_DEFAULT_COMMITER_EMAIL='hosted@weblate.org'`
			`WEBLATE_DEFAULT_COMMITER_NAME='Hosted Weblate'`
			`WEBLATE_STATUS_URL="https://status.weblate.org/"`
			`WEBLATE_GET_HELP_URL="https://care.weblate.org/"`
			`WEBLATE_CONTACT_FORM="from"`
Update contact address 2023-04-29 10:53:30 +02:00			`WEBLATE_ADMINS_CONTACT='care@weblate.org'`
Ignore e-mail server checks on CI We do not want working e-mail setup there. 2023-03-13 10:51:23 +01:00			`WEBLATE_SILENCED_SYSTEM_CHECKS=weblate.E012,weblate.E013$IGNORE_CHECKS`
feat: set zammad URL 2024-11-29 15:11:43 +01:00			`WEBLATE_ZAMMAD_URL=https://care.weblate.org`
Add Docker based installation script 2023-03-10 13:24:11 +01:00
			`# Sentry integration`
			`SENTRY_DSN="$WEBLATE_SENTRY"`
			`SENTRY_TOKEN="$WEBLATE_SENTRY_TOKEN"`
			`SENTRY_TRACES_SAMPLE_RATE="0.1"`

			`# Registration`
			`WEBLATE_REGISTRATION_OPEN=0`
			`WEBLATE_REQUIRE_LOGIN=1`
			`WEBLATE_LEGAL_INTEGRATION=wllegal`

Improve Dockerized setup - Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one 2023-03-15 14:20:57 +01:00			`# SSL`
			`WEBLATE_ENABLE_HTTPS=1`
			`WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR`
Add Docker based installation script 2023-03-10 13:24:11 +01:00			`EOT`
Add check and start in docker install 2023-03-10 13:38:42 +01:00
			`# Fix permissions`
			`chown -R weblate:weblate $WEBLATE_HOME`

Add migration to docker 2023-04-23 10:04:53 +02:00			`# Fetch Weblate containers`
			`sudo -u weblate docker compose pull`

			`if [ "$MIGRATE" -eq 1 ] ; then`
			`exit 0`
			`fi`

Add check and start in docker install 2023-03-10 13:38:42 +01:00			`# Start Weblate`
Remove debugging 2023-03-13 10:15:26 +01:00			`sudo -u weblate docker compose up -d --wait`
Fixed wait for docker startup 2023-03-10 13:52:34 +01:00
			`# Show logs`
Avoid using legacy docker-compose 2023-03-11 15:55:42 +01:00			`sudo -u weblate docker compose logs`
Add check and start in docker install 2023-03-10 13:38:42 +01:00
docker: Track deploy in Sentry 2023-03-15 10:23:47 +01:00			`# Track deploy to Sentry`
Make sentry deploy tracking optional 2023-03-15 14:44:17 +01:00			`if [ -n "$WEBLATE_SENTRY_TOKEN" ] ; then`
do not fail on sentry failure It can be unavailable or rate limited, so make it optional 2024-06-12 14:18:40 +02:00			`sudo -u weblate docker compose exec --user weblate weblate weblate sentry_deploy \|\| true`
Make sentry deploy tracking optional 2023-03-15 14:44:17 +01:00			`fi`
docker: Track deploy in Sentry 2023-03-15 10:23:47 +01:00
docker: Sync admin password 2023-03-15 10:30:11 +01:00			`# Create admin user`
			`if [ -n "$WEBLATE_PASSWORD" ] ; then`
			`sudo -u weblate docker compose exec --user weblate weblate weblate createadmin --username nijel --email michal@cihar.com --name 'Michal Čihař' --password "$WEBLATE_PASSWORD" --update`
			`fi`

install: Use new interface to configure MT See https://github.com/WeblateOrg/weblate/issues/8908 2023-06-07 11:37:03 +02:00			`# Machinery configuration`
disable machinery install without cert This is needed for CI 2023-06-16 13:54:08 +02:00			`if [ "$CERT" -eq 1 ] ; then`
			`sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service libretranslate --configuration '{"key": "", "url": "http://172.16.0.9:5000/"}'`
			`sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service apertium-apy --configuration '{"url": "http://172.16.0.9:2737/"}'`
			`fi`
install: Use new interface to configure MT See https://github.com/WeblateOrg/weblate/issues/8908 2023-06-07 11:37:03 +02:00
Add check and start in docker install 2023-03-10 13:38:42 +01:00			`# Check`
Avoid using legacy docker-compose 2023-03-11 15:55:42 +01:00			`sudo -u weblate docker compose exec --user weblate weblate weblate check --deploy`