scripts/install-weblate

#!/bin/sh

set -e

# shellcheck disable=SC1091
. /etc/weblate-bootstrap

cd /tmp

# Install deps
apt-get update
apt-get install --no-install-recommends -y build-essential \
    certbot \
    curl \
    cython3 \
    fail2ban python3-pyinotify python3-systemd \
    g++ \
    gcc \
    gettext \
    gir1.2-pango-1.0 \
    gir1.2-rsvg-2.0 \
    git \
    git-svn \
    git-lfs \
    gnupg \
    libcairo2-dev \
    libenchant-2-2 \
    libfreetype6-dev \
    libgirepository1.0-dev \
    libjpeg-dev \
    libldap2-dev \
    libleptonica-dev \
    libsasl2-dev \
    libssl-dev \
    libtesseract-dev \
    libxml2-dev \
    libxmlsec1-dev \
    libxslt1-dev \
    libyaml-dev \
    libacl1-dev \
    zlib1g-dev \
    liblz4-dev \
    libzstd-dev \
    libxxhash-dev \
    nginx \
    openssh-client \
    pkg-config \
    postgresql-client \
    python3-certbot-nginx \
    python3-dev \
    python3-gdbm \
    python3-pip \
    python3-virtualenv \
    redis-server \
    rsync \
    subversion \
    tesseract-ocr \
    virtualenv \
    uwsgi \
    uwsgi-plugin-python3

# Install ruby deps for licesee
apt-get install -y \
    ruby bundler cmake pkg-config git libssl-dev ruby-dev

# Add user
adduser weblate --disabled-password --gecos Weblate
usermod --append --groups adm weblate

WEBLATE_HOME=~weblate

# Install Weblate and deps
sudo -u weblate virtualenv --python=python3 "$WEBLATE_HOME/weblate-env"
sudo -u weblate "$WEBLATE_HOME/weblate-env/bin/pip" install "Weblate[all,zxcvbn,wsgi]$WEBLATE_VERSION" wllegal 'pygobject<3.52'

PYVER=$(python3 -c 'import sys; print("{}.{}".format(*sys.version_info[:2]))')

SETTINGS_PY="$WEBLATE_HOME/weblate-env/lib/python$PYVER/site-packages/weblate/settings.py"

# Configure Weblate
sudo -u weblate cp "$WEBLATE_HOME/weblate-env/lib/python$PYVER/site-packages/weblate/settings_example.py" "$SETTINGS_PY"

# shellcheck disable=SC1004
sed -i \
    -e "s#^DATA_DIR.*#DATA_DIR = \"$WEBLATE_HOME/data\"#" \
    -e 's#^ENABLE_HTTPS.*#ENABLE_HTTPS = True#' \
    -e 's#^SERVER_EMAIL.*#SERVER_EMAIL = "noreply@weblate.org"#' \
    -e 's#^DEFAULT_FROM_EMAIL.*#DEFAULT_FROM_EMAIL = "noreply@weblate.org"#' \
    -e "s#^SECRET_KEY.*#SECRET_KEY = '$WEBLATE_SECRET'#" \
    -e "s#^SITE_TITLE.*#SITE_TITLE = '$WEBLATE_TITLE'#" \
    -e "s#^SITE_DOMAIN.*#SITE_DOMAIN = '$WEBLATE_DOMAIN'#" \
    -e "s#^SENTRY_DSN.*#SENTRY_DSN = '$WEBLATE_SENTRY'#" \
    -e "s#^SENTRY_ENVIRONMENT.*#SENTRY_ENVIRONMENT = SITE_DOMAIN#" \
    -e "/HiredisParser/ D" \
    -e "/SENTRY_DSN/ a \
SENTRY_TOKEN = '$WEBLATE_SENTRY_TOKEN'" \
    -e "s#^        \"PASSWORD\":.*#        \"PASSWORD\": '$POSTGRES_PASS',#" \
    -e "s#.*your_email@example.com.*#    ('Michal Čihař', 'michal@cihar.com'),#" \
    -e '/social_core.pipeline.social_auth.load_extra_data/ a \
    "weblate.legal.pipeline.tos_confirm",' \
    -e '/weblate.middleware.SecurityMiddleware/ a \
    "weblate.legal.middleware.RequireTOSMiddleware",' \
    -e '/weblate.gitexport/ a \
    "wllegal",' \
    -e '/weblate.gitexport/ a \
    "weblate.legal",' \
    -e 's#^MT_APERTIUM_APY.*#MT_APERTIUM_APY = "http://172.16.0.9:2737/"#' \
    -e 's/^# MT_SERVICES/MT_SERVICES/' \
    -e 's/^#     "weblate.machinery.apertium./   "weblate.machinery.apertium./' \
    -e 's/^#     "weblate.machinery.weblatetm./    "weblate.machinery.weblatetm./' \
    -e 's/^#     "weblate.memory.machine/    "weblate.memory.machine/' \
    -e 's/^DEBUG =.*/DEBUG = False/' \
    -e 's/"admin.E408"/"admin.E408", "weblate.E012", "weblate.E013"/' \
    -e 's/^REGISTRATION_OPEN =.*/REGISTRATION_OPEN = False/' \
    -e 's/^REQUIRE_LOGIN =.*/REQUIRE_LOGIN = True/' \
    -e 's/^COMPRESS_OFFLINE =.*/COMPRESS_OFFLINE = True/' \
    -e 's/#     "weblate.machinery.apertium.ApertiumAPYTranslation",/"weblate.machinery.apertium.ApertiumAPYTranslation",/' \
    "$SETTINGS_PY"

cat << EOT >> "$SETTINGS_PY"

# Hosted customization
ADMINS_CONTACT = ['care@weblate.org']
DEFAULT_COMMITER_EMAIL = 'hosted@weblate.org'
DEFAULT_COMMITER_NAME = 'Hosted Weblate'
STATUS_URL = "https://status.weblate.org/"
GET_HELP_URL = "https://care.weblate.org/"
CONTACT_FORM = "from"
EOT

# Fill the database
sudo -u weblate $WEBLATE_HOME/weblate-env/bin/weblate migrate
if [ -n "$WEBLATE_PASSWORD" ]; then
    sudo -u weblate $WEBLATE_HOME/weblate-env/bin/weblate createadmin --username nijel --email michal@cihar.com --name 'Michal Čihař' --password "$WEBLATE_PASSWORD"
else
    sudo -u weblate $WEBLATE_HOME/weblate-env/bin/weblate createadmin --username nijel --email michal@cihar.com --name 'Michal Čihař'
fi
sudo -u weblate $WEBLATE_HOME/weblate-env/bin/weblate collectstatic --noinput
sudo -u weblate $WEBLATE_HOME/weblate-env/bin/weblate compress --force
# Track deploy at Sentry
if ! grep -q "SENTRY_TOKEN = ''" "$SETTINGS_PY"; then
    sudo -u weblate "$WEBLATE_HOME/weblate-env/bin/weblate" sentry_deploy
fi

# Celery and uwsgi
cd "$WEBLATE_HOME/weblate-env/lib/python$PYVER/site-packages/weblate/examples/"
cp celery-weblate.logrotate /etc/logrotate.d/
cp celery-weblate.service /etc/systemd/system/
cp celery-weblate.conf /etc/default/celery-weblate
cp weblate.uwsgi.ini /etc/uwsgi/apps-available/weblate.ini
systemctl daemon-reload
systemctl enable celery-weblate.service
systemctl start celery-weblate.service
ln -s ../apps-available/weblate.ini /etc/uwsgi/apps-enabled/
systemctl restart uwsgi.service

# SSL cert
if [ "$1" != "--nocert" ]; then
    certbot --agree-tos --email care@weblate.org --redirect --no-eff-email -d "$WEBLATE_DOMAIN"
fi

# Enable http/2
sed -i -e 's/ssl;/ssl http2;/' -e 's/ssl ipv6only=on/ssl ipv6only=on http2/' /etc/nginx/sites-available/default
# Enable status locally
sed -i '/server_name _/a location = /nginx_status {\n    stub_status;\n}' /etc/nginx/sites-available/default
# Enable compression for js/css
sed -i 's/^\t# gzip/\tgzip/' /etc/nginx/nginx.conf
# Hide server version
sed -i 's/# server_tokens off/server_tokens off/' /etc/nginx/nginx.conf
# Weblate nginx snippet
cat > /etc/nginx/snippets/weblate.conf << EOT
    location /static/ {
        # DATA_DIR/static/
        alias $WEBLATE_HOME/data/static/;
        expires 30d;
    }

    location /media/ {
        # DATA_DIR/media/
        alias $WEBLATE_HOME/data/media/;
        expires 30d;
    }

    location / {
        include uwsgi_params;
        # Needed for long running operations in admin interface
        uwsgi_read_timeout 3600;
        # Adjust based to uwsgi configuration:
        uwsgi_pass unix:///run/uwsgi/app/weblate/socket;
        # uwsgi_pass 127.0.0.1:8080;
    }
    client_max_body_size 20m;
    error_page 500 502 504 /weblate_50x.html;
    error_page 503 /weblate_503.html;
    location = /weblate_503.html {
            root $WEBLATE_HOME/weblate-env/lib/python$PYVER/site-packages/wllegal/templates;
            internal;
    }
    location = /weblate_50x.html {
            root $WEBLATE_HOME/weblate-env/lib/python$PYVER/site-packages/wllegal/templates;
            internal;
    }
    access_log /var/log/nginx/access.log;
EOT
# Insert include after first server_name stanza
sed -i "0,/server_name $WEBLATE_DOMAIN.*/s//&\\ninclude snippets\/weblate.conf;/" /etc/nginx/sites-available/default
# Delete default location, replaced by snippet
sed -i ':a;N;$!ba;s/\(snippets\/weblate.conf;\)[^}]*}/\1/g' /etc/nginx/sites-available/default
systemctl enable nginx.service
systemctl restart nginx.service

# Licensee
apt install -y ruby-licensee

# Fail2ban
sudo -u weblate git clone https://github.com/WeblateOrg/fail2ban.git $WEBLATE_HOME/fail2ban
ln -s $WEBLATE_HOME/fail2ban/filter.d/* /etc/fail2ban/filter.d/
ln -s $WEBLATE_HOME/fail2ban/jail.d/* /etc/fail2ban/jail.d/
ln -s $WEBLATE_HOME/fail2ban/action.d/* /etc/fail2ban/action.d/
systemctl restart fail2ban.service