Improve Dockerized setup

- Include matomo and fail2ban integrations - Use system reverse proxy instead of dockerized one
2025-10-03 15:01:00 +08:00 · 2023-03-15 14:20:57 +01:00 · 2023-03-15 14:20:57 +01:00 · 505693fd03
commit 505693fd03
parent 194d08acfc
1 changed files with 92 additions and 6 deletions
--- a/98
+++ b/98
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash

 set -e

@ -19,8 +19,6 @@ else
    IGNORE_CHECKS=""
 fi

-
-
 adduser weblate --disabled-password --gecos Weblate
 usermod --append --groups adm weblate
 usermod --append --groups docker weblate
@ -28,13 +26,91 @@ usermod --append --groups docker weblate
 WEBLATE_HOME=~weblate
 WEBLATE_DOCKER="$WEBLATE_HOME/weblate"

-# Install Weblate and deps
-mkdir -p "$WEBLATE_DOCKER" "$WEBLATE_HOME/data" "$WEBLATE_HOME/postgresql" "$WEBLATE_HOME/redis" "$WEBLATE_HOME/ssl-certs"
+cd /tmp
+apt-get update
+apt-get install --no-install-recommends -y\
+    fail2ban python3-pyinotify python3-systemd \
+    nginx \
+    openssh-client \
+    python3-certbot-nginx
+
+# SSL cert
+if [ "$HTTPS_STAGE" = "production" ] ; then
+    certbot --agree-tos --email care@weblate.org --redirect --no-eff-email -d "$WEBLATE_DOMAIN"
+fi
+
+# Enable http/2
+sed -i -e 's/ssl;/ssl http2;/' -e 's/ssl ipv6only=on/ssl ipv6only=on http2/' /etc/nginx/sites-available/default
+# Enable status locally
+sed -i '/server_name _/a location = /nginx_status {\n    stub_status;\n}'   /etc/nginx/sites-available/default
+# Hide server version
+sed -i 's/# server_tokens off/server_tokens off/' /etc/nginx/nginx.conf
+
+# Weblate nginx snippet
+cat > /etc/nginx/snippets/weblate.conf <<EOT
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host \$server_name;
+    }
+    client_max_body_size 100m;
+    access_log /var/log/nginx/matomo.log matomo;
+    access_log /var/log/nginx/access.log;
+EOT
+cat > /etc/nginx/conf.d/matomo.conf <<EOT
+log_format  matomo                   '{"ip": "\$remote_addr",'
+                                    '"host": "\$host",'
+                                    '"path": "\$request_uri",'
+                                    '"status": "\$status",'
+                                    '"referrer": "\$http_referer",'
+                                    '"user_agent": "\$http_user_agent",'
+                                    '"length": \$bytes_sent,'
+                                    '"generation_time_milli": \$request_time,'
+                                    '"date": "\$time_iso8601"}';
+EOT
+# Insert include after first server_name stanza
+sed -i "0,/server_name $WEBLATE_DOMAIN.*/s//&\\ninclude snippets\/weblate.conf;/" /etc/nginx/sites-available/default
+# Delete default location, replaced by snippet
+sed -i ':a;N;$!ba;s/\(snippets\/weblate.conf;\)[^}]*}/\1/g' /etc/nginx/sites-available/default
+systemctl enable nginx.service
+systemctl restart nginx.service
+
+# Matomo
+sudo -u weblate git clone https://github.com/matomo-org/matomo-log-analytics.git $WEBLATE_HOME/matomo-log-analytics
+cat > $WEBLATE_HOME/run-matomo.sh <<EOT
+#!/bin/sh
+/usr/bin/python3 \
+        $WEBLATE_HOME/matomo-log-analytics/import_logs.py \
+        --url=https://stats.cihar.com \
+        --enable-http-errors \
+        --idsite=$MATOMO_SITE \
+        --token-auth=$MATOMO_TOKEN \
+        /var/log/nginx/matomo.log.1
+EOT
+chmod +x $WEBLATE_HOME/run-matomo.sh
+chown weblate:weblate $WEBLATE_HOME/run-matomo.sh
+echo "$(( RANDOM % 60 )) 7 * * * $WEBLATE_HOME/run-matomo.sh | logger -t matomo" > /tmp/weblate-cron
+crontab /tmp/weblate-cron
+rm /tmp/weblate-cron
+
+
+# Fail2ban
+sudo -u weblate git clone https://github.com/WeblateOrg/fail2ban.git $WEBLATE_HOME/fail2ban
+ln -s $WEBLATE_HOME/fail2ban/filter.d/* /etc/fail2ban/filter.d/
+ln -s $WEBLATE_HOME/fail2ban/jail.d/* /etc/fail2ban/jail.d/
+systemctl restart fail2ban.service
+
+
+# Install Weblate dirs
+mkdir -p "$WEBLATE_DOCKER" "$WEBLATE_HOME/cache" "$WEBLATE_HOME/data" "$WEBLATE_HOME/postgresql" "$WEBLATE_HOME/redis" "$WEBLATE_HOME/ssl-certs"

 # Go to the docker dir
 cd $WEBLATE_DOCKER

-curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/docker-compose-https.yml > docker-compose.yml
+curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/docker-compose.yml > docker-compose.yml
 curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/environment > environment
 cat > docker-compose.override.yml <<EOT
 services:
@ -51,6 +127,12 @@ volumes:
      type: 'none'
      o: 'bind'
      device: '$WEBLATE_HOME/data'
+  weblate-cache:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '$WEBLATE_HOME/cache'
  postgres-data:
    driver: local
    driver_opts:
@ -105,6 +187,10 @@ WEBLATE_REGISTRATION_OPEN=0
 WEBLATE_REQUIRE_LOGIN=1
 WEBLATE_LEGAL_INTEGRATION=wllegal

+# SSL
+WEBLATE_ENABLE_HTTPS=1
+WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR
+
 # Machinery, see https://github.com/WeblateOrg/weblate/issues/8908
 WEBLATE_MT_APERTIUM_APY="http://172.16.0.9:2737/"
 WEBLATE_MT_LIBRETRANSLATE_API_URL="http://172.16.0.9:5000/"