diff --git a/upgrade-weblate b/upgrade-weblate
index 9252a5c..ded111a 100755
--- a/upgrade-weblate
+++ b/upgrade-weblate
@@ -9,6 +9,8 @@ if [ -f /etc/weblate-bootstrap ]; then
. /etc/weblate-bootstrap
fi
+SCRIPTS_DIR="$(dirname "$(readlink -f "$0")")"
+
DO_DIFF=1
LAZY_RESTART=0
@@ -234,6 +236,13 @@ if [ -d /usr/share/munin/plugins ]; then
wget -O - https://raw.githubusercontent.com/WeblateOrg/munin/master/ksm > /usr/share/munin/plugins/ksm
fi
+# Upgrade Anubis policy
+if [ -f "/etc/anubis/weblate.botPolicies.yaml" ]; then
+ sed s@WEBLATE_ANUBIS_DATA_PATH@/var/lib/anubis/weblate/@ "$SCRIPTS_DIR/weblate.botPolicies.yaml" > /etc/anubis/weblate.botPolicies.yaml
+elif [ -f "/home/weblate/anubis/botPolicies.yaml" ]; then
+ sed s@WEBLATE_ANUBIS_DATA_PATH@/data/@ "$SCRIPTS_DIR/weblate.botPolicies.yaml" > /etc/anubis/weblate.botPolicies.yaml
+fi
+
# Upgrade fail2ban
if [ -d "$WEBLATE_HOME/fail2ban" ]; then
sudo -u "$USERNAME" sh -c "cd $WEBLATE_HOME/fail2ban && git pull"
diff --git a/weblate.botPolicies.yaml b/weblate.botPolicies.yaml
new file mode 100644
index 0000000..f77c0db
--- /dev/null
+++ b/weblate.botPolicies.yaml
@@ -0,0 +1,243 @@
+## Anubis has the ability to let you import snippets of configuration into the main
+## configuration file. This allows you to break up your config into smaller parts
+## that get logically assembled into one big file.
+##
+## Of note, a bot rule can either have inline bot configuration or import a
+## bot config snippet. You cannot do both in a single bot rule.
+##
+## Import paths can either be prefixed with (data) to import from the common/shared
+## rules in the data folder in the Anubis source tree or will point to absolute/relative
+## paths in your filesystem. If you don't have access to the Anubis source tree, check
+## /usr/share/docs/anubis/data or in the tarball you extracted Anubis from.
+
+bots:
+ # Pathological bots to deny
+ # This correlates to data/bots/_deny-pathological.yaml in the source tree
+ # https://github.com/TecharoHQ/anubis/blob/main/data/bots/_deny-pathological.yaml
+- import: (data)/bots/_deny-pathological.yaml
+- import: (data)/bots/aggressive-brazilian-scrapers.yaml
+
+ # Aggressively block AI/LLM related bots/agents by default
+- import: (data)/meta/ai-block-aggressive.yaml
+
+ # Consider replacing the aggressive AI policy with more selective policies:
+ # - import: (data)/meta/ai-block-moderate.yaml
+ # - import: (data)/meta/ai-block-permissive.yaml
+
+ # Search engine crawlers to allow, defaults to:
+ # - Google (so they don't try to bypass Anubis)
+ # - Apple
+ # - Bing
+ # - DuckDuckGo
+ # - Qwant
+ # - The Internet Archive
+ # - Kagi
+ # - Marginalia
+ # - Mojeek
+- import: (data)/crawlers/_allow-good.yaml
+ # Challenge Firefox AI previews
+- import: (data)/clients/x-firefox-ai.yaml
+
+ # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
+- import: (data)/common/keep-internet-working.yaml
+
+ # # Punish any bot with "bot" in the user-agent string
+ # # This is known to have a high false-positive rate, use at your own risk
+ # - name: generic-bot-catchall
+ # user_agent_regex: (?i:bot|crawler)
+ # action: CHALLENGE
+ # challenge:
+ # difficulty: 16 # impossible
+ # report_as: 4 # lie to the operator
+ # algorithm: slow # intentionally waste CPU cycles and time
+
+ # Requires a subscription to Thoth to use, see
+ # https://anubis.techaro.lol/docs/admin/thoth#geoip-based-filtering
+- name: countries-with-aggressive-scrapers
+ action: WEIGH
+ geoip:
+ countries:
+ - BR
+ - CN
+ weight:
+ adjust: 10
+
+ # Requires a subscription to Thoth to use, see
+ # https://anubis.techaro.lol/docs/admin/thoth#asn-based-filtering
+- name: aggressive-asns-without-functional-abuse-contact
+ action: WEIGH
+ asns:
+ match:
+ - 13335 # Cloudflare
+ - 136907 # Huawei Cloud
+ - 45102 # Alibaba Cloud
+ weight:
+ adjust: 10
+
+ # ## System load based checks.
+ # # If the system is under high load, add weight.
+ # - name: high-load-average
+ # action: WEIGH
+ # expression: load_1m >= 10.0 # make sure to end the load comparison in a .0
+ # weight:
+ # adjust: 20
+
+ ## If your backend service is running on the same operating system as Anubis,
+ ## you can uncomment this rule to make the challenge easier when the system is
+ ## under low load.
+ ##
+ ## If it is not, remove weight.
+ # - name: low-load-average
+ # action: WEIGH
+ # expression: load_15m <= 4.0 # make sure to end the load comparison in a .0
+ # weight:
+ # adjust: -10
+
+ # Generic catchall rule
+- name: generic-browser
+ user_agent_regex: >-
+ Mozilla|Opera
+ action: WEIGH
+ weight:
+ adjust: 10
+
+dnsbl: false
+
+# #
+# impressum:
+# # Displayed at the bottom of every page rendered by Anubis.
+# footer: >-
+# This website is hosted by Zombocom. If you have any complaints or notes
+# about the service, please contact
+# contact@domainhere.example
+# and we will assist you as soon as possible.
+
+# # The imprint page that will be linked to at the footer of every Anubis page.
+# page:
+# # The HTML of the page
+# title: Imprint and Privacy Policy
+# # The HTML contents of the page. The exact contents of this page can
+# # and will vary by locale. Please consult with a lawyer if you are not
+# # sure what to put here
+# body: >-
+# <p>Last updated: June 2025</p>
+
+# <h2>Information that is gathered from visitors</h2>
+
+# <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
+
+# <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
+
+# <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
+
+# <!-- ... -->
+
+# Open Graph passthrough configuration, see here for more information:
+# https://anubis.techaro.lol/docs/admin/configuration/open-graph/
+openGraph:
+ # Enables Open Graph passthrough
+ enabled: false
+ # Enables the use of the HTTP host in the cache key, this enables
+ # caching metadata for multiple http hosts at once.
+ considerHost: false
+ # How long cached OpenGraph metadata should last in memory
+ ttl: 24h
+ # # If set, return these opengraph values instead of looking them up with
+ # # the target service.
+ # #
+ # # Correlates to properties in https://ogp.me/
+ # override:
+ # # og:title is required, it is the title of the website
+ # "og:title": "Techaro Anubis"
+ # "og:description": >-
+ # Anubis is a Web AI Firewall Utility that helps you fight the bots
+ # away so that you can maintain uptime at work!
+ # "description": >-
+ # Anubis is a Web AI Firewall Utility that helps you fight the bots
+ # away so that you can maintain uptime at work!
+
+# By default, send HTTP 200 back to clients that either get issued a challenge
+# or a denial. This seems weird, but this is load-bearing due to the fact that
+# the most aggressive scraper bots seem to really, really, want an HTTP 200 and
+# will stop sending requests once they get it.
+status_codes:
+ CHALLENGE: 200
+ DENY: 403
+
+# Anubis can store temporary data in one of a few backends. See the storage
+# backends section of the docs for more information:
+#
+# https://anubis.techaro.lol/docs/admin/policies#storage-backends
+store:
+ backend: bbolt
+ parameters:
+ path: WEBLATE_ANUBIS_DATA_PATH/anubis.bdb
+
+# The weight thresholds for when to trigger individual challenges. Any
+# CHALLENGE will take precedence over this.
+#
+# A threshold has four configuration options:
+#
+# - name: the name that is reported down the stack and used for metrics
+# - expression: A CEL expression with the request weight in the variable
+# weight
+# - action: the Anubis action to apply, similar to in a bot policy
+# - challenge: which challenge to send to the user, similar to in a bot policy
+#
+# See https://anubis.techaro.lol/docs/admin/configuration/thresholds for more
+# information.
+thresholds:
+ # By default Anubis ships with the following thresholds:
+- name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
+ expression: weight <= 0 # a feather weighs zero units
+ action: ALLOW # Allow the traffic through
+ # For clients that had some weight reduced through custom rules, give them a
+ # lightweight challenge.
+- name: mild-suspicion
+ expression:
+ all:
+ - weight > 0
+ - weight < 10
+ action: CHALLENGE
+ challenge:
+ # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
+ algorithm: metarefresh
+ difficulty: 1
+ report_as: 1
+ # For clients that are browser-like but have either gained points from custom rules or
+ # report as a standard browser.
+- name: moderate-suspicion
+ expression:
+ all:
+ - weight >= 10
+ - weight < 20
+ action: CHALLENGE
+ challenge:
+ # https://anubis.techaro.lol/docs/admin/configuration/challenges/preact
+ #
+ # This challenge proves the client can run a webapp written with Preact.
+ # The preact webapp simply loads, calculates the SHA-256 checksum of the
+ # challenge data, and forwards that to the client.
+ algorithm: preact
+ difficulty: 1
+ report_as: 1
+- name: mild-proof-of-work
+ expression:
+ all:
+ - weight >= 20
+ - weight < 30
+ action: CHALLENGE
+ challenge:
+ # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+ algorithm: fast
+ difficulty: 2 # two leading zeros, very fast for most clients
+ report_as: 2
+ # For clients that are browser like and have gained many points from custom rules
+- name: extreme-suspicion
+ expression: weight >= 30
+ action: CHALLENGE
+ challenge:
+ # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+ algorithm: fast
+ difficulty: 4
+ report_as: 4