#!/bin/bash set -e # shellcheck disable=SC1091 . /etc/weblate-bootstrap if [ "$1" = "--nocert" ]; then CERT=0 shift else CERT=1 fi if [ "$1" = "--nomail" ]; then IGNORE_CHECKS=,weblate.E003 shift else IGNORE_CHECKS="" fi if [ "$1" = "--migrate" ]; then MIGRATE=1 CERT=0 shift else MIGRATE=0 fi if [ "$MIGRATE" -eq 0 ]; then adduser weblate --disabled-password --gecos Weblate fi usermod --append --groups adm weblate usermod --append --groups docker weblate WEBLATE_HOME=~weblate WEBLATE_DOCKER="$WEBLATE_HOME/weblate" cd /tmp apt-get update apt-get install --no-install-recommends -y fail2ban python3-pyinotify python3-systemd \ systemd-timesyncd \ rsyslog \ nginx \ openssh-client \ python3-certbot-nginx \ git # Legal stuff sudo -u weblate git clone https://github.com/WeblateOrg/wllegal.git $WEBLATE_HOME/wllegal # SSL cert if [ "$CERT" -eq 1 ]; then certbot --agree-tos --email care@weblate.org --redirect --no-eff-email -d "$WEBLATE_DOMAIN" fi # Enable http/2 sed -i -e 's/ssl;/ssl http2;/' -e 's/ssl ipv6only=on/ssl ipv6only=on http2/' /etc/nginx/sites-available/default if [ "$MIGRATE" -eq 0 ]; then # Enable status locally sed -i '/server_name _/a location = /nginx_status {\n stub_status;\n}' /etc/nginx/sites-available/default fi # Hide server version sed -i 's/# server_tokens off/server_tokens off/' /etc/nginx/nginx.conf # Weblate nginx snippet cat > /etc/nginx/snippets/weblate.conf << EOT location / { proxy_pass http://127.0.0.1:8080; proxy_read_timeout 3600s; proxy_connect_timeout 3600; proxy_set_header Host \$host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host \$server_name; } client_max_body_size 1000m; error_page 500 502 504 /weblate_50x.html; error_page 503 /weblate_503.html; location = /weblate_503.html { root $WEBLATE_HOME/wllegal/wllegal/templates; internal; } location = /weblate_50x.html { root $WEBLATE_HOME/wllegal/wllegal/templates; internal; } access_log /var/log/nginx/access.log; EOT if [ "$MIGRATE" -eq 0 ]; then # Insert include after first server_name stanza sed -i "0,/server_name $WEBLATE_DOMAIN.*/s//&\\ninclude snippets\/weblate.conf;/" /etc/nginx/sites-available/default # Delete default location, replaced by snippet sed -i ':a;N;$!ba;s/\(snippets\/weblate.conf;\)[^}]*}/\1/g' /etc/nginx/sites-available/default fi systemctl enable nginx.service systemctl restart nginx.service # Fail2ban if [ ! -d "$WEBLATE_HOME/fail2ban" ]; then sudo -u weblate git clone https://github.com/WeblateOrg/fail2ban.git $WEBLATE_HOME/fail2ban ln -s $WEBLATE_HOME/fail2ban/filter.d/* /etc/fail2ban/filter.d/ ln -s $WEBLATE_HOME/fail2ban/jail.d/* /etc/fail2ban/jail.d/ systemctl restart fail2ban.service fi # Install Weblate dirs mkdir -p "$WEBLATE_DOCKER" "$WEBLATE_HOME/cache" "$WEBLATE_HOME/data" "$WEBLATE_HOME/postgresql" "$WEBLATE_HOME/redis" # Go to the docker dir cd "$WEBLATE_DOCKER" curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/docker-compose.yml > docker-compose.yml curl -fsSL https://raw.githubusercontent.com/WeblateOrg/docker-compose/main/environment > environment cat > docker-compose.override.yml << EOT services: weblate: image: weblate/weblate:latest hostname: $(hostname) ports: - 127.0.0.1:8080:8080 database: ports: - 127.0.0.1:5432:5432 cache: ports: - 127.0.0.1:6379:6379 volumes: weblate-data: driver: local driver_opts: type: 'none' o: 'bind' device: '$WEBLATE_HOME/data' weblate-cache: driver: local driver_opts: type: 'none' o: 'bind' device: '$WEBLATE_HOME/cache' postgres-data: driver: local driver_opts: type: 'none' o: 'bind' device: '$WEBLATE_HOME/postgresql' redis-data: driver: local driver_opts: type: 'none' o: 'bind' device: '$WEBLATE_HOME/redis' EOT cat >> environment << EOT # E-mail setup WEBLATE_EMAIL_HOST=172.16.0.84 WEBLATE_EMAIL_PORT=587 WEBLATE_EMAIL_USE_TLS=0 # Hosted customization WEBLATE_SERVER_EMAIL=noreply@weblate.org WEBLATE_DEFAULT_FROM_EMAIL=noreply@weblate.org WEBLATE_SITE_TITLE="$WEBLATE_TITLE" WEBLATE_SITE_DOMAIN="$WEBLATE_DOMAIN" WEBLATE_ADMIN_NAME='Michal Čihař' WEBLATE_ADMIN_EMAIL='michal@cihar.com' WEBLATE_DEFAULT_COMMITER_EMAIL='hosted@weblate.org' WEBLATE_DEFAULT_COMMITER_NAME='Hosted Weblate' WEBLATE_STATUS_URL="https://status.weblate.org/" WEBLATE_GET_HELP_URL="https://care.weblate.org/" WEBLATE_CONTACT_FORM="from" WEBLATE_ADMINS_CONTACT='care@weblate.org' WEBLATE_SILENCED_SYSTEM_CHECKS=weblate.E012,weblate.E013$IGNORE_CHECKS WEBLATE_ZAMMAD_URL=https://care.weblate.org WEBLATE_WEBSITE_REQUIRED=0 WEBLATE_LOG_GELF_HOST=172.16.0.78 # Sentry integration SENTRY_DSN="$WEBLATE_SENTRY" SENTRY_TOKEN="$WEBLATE_SENTRY_TOKEN" SENTRY_TRACES_SAMPLE_RATE="0.1" # Registration WEBLATE_REGISTRATION_OPEN=0 WEBLATE_REQUIRE_LOGIN=1 WEBLATE_LEGAL_INTEGRATION=wllegal # SSL WEBLATE_ENABLE_HTTPS=1 WEBLATE_IP_PROXY_HEADER=HTTP_X_FORWARDED_FOR WEBLATE_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https EOT # Fix permissions chown -R weblate:weblate $WEBLATE_HOME # Fetch Weblate containers sudo -u weblate docker compose pull if [ "$MIGRATE" -eq 1 ]; then exit 0 fi # Start Weblate sudo -u weblate docker compose up -d --wait # Show logs sudo -u weblate docker compose logs # Track deploy to Sentry if [ -n "$WEBLATE_SENTRY_TOKEN" ]; then sudo -u weblate docker compose exec --user weblate weblate weblate sentry_deploy || true fi # Create admin user if [ -n "$WEBLATE_PASSWORD" ]; then sudo -u weblate docker compose exec --user weblate weblate weblate createadmin --username nijel --email michal@weblate.org --name 'Michal Čihař' --password "$WEBLATE_PASSWORD" --update fi # Machinery configuration if [ "$CERT" -eq 1 ]; then sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service libretranslate --configuration '{"key": "", "url": "http://172.16.0.9:5000/"}' sudo -u weblate docker compose exec --user weblate weblate weblate install_machinery --service apertium-apy --configuration '{"url": "http://172.16.0.9:2737/"}' fi # Check sudo -u weblate docker compose exec --user weblate weblate weblate check --deploy