From 68a98dbabcee8a27ee19bcd8e4e50420ac960b28 Mon Sep 17 00:00:00 2001 From: Felix Date: Sat, 29 Feb 2020 20:42:45 +0100 Subject: [PATCH] Add weblate --- .gitignore | 1 + files/docker-compose.yml | 38 +++++++++++++++++++++++++++++- gitea.yml | 19 ++++++++++++++- templates/env | 3 +++ templates/weblate.conf | 50 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 templates/weblate.conf diff --git a/.gitignore b/.gitignore index e845c18..310892e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ inventory +passwords/ diff --git a/files/docker-compose.yml b/files/docker-compose.yml index 740fbe2..214b4ee 100644 --- a/files/docker-compose.yml +++ b/files/docker-compose.yml @@ -3,7 +3,7 @@ version: "3.3" services: gitea: - image: gitea/gitea:1.10 + image: gitea/gitea:1.11 restart: always volumes: - ./volumes/gitea:/data @@ -16,6 +16,42 @@ services: - redis - postfix + weblate: + image: weblate/weblate:3.11.2-1 + restart: always + ports: + - 127.0.0.1:3001:8080 + environment: + - WEBLATE_EMAIL_HOST=postfix:25 + - WEBLATE_ALLOWED_HOSTS=127.0.0.1 + - WEBLATE_ADMIN_PASSWORD=${WEBLATE_ADMIN_PASSWORD} + - WEBLATE_ADMIN_NAME="Weblate admin" + - WEBLATE_ADMIN_EMAIL=noreply@${WEBLATE_HOSTNAME} + - WEBLATE_SERVER_EMAIL=noreply@${WEBLATE_HOSTNAME} + - WEBLATE_DEFAULT_FROM_EMAIL=noreply@${WEBLATE_HOSTNAME} + - REDIS_HOST=redis + - REDIS_DB=2 + - POSTGRES_PASSWORD=${WEBLATE_POSTGRES_PASSWORD} + - POSTGRES_USER=weblate + - POSTGRES_DATABASE=weblate + - POSTGRES_HOST=postgres + - POSTGRES_PORT= + volumes: + - ./volumes/weblate:/app/data + depends_on: + - postgres + - redis + + postgres: + image: postgres:12-alpine + restart: always + environment: + - POSTGRES_USER=weblate + - POSTGRES_PASSWORD=${WEBLATE_POSTGRES_PASSWORD} + volumes: + - ./volumes/postgres:/var/lib/postgresql/data + restart: always + redis: image: redis:5.0-alpine restart: always diff --git a/gitea.yml b/gitea.yml index 6ce81c9..10a2f29 100644 --- a/gitea.yml +++ b/gitea.yml @@ -20,12 +20,20 @@ with_items: - { path: '/gitea/', owner: 'root' } - { path: '/gitea/volumes/', owner: 'root' } + - { path: '/gitea/volumes/gitea/', owner: 'root' } + - { path: '/gitea/volumes/redis/', owner: 'root' } + - { path: '/gitea/volumes/weblate/', owner: '1000' } + - { path: '/gitea/volumes/postgres/', owner: 'root' } - name: add all templates template: src={{item.src}} dest={{item.dest}} mode={{item.mode}} with_items: - { src: 'templates/gitea.conf', dest: '/etc/nginx/sites-enabled/gitea.conf', mode: '0600' } + - { src: 'templates/weblate.conf', dest: '/etc/nginx/sites-enabled/weblate.conf', mode: '0600' } - { src: 'templates/env', dest: '/gitea/.env', mode: '0600' } + vars: + weblate_admin_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/weblate_admin_password chars=ascii_letters,digits') }}" + weblate_postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/weblate_postgres_password chars=ascii_letters,digits') }}" - name: copy all files copy: src={{item.src}} dest={{item.dest}} mode={{item.mode}} @@ -50,7 +58,9 @@ services: nginx - name: request letsencrypt certificates - shell: certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n + shell: | + certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n + certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n - name: start docker-compose docker_compose: @@ -68,3 +78,10 @@ user=root job="certbot certonly -d {{ domain }} -n --webroot --deploy-hook 'nginx -s reload'" + - name: renew weblate certificates + cron: + special_time=daily + name=certbot-renew-gitea + user=root + job="certbot certonly -d weblate.{{ domain }} -n --webroot --deploy-hook 'nginx -s reload'" + diff --git a/templates/env b/templates/env index b09eb23..df8e19a 100644 --- a/templates/env +++ b/templates/env @@ -1 +1,4 @@ GITEA_HOSTNAME={{ domain }} +WEBLATE_HOSTNAME=weblate.{{ domain }} +WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }} +WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }} diff --git a/templates/weblate.conf b/templates/weblate.conf new file mode 100644 index 0000000..ff80989 --- /dev/null +++ b/templates/weblate.conf @@ -0,0 +1,50 @@ +server { + # TODO: http redirect seems broken + listen 80; + server_name weblate.{{ domain }}; + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + server_name weblate.{{ domain }}; + + ssl_certificate /etc/letsencrypt/live/weblate.{{ domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/weblate.{{ domain }}/privkey.pem; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + ssl_stapling on; + ssl_stapling_verify on; + + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=15768000"; + add_header Referrer-Policy "same-origin"; + fastcgi_hide_header X-Powered-By; + server_tokens off; + + client_max_body_size 100M; + + # No compression for json to avoid BREACH attack. + gzip on; + gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg; + gzip_proxied any; + gzip_vary on; + + location / { + proxy_pass http://127.0.0.1:3001; + } +}