Add weblate

This commit is contained in:
Felix 2020-02-29 20:42:45 +01:00
parent 9d332d5ce9
commit 68a98dbabc
5 changed files with 109 additions and 2 deletions

1
.gitignore vendored
View file

@ -1 +1,2 @@
inventory
passwords/

View file

@ -3,7 +3,7 @@ version: "3.3"
services:
gitea:
image: gitea/gitea:1.10
image: gitea/gitea:1.11
restart: always
volumes:
- ./volumes/gitea:/data
@ -16,6 +16,42 @@ services:
- redis
- postfix
weblate:
image: weblate/weblate:3.11.2-1
restart: always
ports:
- 127.0.0.1:3001:8080
environment:
- WEBLATE_EMAIL_HOST=postfix:25
- WEBLATE_ALLOWED_HOSTS=127.0.0.1
- WEBLATE_ADMIN_PASSWORD=${WEBLATE_ADMIN_PASSWORD}
- WEBLATE_ADMIN_NAME="Weblate admin"
- WEBLATE_ADMIN_EMAIL=noreply@${WEBLATE_HOSTNAME}
- WEBLATE_SERVER_EMAIL=noreply@${WEBLATE_HOSTNAME}
- WEBLATE_DEFAULT_FROM_EMAIL=noreply@${WEBLATE_HOSTNAME}
- REDIS_HOST=redis
- REDIS_DB=2
- POSTGRES_PASSWORD=${WEBLATE_POSTGRES_PASSWORD}
- POSTGRES_USER=weblate
- POSTGRES_DATABASE=weblate
- POSTGRES_HOST=postgres
- POSTGRES_PORT=
volumes:
- ./volumes/weblate:/app/data
depends_on:
- postgres
- redis
postgres:
image: postgres:12-alpine
restart: always
environment:
- POSTGRES_USER=weblate
- POSTGRES_PASSWORD=${WEBLATE_POSTGRES_PASSWORD}
volumes:
- ./volumes/postgres:/var/lib/postgresql/data
restart: always
redis:
image: redis:5.0-alpine
restart: always

View file

@ -20,12 +20,20 @@
with_items:
- { path: '/gitea/', owner: 'root' }
- { path: '/gitea/volumes/', owner: 'root' }
- { path: '/gitea/volumes/gitea/', owner: 'root' }
- { path: '/gitea/volumes/redis/', owner: 'root' }
- { path: '/gitea/volumes/weblate/', owner: '1000' }
- { path: '/gitea/volumes/postgres/', owner: 'root' }
- name: add all templates
template: src={{item.src}} dest={{item.dest}} mode={{item.mode}}
with_items:
- { src: 'templates/gitea.conf', dest: '/etc/nginx/sites-enabled/gitea.conf', mode: '0600' }
- { src: 'templates/weblate.conf', dest: '/etc/nginx/sites-enabled/weblate.conf', mode: '0600' }
- { src: 'templates/env', dest: '/gitea/.env', mode: '0600' }
vars:
weblate_admin_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/weblate_admin_password chars=ascii_letters,digits') }}"
weblate_postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/weblate_postgres_password chars=ascii_letters,digits') }}"
- name: copy all files
copy: src={{item.src}} dest={{item.dest}} mode={{item.mode}}
@ -50,7 +58,9 @@
services: nginx
- name: request letsencrypt certificates
shell: certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
shell: |
certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
- name: start docker-compose
docker_compose:
@ -68,3 +78,10 @@
user=root
job="certbot certonly -d {{ domain }} -n --webroot --deploy-hook 'nginx -s reload'"
- name: renew weblate certificates
cron:
special_time=daily
name=certbot-renew-gitea
user=root
job="certbot certonly -d weblate.{{ domain }} -n --webroot --deploy-hook 'nginx -s reload'"

View file

@ -1 +1,4 @@
GITEA_HOSTNAME={{ domain }}
WEBLATE_HOSTNAME=weblate.{{ domain }}
WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}

50
templates/weblate.conf Normal file
View file

@ -0,0 +1,50 @@
server {
# TODO: http redirect seems broken
listen 80;
server_name weblate.{{ domain }};
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name weblate.{{ domain }};
ssl_certificate /etc/letsencrypt/live/weblate.{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/weblate.{{ domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=15768000";
add_header Referrer-Policy "same-origin";
fastcgi_hide_header X-Powered-By;
server_tokens off;
client_max_body_size 100M;
# No compression for json to avoid BREACH attack.
gzip on;
gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
gzip_proxied any;
gzip_vary on;
location / {
proxy_pass http://127.0.0.1:3001;
}
}