Create secret seed:
We use a single secret seed from which internal passwords (e.g.
robot mail accounts, databases) are derived. Keep `.seed` out of
version control and readable only by the deploying user: anyone
who can read it can re-derive every internal password.
* `dd if=/dev/urandom bs=1 count=16 | base64 >.seed`
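How the seed can be turned into per-service passwords, shown as an added example that is not the project's own code (the README does not describe the project's actual derivation). The service labels and the seed-prefixed SHA-256 construction are assumptions made for the illustration; the point is that the seed is created with restrictive permissions, read from the file rather than passed on a command line, and that every service gets a distinct, reproducible password:

```shell
#!/bin/sh
# Added example, not the project's code: create a 128-bit seed with
# restrictive permissions and derive one deterministic password per internal
# service from it. SHA-256 over "seed, label" is an assumed scheme, not the
# one the project uses; HMAC (openssl dgst -hmac) would be the textbook choice.
set -eu

# Create $1 as the seed file (16 random bytes, base64) unless it already exists.
# The subshell umask 077 makes the file readable only by the deploying user.
create_seed() {
    seedfile=$1
    if [ ! -s "$seedfile" ]; then
        (umask 077; head -c 16 /dev/urandom | base64 > "$seedfile")
    fi
}

# Derive a 32-hex-character (128-bit) password for service label $2 from the
# seed in file $1. The seed is read from the file, so it never appears in argv.
derive_password() {
    seedfile=$1
    label=$2
    seed=$(cat "$seedfile")
    printf '%s\n%s\n' "$seed" "$label" | sha256sum | cut -c1-32
}

# Stand-alone demo on a throw-away seed; real use points at ./.seed.
demo_dir=$(mktemp -d)
create_seed "$demo_dir/.seed"
echo "seed file mode: $(ls -l "$demo_dir/.seed" | cut -c1-10)"   # -rw-------
for svc in gerrit-db keycloak-db robot-mail; do
    echo "$svc: $(derive_password "$demo_dir/.seed" "$svc")"
done
rm -rf "$demo_dir"
```

Because the derivation is deterministic, a lost database password can be regenerated from the seed alone; conversely, rotating the seed rotates every derived password at once, so plan the re-provisioning of all services before doing so.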
Create environment files (cf. `git ls-files \*environment.template`):
* Set SA_PUBLIC_DOMAIN_NAME in `environment`
* Set CANONICAL_WEB_URL in `gerrit/environment`
* Enable GitHub OAUTH in `keycloak/environment`
Building using self-signed certificates:
We always create a temporary, self-signed certificate which
certbot can later overwrite. If you intend to test with the
self-signed certificate, build nginx first:
* `docker-compose build nginx`,
then everything else:
* `docker-compose build --build-arg SSL_VARIANT=selfsigned`
which will register the self-signed certificate with Gerrit.
Get containers up:
* `docker-compose up`
Mail setup:
* A 'gerrit@' mail account will be added automatically
* See `docker-compose exec mailserver setup` for more
* Add an account or alias for 'postmaster@' (every mail domain must accept mail for it)
When the containers are up, run certbot:
* Make sure SA_DOMAIN_CONTACT is set in `environment`
* Once, initially: `docker-compose -f sa-certbot.yml run new`
* Then at least every 30 days: `docker-compose -f sa-certbot.yml run renew`
  (Let's Encrypt certificates are valid for 90 days)
* Always reload nginx afterwards: `docker-compose exec nginx nginx -s reload`
DKIM:
* `docker-compose exec mailserver setup config dkim`
* If the mail domain is a subdomain, set `use_esld = false;`
in `mail/rspamd-override.d/dkim_signing.conf`, so rspamd signs
with the subdomain's key instead of the effective second-level domain's
* Publish key from `mail/config/rspamd/dkim/*.public.dns.txt` via DNS
Mail testing with dial-in IP:
Some popular (German) email providers answer the connection with a 554
greeting when the client IP is blacklisted. This is non-standard, and
Postfix by default (`smtp_skip_5xx_greeting = yes`) treats such a greeting
as a temporary failure and keeps retrying instead of bouncing the message.
* Set `smtp_skip_5xx_greeting = no` in `mail/config/postfix-main.cf`
if you want immediate bounces.
Import projects into Gerrit:
* `sudo git -C gerrit/git/ clone --mirror ...`
- Update the `groups` file and the group references in `project.config`
on branch `refs/meta/config` (group UUIDs of the foreign server do not exist locally)
* Import foreign server IDs if needed, e.g.
`sudo git config -f gerrit/etc/gerrit.config --add gerrit.importedServerId fb9ff590-4b50-4f01-be71-0aafd704c4b4`
* Import foreign account IDs:
- Check out `refs/meta/external-ids` of `All-Users.git`
- `sha1sum` the imported ID without a trailing newline, e.g. `echo -n imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4 | sha1sum`
- Use the SHA1 sum as the file name; contents (git-config style, tab-indented):
  [externalId "imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4"]
      accountId = 1000123
- Or as a shell function, run inside the checkout (`$1` is the foreign ID
  including the server ID, `$2` the local account ID):
  import_account_id() {
      imported="imported:$1"
      # hash without a trailing newline: this is the file name Gerrit looks up
      sha1=$(printf '%s' "${imported}" | sha1sum | awk '{ printf $1; }')
      account_id=$2
      printf '[externalId "%s"]\n\taccountId = %s\n' "${imported}" "${account_id}" >"${sha1}"
  }
- Commit & push
* Restart containers
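The "Import foreign account IDs" steps above, carried out for a whole batch of accounts and followed by a consistency check, as an added example that is not part of the project's tooling. The server ID is the one quoted on this page; the account mapping is constructed sample data, and the directory is a stand-in for a checkout of `refs/meta/external-ids`. The check catches the classic mistake the steps warn about: a file named after the hash of the key plus a newline (an `echo` without `-n`), which Gerrit would never find:

```shell
#!/bin/sh
# Added example, not the project's tooling: generate the external-id files for
# a batch of imported accounts and verify that each file name is the SHA-1 of
# the externalId key inside it, which is what Gerrit looks up.
set -eu

# Server id of the foreign Gerrit (the one quoted on this page).
SERVER_ID=fb9ff590-4b50-4f01-be71-0aafd704c4b4

# Constructed sample mapping: "<foreign account id> <local account id>" per line.
MAPPING='1000000 1000123
1000001 1000124'

# SHA-1 of a string. printf '%s' adds no newline; `echo` without -n would hash
# the newline too and produce a file name Gerrit never looks for.
sha1_of() {
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
}

# Write one external-id file into directory $1 (a checkout of
# refs/meta/external-ids of All-Users.git) for foreign id $2 mapped to local
# account id $3, and print the file's path.
write_external_id() {
    dir=$1
    key="imported:$2@$SERVER_ID"
    file="$dir/$(sha1_of "$key")"
    printf '[externalId "%s"]\n\taccountId = %s\n' "$key" "$3" > "$file"
    printf '%s\n' "$file"
}

# Read "<foreign> <local>" pairs from stdin and write all files into $1.
write_all_external_ids() {
    dir=$1
    while read -r foreign account_id; do
        [ -n "$foreign" ] || continue
        write_external_id "$dir" "$foreign" "$account_id" > /dev/null
    done
}

# Check every file in $1: the name must equal the SHA-1 of the key in its
# [externalId "..."] header. Returns 1 on the first inconsistent file.
verify_external_id_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        key=$(sed -n 's/^\[externalId "\(.*\)"]$/\1/p' "$f")
        if [ -z "$key" ] || [ "$(basename "$f")" != "$(sha1_of "$key")" ]; then
            echo "inconsistent external-id file: $f" >&2
            return 1
        fi
    done
}

# Stand-alone demo in a scratch directory; for real use point at the checkout,
# then `git add` the files, commit and push to refs/meta/external-ids.
demo=$(mktemp -d)
printf '%s\n' "$MAPPING" | write_all_external_ids "$demo"
verify_external_id_dir "$demo" && echo "external-id files in $demo written and verified"
rm -rf "$demo"
```

Run `verify_external_id_dir` against the whole checkout before committing, not only against the files you just added: it also flags any pre-existing entry whose name and key drifted apart, which Gerrit otherwise reports only as a failed login or a missing account.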