Create secret seed:
We use a single secret seed that internal passwords (e.g.
robot mail accounts, databases) are derived from.
* `dd if=/dev/urandom bs=1 count=16 | base64 >.seed`

Create environment files (cf. `git ls-files \*environment.template`):
* Set SA_PUBLIC_DOMAIN_NAME in `environment`
* Set CANONICAL_WEB_URL in `gerrit/environment`
* Enable GitHub OAUTH in `gerrit/environment`

Building using self-signed certificates:
We always create a temporary, self-signed certificate which
can be overwritten by certbot. If intending to test with the
self-signed certificate, build nginx first:
* `docker-compose build nginx`,
then everything else:
* `docker-compose build --build-arg SSL_VARIANT=selfsigned`
which will register the self-signed certificate with Gerrit.

Get containers up:
* `docker-compose up`

Mail setup:
* A 'gerrit@' mail account will be added automatically
* See `docker-compose exec mailserver setup` for more
* Add account or alias for 'postmaster@'

When the containers are up run `certbot`:
* Make sure to set SA_DOMAIN_CONTACT in `environment`
* Once `docker-compose -f sa-certbot.yml run new`
* Every x < 30 days `docker-compose -f sa-certbot.yml run renew`
* Always reload nginx `docker-compose exec nginx nginx -s reload`

DKIM:
* `docker-compose exec mailserver setup config dkim`
* If using a subdomain, set `use_esld = false;`
  in `mail/rspamd-override.d/dkim_signing.conf`
* Publish key from `mail/config/rspamd/dkim/*.public.dns.txt` via DNS

Mail testing with dial-in IP:
Some popular (German) email providers greet with a 554 error when the IP is
blacklisted. This seems to be outside the standard and hence can lead to the
message not bouncing immediately.
* Set `smtp_skip_5xx_greeting = no` in `mail/config/postfix-main.cf`,
  if you want immediate bounces.

Import projects into Gerrit:
* `sudo git -C gerrit/git/ clone --mirror ...`
  - Update `groups` and groups in `project.config`
    in branch `refs/meta/config`
* Import foreign server IDs if needed, e.g.
  `sudo git config -f gerrit/etc/gerrit.config --add gerrit.importedServerId fb9ff590-4b50-4f01-be71-0aafd704c4b4`
* Import foreign account IDs:
  - Check out `refs/meta/external-ids` of `All-Users.git`
  - `sha1sum` the imported ID, e.g. `echo -n imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4 | sha1sum`
  - Use SHA1 sum as filename, contents:
    [externalId "imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4"]
	accountId = 1000123
  - import_account_id() {
	# usage: import_account_id <id>@<server-id> <local-account-id>
	imported="imported:$1"
	sha1=$(printf '%s' "${imported}" | sha1sum | awk '{ print $1 }')
	account_id=$2
	printf '[externalId "%s"]\n\taccountId = %s\n' "${imported}" "${account_id}" >"${sha1}"
    }
  - Commit & push
* Restart containers
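
Checking the external-ID files before "Commit & push" (added example, not part of the original setup; the function names are hypothetical and it assumes one file per ID in a flat directory, named by the SHA1 sum as described above):

```shell
#!/bin/sh
# Added example (not from the original page): check external-ID note files.
# Assumption: one file per ID in a flat directory, named by SHA1 of the ID.

# Print the key from the first [externalId "..."] header of a file.
external_id_key() {
	sed -n 's/^\[externalId "\(.*\)"]$/\1/p' "$1" | head -n 1
}

# Return 0 if the file name equals the SHA1 of its key and accountId is
# numeric; otherwise explain on stderr and return 1.
check_external_id_file() {
	file=$1
	key=$(external_id_key "$file")
	if [ -z "$key" ]; then
		echo "$file: no externalId header" >&2; return 1
	fi
	want=$(printf '%s' "$key" | sha1sum | awk '{ print $1 }')
	if [ "$(basename "$file")" != "$want" ]; then
		echo "$file: name should be $want" >&2; return 1
	fi
	if ! grep -Eq '^[[:space:]]*accountId = [0-9]+$' "$file"; then
		echo "$file: missing or non-numeric accountId" >&2; return 1
	fi
}

# Print how many files in directory $1 fail the check.
count_bad_external_ids() {
	bad=0
	for f in "$1"/*; do
		[ -f "$f" ] || continue
		check_external_id_file "$f" || bad=$((bad + 1))
	done
	echo "$bad"
}

# Constructed sample: one correct file, one with a wrong file name.
make_sample_dir() {
	dir=$(mktemp -d)
	id='imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4' # example ID from above
	name=$(printf '%s' "$id" | sha1sum | awk '{ print $1 }')
	printf '[externalId "%s"]\n\taccountId = 1000123\n' "$id" >"$dir/$name"
	printf '[externalId "%s"]\n\taccountId = 1000124\n' "$id" >"$dir/not-a-sha1"
	echo "$dir"
}

sample=$(make_sample_dir)
echo "bad files: $(count_bad_external_ids "$sample")"
rm -r "$sample"
```

Run `count_bad_external_ids .` inside the checked-out `refs/meta/external-ids` working tree; anything other than `0` means a file would not be found under its external ID.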
