Add Gerrit email account and send-email configuration
We'll have to store Gerrit's email credentials in plain text. Protecting
from outside connections using these in case they'd ever leak is tricky.
We match the account `gerrit@...` in `user.access` and then the local IP
address of the gerrit container in `gerrit-client.access`, only allowing
authenticated users (`permit_sasl_authenticated`) from this IP.
Alternatively, we could use `permit` which would allow the whole gerrit
container to send emails from `gerrit@...` without login. Then the setup
would also allow more efficient, plain-text communication between Gerrit
and Postfix. The password would still be needed to log in to IMAP
(assuming no further, invasive changes).
diff --git a/docker-compose.yml b/docker-compose.yml
index cbabb0b..a120e6c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -41,13 +41,18 @@
build:
context: .
dockerfile: gerrit/Dockerfile
- env_file: gerrit/environment
+ hostname: review.${SA_PUBLIC_DOMAIN_NAME}
+ env_file:
+ - gerrit/environment
+ - environment
environment:
+ - GERRIT_USER_EMAIL=gerrit@${SA_PUBLIC_DOMAIN_NAME}
- HTTPD_LISTEN_URL=proxy-https://*:8080/
networks:
- gerritnet
volumes:
- ./logs/gerrit/:/var/gerrit/logs/:rw
+ - ./mail/passwd/gerrit/:/var/gerrit/passwd/:rw
- ./gerrit/etc/:/var/gerrit/etc/:rw
- ./gerrit/db/:/var/gerrit/db/:rw
- ./gerrit/git/:/var/gerrit/git/:rw
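Review bot: The new `./mail/passwd/gerrit/:/var/gerrit/passwd/:rw` volume gives the gerrit container write access to the directory that holds the plain-text mail password, while the mail service mounts the parent `./mail/passwd/` as `:ro`. If Gerrit only reads the password, mount it `:ro` here as well; if the Gerrit container is the side that writes it (the visible lines don't say), a comment beside the mount should state that. Separately, adding the top-level `environment` file to `env_file` exposes every variable in that file to the Gerrit process; if Gerrit needs only a subset, passing those variables explicitly under `environment:` would keep the rest out of the container.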
@@ -69,10 +74,13 @@
- "465:465" # ESMTP (implicit TLS)
- "587:587" # ESMTP (explicit TLS => STARTTLS)
- "993:993" # IMAP4 (implicit TLS)
+ networks:
+ - gerritnet
volumes:
- ./logs/mail-supervisor/:/var/log/supervisor/:rw
- ./logs/mail/:/var/log/mail/:rw
- ./certs/:/etc/letsencrypt/:ro
+ - ./mail/passwd/:/tmp/passwd/:ro
- ./mail/data/:/var/mail/:rw
- ./mail/state/:/var/mail-state/:rw
- ./mail/config/:/tmp/docker-mailserver/:rw
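Review bot: Attaching the mail service to `gerritnet` makes it reachable from every container on that network, and the commit message says `gerrit-client.access` matches the Gerrit container by its local IP, yet neither service gets a fixed address in this file (both use the plain `- gerritnet` list form). Docker may assign a different address when the containers are re-created, which would either lock Gerrit out or leave the permitted IP to whichever other container on `gerritnet` receives it. Consider pinning the address with `ipv4_address` on a network with a defined subnet, or documenting how the access map is kept in sync with the container's address.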