Add Gerrit email account and send-email configuration

We'll have to store Gerrit's email credentials in plain text. Protecting
from outside connections using these in case they'd ever leak is tricky.
We match the account `gerrit@...` in `user.access` and then the local IP
address of the gerrit container in `gerrit-client.access`, only allowing
authenticated users (`permit_sasl_authenticated`) from this IP.

Alternatively, we could use `permit` which would allow the whole gerrit
container to send emails from `gerrit@...` without login. Then the setup
would also allow more efficient, plain-text communication between Gerrit
and Postfix. The password would still be needed to log in to IMAP
(assuming no further, invasive changes).

diff --git a/gerrit/Dockerfile.entrypoint-unprivileged b/gerrit/Dockerfile.entrypoint-unprivileged
index 86574b1..5af70c9 100644
--- a/gerrit/Dockerfile.entrypoint-unprivileged
+++ b/gerrit/Dockerfile.entrypoint-unprivileged
@@ -11,4 +11,25 @@
         plugin.gerrit-oauth-provider-github-oauth.client-secret "${GITHUB_OAUTH_CLIENT_SECRET}"
 fi
 
+secret=/var/gerrit/passwd/secret
+
+{
+    if [ ! -f ${secret} ]; then
+        echo $(mktemp -u XXXXXXXXXXXXXXXX) >${secret}
+    fi
+    chmod 400 ${secret}
+}
+
+if [ "${GERRIT_USER_EMAIL}" ]; then
+    passwd=$(cat ${secret})
+
+    git config -f /etc/gerrit/gerrit.config user.email ${GERRIT_USER_EMAIL}
+    git config -f /etc/gerrit/gerrit.config sendemail.smtpServer mail.${SA_PUBLIC_DOMAIN_NAME}
+    git config -f /etc/gerrit/gerrit.config sendemail.smtpServerPort 465
+    git config -f /etc/gerrit/gerrit.config sendemail.smtpEncryption ssl
+    git config -f /etc/gerrit/gerrit.config sendemail.smtpUser ${GERRIT_USER_EMAIL}
+    git config -f /etc/gerrit/gerrit.config sendemail.smtpPass ${passwd}
+    git config -f /etc/gerrit/gerrit.config sendemail.html false
+fi
+
 exec /entrypoint.sh "$@"
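Review bot: the password generated by `echo $(mktemp -u XXXXXXXXXXXXXXXX) >${secret}` comes from a temp-file name generator, whose randomness source depends on the implementation and is not documented as suitable for secrets. The file is also created under the default umask, and only the later `chmod 400` tightens it. Consider reading the bytes from /dev/urandom and setting `umask 077` before the redirect, so the file is never readable by others. The expansions `${secret}`, `${GERRIT_USER_EMAIL}` and `${passwd}` are unquoted in the `[ ! -f ... ]` test, the `cat` and the `git config` calls, so a value containing whitespace or glob characters would be split; quote them. Finally, `sendemail.smtpPass` ends up in /etc/gerrit/gerrit.config in plain text, as the commit message acknowledges. Nothing in this hunk sets that file's mode, so it is worth confirming it is as strict as the mode on the secret file.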