| Nico Huber | d652872 | 2023-07-01 14:38:39 +0000 | [diff] [blame] | 1 | Create environment files (cf. `git ls-files \*environment.template`): |
| 2 | * Set SA_PUBLIC_DOMAIN_NAME in `environment` |
| Nico Huber | a1a296f | 2023-06-25 10:07:07 +0000 | [diff] [blame] | 3 | * Set CANONICAL_WEB_URL in `gerrit/environment` |
| Nico Huber | 5407310 | 2023-06-25 11:36:59 +0000 | [diff] [blame] | 4 | * Enable GitHub OAUTH in `gerrit/environment` |
| Nico Huber | 59c365c | 2023-07-01 18:18:12 +0000 | [diff] [blame] | 5 | |
| Nico Huber | f3c7125 | 2023-07-21 13:03:49 +0000 | [diff] [blame] | 6 | Building using self-signed certificates: |
| 7 | We always create a temporary, self-signed certificate which |
| 8 | can be overwritten by certbot. If intending to test with the |
| 9 | self-signed certificate, build nginx first: |
| 10 | * `docker-compose build nginx`, |
| 11 | then everything else: |
| 12 | * `docker-compose build --build-arg SSL_VARIANT=selfsigned` |
| 13 | which will register the self-signed certificate with Gerrit. |
| Nico Huber | aa15aee | 2023-07-01 22:35:45 +0000 | [diff] [blame] | 14 | |
| Nico Huber | 59c365c | 2023-07-01 18:18:12 +0000 | [diff] [blame] | 15 | Get containers up: |
| 16 | * `docker-compose up` |
| Nico Huber | 15edd77 | 2023-07-01 18:16:50 +0000 | [diff] [blame] | 17 | |
| Nico Huber | 804b41b | 2023-07-02 15:53:42 +0000 | [diff] [blame] | 18 | Mail setup: |
| 19 | * A 'gerrit@' mail account will be added automatically |
| 20 | * See `docker-compose exec mailserver setup` for more |
| 21 | * Add account or alias for 'postmaster@' |
| 22 | |
| Nico Huber | 15edd77 | 2023-07-01 18:16:50 +0000 | [diff] [blame] | 23 | When the containers are up run `certbot`: |
| Nico Huber | c5ab17f | 2023-07-21 22:30:59 +0000 | [diff] [blame] | 24 | * Make sure to set SA_DOMAIN_CONTACT in `environment` |
| Nico Huber | 15edd77 | 2023-07-01 18:16:50 +0000 | [diff] [blame] | 25 | * Once `docker-compose -f sa-certbot.yml run new` |
| 26 | * Every x < 30 days `docker-compose -f sa-certbot.yml run renew` |
| 27 | * Always reload nginx `docker-compose exec nginx nginx -s reload` |
| Nico Huber | 22aecea | 2023-07-19 01:39:58 +0000 | [diff] [blame] | 28 | |
| 29 | DKIM: |
| 30 | * `docker-compose exec mailserver setup config dkim` |
| 31 | * If using a subdomain, set `use_esld = false;` |
| 32 | in `mail/rspamd-override.d/dkim_signing.conf` |
| 33 | * Publish key from `mail/config/rspamd/dkim/*.public.dns.txt` via DNS |
| Nico Huber | ed486d5 | 2023-07-19 14:00:59 +0000 | [diff] [blame] | 34 | |
| 35 | Mail testing with dial-in IP: |
| 36 | Some popular (german) email providers greet with a 554 error when the IP is |
| 37 | blacklisted. Seems out of standard and hence can lead to not bouncing the |
| 38 | message immediately. |
| 39 | * Set `smtp_skip_5xx_greeting = no` in `mail/config/postfix-main.cf`, |
| 40 | if you want immediate bounces. |
| Nico Huber | 5132ca7 | 2023-07-20 23:40:48 +0000 | [diff] [blame] | 41 | |
| 42 | Import projects into Gerrit: |
| 43 | * `sudo git -C gerrit/git/ clone --mirror ...` |
| 44 | - Update `groups` and groups in `project.config` |
| 45 | in branch `refs/meta/config` |
| 46 | * Import foreign server IDs if needed, e.g. |
| 47 | `sudo git config -f gerrit/etc/gerrit.config --add gerrit.importedServerId fb9ff590-4b50-4f01-be71-0aafd704c4b4` |
| 48 | * Import foreign account IDs: |
| 49 | - Check out refs/meta/external-ids` of `All-Users.git` |
| 50 | - `sha1sum` the imported ID, e.g. `echo -n imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4 | sha1sum` |
| 51 | - Use SHA1 sum as filename, contents: |
| 52 | [externalId "imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4"] |
| 53 | accountId = 1000123 |
| 54 | - import_account_id() { |
| 55 | imported=imported:$1 |
| 56 | sha1=$(printf "%s" ${imported} | sha1sum | awk '{ printf $1; }') |
| 57 | local=$2 |
| 58 | printf "[externalId \"${imported}\"]\n\taccountId = ${local}\n" >${sha1} |
| 59 | } |
| 60 | - Commit & push |
| 61 | * Restart containers |