Gitiles
Code Review Sign In
review.sourcearcade.org / sourcearcade / 7f8dc5b59a817cb65c622668389efcb0542f1a18 / . / TODO.on.site
blob: ac2f4f1cee5b06159c02df1e95a074b8939a417e [file] [log] [blame]
Nico Huber8d9f45e2023-07-25 13:22:32 +0000[diff] [blame]1Create secret seed:
2We use a single secret seed that internal passwords (e.g.
3robot mail accounts, databases) are derived from.
4* `dd if=/dev/urandom bs=1 count=16 | base 64 >.seed`
5
Nico Huberd6528722023-07-01 14:38:39 +0000[diff] [blame]6Create environment files (cf. `git ls-files \*environment.template`):
7* Set SA_PUBLIC_DOMAIN_NAME in `environment`
Nico Hubera1a296f2023-06-25 10:07:07 +0000[diff] [blame]8* Set CANONICAL_WEB_URL in `gerrit/environment`
Nico Huber7f8dc5b2023-07-25 16:48:01 +0000[diff] [blame^]9* Enable GitHub OAUTH in `keycloak/environment`
Nico Huber59c365c2023-07-01 18:18:12 +0000[diff] [blame]10
Nico Huberf3c71252023-07-21 13:03:49 +0000[diff] [blame]11Building using self-signed certificates:
12We always create a temporary, self-signed certificate which
13can be overwritten by certbot. If intending to test with the
14self-signed certificate, build nginx first:
15* `docker-compose build nginx`,
16then everything else:
17* `docker-compose build --build-arg SSL_VARIANT=selfsigned`
18which will register the self-signed certificate with Gerrit.
Nico Huberaa15aee2023-07-01 22:35:45 +0000[diff] [blame]19
Nico Huber59c365c2023-07-01 18:18:12 +0000[diff] [blame]20Get containers up:
21* `docker-compose up`
Nico Huber15edd772023-07-01 18:16:50 +0000[diff] [blame]22
Nico Huber804b41b2023-07-02 15:53:42 +0000[diff] [blame]23Mail setup:
24* A 'gerrit@' mail account will be added automatically
25* See `docker-compose exec mailserver setup` for more
26* Add account or alias for 'postmaster@'
27
Nico Huber15edd772023-07-01 18:16:50 +0000[diff] [blame]28When the containers are up run `certbot`:
Nico Huberc5ab17f2023-07-21 22:30:59 +0000[diff] [blame]29* Make sure to set SA_DOMAIN_CONTACT in `environment`
Nico Huber15edd772023-07-01 18:16:50 +0000[diff] [blame]30* Once `docker-compose -f sa-certbot.yml run new`
31* Every x < 30 days `docker-compose -f sa-certbot.yml run renew`
32* Always reload nginx `docker-compose exec nginx nginx -s reload`
Nico Huber22aecea2023-07-19 01:39:58 +0000[diff] [blame]33
34DKIM:
35* `docker-compose exec mailserver setup config dkim`
36* If using a subdomain, set `use_esld = false;`
37 in `mail/rspamd-override.d/dkim_signing.conf`
38* Publish key from `mail/config/rspamd/dkim/*.public.dns.txt` via DNS
Nico Hubered486d52023-07-19 14:00:59 +0000[diff] [blame]39
40Mail testing with dial-in IP:
41Some popular (german) email providers greet with a 554 error when the IP is
42blacklisted. Seems out of standard and hence can lead to not bouncing the
43message immediately.
44* Set `smtp_skip_5xx_greeting = no` in `mail/config/postfix-main.cf`,
45 if you want immediate bounces.
Nico Huber5132ca72023-07-20 23:40:48 +0000[diff] [blame]46
47Import projects into Gerrit:
48* `sudo git -C gerrit/git/ clone --mirror ...`
49 - Update `groups` and groups in `project.config`
50 in branch `refs/meta/config`
51* Import foreign server IDs if needed, e.g.
52 `sudo git config -f gerrit/etc/gerrit.config --add gerrit.importedServerId fb9ff590-4b50-4f01-be71-0aafd704c4b4`
53* Import foreign account IDs:
54 - Check out refs/meta/external-ids` of `All-Users.git`
55 - `sha1sum` the imported ID, e.g. `echo -n imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4 | sha1sum`
56 - Use SHA1 sum as filename, contents:
57 [externalId "imported:1000000@fb9ff590-4b50-4f01-be71-0aafd704c4b4"]
58 accountId = 1000123
59 - import_account_id() {
60 imported=imported:$1
61 sha1=$(printf "%s" ${imported} | sha1sum | awk '{ printf $1; }')
62 local=$2
63 printf "[externalId \"${imported}\"]\n\taccountId = ${local}\n" >${sha1}
64 }
65 - Commit & push
66* Restart containers