feat(ops): configure sendemail for gerrit

This configures Gerrit to use the "Gerrit" Message Stream on our "Snix" server in Postmark. Change-Id: I4d021919c666aabc94008f9f705163cb9639f1aa Reviewed-on: https://cl.snix.dev/c/snix/+/30205 Autosubmit: Florian Klink <flokli@flokli.de> Tested-by: besadii Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
2025-03-20 19:03:54 +00:00 · 2025-03-20 19:03:54 +00:00 · 3191a6c8d0
commit 3191a6c8d0
parent be949fb122
4 changed files with 26 additions and 10 deletions
--- a/ops/machines/gerrit01/default.nix
+++ b/ops/machines/gerrit01/default.nix
@ -64,6 +64,7 @@ in
    {
      gerrit-oauth-secret.file = secretFile "gerrit-oauth-secret";
      gerrit-replication-key.file = secretFile "gerrit-replication-key";
+      gerrit-sendemail-smtp-pass.file = secretFile "gerrit-sendemail-smtp-pass";
      gerrit-autosubmit.file = secretFile "gerrit-autosubmit";
      gerrit-besadii-config = {
        file = secretFile "buildkite-besadii-config";
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@ -145,16 +145,17 @@ in
      # $site_path/etc/secure.config and is *not* controlled by Nix.
      #
      # Receiving email is not currently supported.
-      # sendemail = {
-      #   enable = true;
-      #   html = false;
-      #   connectTimeout = "10sec";
-      #   from = "TVL Code Review <tvlbot@tazj.in>";
-      #   includeDiff = true;
-      #   smtpEncryption = "none";
-      #   smtpServer = "localhost";
-      #   smtpServerPort = 2525;
-      # };
+      sendemail = {
+        enable = true;
+        html = true; # multi-part, both html and plaintext
+        connectTimeout = "10sec";
+        from = "Snix Code Review <gerrit@snix.dev>";
+        includeDiff = true;
+        smtpEncryption = "tls";
+        smtpServer = "smtp.postmarkapp.com";
+        smtpUser = "PM-T-snix-gerrit-2reTInskye8FLoYt11_";
+        smtpServerPort = 2525;
+      };
    };

    # Replication of the snix repository to secondary machines, for
@ -235,6 +236,8 @@ in
      # ... and finally, plop our secrets inside, and give the file to gerrit.
      git config -f $CONF plugin.gerrit-oauth-provider-keycloak-oauth.client-secret \
        "$(cat ${config.age.secrets.gerrit-oauth-secret.path})"
+      git config -f $CONF sendemail.smtpPass \
+        "$(cat ${config.age.secrets.gerrit-sendemail-smtp-pass.path})"

      chown git:git $CONF
    '';
--- a/ops/secrets/gerrit-sendemail-smtp-pass.age
+++ b/ops/secrets/gerrit-sendemail-smtp-pass.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +qVung aBjr4zZO5ndoL0/tbaQbxZAEUHb1Gj8xHNwHOjOvTz0
+F3k5w0BbmjQSk70k1pclS5xpzTjtFAzRbFDl6/sUN6Q
+-> X25519 k1Q7xe5aOcc13MgEu6SiVm3e9vxnzaDI8RfyiUCbpRw
+5QVIuw5c3ivkXpmTHXLbyNWzITjHyM2QiAQPy0/KsPk
+-> ssh-ed25519 C2zWnA n/XXSXy0ik3u1EiqZlZMnhx5eMhI7rxaKIwWlescZUA
+CmgFmp9YRuhdQFemcALNwHiMXSgMzmC7TLRxruu5Bg
+-> ssh-ed25519 x3gRmg QqKrosSOJNSm5NHVOuIfzGbCl9WNJM2SnnzJdW0Vdjo
+gRmD8UtobTWj6fTpBnKL3irGN0lAE3fX81cDjalLjnA
+--- 6cnSxBokWSQ9hu9nX0akHUQdpuhVKzyBHorRQdaLLEg
+¢X™&†7§_Ëp‚,¤À¦ýê9=î’ôm2'û0%¸fº\Iê²Hÿ.Ýˆ9YY/sZðœ¿@ñ—ð–€·Ž®œ¤>½l”
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -37,6 +37,7 @@ in
  "keycloak-db-password.age" = public01Default;
  "gerrit-oauth-secret.age" = gerrit01Default;
  "gerrit-replication-key.age" = gerrit01Default;
+  "gerrit-sendemail-smtp-pass.age" = gerrit01Default;
  "gerrit-autosubmit.age" = gerrit01Default;

  "forgejo-oauth-secret.age" = public01Default;