NotNet's one stop shop for authentication and account onboarding

Go to file

Julian 940e2621bc update nix hash		2023-05-10 22:37:38 +00:00
.vscode	first commit didnt happen	2023-04-24 22:40:19 -04:00
prisma	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
public	add lunchtype fonts	2023-04-28 07:39:04 -07:00
src	add api route for querying user information	2023-05-10 18:29:11 -04:00
.eslintrc.json	first commit didnt happen	2023-04-24 22:40:19 -04:00
.gitignore	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
.prettierrc	first commit didnt happen	2023-04-24 22:40:19 -04:00
.vsls.json	Descriptive commit message	2023-04-24 22:13:35 -07:00
LICENSE	first commit didnt happen	2023-04-24 22:40:19 -04:00
README.md	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
codegen.ts	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
environment.d.ts	add api route for querying user information	2023-05-10 18:29:11 -04:00
flake.lock	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
flake.nix	update nix hash	2023-05-10 22:37:38 +00:00
get-token.js	add graphql codegen + fix some things	2023-04-25 14:33:16 -04:00
introspection.json	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
next.config.js	Extremely hacky Nix support	2023-04-29 01:19:06 +00:00
package-lock.json	update packages	2023-05-09 17:56:36 -07:00
package.json	update packages	2023-05-09 17:56:36 -07:00
tsconfig.json	first commit didnt happen	2023-04-24 22:40:19 -04:00

README.md

gluestick

gluestick is NotNet's one stop shop for authentication and account onboarding. It connects Discord and GitHub OAuth to NotNet's LDAP server (LLDAP), manages email inboxes with Migadu, and configures Tailscale ACLs.

gluestick is developed in house by NotNite and skip, written in Next.js.

Deploying

Note: gluestick is heavily designed for NotNet specific infrastructure, and as such, may require modification for your use.

You will need:

A recent enough Node.js version
An LLDAP server
- Ports are assumed to not have been changed from the defaults
A Discord application for authentication
- Set the redirect URL to (your domain)/oauth/discord/redirect
Both a GitHub OAuth app and personal access token
- The OAuth app will be used for authentication, and the PAT will be used for inviting users automatically
- Set the redirect URL to (your domain)/oauth/github/redirect

Cloning & config

First, clone the repository:

git clone https://git.n2.pm/NotNet/gluestick.git
cd gluestick

After cloning, create an .env.local with the following contents (in key=value form, separated by newlines):

DISCORD_CLIENT_ID: the client ID from your Discord application
DISCORD_CLIENT_SECRET: the client secret from your Discord application
DISCORD_ALLOWED_GUILDS: a comma separated list of guild IDs
- Users must be in one of these guilds to register with gluestick
- Enable "Advanced > Developer Mode" in your Discord client to copy IDs
GITHUB_CLIENT_ID: the client ID from your GitHub OAuth app
GITHUB_CLIENT_SECRET: the client secret from your GitHub OAuth app
GITHUB_TOKEN: a personal access token, with the ability to modify organization members
GITHUB_ORG: an organization name
- Users must be in this organization to register with gluestick
LDAP_HOST: the IP address or hostname of your LLDAP server
LDAP_DC: your LDAP dc
LDAP_BIND_USER: the bind user of your LLDAP server
LDAP_BIND_PASSWORD: the password of the bind user
BASE_DOMAIN: the domain gluestick is deployed on, with a protocol and trailing slash
- This domain will be used for OAuth redirects - if you are testing locally, set it to http://localhost:3000/
DATABASE_URL: a Prisma-like path to your database

Example config:

DISCORD_CLIENT_ID=1100257729844621324
DISCORD_CLIENT_SECRET=redacted
DISCORD_ALLOWED_GUILDS=986268106416611368,805978396974514206

LDAP_HOST=auth
LDAP_DC=dc=n2,dc=pm
LDAP_BIND_USER=admin
LDAP_BIND_PASSWORD=redactedd

GITHUB_CLIENT_ID=2c946381e680acfa5e4a
GITHUB_CLIENT_SECRET=redacted
GITHUB_TOKEN=redacted
GITHUB_ORG=n2pm

BASE_DOMAIN=https://gluestick.n2.pm/
DATABASE_URL=file:./database.db

Generating code

gluestick makes use of code generation from both prisma and graphql-codegen. Before you can deploy it, you need to run their CLI tools.

First, install required dependencies:

npm i

Because the LLDAP GraphQL API is locked behind authentication, and of a quirk with graphl-codegen configuration files, we need to set a temporary environment variable to generate GraphQL code.

Run the get-token.js helper script and set the environment variable from its output:

node get-token.js
export GRAPHQL_CODEDGEN_AUTH=...

Then, generate the GraphQL and database code:

GRAPHQL_USE_INTROSPECTION=true npm run graphql-codegen
npm run prisma-generate

Running

Now, build and run the server:

npm run build
npm run start

Developing

Generating GraphQL code

Because the LLDAP GraphQL API is locked behind authentication, and of a quirk with graphl-codegen configuration files, we need to set a temporary environment variable to generate GraphQL code. If not using introspection, you will need a running LLDAP server.

Run the get-token.js helper script and set the environment variable from its output:

node get-token.js
export GRAPHQL_CODEDGEN_AUTH=...

Then, generate the GraphQL code:

npm run graphql-codegen

If you want to use introspection, set GRAPHQL_USE_INTROSPECTION=true before generating the code. You won't need to set the auth environment variable in this case.

Working with Prisma

gluestick uses Prisma for accessing the database. If you will be modifying the database schema, you will need to work with it. Consider taking some time to familiarize yourself with the Prisma CLI first.

When first cloning, generate the Prisma client:

npm run prisma-generate

Running the server

# Next.js hot reload
# Pipe to pino-pretty for human readable logging - optional
npm run dev | pino-pretty

# GraphQL hot reload
# Only required if working on GraphQL code
npm run graphql-codegen -- -w