152 lines
5 KiB
Markdown
152 lines
5 KiB
Markdown
# gluestick
|
|
|
|
<p align="center">
|
|
<img src="https://git.n2.pm/NotNet/gluestick/raw/branch/main/public/icon.svg" alt="gluestick" width="256">
|
|
</p>
|
|
|
|
gluestick is NotNet's one stop shop for authentication and account onboarding. It connects Discord and GitHub OAuth to NotNet's LDAP server (LLDAP), manages email inboxes with Migadu, and configures Tailscale ACLs.
|
|
|
|
gluestick is developed in house by [NotNite](https://notnite.com/) and [skip](https://slice.zone/), written in Next.js.
|
|
|
|
## Deploying
|
|
|
|
Note: gluestick is heavily designed for NotNet specific infrastructure, and as such, may require modification for your use.
|
|
|
|
You will need:
|
|
|
|
- A recent enough Node.js version
|
|
- An [LLDAP](https://github.com/lldap/lldap) server
|
|
- Ports are assumed to not have been changed from the defaults
|
|
- A [Discord application](https://discord.com/developers/applications) for authentication
|
|
- Set the redirect URL to `(your domain)/oauth/discord/redirect`
|
|
- Both a [GitHub](https://github.com/settings/developers) OAuth app and personal access token
|
|
- The OAuth app will be used for authentication, and the PAT will be used for inviting users automatically
|
|
- Set the redirect URL to `(your domain)/oauth/github/redirect`
|
|
|
|
### Cloning & config
|
|
|
|
First, clone the repository:
|
|
|
|
```shell
|
|
git clone https://git.n2.pm/NotNet/gluestick.git
|
|
cd gluestick
|
|
```
|
|
|
|
After cloning, create an `.env.local` with the following contents (in `key=value` form, separated by newlines):
|
|
|
|
- `DISCORD_CLIENT_ID`: the client ID from your Discord application
|
|
- `DISCORD_CLIENT_SECRET`: the client secret from your Discord application
|
|
- `DISCORD_ALLOWED_GUILDS`: a comma separated list of guild IDs
|
|
- Users must be in one of these guilds to register with gluestick
|
|
- Enable "Advanced > Developer Mode" in your Discord client to copy IDs
|
|
- `GITHUB_CLIENT_ID`: the client ID from your GitHub OAuth app
|
|
- `GITHUB_CLIENT_SECRET`: the client secret from your GitHub OAuth app
|
|
- `GITHUB_TOKEN`: a personal access token, with the ability to modify organization members
|
|
- `GITHUB_ORG`: an organization name
|
|
- Users must be in this organization to register with gluestick
|
|
- `LDAP_HOST`: the IP address or hostname of your LLDAP server
|
|
- `LDAP_DC`: your LDAP dc
|
|
- `LDAP_BIND_USER`: the bind user of your LLDAP server
|
|
- `LDAP_BIND_PASSWORD`: the password of the bind user
|
|
- `BASE_DOMAIN`: the domain gluestick is deployed on, with a protocol and trailing slash
|
|
- This domain will be used for OAuth redirects - if you are testing locally, set it to `http://localhost:3000/`
|
|
- `DATABASE_URL`: a Prisma-like path to your database
|
|
|
|
Example config:
|
|
|
|
```env
|
|
DISCORD_CLIENT_ID=1100257729844621324
|
|
DISCORD_CLIENT_SECRET=redacted
|
|
DISCORD_ALLOWED_GUILDS=986268106416611368,805978396974514206
|
|
|
|
LDAP_HOST=auth
|
|
LDAP_DC=dc=n2,dc=pm
|
|
LDAP_BIND_USER=admin
|
|
LDAP_BIND_PASSWORD=redactedd
|
|
|
|
GITHUB_CLIENT_ID=2c946381e680acfa5e4a
|
|
GITHUB_CLIENT_SECRET=redacted
|
|
GITHUB_TOKEN=redacted
|
|
GITHUB_ORG=n2pm
|
|
|
|
BASE_DOMAIN=https://gluestick.n2.pm/
|
|
DATABASE_URL=file:./database.db
|
|
```
|
|
|
|
### Generating code
|
|
|
|
gluestick makes use of code generation from both `prisma` and `graphql-codegen`. Before you can deploy it, you need to run their CLI tools.
|
|
|
|
First, install required dependencies:
|
|
|
|
```shell
|
|
npm i
|
|
```
|
|
|
|
Because the LLDAP GraphQL API is locked behind authentication, and of a quirk with `graphl-codegen` configuration files, we need to set a temporary environment variable to generate GraphQL code.
|
|
|
|
Run the `get-token.js` helper script and set the environment variable from its output:
|
|
|
|
```shell
|
|
node get-token.js
|
|
export GRAPHQL_CODEDGEN_AUTH=...
|
|
```
|
|
|
|
Then, generate the GraphQL and database code:
|
|
|
|
```shell
|
|
GRAPHQL_USE_INTROSPECTION=true npm run graphql-codegen
|
|
npm run prisma-generate
|
|
```
|
|
|
|
### Running
|
|
|
|
Now, build and run the server:
|
|
|
|
```shell
|
|
npm run build
|
|
npm run start
|
|
```
|
|
|
|
## Developing
|
|
|
|
### Generating GraphQL code
|
|
|
|
Because the LLDAP GraphQL API is locked behind authentication, and of a quirk with `graphl-codegen` configuration files, we need to set a temporary environment variable to generate GraphQL code. If not using introspection, you will need a running LLDAP server.
|
|
|
|
Run the `get-token.js` helper script and set the environment variable from its output:
|
|
|
|
```shell
|
|
node get-token.js
|
|
export GRAPHQL_CODEDGEN_AUTH=...
|
|
```
|
|
|
|
Then, generate the GraphQL code:
|
|
|
|
```shell
|
|
npm run graphql-codegen
|
|
```
|
|
|
|
If you want to use introspection, set `GRAPHQL_USE_INTROSPECTION=true` before generating the code. You won't need to set the auth environment variable in this case.
|
|
|
|
### Working with Prisma
|
|
|
|
gluestick uses [Prisma](https://www.prisma.io/) for accessing the database. If you will be modifying the database schema, you will need to work with it. Consider taking some time to familiarize yourself with the [Prisma CLI](https://www.prisma.io/docs/reference/api-reference/command-reference) first.
|
|
|
|
When first cloning, generate the Prisma client:
|
|
|
|
```shell
|
|
npm run prisma-generate
|
|
```
|
|
|
|
### Running the server
|
|
|
|
```shell
|
|
# Next.js hot reload
|
|
# Pipe to pino-pretty for human readable logging - optional
|
|
npm run dev | pino-pretty
|
|
|
|
# GraphQL hot reload
|
|
# Only required if working on GraphQL code
|
|
npm run graphql-codegen -- -w
|
|
```
|