From c5c2d4fb33b503e0a967a811e0ecfb0aefb5665d Mon Sep 17 00:00:00 2001
From: Moon
Date: Wed, 16 Oct 2024 16:35:38 +0000
Subject: [PATCH] instructions and a systemd unit file

---
 README.md | 11 +++++++++-
 service/zulip-fediverse-auth.service | 30 ++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 service/zulip-fediverse-auth.service

diff --git a/README.md b/README.md
index 27614c3..a92db37 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,12 @@
 # zulip-fediverse-auth
 
-Authenticate to Zulip using Pleroma or Mastodon.
\ No newline at end of file
+Authenticate to Zulip using Pleroma or Mastodon.
+
+You will need to have a user on the zulip system that has permission to create new users and have an api key for it.
+Instructions will be added to this document at a later point.
+
+1. `useradd -r -m -d /var/lib/fedi-auth -s /bin/bash fedi-auth`
+2. clone this repo into a subdirectory in fedi-auth user's home directory
+3. create a venv, start it and run `pip install -r requirements.txt`
+4. copy the systemd unit file into /etc/systemd/system and tailor it to your environment, and enable and start it
+5. using nginx and letsencrypt or your other preference, to reverse-proxy the command under TLS at /fedi-auth/
diff --git a/service/zulip-fediverse-auth.service b/service/zulip-fediverse-auth.service
new file mode 100644
index 0000000..db8a0b2
--- /dev/null
+++ b/service/zulip-fediverse-auth.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Zulip Fediverse Authentication
+Before=nginx.service
+
+[Service]
+# Zulip API key for user with create user rights
+Environment=API_KEY=your-api-key
+# JWT secret
+Environment=SECRET=your-jwt-secret
+Environment=PORT=8091
+Environment=ZULIP=your-server.tld
+Environment=DB=/var/lib/zulip-fedi/db/db.sqlite
+Environment=PYTHONUNBUFFERED=1
+
+#ExecStart=/var/lib/zulip-fedi/venv/bin/python3 auth.py
+ExecStart=/var/lib/zulip-fedi/venv/bin/gunicorn --bind 127.0.0.1:8091 auth:app
+WorkingDirectory=/var/lib/zulip-fedi/zulip-fediverse-auth
+User=zulip-fedi
+Group=zulip-fedi
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+NoNewPrivileges=true
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+ReadWritePaths=/var/lib/zulip-fedi/db
+
+[Install]
+WantedBy=multi-user.target
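Review bot: The `Environment=API_KEY=` and `Environment=SECRET=` lines put a Zulip API key with create-user rights and the JWT signing secret into the unit file itself, which is normally world-readable under /etc/systemd/system, and systemd exposes a unit's `Environment=` values to unprivileged users through `systemctl show`. Loading both from a root-owned, mode 0600 file keeps them out of the unit, e.g. `EnvironmentFile=/etc/zulip-fedi/env` (placeholder path), with a comment in the unit saying which variables that file must define. `CapabilityBoundingSet=~CAP_SYS_ADMIN` removes only one capability; the service runs as an unprivileged user and binds a high loopback port, so an empty `CapabilityBoundingSet=` should be enough. The unit also uses `zulip-fedi` and /var/lib/zulip-fedi, while the README step in this same patch creates `fedi-auth` under /var/lib/fedi-auth, so the two should agree, or the README should name the lines to adapt.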