instructions and a systemd unit file

README.md

@@ -1,3 +1,12 @@
 # zulip-fediverse-auth
 
 Authenticate to Zulip using Pleroma or Mastodon.
+
+You will need to have a user on the zulip system that has permission to create new users and have an api key for it.
+Instructions will be added to this document at a later point.
+
+1. `useradd -r -m -d /var/lib/fedi-auth -s /bin/bash fedi-auth`
+2. clone this repo into a subdirectory in fedi-auth user's home directory
+3. create a venv, start it and run `pip install -r requirements.txt`
+4. copy the systemd unit file into /etc/systemd/system and tailor it to your environment, and enable and start it
+5. using nginx and letsencrypt or your other preference, to reverse-proxy the command under TLS at /fedi-auth/

service/zulip-fediverse-auth.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Zulip Fediverse Authentication
+Before=nginx.service
+
+[Service]
+# Zulip API key for user with create user rights
+Environment=API_KEY=your-api-key
+# JWT secret
+Environment=SECRET=your-jwt-secret
+Environment=PORT=8091
+Environment=ZULIP=your-server.tld
+Environment=DB=/var/lib/zulip-fedi/db/db.sqlite
+Environment=PYTHONUNBUFFERED=1
+
+#ExecStart=/var/lib/zulip-fedi/venv/bin/python3 auth.py
+ExecStart=/var/lib/zulip-fedi/venv/bin/gunicorn --bind 127.0.0.1:8091 auth:app
+WorkingDirectory=/var/lib/zulip-fedi/zulip-fediverse-auth
+User=zulip-fedi
+Group=zulip-fedi
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+NoNewPrivileges=true
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+ReadWritePaths=/var/lib/zulip-fedi/db
+
+[Install]
+WantedBy=multi-user.target