
Discord RBAC Gateway

The Discord RBAC gateway lets the docs site check a user's Discord server roles before showing protected sections.

It supports these roles:

CIV
LSPD
EMS
STAFF

What It Protects

Path                Allowed roles
/docs/civ           CIV, LSPD, EMS, STAFF
/docs/lspd          LSPD, STAFF
/docs/pd            LSPD, STAFF
/docs/ems           EMS, STAFF
/docs/staff         STAFF
/docs/staff-rules   STAFF

Required Discord Setup

In the Discord Developer Portal:

  1. Create or open the application for the docs login.
  2. Go to OAuth2 settings.
  3. Add this redirect URL:
     https://docs.nextgendevstudios.dev/auth/discord/callback
  4. Copy the client ID.
  5. Copy the client secret.
  6. In Discord, enable Developer Mode.
  7. Copy the server ID.
  8. Copy the role IDs for CIV, LSPD, EMS, and STAFF.

Use role IDs, not role names. Names can change.

Server Environment File

On the server:

cd /root/home/StreetsDocs
cp scripts/rbac-gateway/env.example .env
openssl rand -hex 32
nano .env

Fill in the values:

PORT=3100
PUBLIC_BASE_URL=https://docs.nextgendevstudios.dev
BUILD_DIR=build
SESSION_SECRET=replace-with-output-from-openssl
SESSION_TTL_HOURS=12
REQUIRE_LOGIN_FOR_ALL_DOCS=false

DISCORD_CLIENT_ID=replace-with-discord-client-id
DISCORD_CLIENT_SECRET=replace-with-discord-client-secret
DISCORD_GUILD_ID=replace-with-discord-server-id

CIV_ROLE_ID=replace-with-civ-role-id
LSPD_ROLE_ID=replace-with-lspd-role-id
EMS_ROLE_ID=replace-with-ems-role-id
STAFF_ROLE_ID=replace-with-staff-role-id

Do not commit .env.
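
The route table and the role IDs combine into one access decision per request. The sketch below is an added example, not the gateway's own code: the function names and the placeholder role IDs are hypothetical, and the path normalization and boundary-matching rules are assumptions chosen so that malformed or ambiguous paths fail closed.

```javascript
// Constructed placeholder role IDs standing in for the *_ROLE_ID values in .env.
const ENV = { CIV_ROLE_ID: "1001", LSPD_ROLE_ID: "1002", EMS_ROLE_ID: "1003", STAFF_ROLE_ID: "1004" };

// Path -> role names, copied from the "What It Protects" table.
const RULES = {
  "/docs/civ": ["CIV", "LSPD", "EMS", "STAFF"],
  "/docs/lspd": ["LSPD", "STAFF"],
  "/docs/pd": ["LSPD", "STAFF"],
  "/docs/ems": ["EMS", "STAFF"],
  "/docs/staff": ["STAFF"],
  "/docs/staff-rules": ["STAFF"],
};

// Canonicalise before matching so encoded, dotted or mixed-case paths cannot dodge a rule.
function normalizePath(rawPath) {
  let path;
  try {
    path = decodeURIComponent(rawPath.split(/[?#]/)[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (/[\0\\%]/.test(path)) return null; // NUL, backslash, or leftover (double) encoding
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg.toLowerCase());
  }
  return "/" + out.join("/");
}

// Role IDs allowed for a normalised path, or null when no rule covers it (public).
function requiredRoleIds(path, env = ENV) {
  // Longest rule first; match only at a "/" or "." boundary so "/docs/pd" covers
  // "/docs/pd/x" and "/docs/pd.html" but not an unrelated "/docs/pdf-guide".
  const rules = Object.keys(RULES).sort((a, b) => b.length - a.length);
  const hit = rules.find((p) => path.startsWith(p) && ["", "/", "."].includes(path.charAt(p.length)));
  return hit ? RULES[hit].map((name) => env[name + "_ROLE_ID"]).filter(Boolean) : null;
}

// memberRoleIds: the user's role IDs in the configured guild, or null when there is no session.
function decide(rawPath, memberRoleIds) {
  const path = normalizePath(rawPath);
  if (path === null) return "reject";
  const required = requiredRoleIds(path);
  if (required === null) return "allow";
  if (!memberRoleIds) return "login";
  return memberRoleIds.some((id) => required.includes(id)) ? "allow" : "deny";
}
```

An unset role ID variable is filtered out of the allowed list, so a missing value denies access rather than granting it.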

Start With PM2

Build the docs first:

npm install
npm run build

Start the gateway:

pm2 start npm --name StreetsDocsRBAC -- run serve:rbac
pm2 save

Check logs:

pm2 logs StreetsDocsRBAC

Nginx Proxy Config

Change the docs.nextgendevstudios.dev Nginx site so requests go to the gateway:

server {
    server_name docs.nextgendevstudios.dev;

    location / {
        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/docs.nextgendevstudios.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docs.nextgendevstudios.dev/privkey.pem;
}

server {
    listen 80;
    server_name docs.nextgendevstudios.dev;
    return 301 https://$host$request_uri;
}

Certbot may already manage part of this file. Keep the certificate lines that Certbot created.

Then run:

nginx -t
systemctl reload nginx

Test

curl -I https://docs.nextgendevstudios.dev/healthz

Expected:

HTTP/1.1 200 OK

Then open:

https://docs.nextgendevstudios.dev/docs/lspd

You should be sent to Discord login if you are not logged in.

Future Deploys With RBAC

After RBAC is enabled, the deploy flow is:

cd /root/home/StreetsDocs
git pull
npm install
npm run build
pm2 restart StreetsDocsRBAC --update-env

The gateway serves the build/ folder directly, so copying files into /var/www/docs.nextgendevstudios.dev/ is no longer required for this setup.

Security Note

This gateway checks routes before serving protected pages. For highly sensitive staff material, the safest pattern is still a separate private docs site where every page and asset is behind Discord login.

Do not store real API keys, bot tokens, passwords, or private investigation material in Docusaurus pages.