From f8ce89c6e7f204d82513a016e339b9a21ceb9813 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 5 May 2017 14:03:02 -0600 Subject: [PATCH] add some installer stuff --- README.md | 6 ++ .../LaunchDaemons/com.daplie.walnut.web.plist | 52 ++++++++++++++ dist/etc/systemd/system/walnut.service | 68 +++++++++++++++++++ dist/etc/tmpfiles.d/walnut.conf | 12 ++++ 4 files changed, 138 insertions(+) create mode 100644 dist/Library/LaunchDaemons/com.daplie.walnut.web.plist create mode 100644 dist/etc/systemd/system/walnut.service create mode 100644 dist/etc/tmpfiles.d/walnut.conf diff --git a/README.md b/README.md index 378a0d8..fb38413 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,12 @@ walnut Small, light, and secure iot application framework. +```bash +curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash + +daplie-install-cloud +``` + Features ------ diff --git a/dist/Library/LaunchDaemons/com.daplie.walnut.web.plist b/dist/Library/LaunchDaemons/com.daplie.walnut.web.plist new file mode 100644 index 0000000..4c9a382 --- /dev/null +++ b/dist/Library/LaunchDaemons/com.daplie.walnut.web.plist @@ -0,0 +1,52 @@ + + + + + Label + WALNUT + ProgramArguments + + /usr/local/bin/walnut + --config + /etc/walnut/walnut.yml + + EnvironmentVariables + + WALNUT_PATH + /opt/walnut + + + UserName + root + GroupName + wheel + InitGroups + + + RunAtLoad + + KeepAlive + + Crashed + + SuccessfulExit + + + + SoftResourceLimits + + NumberOfFiles + 8192 + + HardResourceLimits + + + WorkingDirectory + /srv/www + + StandardErrorPath + /var/log/walnut/error.log + StandardOutPath + /var/log/walnut/info.log + + diff --git a/dist/etc/systemd/system/walnut.service b/dist/etc/systemd/system/walnut.service new file mode 100644 index 0000000..061e113 --- /dev/null +++ b/dist/etc/systemd/system/walnut.service 
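Review bot: The launchd job runs with `UserName` root and `GroupName` wheel under `KeepAlive`, while the Linux counterpart in walnut.service drops to www-data with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true`, so the macOS install of the same code gets a far wider privilege level. A dedicated unprivileged account (an `_walnut` user created by the installer, say) should own the process, with `/opt/walnut`, the `WorkingDirectory` and the two log paths made writable for it; if a privileged port is the only reason for root, launchd's `Sockets` key can hand the listener in without running the whole process as root. `HardResourceLimits` also appears to be an empty dict, so it sets nothing — either give it a `NumberOfFiles` value matching the soft limit or drop it. The XML tags look stripped in this rendering, so the exact element nesting is inferred rather than read.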
@@ -0,0 +1,68 @@
+[Unit]
+Description=WALNUT IoT App Infrastructure
+Documentation=https://git.daplie.com/Daplie/walnut.js
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+# Restart on crash (bad signal), and on 'clean' failure (error exit code)
+# Allow up to 3 restarts within 10 seconds
+# (it's unlikely that a user or properly-running script will do this)
+Restart=on-failure
+StartLimitInterval=10
+StartLimitBurst=3
+
+# The v8 VM will output a "clean" for JavaScript errors.
+# If we knew we were never going to accidentally exit cleanly
+# we would use on-abnormal:
+; Restart=on-abnormal
+
+# User and group the process will run as
+# (www-data is the de facto standard on most systems)
+User=www-data
+Group=www-data
+
+# If we need to pass environment variables in the future
+; Environment=GOLDILOCKS_PATH=/opt/walnut
+
+# Set a sane working directory, sane flags, and specify how to reload the config file
+WorkingDirectory=/srv/www
+ExecStart=/usr/local/bin/walnut --config=/etc/walnut/walnut.yml
+ExecReload=/bin/kill -USR1 $MAINPID
+
+# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
+# We don't expected to use more than this.
+LimitNOFILE=1048576
+LimitNPROC=64
+
+# Use private /tmp and /var/tmp, which are discarded after the process stops.
+PrivateTmp=true
+# Use a minimal /dev
+PrivateDevices=true
+# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+# Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+# … except TLS/SSL, ACME, and Let's Encrypt certificates
+# and /var/log/, because we want a place where logs can go.
+# This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/walnut /etc/acme /etc/letsencrypt /etc/ssl /var/log/walnut /var/walnut /opt/walnut /srv/www
+
+# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
+; ReadWritePaths=/etc/walnut /var/log/walnut
+;
+# The following additional security directives only work with systemd v229 or later.
+# They further retrict privileges that can be gained.
+# Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+# Caveat: Some plugins need additional capabilities.
+# For example "upload" needs CAP_LEASE
+; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
+; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
+; NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dist/etc/tmpfiles.d/walnut.conf b/dist/etc/tmpfiles.d/walnut.conf
new file mode 100644
index 0000000..3f16a3d
--- /dev/null
+++ b/dist/etc/tmpfiles.d/walnut.conf
@@ -0,0 +1,12 @@
+# /etc/tmpfiles.d/walnut.conf
+# See https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
+
+# Type Path Mode UID GID Age Argument
+d /etc/walnut 0755 www-data www-data - -
+d /etc/ssl/walnut 0750 www-data www-data - -
+d /srv/walnut 0775 www-data www-data - -
+d /srv/www 0775 www-data www-data - -
+d /opt/walnut 0775 www-data www-data - -
+d /var/walnut 0775 www-data www-data - -
+d /var/log/walnut 0750 www-data www-data - -
+#d /run/walnut 0755 www-data www-data - -
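Review bot: `ReadWriteDirectories` opens all of `/etc/ssl`, `/etc/acme`, `/etc/letsencrypt` and `/etc/walnut` for writing by www-data, which gives back much of what `ProtectSystem=full` takes away: a compromised process could alter system certificate material under `/etc/ssl` or rewrite the `walnut.yml` that `ExecStart` loads. The tmpfiles entry only creates `/etc/ssl/walnut`, so the line can be narrowed to that, e.g. `ReadWriteDirectories=/etc/walnut /etc/acme /etc/letsencrypt /etc/ssl/walnut /var/log/walnut /var/walnut /opt/walnut /srv/www`, and `/etc/walnut` (and `/opt/walnut`, if it holds the installed code) should leave the list unless the service genuinely writes there. The comment above the commented-out `ReadWritePaths` line states the rename backwards — it is `ReadWriteDirectories` that became `ReadWritePaths` in v231 — so it should read `# Note: in v231 and above ReadWriteDirectories has been renamed to ReadWritePaths`. `StartLimitInterval`/`StartLimitBurst` under `[Service]` are the legacy spellings; on newer systemd they live in `[Unit]` as `StartLimitIntervalSec`/`StartLimitBurst`, which deserves a comment since the unit already relies on v229+ directives.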
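Review bot: `/etc/walnut` and `/opt/walnut` are created owned by www-data with owner write permission, so the runtime account can modify its own configuration and — if `/opt/walnut` is the install location the plist passes as `WALNUT_PATH` — its own code, which turns any compromise of the process into persistent tampering. Directories the service only reads are better owned by root with the group set to www-data, e.g. `d /etc/walnut 0750 root www-data - -` and `d /opt/walnut 0755 root www-data - -`, leaving `/var/walnut`, `/var/log/walnut` and whatever under `/srv` the application actually writes as the writable state. The 0775 mode on `/srv/walnut`, `/srv/www`, `/opt/walnut` and `/var/walnut` also grants write access to every other member of www-data, a group shared with the web server on Debian-derived systems, so 0755 or 0750 is the safer default unless another member of that group must write there.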