A lightweight IOT application server with a hard shell written for node.js

Go to file

AJ ONeal 7159151352 document how packages are accessed		2017-05-19 07:45:41 +00:00
bin	remove symlink	2017-05-04 23:12:29 -06:00
boot	update deps and add a bunch of debug logging	2017-05-10 23:26:25 +00:00
dist	add empty walnut.yml	2017-05-15 18:11:49 +00:00
etc	include special and auto cert dirs	2016-03-28 21:12:35 -04:00
lib	add shortcut to loading any static app	2017-05-19 07:40:20 +00:00
snippets	add undo instructions	2015-02-23 19:30:34 +00:00
tests	apppath => pagespath	2015-11-21 20:47:28 +00:00
.gitignore	Squashed 'lib/com.daplie.walnut/' content from commit be01307	2017-05-19 00:56:09 -05:00
.jshintrc	add .jshintrc	2017-05-04 23:10:24 -06:00
LICENSE	open source, again	2015-11-28 06:14:03 +00:00
README.md	document how packages are accessed	2017-05-19 07:45:41 +00:00
add-subtree.sh	add subtree script	2017-05-19 00:57:34 -05:00
install.sh	add group perms	2017-05-15 18:21:07 +00:00
package.json	update package.json deps	2017-05-18 01:00:53 +00:00
setup-dev-deps.sh	refactoring to use fs config	2016-04-09 19:14:00 -04:00
uninstall.sh	update installer	2017-05-09 10:27:47 -06:00
walnut.js	removed letsencrypt and other	2017-05-04 23:09:56 -06:00

README.md

walnut

Small, light, and secure iot application framework.

curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash

daplie-install-cloud

Features

Works with Goldilocks for secure, Let's Encrypt maneged, https-only serving
IOT Application server written in Node.js
Small memory footprint (for a node app)
Secure
- Uses JWT, not Cookies*
- HTTPS-only (checks for X-Forwarded-For)
- AES, RSA, and ECDSA encryption and signing
- Safe against CSRF, XSS, and SQL injection
- Safe against Compression attacks
Multi-Tentated Application Management
Built-in OAuth2 & OAuth3 support

*Cookies are used only for GETs and only where using a token would be less secure such as images which would otherwise require the token to be passed into the img src. They are also scoped such that CSRF attacks are not possible.

In Progress

HTTPS Key Pinning
Heroku (pending completion of PostgreSQL support)
GunDB Support
OpenID support

Structure

Currently being tested with Ubuntu, Raspbian, and Debian on Digital Ocean, Raspberry Pi, and Heroku.

/srv/walnut/
├── setup.sh (in-progress)
├── core
│   ├── bin
│   ├── boot
│   ├── holepunch
│   └── lib
├── node_modules
├── packages
│   ├── apis
│   ├── pages
│   └── services
└── var

core contains all walnut code
node_modules is a flat installation of all dependencies
certs is a directory for Let's Encrypt (or custom) certificates
var is a directory for database files and such
packages contains 3 types of packages

Will install to

/srv/walnut/core/
/etc/walnut
/opt/walnut
/var/log/walnut
/etc/systemd/system/walnut.service
/etc/tmpfiles.d/walnut.conf

Implementation details

Initialization

needs to know its primary domain

POST https://api.<domain.tld>/api/com.daplie.walnut.init

{ "domain": "<domain.tld>" }

Resetting the Initialization

Once you run the app the initialization files will appear in these locations

/srv/walnut/var/com.daplie.walnut.config.sqlite3
/srv/walnut/config/<domain.tld>.json

Deleting those files will rese

Accessing static apps

Static apps are stored in packages/pages

# App ID as files with a list of packages they should load
/srv/walnut/packages/pages/<domain.tld#path>       # https://domain.tld/path
/srv/walnut/packages/pages/<domain.tld>            # https://domain.tld and https://domain.tld/foo match

# packages are directories with reverse dns name   # used for debugging
/srv/walnut/packages/pages/<tld.domain.package>    # matches apps.<domain.tld>/<package-name> and <domain.tld>/apps/<package-name>