chore: bump version to v0.20.251025

Rachel's edits to index.html to make information easier to understand.

.gitignore

@@ -1,4 +1,19 @@
 node_modules.*
+*.*.sw*
+etc/acme/
+bin/node
+bin/npm
+bin/npx
+bin/telebit
+bin/telebitd
+bin/telebit_uninstall
+usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist
+usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist
+usr/share/dist/etc/systemd/system/telebit.service
+usr/share/dist/etc/skel/.config/systemd/user/telebit.service
+./etc/
+./include/
+./share/
 
 # Logs
 logs

README.md

@@ -1,12 +1,14 @@
-# Telebit™ Remote
+# Telebit™ Remote | a [Root](https://rootprojects.org) project
 
 Because friends don't let friends localhost™
 
-| Sponsored by [ppl](https://ppl.family)
 | **Telebit Remote**
-| [Telebit Relay](https://git.coolaj86.com/coolaj86/telebitd.js)
+| [Telebit Relay](https://git.coolaj86.com/coolaj86/telebit-relay.js)
+| [sclient](https://telebit.cloud/sclient)
 |
 
+<img align="center" src="https://git.coolaj86.com/coolaj86/telebit.js/raw/branch/master/usr/share/docs/terminal-example-1.png">
+
 Break out of localhost.
 =======
 
@@ -31,49 +33,32 @@ Features
 Examples
 ========
 
-As a user service
+You do this:
 
-```bash
-telebit daemon --config ~/.config/telebit/telebit.yml &
-```
+    curl -fsSL https://get.telebit.io | bash
 
-As a system service
-```bash
-sudo telebit daemon --config ~/.config/telebit/telebit.yml
-```
+You get this:
 
-Example output:
+    ~/telebit http 3000
+    > Forwarding lucky-duck-42.telebit.cloud => localhost:3000
 
-```
-Connect to your device by any of the following means:
+    ~/telebit http ~/sites/example.com/
+    > Serving ~/sites/example.com/ as lucky-duck-42.telebit.cloud
 
-SSH+HTTPS
-        ssh+https://young-grasshopper-37.telebit.cloud:443
-        ex: ssh -o ProxyCommand='openssl s_client -connect %h:%p -quiet' young-grasshopper-37.telebit.cloud -p 443
+And this:
 
-SSH
-        ssh://ssh.telebit.cloud:32852
-        ex: ssh ssh.telebit.cloud -p 32852
+    ~/telebit tcp 5050
+    > Forwarding telebit.cloud:1337 => localhost:5050
 
-TCP
-        tcp://tcp.telebit.cloud:32852
-        ex: netcat tcp.telebit.cloud 32852
+And even this:
 
-HTTPS
-        https://young-grasshopper-37.telebit.cloud
-        ex: curl https://young-grasshopper-37.telebit.cloud
-```
+    ~/telebit ssh auto
+    > Forwarding ssh telebit.cloud -p 1337 => localhost:22
+    > Forwarding ssh+https (openssl proxy) => localhost:22
 
-```bash
-# Forward all https traffic to port 3000
-telebit http 3000
+No privileged ports. No sudo. End-to-end encryption.
 
-# Forward all tcp traffic to port 5050
-telebit tcp 5050
-
-# List all rules
-telebit list
-```
+Fastest way to test a site, share a file, and pair over ssh.
 
 Install
 =======
@@ -84,56 +69,71 @@ Mac & Linux
 Open Terminal and run this install script:
 
 ```
-curl -fsSL https://get.telebit.cloud | bash
+curl -fsSL https://get.telebit.io | bash
 ```
 
 <!--
 ```
-bash <( curl -fsSL https://get.telebit.cloud )
+bash <( curl -fsSL https://get.telebit.io )
 ```
 
 <small>
 Note: **fish**, **zsh**, and other **non-bash** users should do this
 
 ```
-curl -fsSL https://get.telebit.cloud/ > get.sh; bash get.sh
+curl -fsSL https://get.telebit.io/ > get.sh; bash get.sh
 ```
 </small>
 -->
 
-Of course, feel free to inspect the install script before you run it: `curl -fsSL https://get.telebit.cloud`
+What does the installer do?
 
-This will install Telebit Remote to `/opt/telebit` and
-put a symlink to `/opt/telebit/bin/telebit.js` in `/usr/local/bin/telebit`
-for convenience.
+  * install Telebit Remote to `~/Applications/telebit/`
+  * symlink the executable to `~/telebit` for convenience
+  * create the appropriate system launcher file
+    * `/etc/systemd/system/telebit.service`
+    * `~/Library/LaunchAgents/cloud.telebit.remote.plist`
+  * create local user config
+    * `~/.config/telebit/telebit.yml`
+    * `~/.local/share/telebit`
+
+Of course, feel free to inspect it before you run it: `curl -fsSL https://get.telebit.io`
 
 **You can customize the installation**:
 
 ```bash
-export NODEJS_VER=v10.2
+export NODEJS_VER=v10.2                   # v10.2 is tested working, but we can test other versions
+export TELEBIT_VERSION=master             # git tag or branch to install from
+export TELEBIT_USERSPACE=no               # install as a system service (launchd, systemd only)
 export TELEBIT_PATH=/opt/telebit
-curl -fsSL https://get.telebit.cloud/
+export TELEBIT_USER=telebit
+export TELEBIT_GROUP=telebit
+curl -fsSL https://get.telebit.io/ | bash
 ```
 
 That will change the bundled version of node.js is bundled with Telebit Relay
 and the path to which Telebit Relay installs.
 
-You can get rid of the tos + email and server domain name prompts by providing them right away:
-
-```bash
-curl -fsSL https://get.telebit.cloud/ | bash -- jon@example.com example.com telebit.example.com xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-```
-
 Windows & Node.js
 -----------------
 
 1. Install [node.js](https://nodejs.org)
 2. Open _Node.js_
 2. Run the command `npm install -g telebit`
+2. Copy the example daemon config to your user folder `.config/telebit/telebitd.yml` (such as `/Users/John/.config/telebit/telebitd.yml`)
+2. Copy the example remote config to your user folder `.config/telebit/telebit.yml` (such as `/Users/John/.config/telebit/telebit.yml`)
+2. Change the email address
+2. Run `npx telebit init` and follow the instructions
+2. Run `npx telebit list`
 
-**Note**: Use node.js v8.x or v10.x
+**Note**: Use node.js **v10.2.1**
 
-There is [a bug](https://github.com/nodejs/node/issues/20241) in node v9.x that causes telebit to crash.
+(there are specific bugs in each of
+v8.x,
+[v9.x](https://github.com/nodejs/node/issues/20241),
+v10.0,
+and v10.3
+that each cause telebit to crash)
 
 Remote Usage
 ============
@@ -184,30 +184,35 @@ telebit tcp /module/path                # handle all tcp with a node module
 telebit tcp none 6565                   # remove tcp handler from external port 6565
 telebit tcp 5050 6565                   # forward external port 6565 to local 5050
 telebit tcp /module/path 6565           # handle external port 6565 with a node module
+
+telebit ssh disable                     # disable ssh access
+telebit ssh 22                          # port-forward all ssh connections to port 22
+
+telebit save                            # save http and tcp configuration changes
 ```
 
 ### Using SSH
 
 SSH over HTTPS
 ```
-ssh -o ProxyCommand='openssl s_client -connect %h:443 -quiet' slippery-bobcat-39.telebit.cloud
+ssh -o ProxyCommand='openssl s_client -connect %h:443 -servername %h -quiet' lucky-duck-42.telebit.cloud
 ```
 
 SSH over non-standard port
 ```
-ssh slippery-bobcat-39.telebit.cloud -p 3031
+ssh lucky-duck-42.telebit.cloud -p 3031
 ```
 
-Daemon Usage
+Daemon Usage (non-global)
 ============
 
 ```bash
-telebit daemon --config /opt/telebit/etc/telebit.yml
+~/Applications/bin/node ~/Applications/bin/telebitd.js --config ~/.config/telebit/telebitd.yml
 ```
 
 Options
 
-`/opt/telebit/etc/telebit.yml:`
+`~/.config/telebit/telebitd.yml:`
 ```
 email: 'jon@example.com'          # must be valid (for certificate recovery and security alerts)
 agree_tos: true                   # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
@@ -224,7 +229,7 @@ servernames:                      # servernames that will be forwarded here
 Choosing A Relay
 ================
 
-You can create a free or paid account at https://telebit.cloud
+You can create a free or paid account at <https://telebit.cloud>
 or you can run [Telebit Relay](https://git.coolaj86.com/coolaj86/telebitd.js)
 open source on a VPS (Vultr, Digital Ocean)
 or your Raspberry Pi at home (with port-forwarding).
@@ -261,7 +266,7 @@ port_forward:
 
 greenlock:
   store: le-store-certbot         # certificate storage plugin
-  config_dir: /etc/acme           # directory for ssl certificates
+  config_dir: etc/acme            # directory for ssl certificates
 ```
 
 Using Telebit with node.js
@@ -304,25 +309,25 @@ Or if you want to bow down to the kings of the centralized dictator-net:
 How to use Telebit Remote with your own instance of Telebit Relay:
 
 ```bash
-telebit \
+telebitd \
   --locals <<external domain name>> \
   --relay wss://<<tunnel domain>>:<<tunnel port>> \
   --secret <<128-bit hex key>>
 ```
 
 ```bash
-telebit --locals john.example.com --relay wss://tunnel.example.com:443 --secret abc123
+telebitd --locals john.example.com --relay wss://tunnel.example.com:443 --secret abc123
 ```
 
 ```bash
-telebit \
+telebitd \
   --locals <<protocol>>:<<external domain name>>:<<local port>> \
   --relay wss://<<tunnel domain>>:<<tunnel port>> \
   --secret <<128-bit hex key>>
 ```
 
 ```bash
-telebit \
+telebitd \
   --locals http:john.example.com:3000,https:john.example.com \
   --relay wss://tunnel.example.com:443 \
   --secret abc123
@@ -481,17 +486,17 @@ Check Logs
 **Linux**:
 
 ```
-sudo journalctl -xefu telebit
+SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
 ```
 
 **macOS**:
 
 ```
-sudo tail -f /opt/telebit/var/log/info.log
+tail -f ~/local/share/telebit/var/log/info.log
 ```
 
 ```
-sudo tail -f /opt/telebit/var/log/error.log
+tail -f ~/.local/share/telebit/var/log/error.log
 ```
 
 Uninstall
@@ -500,16 +505,18 @@ Uninstall
 **Linux**:
 
 ```
-sudo systemctl disable telebit; sudo systemctl stop telebit
-sudo rm -rf /etc/systemd/system/telebit.service /opt/telebit /usr/local/bin/telebit
+systemctl --user disable telebit; systemctl --user stop telebit
+rm -f ~/.config/systemd/user/telebit.service
+rm -rf ~/telebit ~/Applications/telebit
 rm -rf ~/.config/telebit ~/.local/share/telebit
 ```
 
 **macOS**:
 
 ```
-sudo launchctl unload -w /Library/LaunchDaemons/cloud.telebit.remote.plist
-sudo rm -rf /Library/LaunchDaemons/cloud.telebit.remote.plist /opt/telebit /usr/local/bin/telebit
+launchctl unload -w ~/Library/LaunchAgents/cloud.telebit.remote.plist
+rm -f ~/Library/LaunchAgents/cloud.telebit.remote.plist
+rm -rf ~/telebit ~/Applications/telebit
 rm -rf ~/.config/telebit ~/.local/share/telebit
 ```
 
@@ -521,4 +528,4 @@ This is implemented with websockets, so you should be able to
 LICENSE
 =======
 
-Copyright 2016 AJ ONeal
+Copyright 2016-2018+ AJ ONeal

bin/telebit-remote.js

@@ -0,0 +1,812 @@
+#!/usr/bin/env node
+(function () {
+'use strict';
+
+var pkg = require('../package.json');
+var os = require('os');
+
+//var url = require('url');
+var fs = require('fs');
+var path = require('path');
+var http = require('http');
+//var https = require('https');
+var YAML = require('js-yaml');
+var TOML = require('toml');
+var TPLS = TOML.parse(fs.readFileSync(path.join(__dirname, "../lib/en-us.toml"), 'utf8'));
+/*
+if ('function' !== typeof TOML.stringify) {
+  TOML.stringify = require('json2toml');
+}
+*/
+var recase = require('recase').create({});
+var camelCopy = recase.camelCopy.bind(recase);
+//var snakeCopy = recase.snakeCopy.bind(recase);
+
+var urequest = require('@coolaj86/urequest');
+var common = require('../lib/cli-common.js');
+
+var argv = process.argv.slice(2);
+
+var argIndex = argv.indexOf('--config');
+if (-1 === argIndex) {
+  argIndex = argv.indexOf('-c');
+}
+var confpath;
+var useTty;
+var state = {};
+if (-1 === argIndex) {
+  argIndex = argv.indexOf('-c');
+}
+if (-1 !== argIndex) {
+  confpath = argv.splice(argIndex, 2)[1];
+}
+argIndex = argv.indexOf('--tty');
+if (-1 !== argIndex) {
+  useTty = argv.splice(argIndex, 1);
+}
+
+function help() {
+  var keys = Object.keys(TPLS.help).filter(function (key) {
+    return 'remote' !== key;
+  });
+  var key = keys.filter(function (key) {
+    return -1 !== process.argv.indexOf(key);
+  })[0] || 'remote';
+  console.info(TPLS.help[key].replace(/{version}/g, pkg.version));
+}
+
+var verstr = [ pkg.name + ' remote v' + pkg.version ];
+if (!confpath) {
+  confpath = path.join(os.homedir(), '.config/telebit/telebit.yml');
+  verstr.push('(--config \'' + confpath.replace(new RegExp('^' + os.homedir()), '~') + '\')');
+}
+
+if ([ '-h', '--help', 'help' ].some(function (arg) {
+  return -1 !== argv.indexOf(arg);
+})) {
+  help();
+  process.exit(0);
+}
+if (!confpath || /^--/.test(confpath)) {
+  help();
+  process.exit(1);
+}
+
+function askForConfig(state, mainCb) {
+  var fs = require('fs');
+  var ttyname = '/dev/tty';
+  var stdin = useTty ? fs.createReadStream(ttyname, {
+    fd: fs.openSync(ttyname, fs.constants.O_RDONLY | fs.constants.O_NOCTTY)
+  }) : process.stdin;
+  var readline = require('readline');
+  var rl = readline.createInterface({
+    input: stdin
+  , output: process.stdout
+    // https://github.com/nodejs/node/issues/21771
+    // https://github.com/nodejs/node/issues/21319
+  , terminal: !/^win/i.test(os.platform()) && !useTty
+  });
+  state._useTty = useTty;
+
+  // NOTE: Use of setTimeout
+  // We're using setTimeout just to make the user experience a little
+  // nicer, as if we're doing something inbetween steps, so that it
+  // is a smooth rather than jerky experience.
+  // >= 300ms is long enough to become distracted and change focus (a full blink, time for an idea to form as a thought)
+  // <= 100ms is shorter than normal human reaction time (ability to place events chronologically, which happened first)
+  // ~ 150-250ms is the sweet spot for most humans (long enough to notice change and not be jarred, but stay on task)
+  var firstSet = [
+    function askEmail(cb) {
+      if (state.config.email) { cb(); return; }
+      console.info(TPLS.remote.setup.email);
+      // TODO attempt to read email from npmrc or the like?
+      rl.question('email: ', function (email) {
+        email = /@/.test(email) && email.trim();
+        if (!email) { askEmail(cb); return; }
+        state.config.email = email.trim();
+        state.config.agreeTos = true;
+        console.info("");
+        setTimeout(cb, 250);
+      });
+    }
+  , function askRelay(cb) {
+      function checkRelay(relay) {
+        // TODO parse and check https://{{relay}}/.well-known/telebit.cloud/directives.json
+        if (!relay) { relay = 'telebit.cloud'; }
+        relay = relay.trim();
+        var urlstr = common.parseUrl(relay) + common.apiDirectory;
+        urequest({ url: urlstr, json: true }, function (err, resp, body) {
+          if (err) {
+            console.error("[Network Error] Failed to retrieve '" + urlstr + "'");
+            console.error(err);
+            askRelay(cb);
+            return;
+          }
+          if (200 !== resp.statusCode || (Buffer.isBuffer(body) || 'object' !== typeof body) || !body.api_host) {
+            console.warn("===================");
+            console.warn("      WARNING      ");
+            console.warn("===================");
+            console.warn("");
+            console.warn("[" + resp.statusCode + "] '" + urlstr + "'");
+            console.warn("This server does not describe a current telebit version (but it may still work).");
+            console.warn("");
+            console.warn(body);
+          } else if (body && body.pair_request) {
+            state._can_pair = true;
+          }
+          state.config.relay = relay;
+          cb();
+        });
+      }
+
+      if (state.config.relay) { checkRelay(state.config.relay); return; }
+      console.info("");
+      console.info("");
+      console.info("What relay will you be using? (press enter for default)");
+      console.info("");
+      rl.question('relay [default: telebit.cloud]: ', checkRelay);
+    }
+  , function checkRelay(cb) {
+      nextSet = [];
+      if ('telebit.cloud' !== state.config.relay) {
+        nextSet = nextSet.concat(standardSet);
+      }
+      if (!state._can_pair) {
+        nextSet = nextSet.concat(fossSet);
+      }
+      cb();
+    }
+  ];
+  var standardSet = [
+    // There are questions that we need to aks in the CLI
+    // if we can't guarantee that they are being asked in the web interface
+    function askAgree(cb) {
+      if (state.config.agreeTos) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("Do you accept the terms of service for each and all of the following?");
+      console.info("");
+      console.info("\tTelebit - End-to-End Encrypted Relay");
+      console.info("\tGreenlock - Automated HTTPS");
+      console.info("\tLet's Encrypt - TLS Certificates");
+      console.info("");
+      console.info("Type 'y' or 'yes' to accept these Terms of Service.");
+      console.info("");
+      rl.question('agree to all? [y/N]: ', function (resp) {
+        resp = resp.trim();
+        if (!/^y(es)?$/i.test(resp) && 'true' !== resp) {
+          throw new Error("You didn't accept the Terms of Service... not sure what to do...");
+        }
+        state.config.agreeTos = true;
+        console.info("");
+        setTimeout(cb, 250);
+      });
+    }
+  , function askUpdates(cb) {
+      // required means transactional, security alerts, mandatory updates
+      var options = [ 'newsletter', 'important', 'required' ];
+      if (-1 !== options.indexOf(state._updates)) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What updates would you like to receive? (" + options.join(',') + ")");
+      console.info("");
+      rl.question('messages (default: important): ', function (updates) {
+        state._updates = (updates || '').trim().toLowerCase();
+        if (!state._updates) { state._updates = 'important'; }
+        if (-1 === options.indexOf(state._updates)) { askUpdates(cb); return; }
+
+        if ('newsletter' === state._updates) {
+          state.config.newsletter = true;
+          state.config.communityMember = true;
+        } else if ('important' === state._updates) {
+          state.config.communityMember = true;
+        }
+
+        setTimeout(cb, 250);
+      });
+    }
+  , function askTelemetry(cb) {
+      if (state.config.telemetry) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("Contribute project telemetry data? (press enter for default [yes])");
+      console.info("");
+      rl.question('telemetry [Y/n]: ', function (telemetry) {
+        if (!telemetry || /^y(es)?$/i.test(telemetry)) {
+          state.config.telemetry = true;
+        }
+        setTimeout(cb, 250);
+      });
+    }
+  ];
+  var fossSet = [
+    function askTokenOrSecret(cb) {
+      if (state._can_pair || state.token || state.config.token
+        || state.secret || state.config.secret) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What's your authorization for '" + state.config.relay + "'?");
+      console.info("");
+      // TODO check .well-known to learn supported token types
+      console.info("Currently supported:");
+      console.info("");
+      console.info("\tToken (JWT format)");
+      console.info("\tShared Secret (HMAC hex)");
+      //console.info("\tPrivate key (hex)");
+      console.info("");
+      rl.question('auth: ', function (resp) {
+        var jwt = require('jsonwebtoken');
+        resp = (resp || '').trim();
+        try {
+          jwt.decode(resp);
+          state.config.token = resp;
+        } catch(e) {
+          // is not jwt
+        }
+        if (!state.config.token) {
+          resp = resp.toLowerCase();
+          if (resp === Buffer.from(resp, 'hex').toString('hex')) {
+            state.config.secret = resp;
+          }
+        }
+        if (!state.config.token && !state.config.secret) {
+          askTokenOrSecret(cb);
+          return;
+        }
+        setTimeout(cb, 250);
+      });
+    }
+  , function askServernames(cb) {
+      if (!state.config.secret || state.config._servernames) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What servername(s) will you be relaying here?");
+      console.info("(use a comma-separated list such as example.com,example.net)");
+      console.info("");
+      rl.question('domain(s): ', function (resp) {
+        resp = (resp || '').trim().split(/,/g);
+        if (!resp.length) { askServernames(); return; }
+        // TODO validate the domains
+        state.config._servernames = resp;
+        setTimeout(cb, 250);
+      });
+    }
+  , function askPorts(cb) {
+      if (!state.config.secret || state.config._ports) { cb(); return; }
+      console.info("");
+      console.info("");
+      console.info("What tcp port(s) will you be relaying here?");
+      console.info("(use a comma-separated list such as 2222,5050)");
+      console.info("");
+      rl.question('port(s) [default:none]: ', function (resp) {
+        resp = (resp || '').trim().split(/,/g);
+        if (!resp.length) { askPorts(); return; }
+        // TODO validate the domains
+        state.config._ports = resp;
+        setTimeout(cb, 250);
+      });
+    }
+  ];
+  var nextSet = firstSet;
+
+  function next() {
+    var q = nextSet.shift();
+    if (!q) {
+      // https://github.com/nodejs/node/issues/21319
+      if (useTty) { try { stdin.push(null); } catch(e) { /*ignore*/ } }
+      rl.close();
+      if (useTty) { try { stdin.close(); } catch(e) { /*ignore*/ } }
+      mainCb(null, state);
+      return;
+    }
+    q(next);
+  }
+
+  next();
+}
+
+var utils = {
+  request: function request(opts, fn) {
+    if (!opts) { opts = {}; }
+    var service = opts.service || 'config';
+    var req = http.request({
+      socketPath: state._ipc.path
+    , method: opts.method || 'GET'
+    , path: '/rpc/' + service
+    }, function (resp) {
+      var body = '';
+
+      function finish() {
+        if (200 !== resp.statusCode) {
+          console.warn(resp.statusCode);
+          console.warn(body || ('get' + service + ' failed'));
+          //cb(new Error("not okay"), body);
+          return;
+        }
+
+        if (!body) { fn(null, null); return; }
+
+        try {
+          body = JSON.parse(body);
+        } catch(e) {
+          // ignore
+        }
+
+        fn(null, body);
+      }
+
+      if (resp.headers['content-length']) {
+        resp.on('data', function (chunk) {
+          body += chunk.toString();
+        });
+        resp.on('end', function () {
+          finish();
+        });
+      } else {
+        finish();
+      }
+    });
+    req.on('error', function (err) {
+      // ENOENT - never started, cleanly exited last start, or creating socket at a different path
+      // ECONNREFUSED - leftover socket just needs to be restarted
+      if ('ENOENT' === err.code || 'ECONNREFUSED' === err.code) {
+        if (opts._taketwo) {
+          console.error("Either the telebit service was not already (and could not be started) or its socket could not be written to.");
+          console.error(err);
+          return;
+        }
+        require('../usr/share/install-launcher.js').install({ env: process.env }, function (err) {
+          if (err) { fn(err); return; }
+          opts._taketwo = true;
+          setTimeout(function () {
+            utils.request(opts, fn);
+          }, 2500);
+        });
+        return;
+      }
+      if ('ENOTSOCK' === err.code) {
+        console.error(err);
+        return;
+      }
+      console.error(err);
+      return;
+    });
+    req.end();
+  }
+, putConfig: function putConfig(service, args, fn) {
+    var req = http.request({
+      socketPath: state._ipc.path
+    , method: 'POST'
+    , path: '/rpc/' + service + '?_body=' + encodeURIComponent(JSON.stringify(args))
+    }, function (resp) {
+
+      function finish() {
+        if ('function' === typeof fn) {
+          fn(null, resp);
+          return;
+        }
+
+        console.info("");
+        if (200 !== resp.statusCode) {
+          console.warn("'" + service + "' may have failed."
+           + " Consider peaking at the logs either with 'journalctl -xeu telebit' or /opt/telebit/var/log/error.log");
+          console.warn(resp.statusCode, body);
+          //cb(new Error("not okay"), body);
+          return;
+        }
+
+        if (!body) {
+          console.info("👌");
+          return;
+        }
+
+        try {
+          body = JSON.parse(body);
+        } catch(e) {
+          // ignore
+        }
+
+        if ("AWAIT_AUTH" === body.code) {
+          console.info(body.message);
+        } else if ("CONFIG" === body.code) {
+          delete body.code;
+          //console.info(TOML.stringify(body));
+          console.info(YAML.safeDump(body));
+        } else {
+          if ('http' === body.module) {
+            // TODO we'll support slingshot-ing in the future
+            if (String(body.local) === String(parseInt(body.local, 10))) {
+              console.info('> Forwarding https://' + body.remote + ' => localhost:' + body.local);
+            } else {
+              console.info('> Serving ' + body.local + ' as https://' + body.remote);
+            }
+          } else if ('tcp' === body.module) {
+              console.info('> Forwarding ' + state.config.relay + ':' + body.remote + ' => localhost:' + body.local);
+          } else if ('ssh' === body.module) {
+              //console.info('> Forwarding ' + state.config.relay + ' -p ' + JSON.stringify(body) + ' => localhost:' + body.local);
+              console.info('> Forwarding ssh+https (openssl proxy) => localhost:' + body.local);
+          } else {
+            console.info(JSON.stringify(body, null, 2));
+          }
+          console.info();
+        }
+      }
+
+      var body = '';
+      if (resp.headers['content-length']) {
+        resp.on('data', function (chunk) {
+          body += chunk.toString();
+        });
+        resp.on('end', function () {
+          finish();
+        });
+      } else {
+        finish();
+      }
+    });
+    req.on('error', function (err) {
+      console.error('Put Config Error:');
+      console.error(err);
+      return;
+    });
+    req.end();
+  }
+};
+
+// Two styles:
+//     http 3000
+//     http modulename
+function makeRpc(key) {
+  if (key !== argv[0]) {
+    return false;
+  }
+  utils.putConfig(argv[0], argv.slice(1));
+  return true;
+}
+
+function packConfig(config) {
+  return Object.keys(config).map(function (key) {
+    var val = config[key];
+    if ('undefined' === val) {
+      throw new Error("'undefined' used as a string value");
+    }
+    if ('undefined' === typeof val) {
+      //console.warn('[DEBUG]', key, 'is present but undefined');
+      return;
+    }
+    if (val && 'object' === typeof val && !Array.isArray(val)) {
+      val = JSON.stringify(val);
+    }
+    return key + ':' + val; // converts arrays to strings with ,
+  });
+}
+
+function getToken(err, state) {
+  if (err) {
+    console.error("Error while initializing config [init]:");
+    throw err;
+  }
+  state.relay = state.config.relay;
+
+  // { _otp, config: {} }
+  common.api.token(state, {
+    error: function (err/*, next*/) {
+      console.error("[Error] common.api.token:");
+      console.error(err);
+      return;
+    }
+  , directory: function (dir, next) {
+      //console.log('[directory] Telebit Relay Discovered:');
+      //console.log(dir);
+      state._apiDirectory = dir;
+      next();
+    }
+  , tunnelUrl: function (tunnelUrl, next) {
+      //console.log('[tunnelUrl] Telebit Relay Tunnel Socket:', tunnelUrl);
+      state.wss = tunnelUrl;
+      next();
+    }
+  , requested: function (authReq, next) {
+      //console.log("[requested] Pairing Requested");
+      state.config._otp = state.config._otp = authReq.otp;
+
+      if (!state.config.token && state._can_pair) {
+        console.info("");
+        console.info("==============================================");
+        console.info("                 Hey, Listen!                 ");
+        console.info("==============================================");
+        console.info("                                              ");
+        console.info("  GO CHECK YOUR EMAIL!                        ");
+        console.info("                                              ");
+        console.info("  DEVICE PAIR CODE:     0000                  ".replace(/0000/g, state.config._otp));
+        console.info("                                              ");
+        console.info("==============================================");
+        console.info("");
+      }
+
+      next();
+    }
+  , connect: function (pretoken, next) {
+      //console.log("[connect] Enabling Pairing Locally...");
+      state.config.pretoken = pretoken;
+      state._connecting = true;
+
+      // TODO use php-style object querification
+      utils.putConfig('config', packConfig(state.config), function (err/*, body*/) {
+        if (err) {
+          state._error = err;
+          console.error("Error while initializing config [connect]:");
+          console.error(err);
+          return;
+        }
+        console.info(TPLS.remote.waiting.replace(/{email}/, state.config.email));
+        next();
+      });
+    }
+  , offer: function (token, next) {
+      //console.log("[offer] Pairing Enabled by Relay");
+      state.config.token = token;
+      if (state._error) {
+        return;
+      }
+      state._connecting = true;
+      try {
+        require('jsonwebtoken').decode(token);
+        //console.log(require('jsonwebtoken').decode(token));
+      } catch(e) {
+        console.warn("[warning] could not decode token");
+      }
+      utils.putConfig('config', packConfig(state.config), function (err/*, body*/) {
+        if (err) {
+          state._error = err;
+          console.error("Error while initializing config [offer]:");
+          console.error(err);
+          return;
+        }
+        //console.log("Pairing Enabled Locally");
+        next();
+      });
+    }
+  , granted: function (_, next) {
+      //console.log("[grant] Pairing complete!");
+      next();
+    }
+  , end: function () {
+      utils.putConfig('enable', [], function (err) {
+        if (err) { console.error(err); return; }
+        console.info(TPLS.remote.success);
+
+        // workaround for https://github.com/nodejs/node/issues/21319
+        if (state._useTty) {
+          setTimeout(function () {
+            console.info(TPLS.remote.next_steps);
+            process.exit(0);
+          }, 0.5 * 1000);
+          return;
+        }
+        // end workaround
+
+        parseCli(state);
+      });
+    }
+  });
+}
+
+function parseCli(/*state*/) {
+  var special = [
+    'false', 'none', 'off', 'disable'
+  , 'true', 'auto', 'on', 'enable'
+  ];
+  if (-1 !== argv.indexOf('init')) {
+    utils.putConfig('list', []/*, function (err) {
+    }*/);
+    return;
+  }
+
+  if ([ 'ssh', 'http', 'tcp' ].some(function (key) {
+    if (key !== argv[0]) {
+      return false;
+    }
+    if (argv[1]) {
+      if (String(argv[1]) === String(parseInt(argv[1], 10))) {
+        // looks like a port
+        argv[1] = parseInt(argv[1], 10);
+      } else if (/\/|\\/.test(argv[1])) {
+        // looks like a path
+        argv[1] = path.resolve(argv[1]);
+        // TODO make a default assignment here
+      } else if (-1 === special.indexOf(argv[1])) {
+        console.error("Not sure what you meant by '" + argv[1] + "'.");
+        console.error("Remember: paths should begin with ." + path.sep + ", like '." + path.sep + argv[1] + "'");
+        return true;
+      }
+      utils.putConfig(argv[0], argv.slice(1));
+      return true;
+    }
+    return true;
+  })) {
+    return;
+  }
+
+  if ([ 'status', 'enable', 'disable', 'restart', 'list', 'save' ].some(makeRpc)) {
+    return;
+  }
+
+  help();
+  process.exit(11);
+}
+
+function handleConfig(err, config) {
+  //console.log('CONFIG');
+  //console.log(config);
+  state.config = config;
+  var verstrd = [ pkg.name + ' daemon v' + state.config.version ];
+  if (state.config.version && state.config.version !== pkg.version) {
+    console.info(verstr.join(' '), verstrd.join(' '));
+  } else {
+    console.info(verstr.join(' '));
+  }
+
+  if (err) { console.error(err); process.exit(101); return; }
+
+  //
+  // check for init first, before anything else
+  // because it has arguments that may help in
+  // the next steps
+  //
+  if (-1 !== argv.indexOf('init')) {
+    parsers.init(argv, getToken);
+    return;
+  }
+
+  if (!state.config.relay || !state.config.token) {
+    if (!state.config.relay) {
+      state.config.relay = 'telebit.cloud';
+    }
+
+    //console.log("question the user?", Date.now());
+    askForConfig(state, function (err, state) {
+      // no errors actually get passed, so this is just future-proofing
+      if (err) { throw err; }
+
+      if (!state.config.token && state._can_pair) {
+        state.config._otp = common.otp();
+      }
+
+      //console.log("done questioning:", Date.now());
+      if (!state.token && !state.config.token) {
+        getToken(err, state);
+      } else {
+        parseCli(state);
+      }
+    });
+    return;
+  }
+
+  //console.log("no questioning:");
+  parseCli(state);
+}
+
+function parseConfig(err, text) {
+  try {
+    state._clientConfig = JSON.parse(text || '{}');
+  } catch(e1) {
+    try {
+      state._clientConfig = YAML.safeLoad(text || '{}');
+    } catch(e2) {
+      try {
+        state._clientConfig = TOML.parse(text || '');
+      } catch(e3) {
+        console.error(e1.message);
+        console.error(e2.message);
+        process.exit(1);
+        return;
+      }
+    }
+  }
+
+  state._clientConfig = camelCopy(state._clientConfig || {}) || {};
+  common._init(
+    // make a default working dir and log dir
+    state._clientConfig.root || path.join(os.homedir(), '.local/share/telebit')
+  , (state._clientConfig.root && path.join(state._clientConfig.root, 'etc'))
+      || path.resolve(common.DEFAULT_CONFIG_PATH, '..')
+  );
+  state._ipc = common.pipename(state._clientConfig, true);
+
+  if (!Object.keys(state._clientConfig).length) {
+    console.info('(' + state._ipc.comment + ": " + state._ipc.path + ')');
+    console.info("");
+  }
+
+  if ((err && 'ENOENT' === err.code) || !Object.keys(state._clientConfig).length) {
+    if (!err || 'ENOENT' === err.code) {
+      //console.warn("Empty config file. Run 'telebit init' to configure.\n");
+    } else {
+      console.warn("Couldn't load config:\n\n\t" + err.message + "\n");
+    }
+  }
+
+  utils.request({ service: 'config' }, handleConfig);
+}
+
+var parsers = {
+  init: function (argv, parseCb) {
+    var answers = {};
+    var boolish = [ '--advanced' ];
+    if ('init' !== argv[0]) {
+      throw new Error("init must be the first argument");
+    }
+    argv.shift();
+
+    // init --foo bar
+    argv.forEach(function (arg, i) {
+      if (!/^--/.test(arg)) { return; }
+      if (-1 !== boolish.indexOf(arg)) {
+        answers['_' + arg.replace(/^--/, '')] = true;
+      }
+      if (/^-/.test(argv[i + 1])) {
+        throw new Error(argv[i + 1] + ' requires an argument');
+      }
+      answers[arg] = argv[i + 1];
+    });
+
+    // init foo:bar
+    argv.forEach(function (arg) {
+      if (/^--/.test(arg)) { return; }
+      var parts = arg.split(/:/g);
+      if (2 !== parts.length) {
+        throw new Error("bad option to init: '" + arg + "'");
+      }
+      if (answers[parts[0]]) {
+        throw new Error("duplicate key to init '" + parts[0] + "'");
+      }
+      answers[parts[0]] = parts[1];
+    });
+
+    if (answers.relay) {
+      console.info("using --relay " + answers.relay);
+    }
+    // things that aren't straight-forward copy-over
+    if (!answers.advanced && !answers.relay) {
+      answers.relay = 'telebit.cloud';
+    }
+    if (Array.isArray(common._NOTIFICATIONS[answers.update])) {
+      common._NOTIFICATIONS[answers.update].forEach(function (name) {
+        state.config[name] = true;
+      });
+    }
+    if (answers.servernames) {
+      state.config._servernames = answers.servernames;
+    }
+    if (answers.ports) {
+      state.config._ports = answers.ports;
+    }
+
+    // things that are straight-forward copy-over
+    common.CONFIG_KEYS.forEach(function (key) {
+      if ('true' === answers[key]) { answers[key] = true; }
+      if ('false' === answers[key]) { answers[key] = false; }
+      if ('null' === answers[key]) { answers[key] = null; }
+      if ('undefined' === answers[key]) { delete answers[key]; }
+      if ('undefined' !== typeof answers[key]) {
+        state.config[key] = answers[key];
+      }
+    });
+
+    askForConfig(state, function (err, state) {
+      if (err) { parseCb(err); return; }
+
+      if (!state.config.token && state._can_pair) {
+        state.config._otp = common.otp();
+      }
+
+      argv.unshift('init');
+      parseCb(null, state);
+    });
+  }
+};
+
+fs.readFile(confpath, 'utf8', parseConfig);
+
+}());

bin/telebit.js

@@ -2,702 +2,35 @@
 (function () {
 'use strict';
 
-var pkg = require('../package.json');
-console.info(pkg.name, pkg.version);
-
-var url = require('url');
-var path = require('path');
-var http = require('http');
-var state = { servernames: {}, ports: {} };
-
-var argv = process.argv.slice(2);
-
-var confIndex = argv.indexOf('--config');
-var confpath;
-var confargs;
-if (-1 === confIndex) {
-  confIndex = argv.indexOf('-c');
-}
-if (-1 !== confIndex) {
-  confargs = argv.splice(confIndex, 2);
-  confpath = confargs[1];
-}
-
-function help() {
-  console.info('');
-  console.info('Telebit Remote v' + pkg.version);
-  console.info('');
-  console.info('Daemon Usage:');
-  console.info('');
-  console.info('\tsudo telebit daemon --config <path>');
-  console.info('\tex: sudo telebit daemon --config /opt/telebit/etc/telebit.yml');
-  console.info('');
-  console.info('Remote Usage:');
-  console.info('');
-  console.info('\ttelebit [--config <path>] <module> <module-option>');
-  console.info('');
-  console.info('Examples:');
-  console.info('');
-  console.info('\ttelebit status                          # whether enabled or disabled');
-  console.info('\ttelebit enable                          # disallow incoming connections');
-  console.info('\ttelebit disable                         # allow incoming connections');
-  console.info('');
-  console.info('\ttelebit list                            # list rules for servernames and ports');
-  console.info('');
-  console.info('\ttelebit http none                       # remove all https handlers');
-  console.info('\ttelebit http 3000                       # forward all https traffic to port 3000');
-  console.info('\ttelebit http /module/path               # load a node module to handle all https traffic');
-  console.info('');
-  console.info('\ttelebit http none example.com           # remove https handler from example.com');
-  console.info('\ttelebit http 3001 example.com           # forward https traffic for example.com to port 3001');
-  console.info('\ttelebit http /module/path example.com   # forward https traffic for example.com to port 3001');
-  console.info('');
-  console.info('\ttelebit tcp none                        # remove all tcp handlers');
-  console.info('\ttelebit tcp 5050                        # forward all tcp to port 5050');
-  console.info('\ttelebit tcp /module/path                # handle all tcp with a node module');
-  console.info('');
-  console.info('\ttelebit tcp none 6565                   # remove tcp handler from external port 6565');
-  console.info('\ttelebit tcp 5050 6565                   # forward external port 6565 to local 5050');
-  console.info('\ttelebit tcp /module/path 6565           # handle external port 6565 with a node module');
-  console.info('');
-  console.info('Config:');
-  console.info('');
-  console.info('\tSee https://git.coolaj86.com/coolaj86/telebit.js');
-  console.info('');
-  console.info('');
-  process.exit(0);
-}
-
-if (-1 === confIndex) {
-  confpath = path.join(require('os').homedir(), '.config/telebit/telebit.yml');
-  console.info('Using default --config "' + confpath + '"');
-}
-
-if (-1 !== argv.indexOf('-h') || -1 !== argv.indexOf('--help')) {
-  help();
-}
-if (!confpath || /^--/.test(confpath)) {
-  help();
-}
-var defaultSockname = '/opt/telebit/var/telebit.sock';
-var tokenfile = 'access_token.txt';
-var tokenpath = path.join(path.dirname(confpath), tokenfile);
-var token;
-try {
-  token = require('fs').readFileSync(tokenpath, 'ascii').trim();
-} catch(e) {
-  // ignore
-}
-var controlServer;
-require('fs').readFile(confpath, 'utf8', function (err, text) {
-  var config;
-
-  var recase = require('recase').create({});
-  var camelCopy = recase.camelCopy.bind(recase);
-  var snakeCopy = recase.snakeCopy.bind(recase);
-
-  if (err) {
-    console.error("\nCouldn't load config:\n\n\t" + err.message + "\n");
-    process.exit(1);
-    return;
-  }
-
-  try {
-    config = JSON.parse(text);
-  } catch(e1) {
-    try {
-      config = require('js-yaml').safeLoad(text);
-    } catch(e2) {
-      console.error(e1.message);
-      console.error(e2.message);
-      process.exit(1);
-      return;
-    }
-  }
-
-  state._confpath = confpath;
-  state.config = camelCopy(config);
-  if (state.config.token && token) {
-    console.warn();
-    console.warn("Found two tokens:");
-    console.warn();
-    console.warn("\t1. " + tokenpath);
-    console.warn("\n2. " + confpath);
-    console.warn();
-    console.warn("Choosing the first.");
-    console.warn();
-  }
-  state.token = token;
-
-  if (!state.config.servernames) {
-    state.config.servernames = {};
-  }
-  if (!state.config.ports) {
-    state.config.ports = {};
-  }
-  state.servernames = JSON.parse(JSON.stringify(state.config.servernames));
-  state.ports = JSON.parse(JSON.stringify(state.config.ports));
-
-  function putConfig(service, args) {
-    var http = require('http');
-    var req = http.get({
-      socketPath: state.config.sock || defaultSockname
-    , method: 'POST'
-    , path: '/rpc/' + service + '?_body=' + JSON.stringify(args)
-    }, function (resp) {
-
-      function finish() {
-        if (200 !== resp.statusCode) {
-          console.warn("'" + service + "' may have failed."
-           + " Consider peaking at the logs either with 'journalctl -xeu telebit' or /opt/telebit/var/log/error.log");
-        } else {
-          if (body) {
-            console.info('Response');
-            console.info(body);
-          } else {
-            console.info("👌");
-          }
-        }
-      }
-
-      var body = '';
-      if (resp.headers['content-length']) {
-        resp.on('data', function (chunk) {
-          body += chunk.toString();
-        });
-        resp.on('end', function () {
-          finish();
-        });
-      } else {
-        finish();
-      }
-    });
-    req.on('error', function (err) {
-      console.error('Error');
-      console.error(err);
-      return;
-    });
-  }
-
-  var tun;
-  function serveControls() {
-    if (!state.config.disable) {
-      tun = rawTunnel();
-    }
-    controlServer = http.createServer(function (req, res) {
-      var opts = url.parse(req.url, true);
-      if (opts.query._body) {
-        try {
-          opts.body = JSON.parse(opts.query._body, true);
-        } catch(e) {
-          res.statusCode = 500;
-          res.end('{"error":{"message":"?_body={{bad_format}}"}}');
-          return;
-        }
-      }
-
-      if (/enable/.test(opts.path)) {
-        delete state.config.disable;// = undefined;
-        if (!tun) { tun = rawTunnel(); }
-        fs.writeFile(confpath, require('js-yaml').safeDump(snakeCopy(state.config)), function () {
-          if (err) {
-            res.statusCode = 500;
-            res.end('{"error":{"message":"Could not save config file. Perhaps you\'re not running as root?"}}');
-            return;
-          }
-          res.end('{"success":true}');
-        });
-        return;
-      }
-
-      if (/disable/.test(opts.path)) {
-        state.config.disable = true;
-        if (tun) { tun.end(); tun = null; }
-        fs.writeFile(confpath, require('js-yaml').safeDump(snakeCopy(state.config)), function () {
-          if (err) {
-            res.statusCode = 500;
-            res.end('{"error":{"message":"Could not save config file. Perhaps you\'re not running as root?"}}');
-            return;
-          }
-          res.end('{"success":true}');
-        });
-        return;
-      }
-
-      if (/status/.test(opts.path)) {
-        res.end('{"status":' + (state.config.disable ? 'disabled' : 'enabled') + '}');
-        return;
-      }
-
-      if (/restart/.test(opts.path)) {
-        tun.end();
-        res.end('{"success":true}');
-        controlServer.close(function () {
-          // TODO closeAll other things
-          process.nextTick(function () {
-            // system daemon will restart the process
-            process.exit();
-          });
-        });
-        return;
-      }
-
-      if (/list/.test(opts.path)) {
-        res.end(JSON.stringify({
-          servernames: state.servernames
-        , ports: state.ports
-        }));
-        return;
-      }
-
-      if (/http/.test(opts.path)) {
-        if (!opts.body) {
-          res.statusCode = 422;
-          res.end('{"error":{"message":"needs more arguments"}}');
-          return;
-        }
-        if (opts.body[1]) {
-          if (!state.servernames[opts.body[1]]) {
-            res.statusCode = 400;
-            res.end('{"error":{"message":"bad servername \'' + opts.body[1] + '\'"');
-            return;
-          }
-          state.servernames[opts.body[1]].handler = opts.body[0];
-        } else {
-          Object.keys(state.servernames).forEach(function (key) {
-            state.servernames[key].handler = opts.body[0];
-          });
-        }
-        res.end('{"success":true}');
-        return;
-      }
-
-      if (/tcp/.test(opts.path)) {
-        if (!opts.body) {
-          res.statusCode = 422;
-          res.end('{"error":{"message":"needs more arguments"}}');
-          return;
-        }
-
-        // portnum
-        if (opts.body[1]) {
-          if (!state.ports[opts.body[1]]) {
-            res.statusCode = 400;
-            res.end('{"error":{"message":"bad servername \'' + opts.body[1] + '\'"');
-            return;
-          }
-          // forward-to port-or-module
-          state.ports[opts.body[1]].handler = opts.body[0];
-        } else {
-          Object.keys(state.ports).forEach(function (key) {
-            state.ports[key].handler = opts.body[0];
-          });
-        }
-        res.end('{"success":true}');
-        return;
-      }
-
-      res.end('{"error":{"message":"unrecognized rpc"}}');
-    });
-    var pipename = (state.config.sock || defaultSockname);
-    var fs = require('fs');
-    if (fs.existsSync(pipename)) {
-      fs.unlinkSync(pipename);
-    }
-    if (/^win/i.test(require('os').platform())) {
-      pipename = '\\\\?\\pipe' + pipename.replace(/\//, '\\');
-    }
-    // mask is so that processes owned by other users
-    // can speak to this process, which is probably root-owned
-    var oldUmask = process.umask(0x0000);
-    controlServer.listen({
-      path: pipename
-    , writableAll: true
-    , readableAll: true
-    , exclusive: false
-    }, function () {
-      process.umask(oldUmask);
-    });
-  }
-
-  // Two styles:
-  //     http 3000
-  //     http modulename
-  function makeRpc(key) {
-    var cmdIndex = argv.indexOf(key);
-    if (-1 !== cmdIndex) {
-      putConfig(argv[cmdIndex], argv.slice(1));
-      return true;
-    }
-  }
-
-  if ([ 'status', 'enable', 'disable', 'restart', 'list' ].some(makeRpc)) {
-    return;
-  }
-  if ([ 'http', 'tcp' ].some(function (key) {
-    var cmdIndex = argv.indexOf(key);
-    if (-1 !== cmdIndex && argv[cmdIndex + 1]) {
-      putConfig(argv[cmdIndex], argv.slice(1));
-      return true;
-    }
-  })) {
-    return true;
-  }
-
-  if (-1 !== argv.indexOf('daemon')) {
-    serveControls();
-    return;
-  }
-
-  help();
-});
-
-function connectTunnel() {
-  function sigHandler() {
-    console.info('Received kill signal. Attempting to exit cleanly...');
-
-    // We want to handle cleanup properly unless something is broken in our cleanup process
-    // that prevents us from exitting, in which case we want the user to be able to send
-    // the signal again and exit the way it normally would.
-    process.removeListener('SIGINT', sigHandler);
-    tun.end();
-    controlServer.close();
-  }
-  process.on('SIGINT', sigHandler);
-  state.net = state.net || {
-    createConnection: function (info, cb) {
-      // data is the hello packet / first chunk
-      // info = { data, servername, port, host, remoteFamily, remoteAddress, remotePort }
-      var net = require('net');
-      // socket = { write, push, end, events: [ 'readable', 'data', 'error', 'end' ] };
-      var socket = net.createConnection({ port: info.port, host: info.host }, cb);
-      return socket;
-    }
-  };
-
-  state.greenlock = state.config.greenlock || {};
-  state.sortingHat = state.config.sortingHat || path.resolve(__dirname, '..', 'lib/sorting-hat.js');
-
-  // TODO sortingHat.print(); ?
-
-  if (state.config.email && !state.token) {
-    console.info();
-    console.info('==================================');
-    console.info('=          HEY! LISTEN!          =');
-    console.info('==================================');
-    console.info('=                                =');
-    console.info('= 1. Open your email             =');
-    console.info('= 2. Click the magic login link  =');
-    console.info('= 3. Check back here for deets   =');
-    console.info('=                                =');
-    console.info('==================================');
-    console.info();
-  }
-  // TODO Check undefined vs false for greenlock config
-  var remote = require('../');
-  state.handlers = {
-    grant: function (grants) {
-      console.info("");
-      console.info("Connect to your device by any of the following means:");
-      console.info("");
-      grants.forEach(function (arr) {
-        if ('https' === arr[0]) {
-          if (!state.servernames[arr[1]]) {
-            state.servernames[arr[1]] = {};
-          }
-        } else if ('tcp' === arr[0]) {
-          if (!state.ports[arr[2]]) {
-            state.ports[arr[2]] = {};
-          }
-        }
-
-        if ('ssh+https' === arr[0]) {
-          console.info("SSH+HTTPS");
-        } else if ('ssh' === arr[0]) {
-          console.info("SSH");
-        } else if ('tcp' === arr[0]) {
-          console.info("TCP");
-        } else if ('https' === arr[0]) {
-          console.info("HTTPS");
-        }
-        console.info('\t' + arr[0] + '://' + arr[1] + (arr[2] ? (':' + arr[2]) : ''));
-        if ('ssh+https' === arr[0]) {
-          console.info("\tex: ssh -o ProxyCommand='openssl s_client -connect %h:%p -quiet' " + arr[1] + " -p 443\n");
-        } else if ('ssh' === arr[0]) {
-          console.info("\tex: ssh " + arr[1] + " -p " + arr[2] + "\n");
-        } else if ('tcp' === arr[0]) {
-          console.info("\tex: netcat " + arr[1] + " " + arr[2] + "\n");
-        } else if ('https' === arr[0]) {
-          console.info("\tex: curl https://" + arr[1] + "\n");
-        }
-      });
-    }
-  , access_token: function (opts) {
-      console.info("Updating '" + tokenpath + "' with new token:");
-      try {
-        require('fs').writeFileSync(tokenpath, opts.jwt);
-      } catch (e) {
-        console.error("Token not saved:");
-        console.error(e);
-      }
-    }
-  };
-  state.greenlockConfig = {
-    version: state.greenlock.version || 'draft-11'
-  , server: state.greenlock.server || 'https://acme-v02.api.letsencrypt.org/directory'
-  , communityMember: state.greenlock.communityMember || state.config.communityMember
-  , telemetry: state.greenlock.telemetry || state.config.telemetry
-  , configDir: state.greenlock.configDir || path.resolve(__dirname, '..', '/etc/acme/')
-  // TODO, store: require(state.greenlock.store.name || 'le-store-certbot').create(state.greenlock.store.options || {})
-  , approveDomains: function (opts, certs, cb) {
-      // Certs being renewed are listed in certs.altnames
-      if (certs) {
-        opts.domains = certs.altnames;
-        cb(null, { options: opts, certs: certs });
-        return;
-      }
-
-      // by virtue of the fact that it's being tunneled through a
-      // trusted source that is already checking, we're good
-      //if (-1 !== state.config.servernames.indexOf(opts.domains[0])) {
-        opts.email = state.greenlock.email || state.config.email;
-        opts.agreeTos = state.greenlock.agree || state.config.agreeTos;
-        cb(null, { options: opts, certs: certs });
-        return;
-      //}
-
-      //cb(new Error("servername not found in allowed list"));
-    }
-  };
-  state.insecure = state.config.relay_ignore_invalid_certificates;
-  // { relay, config, servernames, ports, sortingHat, net, insecure, token, handlers, greenlockConfig }
-
-  var tun = remote.connect({
-    relay: state.relay
-  , config: state.config
-  , sortingHat: state.sortingHat
-  , net: state.net
-  , insecure: state.insecure
-  , token: state.token
-  , servernames: state.servernames
-  , ports: state.ports
-  , handlers: state.handlers
-  , greenlockConfig: state.greenlockConfig
-  });
-
-  return tun;
-}
-
-function rawTunnel() {
-  state.relay = state.config.relay;
-  if (!state.relay) {
-    throw new Error("'" + state._confpath + "' is missing 'relay'");
-  }
-
-  /*
-  if (!(state.config.secret || state.config.token)) {
-    console.error("You must use --secret or --token with --relay");
-    process.exit(1);
-    return;
-  }
-  */
-
-  var location = url.parse(state.relay);
-  if (!location.protocol || /\./.test(location.protocol)) {
-    state.relay = 'wss://' + state.relay;
-    location = url.parse(state.relay);
-  }
-  var aud = location.hostname + (location.port ? ':' + location.port : '');
-  state.relay = location.protocol + '//' + aud;
-
-  if (!state.config.token && state.config.secret) {
-    var jwt = require('jsonwebtoken');
-    var tokenData = {
-      domains: Object.keys(state.config.servernames || {}).filter(function (name) { return /\./.test(name); })
-    , aud: aud
-    , iss: Math.round(Date.now() / 1000)
-    };
-
-    state.token = jwt.sign(tokenData, state.config.secret);
-  }
-  state.token = state.token || state.config.token;
-
-  // TODO sign token with own private key, including public key and thumbprint
-  //      (much like ACME JOSE account)
-
-  return connectTunnel();
-}
-
-/*
-var domainsMap = {};
-var services = {};
-
-function collectDomains(val, memo) {
-  var vals = val.split(/,/g);
-
-  function parseProxy(location) {
-    // john.example.com
-    // http:john.example.com:3000
-    // http://john.example.com:3000
-    var parts = location.split(':');
-    if (1 === parts.length) {
-      // john.example.com -> :john.example.com:0
-      parts[1] = parts[0];
-
-      parts[0] = '';
-      parts[2] = 0;
-    }
-    else if (2 === parts.length) {
-      throw new Error("invalid arguments for --domains, should use the format <domainname> or <scheme>:<domainname>:<local-port>");
-    }
-    if (!parts[1]) {
-      throw new Error("invalid arguments for --domains, should use the format <domainname> or <scheme>:<domainname>:<local-port>");
-    }
-
-    parts[0] = parts[0].toLowerCase();
-    parts[1] = parts[1].toLowerCase().replace(/(\/\/)?/, '');
-    parts[2] = parseInt(parts[2], 10) || 0;
-
-    memo.push({
-      protocol: parts[0]
-    , hostname: parts[1]
-    , port: parts[2]
-    });
-  }
-
-  vals.map(function (val) {
-    return parseProxy(val);
-  });
-
-  return memo;
-}
-function collectProxies(val, memo) {
-  var vals = val.split(/,/g);
-
-  function parseProxy(location) {
-    // john.example.com
-    // https:3443
-    // http:john.example.com:3000
-    // http://john.example.com:3000
-    var parts = location.split(':');
-    var dual = false;
-    if (1 === parts.length) {
-      // john.example.com -> :john.example.com:0
-      parts[1] = parts[0];
-
-      parts[0] = '';
-      parts[2] = 0;
-
-      dual = true;
-    }
-    else if (2 === parts.length) {
-      // https:3443 -> https:*:3443
-      parts[2] = parts[1];
-
-      parts[1] = '*';
-    }
-
-    parts[0] = parts[0].toLowerCase();
-    parts[1] = parts[1].toLowerCase().replace(/(\/\/)?/, '') || '*';
-    parts[2] = parseInt(parts[2], 10) || 0;
-    if (!parts[2]) {
-      // TODO grab OS list of standard ports?
-      if (!parts[0] || 'http' === parts[0]) {
-        parts[2] = 80;
-      }
-      else if ('https' === parts[0]) {
-        parts[2] = 443;
-      }
-      else {
-        throw new Error("port must be specified - ex: tls:*:1337");
-      }
-    }
-
-    memo.push({
-      protocol: parts[0] || 'https'
-    , hostname: parts[1]
-    , port: parts[2] || 443
-    });
-
-    if (dual) {
-      memo.push({
-        protocol: 'http'
-      , hostname: parts[1]
-      , port: 80
-      });
-    }
-  }
-
-  vals.map(function (val) {
-    return parseProxy(val);
-  });
-
-  return memo;
-}
-
-var program = require('commander');
-program
-  .version(pkg.version)
-  //.command('jsurl <url>')
-  .arguments('<url>')
-  .action(function (url) {
-    program.url = url;
-  })
-  .option('-k --insecure', 'Allow TLS connections to a Telebit Relay without valid certs (rejectUnauthorized: false)')
-  .option('--locals <LIST>', 'comma separated list of <proto>:<port> to which matching incoming http and https should forward (reverse proxy). Ex: https:8443,smtps:8465', collectProxies, [ ]) // --reverse-proxies
-  .option('--domains <LIST>', 'comma separated list of domain names to set to the tunnel (to capture a specific protocol to a specific local port use the format https:example.com:1337 instead). Ex: example.com,example.net', collectDomains, [ ])
-  .option('--device [HOSTNAME]', 'Tunnel all domains associated with this device instead of specific domainnames. Use with --locals <proto>:<port>. Ex: macbook-pro.local (the output of `hostname`)')
-  .option('--relay <URL>', 'the domain (or ip address) at which you are running Telebit Relay (the proxy)') // --proxy
-  .option('--secret <STRING>', 'the same secret used by the Telebit Relay (used for JWT authentication)')
-  .option('--token <STRING>', 'a pre-generated token for use with the Telebit Relay (instead of generating one with --secret)')
-  .option('--agree-tos', 'agree to the Telebit Terms of Service (requires user validation)')
-  .option('--email <EMAIL>', 'email address (or cloud address) for user validation')
-  .option('--oauth3-url <URL>', 'Cloud Authentication to use (default: https://oauth3.org)')
-  .parse(process.argv)
-  ;
-
-
-program.locals = (program.locals || []).concat(program.domains || []);
-program.locals.forEach(function (proxy) {
-  // Create a map from which we can derive a list of all domains we want forwarded to us.
-  if (proxy.hostname && proxy.hostname !== '*') {
-    domainsMap[proxy.hostname] = true;
-  }
-
-  // Create a map of which port different protocols should be forwarded to, allowing for specific
-  // domains to go to different ports if need be (though that only works for HTTP and HTTPS).
-  if (proxy.protocol && proxy.port) {
-    services[proxy.protocol] = services[proxy.protocol] || {};
-
-    if (/http/.test(proxy.protocol) && proxy.hostname && proxy.hostname !== '*') {
-      services[proxy.protocol][proxy.hostname] = proxy.port;
-    }
-    else {
-      if (services[proxy.protocol]['*'] && services[proxy.protocol]['*'] !== proxy.port) {
-        console.error('cannot forward generic', proxy.protocol, 'traffic to multiple ports');
-        process.exit(1);
-      }
-      else {
-        services[proxy.protocol]['*'] = proxy.port;
-      }
-    }
-  }
-});
-
-if (Object.keys(domainsMap).length === 0) {
-  console.error('no domains specified');
-  process.exit(1);
+//
+// node telebit daemon arg1 arg2
+//
+if ('daemon' === process.argv[2]) {
+  require('./telebitd.js');
   return;
 }
 
-// Make sure we have generic ports for HTTP and HTTPS
-services.https = services.https || {};
-services.https['*'] = services.https['*'] || 8443;
+//
+// sclient proxies
+//
+if ('sclient' === process.argv[2]) {
+  process.argv.splice(1,1);
+  return;
+}
+if ('rsync' === process.argv[2]) {
+  require('sclient/bin/sclient.js');
+  return;
+}
+if ('ssh' === process.argv[2] && /[\w-]+\.[a-z]{2,}/i.test(process.argv[3])) {
+  process.argv.splice(1,1,'sclient');
+  process.argv.splice(2,1,'ssh');
+  require('sclient/bin/sclient.js');
+  return;
+}
 
-services.http = services.http || {};
-services.http['*'] = services.http['*'] || services.https['*'];
-
-program.services = services;
-*/
+//
+// telebit remote
+//
+require('./telebit-remote.js');
 
 }());

examples/telebit.full.yml

@@ -2,8 +2,8 @@ email: 'jon@example.com'        # must be valid (for certificate recovery and se
 agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
 community_member: true          # receive infrequent relevant updates
 telemetry: true                 # contribute to project telemetric data
-relay: wss://telebit.cloud      # Which Telebit Relay to use
-secret: ''                      # Shared Secret with Telebit Relay for authorization
+relay: telebit.cloud            # Which Telebit Relay to use
+#secret: ''                      # Shared Secret with Telebit Relay for authorization
 #token: ''                       # Token created by Telebit Relay for authorization
 ssh_auto: 22                    # forward ssh-looking packets, from any connection, to port 22
 servernames:                    # hostnames that direct to the Telebit Relay admin console

examples/telebit.minimal.yml

@@ -0,0 +1,7 @@
+email: 'jon@example.com'        # must be valid (for certificate recovery and security alerts)
+agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
+community_member: true          # receive infrequent relevant updates
+telemetry: true                 # contribute to project telemetric data
+relay: telebit.cloud            # Which Telebit Relay to use
+#secret: ''                      # Shared Secret with Telebit Relay for authorization
+#token: ''                       # Token created by Telebit Relay for authorization

lib/cli-common.js

@@ -0,0 +1,310 @@
+'use strict';
+
+module.exports.debug = (-1 !== (process.env.NODE_DEBUG||'').split(/\s+/g).indexOf('telebit'));
+var common = module.exports;
+
+var path = require('path');
+var url = require('url');
+var fs = require('fs');
+var mkdirp = require('mkdirp');
+var os = require('os');
+var homedir = os.homedir();
+var urequest = require('@coolaj86/urequest');
+
+common._NOTIFICATIONS = {
+  'newsletter': [ 'newsletter', 'communityMember' ]
+, 'important': [ 'communityMember' ]
+};
+common.CONFIG_KEYS = [
+  'newsletter'
+, 'communityMember'
+, 'telemetry'
+, 'sshAuto'
+, 'email'
+, 'agreeTos'
+, 'relay'
+, 'token'
+, 'pretoken'
+, 'secret'
+];
+//, '_servernames' // list instead of object
+//, '_ports'       // list instead of object
+//, '_otp'         // otp should not be saved
+//, '_token'       // temporary token
+
+common.getPort = function (config, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  if (cb) {
+    return fs.readFile(portfile, 'utf8', function (err, text) {
+      cb(err, parseInt((text||'').trim(), 10) || null);
+    });
+  } else {
+    try {
+      return parseInt(fs.readFileSync(portfile, 'utf8').trim(), 10) || null;
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.setPort = function (config, num, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  var numstr = (num || '').toString();
+  if (cb) {
+    return fs.writeFile(portfile, numstr, 'utf8', function (err) {
+      cb(err);
+    });
+  } else {
+    try {
+      return fs.writeFileSync(portfile, numstr, 'utf8');
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.removePort = function (config, cb) {
+  var portfile = path.resolve(config.sock || common.DEFAULT_SOCK_PATH, '..', 'telebit.port');
+  if (cb) {
+    return fs.unlink(portfile, function (err, text) {
+      cb(err, (text||'').trim());
+    });
+  } else {
+    try {
+      return fs.unlinkSync(portfile);
+    } catch(e) {
+      return null;
+    }
+  }
+};
+common.pipename = function (config) {
+  var _ipc = {
+    path: (config.sock || common.DEFAULT_SOCK_PATH)
+  , comment: (/^win/i.test(os.platform()) ? 'windows pipe' : 'unix socket')
+  , type: (/^win/i.test(os.platform()) ? 'pipe' : 'socket')
+  };
+  if ('pipe' === _ipc.type) {
+    // https://docs.microsoft.com/en-us/windows/desktop/ipc/pipe-names
+    // Allows all characters accept backslash as part of the name
+    _ipc.path = '\\\\.\\pipe\\' + _ipc.path.replace(/\\/g, '/');
+  }
+  return _ipc;
+};
+common.DEFAULT_SOCK_PATH = path.join(homedir, '.local/share/telebit/var/run', 'telebit.sock');
+common.DEFAULT_CONFIG_PATH = path.join(homedir, '.config/telebit', 'telebitd.yml');
+
+common.parseUrl = function (hostname) {
+  var location = url.parse(hostname);
+  if (!location.protocol || /\./.test(location.protocol)) {
+    hostname = 'https://' + hostname;
+    location = url.parse(hostname);
+  }
+  hostname = location.hostname + (location.port ? ':' + location.port : '');
+  hostname = location.protocol.replace(/https?/, 'https') + '//' + hostname + location.pathname;
+  return hostname;
+};
+common.parseHostname = function (hostname) {
+  var location = url.parse(hostname);
+  if (!location.protocol || /\./.test(location.protocol)) {
+    hostname = 'https://' + hostname;
+    location = url.parse(hostname);
+  }
+  //hostname = location.hostname + (location.port ? ':' + location.port : '');
+  //hostname = location.protocol.replace(/https?/, 'https') + '//' + hostname + location.pathname;
+  return location.hostname;
+};
+
+common.apiDirectory = '_apis/telebit.cloud/index.json';
+
+common.otp = function getOtp() {
+  return Math.round(Math.random() * 9999).toString().padStart(4, '0');
+};
+common.signToken = function (state) {
+  var jwt = require('jsonwebtoken');
+  var tokenData = {
+    domains: Object.keys(state.config.servernames || {}).filter(function (name) {
+      return /\./.test(name);
+    })
+  , ports: Object.keys(state.config.ports || {}).filter(function (port) {
+      port = parseInt(port, 10);
+      return port > 0 && port <= 65535;
+    })
+  , aud: state._relayUrl
+  , iss: Math.round(Date.now() / 1000)
+  };
+
+  return jwt.sign(tokenData, state.config.secret);
+};
+common.api = {};
+common.api.directory = function (state, next) {
+  state._relayUrl = common.parseUrl(state.relay);
+  urequest({ url: state._relayUrl + common.apiDirectory, json: true }, function (err, resp, dir) {
+    if (!dir) { dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } }; }
+    state._apiDirectory = dir;
+    next(err, dir);
+  });
+};
+common.api._parseWss = function (state, dir) {
+  if (!dir || !dir.api_host) {
+    dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } };
+  }
+  state._relayHostname = common.parseHostname(state.relay);
+  return dir.tunnel.method + '://' + dir.api_host.replace(/:hostname/g, state._relayHostname) + dir.tunnel.pathname;
+};
+common.api.wss = function (state, cb) {
+  common.api.directory(state, function (err, dir) {
+    cb(err, common.api._parseWss(state, dir));
+  });
+};
+common.api.token = function (state, handlers) {
+  common.api.directory(state, function (err, dir) {
+    // directory, requested, connect, tunnelUrl, offer, granted, end
+    function afterDir() {
+      if (common.debug) { console.log('[debug] after dir'); }
+      state.wss = common.api._parseWss(state, dir);
+
+      handlers.tunnelUrl(state.wss, function () {
+        if (common.debug) { console.log('[debug] after tunnelUrl'); }
+        if (state.config.secret /* && !state.config.token */) {
+          state.config._token = common.signToken(state);
+        }
+        state.token = state.token || state.config.token || state.config._token;
+        if (state.token) {
+          if (common.debug) { console.log('[debug] token via token or secret'); }
+          // { token, pretoken }
+          handlers.connect(state.token, function () {
+            handlers.end(null, function () {});
+          });
+          return;
+        }
+
+        // backwards compat (TODO remove)
+        if (err || !dir || !dir.pair_request) {
+          if (common.debug) { console.log('[debug] no dir, connect'); }
+          handlers.error(new Error("No token found or generated, and no pair_request api found."));
+          return;
+        }
+
+        // TODO sign token with own private key, including public key and thumbprint
+        //      (much like ACME JOSE account)
+        var otp = state.config._otp; // common.otp();
+        var authReq = {
+          subject: state.config.email
+        , subject_scheme: 'mailto'
+          // TODO create domains list earlier
+        , scope: (state.config._servernames || Object.keys(state.config.servernames || {}))
+            .concat(state.config._ports || Object.keys(state.config.ports || {})).join(',')
+        , otp: otp
+        , hostname: os.hostname()
+          // Used for User-Agent
+        , os_type: os.type()
+        , os_platform: os.platform()
+        , os_release: os.release()
+        , os_arch: os.arch()
+        };
+        var pairRequestUrl = url.resolve('https://' + dir.api_host.replace(/:hostname/g, state._relayHostname), dir.pair_request.pathname);
+        var req = {
+          url: pairRequestUrl
+        , method: dir.pair_request.method
+        , json: authReq
+        };
+        var firstReq = true;
+        var firstReady = true;
+
+        function gotoNext(req) {
+          if (common.debug) { console.log('[debug] gotoNext called'); }
+          if (common.debug) { console.log(req); }
+          urequest(req, function (err, resp, body) {
+            if (err) {
+              if (common.debug) { console.log('[debug] gotoNext error'); }
+              err._request = req;
+              err._hint = '[telebitd.js] pair request';
+              handlers.error(err, function () {});
+              return;
+            }
+
+            function checkLocation() {
+              if (common.debug) { console.log('[debug] checkLocation'); }
+              if (common.debug) { console.log(body); }
+              // pending, try again
+              if ('pending' === body.status && resp.headers.location) {
+                if (common.debug) { console.log('[debug] pending'); }
+                setTimeout(gotoNext, 2 * 1000, { url: resp.headers.location, json: true });
+                return;
+              }
+
+              if ('ready' === body.status) {
+                if (common.debug) { console.log('[debug] ready'); }
+                if (firstReady) {
+                  if (common.debug) { console.log('[debug] first ready'); }
+                  firstReady = false;
+                  state.token = body.access_token;
+                  state.config.token = state.token;
+                  handlers.offer(body.access_token, function () {
+                    /*ignore*/
+                  });
+                }
+                setTimeout(gotoNext, 2 * 1000, req);
+                return;
+              }
+
+              if ('complete' === body.status) {
+                if (common.debug) { console.log('[debug] complete'); }
+                handlers.granted(null, function () {
+                  handlers.end(null, function () {});
+                });
+                return;
+              }
+
+              if (common.debug) { console.log('[debug] bad status'); }
+              var err = new Error("Bad State:" + body.status);
+              err._request = req;
+              handlers.error(err, function () {});
+            }
+
+            if (firstReq) {
+              if (common.debug) { console.log('[debug] first req'); }
+              handlers.requested(authReq, function () {
+                handlers.connect(body.access_token || body.jwt, function () {
+                  var err;
+                  if (!resp.headers.location) {
+                    err = new Error("bad authentication request response");
+                    err._resp = resp.toJSON();
+                    handlers.error(err, function () {});
+                    return;
+                  }
+                  setTimeout(gotoNext, 2 * 1000, { url: resp.headers.location, json: true });
+                });
+              });
+              firstReq = false;
+              return;
+            } else {
+              if (common.debug) { console.log('[debug] other req'); }
+              checkLocation();
+            }
+          });
+        }
+
+        gotoNext(req);
+
+      });
+    }
+
+    if (dir && dir.api_host) {
+      handlers.directory(dir, afterDir);
+    } else {
+      // backwards compat
+      dir = { api_host: ':hostname', tunnel: { method: "wss", pathname: "" } };
+      afterDir();
+    }
+  });
+
+};
+
+common._init = function (rootpath, confpath) {
+  try {
+    mkdirp.sync(path.join(rootpath, 'var', 'log'));
+    mkdirp.sync(path.join(rootpath, 'var', 'run'));
+    mkdirp.sync(path.join(confpath));
+  } catch(e) {
+    console.error(e);
+  }
+};

lib/en-us.toml

@@ -0,0 +1,493 @@
+[help]
+
+remote = "telebit remote v{version}
+
+Telebit Remote is the T-Rex long-arm of the Internet. UNSTOPPABLE!
+
+Using reliable HTTPS tunneling to establishing peer-to-peer connections,
+Telebit is empowering the next generation of tinkerers. Access your devices.
+Share your stuff. Be UNSTOPPABLE! (Join us at https://rootprojects.org)
+
+Usage:
+
+        telebit [flags] <command> [arguments]
+        ex: telebit http ~/Public
+
+The flags are:
+
+        --config <path> specify config file (default is ~/.config/telebit/telebit.yml)
+        --json        output json instead of text, if available
+        -h,--help     display this menu (or sub-command menus)
+
+The commands are:
+
+        status        show status and configuration info
+
+        http          access files, folders, and local apps via https (secure)
+        ssh           enable remote access to this device with ssh-over-https
+        ssh (client)  access devices via ssh-over-https (telebit, stunnel, openssl, etc)
+        tcp           forward tcp locally
+
+        enable        turn on remote access and sharing
+        disable       turn off remote access and sharing
+
+        activate      start and register the telebit service
+        disable       stop and unregister the telebit service
+
+        config (doc)  config file format and settings
+        client (doc)  vpn, ftp, rsync, scp, ssh-proxy, sclient
+
+Use \"telebit help [command]\" for more information about a command, including flags.
+
+Additional help topics:
+
+        daemon        telebit daemon secure background service
+        relay         telebit secure relay, hosted, and self-hosting options
+
+Copyright 2015-2018 AJ ONeal https://telebit.cloud MPL-2.0 Licensed (RAWR!)"
+
+client = "telebit client v{version}
+
+        ftp           secure ftp file transfer between devices
+        rsync         rsync over https and proxy commands
+        scp           scp over https and proxy commands
+        sclient       use the sclient emebbed within telebit
+        ssh-proxy     ssh over https and proxy commands
+        vpn (client)  home network access and private web browsing via socks5
+
+Use \"telebit help [command]\" for more information about a command, including flags.
+
+Copyright 2015-2018 AJ ONeal https://telebit.cloud MPL-2.0 Licensed (RAWR!)"
+
+status = "usage: telebit status
+
+'telebit status' shows details about the current connections (or lack thereof).
+
+Example:
+
+        Status: RAWR! (uptime: 45 minutes)
+
+        Forwarding ssh+https://jon.telebit.io => localhost:22
+        Forwarding https://client.jon.telebit.io => localhost:3000
+        Serving https://public.jon.telebit.io from ~/Public
+        Syncing ~/shared => home.jon.telebit.io:shared
+
+        Relay: https://telebit.cloud
+        Launcher: user
+
+Additional help topics: enable, disable"
+
+enable = "Enable Telebit - Re-enable and accept incoming connections
+
+usage: telebit enable
+
+        enable                Re-enable incoming connections for https, ssh, etc"
+
+disable = "Disable Telebit - Reject https, ssh, and tcp connections
+
+usage: telebit disable
+
+        disable               (Temporarily) reject incoming connections for https,
+                              ssh, etc without deleting the current configuration.
+
+                              Perists on restart, but can be re-enabled remotely
+                              (with your authorization only)."
+
+activate = "Activate Telebit - Start telebit (if not running) and register a launcher
+
+Usage:
+
+        telebit activate [flags]
+        ex: telebit activate --launcher none
+
+The flags may be exactly one of:
+
+        --no-launcher uregister any launchers (start manually)
+        --user-launcher (default) register an unprivileged launcher (start on login)
+        --system-launcher register with the system launcher (start on boot)
+
+Note: telebit relies on the system launcher to recover from certain error conditions"
+
+deactivate = "Deactivate Telebit - Unregister userspace (or system) launcher and stop
+
+Usage:
+
+        telebit deactivate [flags]
+        ex: telebit deactivate --keep alive
+
+The flags are:
+
+        --keep-launcher stop telebit without unregistering the launcher
+        --keep-alive unregister launcher without stopping"
+
+http = "Telebit HTTP - The UNSTOPPABLE way to share files, folders, and local apps.
+
+usage: telebit http <path/port/none> [subdomain]
+
+        http <DIR> [subdomain]          serve a file, folder, or node express app
+        ex: telebit http ~/Public pub   ex: securely host ~/Public as pub.johndoe.telebit.io
+
+        http <PORT> [subdomain]         forward all https traffic to a local app
+        ex: telebit http 3000 app       ex: publicize localhost:3000 as app.johndoe.telebit.io
+
+        http none [subdomain]           remove secure http access for (any or all) subdomain(s)
+        ex: telebit http none           ex: remove all https access
+
+Use cases:
+
+        - Lazy man's AirDrop (works for lazy women too!)
+        - Testing dev sites on a phone
+        - Sharing indie music and movies with friends"
+
+ssh = "Telebit SSH - The UNSTOPPABLE way to remote into your devices.
+
+usage: telebit ssh <auto|port|none>
+
+All https traffic will be inspected to see if it looks like ssh Once enabled all traffic that looks
+
+        ssh auto                        Make ssh Just Work™ (on port 22)
+
+        ssh <port>                      forward ssh traffic to non-standard port
+        ex: telebit ssh 22              ex: explicitly forward ssh-looking packets to localhost:22
+
+        ssh none                        Disables ssh tunneling
+
+Telebit SSH Client
+
+usage: telebit ssh <remote> [ssh flags and options]
+
+This is just a shortcut for \"ssh\", with all ssh-over-https options turned on.
+
+        ssh <remote>                    Make ssh Just Work™ (over https)
+        ex: telebit ssh jon.telebit.io  ex:
+
+\"telebit help ssh-proxy\" for more info
+
+Use cases:
+
+        - Access your home computer from work.
+        - Access your work computer from home.
+        - Good ol' fashioned screen/tmux style pair programming"
+
+ssh-proxy = "Proxying SSH over HTTPS
+
+Wrapping SSH in HTTPS makes it accessible anywhere and also makes it routable.
+Whether inside a harsh network environment or even if hindered by a poorly
+configured firewall, once wrapped in tls, ssh becomes UNSTOPPABLE.
+
+Usage:
+        telebit ssh <remote> [ssh flags and options]
+
+Example:
+
+        telebit ssh jon.telebit.io
+
+It is NOT at all neccessary to use \"telebit ssh\", it's just a convenience.
+Wanna know why, and the alternatives? Keep reading!
+
+## History
+
+When TLS sends an encrypted packet over the network it begins with a handshake
+which shows the things like the tls version and the host SERVERNAME unencrypted
+so that the remote server can respond with the correct certificate.
+
+SSH was created well before TLS and has a completely different header. The good
+news is that, unlike some other early internet protocols, it does have a header
+with its name and version, but it doesn't have anything to identify the server.
+
+##  Telebit + SSH
+
+Here's why:
+
+When you're running ssh through an https tunnel (as telebit does) you
+can't just use \"ssh me.example.com\" to get in. You have to tell ssh that you
+want to use an https tunnel. Using \"telebit ssh\" as a client will specify
+all of the correct ssh options.
+
+However, when you want to connect to ssh over https, you either have to pass
+the correct arguments or modify your ~/.ssh/config to use \"openssl s_client\".
+
+We explain the different configurations below:
+
+## SSH + openssl
+
+The configuration that's most likely to work with what's already installed on
+your machine is this:
+
+        Host jon.telebit.io
+          ProxyCommand openssl s_client -quiet -connect %h:443 -servername %h
+
+Or you would call ssh directly, like this:
+
+        ssh jon.telebit.io -o ProxyCommand=\"openssl s_client -quiet -connect %h:443 -servername %h\"
+
+It's rather simple, but it looks quite daunting.
+
+## SSH + sclient
+
+Because that looks a little hairy, we created \"sclient\", so that the example
+could look a bit more digestible:
+
+        Host jon.telebit.io
+          ProxyCommand sclient %h
+
+Or
+
+        ssh jon.telebit.io -o ProxyCommand=\"sclient %h\"
+
+## Inverse SSH Tunnel (same as stunnel)
+
+The commands above instruct ssh to open a pipe into openssl or sclient. If we
+instead want to connect ssh to a local tunnel, it looks like this:
+
+        Host jon.telebit.io
+          Hostname localhost
+          Port 3000
+          HostKeyAlias jon.telebit.io
+          CheckHostIP no
+          RequestTTY force
+
+Or
+
+        ssh localhost -p 3000 -t -o CheckHostIP=no -o HostKeyAlias=jon.telebit.io
+
+## See also
+
+    telebit ftp
+    telebit vpn"
+
+tcp = "Telebit TCP - Seemless connectivity to LEGACY apps.
+Use 'telebit http' instead, where possible (including for ssh).
+
+usage: telebit tcp <path/port/none>
+
+        tcp <local> [remote]          forward tcp to <local> from <remote>
+        ex: telebit tcp 5050 6565     ex: forward tcp port 6565 locally to port 5050
+
+        tcp <path> [remote]           show ftp-style directory listing
+        ex: telebit tcp ~/Public      ex: show listing of ~/Public
+
+        tcp none [remote]             disable tcp access for [remote] port
+        ex: telebit tcp none 6565     ex: remove access to port 6565
+
+Use cases:
+
+        - Debugging plain TCP when troubleshooting a legacy app
+        - You can't install a secure client (like telebit, sclient, openssl, or stunnel)
+
+See also sclient <https://telebit.cloud/sclient> for connecting to legacy apps
+with telebit-upscaled secure https access."
+
+scp = "Telebit (Client) scp
+
+See \"telebit rsync\"."
+
+rsync = "Telebit (Client) rsync - Sync files to or from another computer
+
+Sync files and directories from one computer to another.
+
+Usage:
+
+        telebit rsync [flags] <src> <dst> [arguments]
+        ex: telebit rsync -av home.jon.telebit.cloud:shared/ ~/shared/ --exclude=tmp
+
+This is not a full implementation of rsync, but rather a convenience wrapper
+around rsync which passes the correct options to ssh for https tunneling.
+
+Due to the way telebit wraps rsync, all flags which take an argumnt must
+go after the source and destination paths / addresses.
+
+See also: telebit help ssh-proxy"
+
+vpn = "Telebit (Client) vpn - Use with Firefox for UNSTOPPABLE web browsing
+
+This provides a very easy-to-use, lightweight VPN known as Socks5 that can be
+used directly by Firefox and Chrome without requiring administrator privileges.
+
+Usage:
+
+        telebit vpn --socks5 <port> <remote>
+        ex: telebit vpn --socks5 6789 home.jon.telebit.io
+
+The flags are:
+
+        --socks5 <port> You MUST specify the socks5 port
+
+Firefox Configuration:
+
+        Firefox -> Preferences
+        Advanced -> Network
+        Connection -> Settings
+
+        Manual proxy configuration:
+
+        SOCKS Host: localhost
+        Port: 6789
+        SOCKS v5
+
+Just like a full vpn client, it routes your IP traffic places through the VPN
+server (which in this case is another one of your telebit devices), but only
+for traffic in the configured browser. You can still access school and office
+resources in the other browser (and other applications) the need to switch a
+full VPN on and off.
+
+As will all other telebit functionality, this use https tunneling and will not
+be disrupted by unfavorable network conditions.
+
+Use cases:
+
+        - Watch your US Netflix using your home IP while traveling abroad.
+        - Log into your router as if from inside your home network.
+        - Disregard poorly configured web proxies at school or work.
+
+See also: telebit help ssh-proxy"
+
+ftp = "Telebit (Client) Secure FTP
+
+Alias of \"telebit rsync\"
+
+The original FTP was superseded by sftp and then rsync a few decades ago,
+however, sometimes we refer to its successors, generically, as \"FTP\"
+(just like you might say \"hang up\" the phone).
+
+## History
+
+FTP is a legacy of the 1970s. It served its purpose well on local networks, but
+was extremely dangerous on the Internet due to its lack of security and various
+vulnerabilities. On some legacy systems it remains an easy target to steal
+passwords and load viruses onto computers.
+
+Although very few systems have ftp installed today (thank goodness), almost every
+computer comes with rsync already installed and ready to go.
+
+Use \"telebit rsync\" instead."
+
+daemon = "telebit daemon v{version}
+
+Usage:
+
+        telebit daemon --config <path>
+        ex: telebit daemon --config ~/.config/telebit/telebitd.yml
+
+Additional help topics:
+
+        config    config file format and settings
+        remote    telebit cli remote control
+
+Copyright 2015-2018 https://telebit.cloud MPL-2.0 Licensed"
+
+config = "Telebit Config (docs)
+
+There are TWO config files:
+
+        remote    ~/.config/telebit/telebit.yml
+
+        daemon    ~/.config/telebit/telebitd.yml
+
+### Remote Config
+
+This only specifies the ipc - socket path (dir), address, or pipe name.
+All other options are handled by the daemon.
+
+    ipc: /Users/aj/.local/share/telebit/var/run/
+
+### Daemon Config
+
+    relay: telebit.cloud            the relay to use
+    secret: null                    HMAC secret for self-hosted relay
+    email: jon@example.com          the email to authenticate
+    agree_tos: true                 agree to Telebit, Greenlock, & Let's Encrypt, ToS
+    community_member: true          get rare but relevant community updates
+    telemetry: true                 contribute to project telemetry
+    servernames:
+      example.com:                  don't reject https traffic for example.com
+        wildcard: true              allow assignment to subdomains
+        handler: ~/Public           whether to use a static server by path or app by port
+      home.example.com:
+        wildcard: true
+        handler: 3000
+    ssh_auto: 22                    forward ssh-ish traffic to port 22
+
+See also: telebit help relay"
+
+sclient = "sclient
+
+Usage:
+
+        sclient [flags] <remote> [local]
+        ex: sclient whatever.com:443 localhost:3000
+        ex: sclient whatever.com -
+        ex: printf \"GET / HTTP/1.1\\n\\n\" | sclient whatever.com
+
+sclient is a standalane tls unwrapper. For convenience it's bundled with telebit
+as the passthru subcommand \"telebit sclient\" and functions exactly the name.
+
+        telebit sclient [flags] <remote> [local]
+        ex: printf \"GET / HTTP/1.1\\n\\n\" | telebit sclient whatever.com
+
+See https://telebit.cloud/sclient/"
+
+relay = "Telebit Relay
+
+We envision a future with better routers capable of providing reliable Internet
+connectivity, and trusted peers bridging the gaps between unfavorable network
+conditions.
+
+We plan to always run telebit.cloud as a relay-as-a-service for convenience,
+but it is our hope that, if your network conditions permit, you will also run
+your own telebit relay for your friends, family, and yourself.
+
+See https://git.coolaj86.com/coolaj86/telebit-relay.js"
+
+in-n-out = "Telebit Secret Menu
+
+The secret flags are:
+
+        --profile <name>            Use config files, sockets, and pipes with this name.
+                                    For debugging and development. (default: telbit, telebitd)
+        --set-profile <name>        Switch from the default profile
+        --address <path|host:port>  Use explicit socket path (or address) or pipe name
+                                    Overrides \"--profile\""
+
+[remote]
+version = "telebit remote v{version}"
+
+code = "
+==============================================
+                 Hey, Listen!
+==============================================
+
+  GO CHECK YOUR EMAIL!
+
+  DEVICE PAIR CODE:     0000
+
+==============================================
+"
+
+waiting = "waiting for you to check your email..."
+
+success = "Success"
+
+next_steps = "Some fun things to try first:
+
+    ~/telebit http ~/Public
+    ~/telebit tcp 5050
+    ~/telebit ssh auto
+
+Press any key to continue...
+"
+
+[remote.setup]
+
+email = "Welcome!
+
+By using Telebit you agree to:
+
+      [x] Accept the Telebit™ terms of service
+      [x] Accept the Let's Encrypt™ terms of service
+
+Enter your email to agree and login/create your account:
+"
+
+[daemon]
+version = "telebit daemon v{version}"

lib/handlers/local-app-error.js

@@ -0,0 +1,19 @@
+'use strict';
+
+module.exports = function (opts) {
+  console.log("Could not connect");
+  var socket = opts.socket;
+  var handler = opts.handler;
+  var http = require('http');
+  var server = http.createServer(function (req, res) {
+    console.log('responding to thing');
+    res.statusCode = 500;
+    res.setHeader('Content-Type', 'text/html');
+    res.end("<html>"
+      + "<head><title>Couldn't Connect</title></head>"
+      + "<body>Could not connect to localhost:" + handler + "</body>"
+    + "</html>");
+  });
+  //server.emit('connection', socket);
+  socket.end("Could not connect to localhost:" + handler);
+};

lib/html/css/main.css

@@ -0,0 +1,31 @@
+
+
+
+body {
+    font-family: Source Sans Pro, sans-serif;
+    font-size: 18px;
+    color: #1a1a1a;
+    letter-spacing: -0.022222222em;
+    line-height: 1.33;
+    margin: 0;
+    text-align: center;
+    padding: 2em 0 2em 0;
+}
+
+code {}
+
+code, pre {
+    font-family: Source Code Pro, monospace;
+}
+
+.code-block {
+    text-align: left;
+    display: inline-block;
+}
+
+span.logo {
+    font-size: 1.666em;
+    font-weight: bold;
+}
+
+p {margin-bottom: 0.5em;margin-top: 1.5em;}

lib/html/index.html

@@ -3,39 +3,93 @@
   <head>
     <title>Telebit</title>
     <meta charset="utf-8">
+    <link href="./css/main.css" rel="stylesheet">
+    <style>
+      @font-face {
+        font-family: 'Source Sans Pro';
+        font-style: normal;
+        font-display: block;
+        font-weight: 400;
+        src: local('Source Sans Pro Regular'), local('SourceSansPro-Regular'), url(./fonts/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+      @font-face {
+        font-family: 'Source Sans Pro';
+        font-style: normal;
+        font-weight: 700;
+        font-display: block;
+        src: local('Source Sans Pro Bold'), local('SourceSansPro-Bold'), url(./fonts/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+      @font-face {
+        font-family: 'Source Code Pro';
+        font-style: normal;
+        font-weight: 400;
+        src: local('Source Code Pro'), local('SourceCodePro-Regular'), url(./fonts/HI_SiYsKILxRpg3hIP6sJ7fM7PqlPevW.woff2) format('woff2');
+        unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+      }
+    </style>
+    <link rel="preload" href="./fonts/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2" as="font" crossorigin="anonymous">
+    <link rel="preload" href="./fonts/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2" as="font" crossorigin="anonymous">
+    <link rel="preload" href="./fonts/HI_SiYsKILxRpg3hIP6sJ7fM7PqlPevW.woff2" as="font" crossorigin="anonymous">
+
   </head>
   <body>
     <script>document.body.hidden = true;</script>
-
+  <!-- let's define our SVG that we will use later -->
+    <svg width="0" height="0" viewBox="0 0 24 24">
+      <defs>
+        <g id="svg-lock">
+          <path d="M0 0h24v24H0z" fill="none"/>
+          <path d="M18 8h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2zm-6 9c-1.1 0-2-.9-2-2s.9-2 2-2 2 .9 2 2-.9 2-2 2zm3.1-9H8.9V6c0-1.71 1.39-3.1 3.1-3.1 1.71 0 3.1 1.39 3.1 3.1v2z"/>
+        </g>
+      </defs>
+    </svg>
+    <span class="logo">Telebit</span>
     <h1>Welcome Home <!-- as in 127.0.0.1, y'know ;) --></h1>
-    <p>Go ahead and bookmark this page. It's yours now.</p>
+    <div>Go ahead and bookmark this page. It's yours now.</div>
 
     <div>
       <h2>You've claimed <span class="js-servername">{{servername}}</span></h2>
-      <p>Here's some ways you can use it:</p>
-      <pre><code>
-telebit http 3000                # forward all https traffic to localhost:3000
-telebit http /path/to/module     # handle incoming https traffic with a node module
-telebit http none                # remove all https handlers</code></pre>
+      <p>Here are some ways you can use Telebit via Terminal or other Command Line Interface:</p>
+      <div class="code-block">
+	      <br />
+        <pre><code>~/telebit ssh auto            # allows you to connect to your computer with <br />                                ssh-over-https from a different computer</span></code></pre>
+        <pre><code>~/telebit http ~/Public            # serve a public folder
+~/telebit http 3000                # forward all https traffic to localhost:3000
+~/telebit http none                # remove all https handlers</code></pre>
+      </div>
     </div>
-    <p>You can <em>always</em> use this port for <strong>SSH over HTTPS</strong>, even while you're using it for something else:</p>
-    <pre><code>
-ssh -o ProxyCommand='openssl s_client -connect %h:443 -quiet' <span class="js-servername">{{servername}}</span></code></pre>
-
-
-    <div class="js-port" hidden>
+    <p>And remember you can <em>always</em> tunnel <strong>SSH over HTTPS</strong>,
+      even while you're using it for something else:</p>
+  <p>&nbsp;</p>
+  
+    <details>
+    <p><summary><strong>Here are some examples for those of you that want to access files and folders remotely.  </strong></summary></p>
+    <p><strong>This function allows you to connect one computer to another computer you also have SSH on.</strong></p>
+      <div class="code-block"><pre><code>~/telebit ssh <span class="js-servername">{{servername}}</span></code></pre>
+      	<br>
+    		- or -
+    		<pre><code>ssh -o ProxyCommand='<a href="https://telebit.cloud/sclient">sclient</a> %h' <span class="js-servername">{{servername}}</span></code></pre>
+    		- or -
+    		<pre><code>proxy_cmd='openssl s_client -connect %h:443 -servername %h -quiet'
+ssh -o ProxyCommand="$proxy_cmd" <span class="js-servername">{{servername}}</span></code></pre>
+			</div>
+    <pre><code>ssh -o ProxyCommand='openssl s_client -connect %h:443 -servername %h -quiet' <span class="js-servername">{{servername}}</span></code></pre>
+    </details>
+    <!--div class="js-port" hidden>
       <h2>You've claimed port <span class="js-serviceport">{{serviceport}}</span></h2>
       <p>Here's some ways you can use it:</p>
-      <pre><code>
-telebit tcp 3000                 # forward all tcp traffic to localhost:3000
+      <div class="code-block"><pre><code>telebit tcp 3000                 # forward all tcp traffic to localhost:3000
 telebit tcp /path/to/module      # handle incoming tcp traffic with a node module
 telebit tcp none                 # remove all tcp handlers</code></pre>
-    </div>
-    <p>You can <em>always</em> use this port for <strong>SSH</strong>, even while you're using it for something else:</p>
-    <pre><code>
-ssh <span class="js-servername">{{servername}}</span> -p <span class="js-serviceport">{{serviceport}}</span></code></pre>
+      </div>
+      <p>You can <em>always</em> use this port for <strong>SSH</strong>, even while you're using it for something else:</p>
+      <div class="code-block"><pre><code>telebit ssh 22
 
+ssh <span class="js-servername">{{servername}}</span> -p <span class="js-serviceport">{{serviceport}}</span></code></pre></div>
+    </div -->
 
     <script src="js/app.js"></script>
   </body>
-</html>
+</html>

lib/html/js/app.js

@@ -3,7 +3,7 @@
 
 document.body.hidden = false;
 
-var hash = window.location.hash.substr(1);
+var hash = window.location.hash.replace(/^[\/#?]+/, '');
 var query = window.location.search;
 
 function parseQuery(search) {

lib/remote.js

@@ -1,11 +1,17 @@
 (function () {
 'use strict';
 
+var PromiseA;
+try {
+  PromiseA = require('bluebird');
+} catch(e) {
+  PromiseA = global.Promise;
+}
 var WebSocket = require('ws');
-var PromiseA = require('bluebird');
 var sni = require('sni');
 var Packer = require('proxy-packer');
 var os = require('os');
+var EventEmitter = require('events').EventEmitter;
 
 function timeoutPromise(duration) {
   return new PromiseA(function (resolve) {
@@ -13,37 +19,58 @@ function timeoutPromise(duration) {
   });
 }
 
-function _connect(state) {
+function TelebitRemote(state) {
   // jshint latedef:false
-  var defaultHttpTimeout = (2 * 60);
-  var activityTimeout = state.activityTimeout || (defaultHttpTimeout - 5) * 1000;
+
+  if (!(this instanceof TelebitRemote)) {
+    return new TelebitRemote(state);
+  }
+  EventEmitter.call(this);
+  var me = this;
+  var priv = {};
+
+  //var defaultHttpTimeout = (2 * 60);
+  //var activityTimeout = state.activityTimeout || (defaultHttpTimeout - 5) * 1000;
+  var activityTimeout = 6 * 1000;
   var pongTimeout = state.pongTimeout || 10*1000;
   // Allow the tunnel client to be created with no token. This will prevent the connection from
   // being established initialy and allows the caller to use `.append` for the first token so
   // they can get a promise that will provide feedback about invalid tokens.
-  var tokens = [];
+  priv.tokens = [];
   var auth;
+  if(!state.sortingHat) {
+    state.sortingHat = "./sorting-hat.js";
+  }
   if (state.token) {
-    tokens.push(state.token);
+    if ('undefined' === state.token) {
+      throw new Error("passed string 'undefined' as token");
+    }
+    priv.tokens.push(state.token);
   }
 
   var wstunneler;
   var authenticated = false;
   var authsent = false;
+  var initialConnect = true;
 
-  var localclients = {};
+  priv.localclients = {};
   var pausedClients = [];
   var clientHandlers = {
     add: function (conn, cid, tun) {
-      localclients[cid] = conn;
-      console.info("[connect] new client '" + cid + "' for '" + tun.name + ":" + tun.serviceport + "' "
+      priv.localclients[cid] = conn;
+      console.info("[connect] new client '" + tun.name + ":" + tun.serviceport + "' for  '" + cid + "'"
         + "(" + clientHandlers.count() + " clients)");
 
       conn.tunnelCid = cid;
-      conn.tunnelRead = tun.data.byteLength;
-      conn.tunnelWritten    = 0;
+      if (tun.data) {
+        conn.tunnelRead = tun.data.byteLength;
+      } else {
+        conn.tunnelRead = 0;
+      }
+      conn.tunnelWritten = 0;
 
       conn.on('data', function onLocalData(chunk) {
+        //var chunk = conn.read();
         if (conn.tunnelClosing) {
           console.warn("[onLocalData] received data for '"+cid+"' over socket after connection was ended");
           return;
@@ -55,8 +82,10 @@ function _connect(state) {
         // down the data we are getting to send over. We also want to pause all active connections
         // if any connections are paused to make things more fair so one connection doesn't get
         // stuff waiting for all other connections to finish because it tried writing near the border.
-        var bufSize = wsHandlers.sendMessage(Packer.pack(tun, chunk));
-        if (pausedClients.length || bufSize > 1024*1024) {
+        var bufSize = sendMessage(Packer.packHeader(tun, chunk));
+        // Sending 2 messages instead of copying the buffer
+        var bufSize2 = sendMessage(chunk);
+        if (pausedClients.length || (bufSize + bufSize2) > 1024*1024) {
           // console.log('[onLocalData] paused connection', cid, 'to allow websocket to catch up');
           conn.pause();
           pausedClients.push(conn);
@@ -65,32 +94,33 @@ function _connect(state) {
 
       var sentEnd = false;
       conn.on('end', function onLocalEnd() {
-        console.info("[onLocalEnd] connection '" + cid + "' ended, will probably close soon");
+        //console.info("[onLocalEnd] connection '" + cid + "' ended, will probably close soon");
         conn.tunnelClosing = true;
         if (!sentEnd) {
-          wsHandlers.sendMessage(Packer.pack(tun, null, 'end'));
+          sendMessage(Packer.packHeader(tun, null, 'end'));
           sentEnd = true;
         }
       });
       conn.on('error', function onLocalError(err) {
         console.info("[onLocalError] connection '" + cid + "' errored:", err);
         if (!sentEnd) {
-          wsHandlers.sendMessage(Packer.pack(tun, {message: err.message, code: err.code}, 'error'));
+          var packBody = true;
+          sendMessage(Packer.packHeader(tun, {message: err.message, code: err.code}, 'error', packBody));
           sentEnd = true;
         }
       });
       conn.on('close', function onLocalClose(hadErr) {
-        delete localclients[cid];
+        delete priv.localclients[cid];
         console.log('[onLocalClose] closed "' + cid + '" read:'+conn.tunnelRead+', wrote:'+conn.tunnelWritten+' (' + clientHandlers.count() + ' clients)');
         if (!sentEnd) {
-          wsHandlers.sendMessage(Packer.pack(tun, null, hadErr && 'error' || 'end'));
+          sendMessage(Packer.packHeader(tun, null, hadErr && 'error' || 'end'));
           sentEnd = true;
         }
       });
     }
 
   , write: function (cid, opts) {
-      var conn = localclients[cid];
+      var conn = priv.localclients[cid];
       if (!conn) {
         return false;
       }
@@ -107,11 +137,13 @@ function _connect(state) {
       conn.tunnelRead += opts.data.byteLength;
 
       if (!conn.remotePaused && conn.bufferSize > 1024*1024) {
-        wsHandlers.sendMessage(Packer.pack(opts, conn.tunnelRead, 'pause'));
+        var packBody = true;
+        sendMessage(Packer.packHeader(opts, conn.tunnelRead, 'pause', packBody));
         conn.remotePaused = true;
 
         conn.once('drain', function () {
-          wsHandlers.sendMessage(Packer.pack(opts, conn.tunnelRead, 'resume'));
+          var packBody = true;
+          sendMessage(Packer.packHeader(opts, conn.tunnelRead, 'resume', packBody));
           conn.remotePaused = false;
         });
       }
@@ -119,13 +151,13 @@ function _connect(state) {
     }
 
   , closeSingle: function (cid) {
-      if (!localclients[cid]) {
+      if (!priv.localclients[cid]) {
         return;
       }
 
-      console.log('[closeSingle]', cid);
+      //console.log('[closeSingle]', cid);
       PromiseA.resolve().then(function () {
-        var conn = localclients[cid];
+        var conn = priv.localclients[cid];
         conn.tunnelClosing = true;
         conn.end();
 
@@ -143,40 +175,49 @@ function _connect(state) {
           });
         });
       }).then(function () {
-        if (localclients[cid]) {
+        if (priv.localclients[cid]) {
           console.warn('[closeSingle]', cid, 'connection still present after calling `end`');
-          localclients[cid].destroy();
+          priv.localclients[cid].destroy();
           return timeoutPromise(500);
         }
       }).then(function () {
-        if (localclients[cid]) {
+        if (priv.localclients[cid]) {
           console.error('[closeSingle]', cid, 'connection still present after calling `destroy`');
-          delete localclients[cid];
+          delete priv.localclients[cid];
         }
       }).catch(function (err) {
         console.error('[closeSingle] failed to close connection', cid, err.toString());
-        delete localclients[cid];
+        delete priv.localclients[cid];
       });
     }
   , closeAll: function () {
       console.log('[closeAll]');
-      Object.keys(localclients).forEach(function (cid) {
+      Object.keys(priv.localclients).forEach(function (cid) {
         clientHandlers.closeSingle(cid);
       });
     }
 
   , count: function () {
-      return Object.keys(localclients).length;
+      return Object.keys(priv.localclients).length;
     }
   };
 
   var pendingCommands = {};
+  function sendMessage(msg) {
+    // There is a chance that this occurred after the websocket was told to close
+    // and before it finished, in which case we don't need to log the error.
+    if (wstunneler.readyState !== wstunneler.CLOSING) {
+        wstunneler.send(msg, {binary: true});
+        return wstunneler.bufferedAmount;
+    }
+  }
   function sendCommand(name) {
     var id = Math.ceil(1e9 * Math.random());
     var cmd = [id, name].concat(Array.prototype.slice.call(arguments, 1));
     if (state.debug) { console.log('[DEBUG] command sending', cmd); }
 
-    wsHandlers.sendMessage(Packer.pack(null, cmd, 'control'));
+    var packBody = true;
+    sendMessage(Packer.packHeader(null, cmd, 'control', packBody));
     setTimeout(function () {
       if (pendingCommands[id]) {
         console.warn('command', name, id, 'timed out');
@@ -199,24 +240,6 @@ function _connect(state) {
     });
   }
 
-  function sendAllTokens() {
-    if (auth) {
-      authsent = true;
-      sendCommand('auth', auth).catch(function (err) { console.error('1', err); });
-    }
-    tokens.forEach(function (jwtoken) {
-      if (state.debug) { console.log('[DEBUG] send token'); }
-      authsent = true;
-      sendCommand('add_token', jwtoken)
-        .catch(function (err) {
-          console.error('failed re-adding token', jwtoken, 'after reconnect', err);
-          // Not sure if we should do something like remove the token here. It worked
-          // once or it shouldn't have stayed in the list, so it's less certain why
-          // it would have failed here.
-        });
-    });
-  }
-
   function noHandler(cmd) {
     console.warn("[telebit] state.handlers['" + cmd[1] + "'] not set");
     console.warn(cmd[2]);
@@ -224,6 +247,23 @@ function _connect(state) {
 
   var connCallback;
 
+  function hyperPeek(tun) {
+    var m;
+    var str;
+    if (tun.data) {
+      if ('http' === tun.service) {
+        str = tun.data.toString();
+        m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
+        tun._name = tun._hostname = (m && m[1].toLowerCase() || '').split(':')[0];
+      }
+      else if ('https' === tun.service || 'tls' === tun.service) {
+        tun._name = tun._servername = sni(tun.data);
+      } else {
+        tun._name = '';
+      }
+    }
+  }
+
   var packerHandlers = {
     oncontrol: function (opts) {
       var cmd, err;
@@ -255,7 +295,21 @@ function _connect(state) {
 
       if (cmd[1] === 'hello') {
         if (state.debug) { console.log('[DEBUG] hello received'); }
-        sendAllTokens();
+        if (auth) {
+          authsent = true;
+          sendCommand('auth', auth).catch(function (err) { console.error('1', err); });
+        }
+        priv.tokens.forEach(function (jwtoken) {
+          if (state.debug) { console.log('[DEBUG] send token'); }
+          authsent = true;
+          sendCommand('add_token', jwtoken)
+            .catch(function (err) {
+              console.error('failed re-adding token', jwtoken, 'after reconnect', err);
+              // Not sure if we should do something like remove the token here. It worked
+              // once or it shouldn't have stayed in the list, so it's less certain why
+              // it would have failed here.
+            });
+        });
         if (connCallback) {
           connCallback();
         }
@@ -282,28 +336,19 @@ function _connect(state) {
         err = { message: 'unknown command "'+cmd[1]+'"', code: 'E_UNKNOWN_COMMAND' };
       }
 
-      wsHandlers.sendMessage(Packer.pack(null, [-cmd[0], err], 'control'));
+      var packBody = true;
+      sendMessage(Packer.packHeader(null, [-cmd[0], err], 'control', packBody));
     }
 
-  , onmessage: function (tun) {
+  , onconnection: function (tun) {
       var cid = tun._id = Packer.addrToId(tun);
-      var str;
-      var m;
 
-      if ('http' === tun.service) {
-        str = tun.data.toString();
-        m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
-        tun._name = tun._hostname = (m && m[1].toLowerCase() || '').split(':')[0];
-      }
-      else if ('https' === tun.service || 'tls' === tun.service) {
-        tun._name = tun._servername = sni(tun.data);
-      } else {
-        tun._name = '';
-      }
+      // this data should have been gathered already as part of the proxy protocol
+      // but if it's available again here we can double check
+      hyperPeek(tun);
 
-      if (clientHandlers.write(cid, tun)) { return; }
-
-      wstunneler.pause();
+      // TODO use readable streams instead
+      wstunneler._socket.pause();
       require(state.sortingHat).assign(state, tun, function (err, conn) {
         if (err) {
           err.message = err.message.replace(/:tun_id/, tun._id);
@@ -312,32 +357,46 @@ function _connect(state) {
         }
         clientHandlers.add(conn, cid, tun);
         if (tun.data) { conn.write(tun.data); }
-        wstunneler.resume();
+        wstunneler._socket.resume();
       });
     }
 
+  , onmessage: function (tun) {
+      var cid = tun._id = Packer.addrToId(tun);
+      var handled;
+
+      hyperPeek(tun);
+
+      handled = clientHandlers.write(cid, tun);
+
+      // quasi backwards compat
+      if (!handled) { console.log("[debug] did not get 'connection' event"); packerHandlers.onconnection(tun); }
+    }
+
   , onpause: function (opts) {
       var cid = Packer.addrToId(opts);
-      if (localclients[cid]) {
-        console.log("[TunnelPause] pausing '"+cid+"', remote received", opts.data.toString(), 'of', localclients[cid].tunnelWritten, 'sent');
-        localclients[cid].manualPause = true;
-        localclients[cid].pause();
+      if (priv.localclients[cid]) {
+        console.log("[TunnelPause] pausing '"+cid+"', remote received", opts.data.toString(), 'of', priv.localclients[cid].tunnelWritten, 'sent');
+        priv.localclients[cid].manualPause = true;
+        priv.localclients[cid].pause();
       } else {
         console.log('[TunnelPause] remote tried pausing finished connection', cid);
         // Often we have enough latency that we've finished sending before we're told to pause, so
         // don't worry about sending back errors, since we won't be sending data over anyway.
-        // wsHandlers.sendMessage(Packer.pack(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error'));
+        // var packBody = true;
+        // sendMessage(Packer.packHeader(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error', packBody));
       }
     }
   , onresume: function (opts) {
       var cid = Packer.addrToId(opts);
-      if (localclients[cid]) {
-        console.log("[TunnelResume] resuming '"+cid+"', remote received", opts.data.toString(), 'of', localclients[cid].tunnelWritten, 'sent');
-        localclients[cid].manualPause = false;
-        localclients[cid].resume();
+      if (priv.localclients[cid]) {
+        console.log("[TunnelResume] resuming '"+cid+"', remote received", opts.data.toString(), 'of', priv.localclients[cid].tunnelWritten, 'sent');
+        priv.localclients[cid].manualPause = false;
+        priv.localclients[cid].resume();
       } else {
         console.log('[TunnelResume] remote tried resuming finished connection', cid);
-        // wsHandlers.sendMessage(Packer.pack(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error'));
+        // var packBody = true;
+        // sendMessage(Packer.packHeader(opts, {message: 'no matching connection', code: 'E_NO_CONN'}, 'error', packBody));
       }
     }
 
@@ -354,55 +413,74 @@ function _connect(state) {
 
   , _onConnectError: function (cid, opts, err) {
       console.info("[_onConnectError] opening '" + cid + "' failed because " + err.message);
-      wsHandlers.sendMessage(Packer.pack(opts, null, 'error'));
+      sendMessage(Packer.packHeader(opts, null, 'error'));
     }
   };
 
-  var lastActivity;
-  var timeoutId;
-  var wsHandlers = {
-    refreshTimeout: function () {
-      lastActivity = Date.now();
+  priv.timeoutId = null;
+  priv.lastActivity = Date.now();
+  priv.refreshTimeout = function refreshTimeout() {
+    priv.lastActivity = Date.now();
+  };
+  priv.checkTimeout = function checkTimeout() {
+    if (!wstunneler) {
+      console.warn('checkTimeout called when websocket already closed');
+      return;
     }
-  , checkTimeout: function () {
-      if (!wstunneler) {
-        console.warn('checkTimeout called when websocket already closed');
-        return;
-      }
-      // Determine how long the connection has been "silent", ie no activity.
-      var silent = Date.now() - lastActivity;
+    // Determine how long the connection has been "silent", ie no activity.
+    var silent = Date.now() - priv.lastActivity;
 
-      // If we have had activity within the last activityTimeout then all we need to do is
-      // call this function again at the soonest time when the connection could be timed out.
-      if (silent < activityTimeout) {
-        timeoutId = setTimeout(wsHandlers.checkTimeout, activityTimeout-silent);
-      }
-
-      // Otherwise we check to see if the pong has also timed out, and if not we send a ping
-      // and call this function again when the pong will have timed out.
-      else if (silent < activityTimeout + pongTimeout) {
-        console.log('pinging tunnel server');
-        try {
-          wstunneler.ping();
-        } catch (err) {
-          console.warn('failed to ping tunnel server', err);
-        }
-        timeoutId = setTimeout(wsHandlers.checkTimeout, pongTimeout);
-      }
-
-      // Last case means the ping we sent before didn't get a response soon enough, so we
-      // need to close the websocket connection.
-      else {
-        console.log('connection timed out');
-        wstunneler.close(1000, 'connection timeout');
-      }
+    // If we have had activity within the last activityTimeout then all we need to do is
+    // call this function again at the soonest time when the connection could be timed out.
+    if (silent < activityTimeout) {
+      priv.timeoutId = setTimeout(priv.checkTimeout, activityTimeout-silent);
     }
 
-  , onOpen: function () {
-      console.info("[open] connected to '" + state.relay + "'");
-      wsHandlers.refreshTimeout();
-      timeoutId = setTimeout(wsHandlers.checkTimeout, activityTimeout);
+    // Otherwise we check to see if the pong has also timed out, and if not we send a ping
+    // and call this function again when the pong will have timed out.
+    else if (silent < activityTimeout + pongTimeout) {
+      //console.log('DEBUG: pinging tunnel server');
+      try {
+        wstunneler.ping();
+      } catch (err) {
+        console.warn('failed to ping tunnel server', err);
+      }
+      priv.timeoutId = setTimeout(priv.checkTimeout, pongTimeout);
+    }
 
+    // Last case means the ping we sent before didn't get a response soon enough, so we
+    // need to close the websocket connection.
+    else {
+      console.info('[info] closing due to connection timeout');
+      wstunneler.close(1000, 'connection timeout');
+    }
+  };
+
+  me.destroy = function destroy() {
+    console.info('[info] destroy()');
+    try {
+      //wstunneler.close(1000, 're-connect');
+      wstunneler._socket.destroy();
+    } catch(e) {
+      // ignore
+    }
+  };
+  me.connect = function connect() {
+    if (!priv.tokens.length && state.config.email) {
+      auth = TelebitRemote._tokenFromState(state);
+    }
+    priv.timeoutId = null;
+    var machine = Packer.create(packerHandlers);
+
+    console.info("[telebit:lib/remote.js] [connect] '" + (state.wss || state.relay) + "'");
+    var tunnelUrl = (state.wss || state.relay).replace(/\/$/, '') + '/'; // + auth;
+    wstunneler = new WebSocket(tunnelUrl, { rejectUnauthorized: !state.insecure });
+    // XXXXXX
+    wstunneler.on('open', function () {
+      console.info("[telebit:lib/remote.js] [open] connected to '" + (state.wss || state.relay) + "'");
+      me.emit('connect');
+      priv.refreshTimeout();
+      priv.timeoutId = setTimeout(priv.checkTimeout, activityTimeout);
       wstunneler._socket.on('drain', function () {
         // the websocket library has it's own buffer apart from node's socket buffer, but that one
         // is much more difficult to watch, so we watch for the lower level buffer to drain and
@@ -419,15 +497,13 @@ function _connect(state) {
             conn.resume();
           }
         });
-
         pausedClients.length = 0;
       });
-    }
-
-  , onClose: function () {
-      console.log('ON CLOSE');
-      clearTimeout(timeoutId);
-      wstunneler = null;
+      initialConnect = false;
+    });
+    wstunneler.on('close', function () {
+      console.info("[info] [closing] received close signal from relay");
+      clearTimeout(priv.timeoutId);
       clientHandlers.closeAll();
 
       var error = new Error('websocket connection closed before response');
@@ -439,178 +515,69 @@ function _connect(state) {
         connCallback(error);
       }
 
-      if (!authenticated) {
-        console.info('[close] failed on first attempt... check authentication.');
-        timeoutId = null;
-      }
-      else if (tokens.length) {
-        console.info('[retry] disconnected and waiting...');
-        timeoutId = setTimeout(connect, 5000);
-      }
-    }
-
-  , onError: function (err) {
-      console.error("[tunnel error] " + err.message);
-      console.error(err);
-      if (connCallback) {
-        connCallback(err);
-      }
-    }
-
-  , sendMessage: function (msg) {
-      if (wstunneler) {
-        try {
-          wstunneler.send(msg, {binary: true});
-          return wstunneler.bufferedAmount;
-        } catch (err) {
-          // There is a chance that this occurred after the websocket was told to close
-          // and before it finished, in which case we don't need to log the error.
-          if (wstunneler.readyState !== wstunneler.CLOSING) {
-            console.warn('[sendMessage] error sending websocket message', err);
-          }
-        }
-      }
-    }
-  };
-
-  function connect() {
-    if (wstunneler) {
-      console.warn('attempted to connect with connection already active');
-      return;
-    }
-    if (!tokens.length) {
-      if (state.config.email) {
-        auth = {
-          subject: state.config.email
-        , subject_scheme: 'mailto'
-          // TODO create domains list earlier
-        , scope: Object.keys(state.config.servernames || {}).join(',')
-        , hostname: os.hostname()
-          // Used for User-Agent
-        , os_type: os.type()
-        , os_platform: os.platform()
-        , os_release: os.release()
-        , os_arch: os.arch()
-        };
-      }
-    }
-    timeoutId = null;
-    var machine = Packer.create(packerHandlers);
-
-    console.info("[connect] '" + state.relay + "'");
-    var tunnelUrl = state.relay.replace(/\/$/, '') + '/'; // + auth;
-    wstunneler = new WebSocket(tunnelUrl, { rejectUnauthorized: !state.insecure });
-    wstunneler.on('open', wsHandlers.onOpen);
-    wstunneler.on('close', wsHandlers.onClose);
-    wstunneler.on('error', wsHandlers.onError);
+      me.emit('close');
+    });
+    wstunneler.on('error', function (err) {
+      me.emit('error', err);
+    });
 
     // Our library will automatically handle sending the pong respose to ping requests.
-    wstunneler.on('ping', wsHandlers.refreshTimeout);
-    wstunneler.on('pong', wsHandlers.refreshTimeout);
+    wstunneler.on('ping', priv.refreshTimeout);
+    wstunneler.on('pong', function () {
+      //console.log('DEBUG received pong');
+      priv.refreshTimeout();
+    });
     wstunneler.on('message', function (data, flags) {
-      wsHandlers.refreshTimeout();
+      priv.refreshTimeout();
       if (data.error || '{' === data[0]) {
         console.log(data);
         return;
       }
       machine.fns.addChunk(data, flags);
     });
-  }
-  connect();
-
-  var connPromise;
-  return {
-    end: function() {
-      tokens.length = 0;
-      if (timeoutId) {
-        clearTimeout(timeoutId);
-        timeoutId = null;
-      }
-
-      if (wstunneler) {
-        try {
-          wstunneler.close();
-        } catch(e) {
-          console.error("[error] wstunneler.close()");
-          console.error(e);
-        }
-      }
-    }
-  , append: function (token) {
-      if (tokens.indexOf(token) >= 0) {
-        return PromiseA.resolve();
-      }
-      tokens.push(token);
-      var prom;
-      if (tokens.length === 1 && !wstunneler) {
-        // We just added the only token in the list, and the websocket connection isn't up
-        // so we need to restart the connection.
-        if (timeoutId) {
-          // Handle the case were the last token was removed and this token added between
-          // reconnect attempts to make sure we don't try openning multiple connections.
-          clearTimeout(timeoutId);
-          timeoutId = null;
-        }
-
-        // We want this case to behave as much like the other case as we can, but we don't have
-        // the same kind of reponses when we open brand new connections, so we have to rely on
-        // the 'hello' and the 'un-associated' error commands to determine if the token is good.
-        prom = connPromise = new PromiseA(function (resolve, reject) {
-          connCallback = function (err) {
-            connCallback = null;
-            connPromise = null;
-            if (err) {
-              reject(err);
-            } else {
-              resolve();
-            }
-          };
-        });
-        connect();
-      }
-      else if (connPromise) {
-        prom = connPromise.then(function () {
-          return sendCommand('add_token', token);
-        });
-      }
-      else {
-        prom = sendCommand('add_token', token);
-      }
-
-      prom.catch(function (err) {
-        console.error('adding token', token, 'failed:', err);
-        // Most probably an invalid token of some kind, so we don't really want to keep it.
-        tokens.splice(tokens.indexOf(token), 1);
-      });
-
-      return prom;
-    }
-  , clear: function (token) {
-      if (typeof token === 'undefined') {
-        token = '*';
-      }
-
-      if (token === '*') {
-        tokens.length = 0;
-      } else {
-        var index = tokens.indexOf(token);
-        if (index < 0) {
-          return PromiseA.resolve();
-        }
-        tokens.splice(index);
-      }
-
-      var prom = sendCommand('delete_token', token);
-      prom.catch(function (err) {
-        console.error('clearing token', token, 'failed:', err);
-      });
-
-      return prom;
+  };
+  me.end = function() {
+    priv.tokens.length = 0;
+    if (priv.timeoutId) {
+      clearTimeout(priv.timeoutId);
+      priv.timeoutId = null;
     }
+    console.info('[info] closing due to tr.end()');
+    wstunneler.close(1000, 're-connect');
+    wstunneler.on('close', function () {
+      me.emit('end');
+    });
   };
 }
 
-module.exports.connect = _connect;
-module.exports.createConnection = _connect;
+TelebitRemote.prototype = EventEmitter.prototype;
+TelebitRemote._tokenFromState = function (state) {
+  return {
+    subject: state.config.email
+  , subject_scheme: 'mailto'
+    // TODO create domains list earlier
+  , scope: Object.keys(state.config.servernames || {}).join(',')
+  , otp: state.otp
+  , hostname: os.hostname()
+    // Used for User-Agent
+  , os_type: os.type()
+  , os_platform: os.platform()
+  , os_release: os.release()
+  , os_arch: os.arch()
+  };
+};
+
+TelebitRemote.create = function (opts) {
+  return new TelebitRemote(opts);
+};
+TelebitRemote.createConnection = function (opts, cb) {
+  var tunnel = TelebitRemote.create(opts);
+  tunnel.connect(opts);
+  tunnel.once('connect', cb);
+  return tunnel;
+};
+TelebitRemote.connect = TelebitRemote.createConnection;
+
+module.exports.TelebitRemote = TelebitRemote;
 
 }());

lib/sorting-hat.js

@@ -1,6 +1,8 @@
 'use strict';
+
 var os = require('os');
 var path = require('path');
+var fs = require('fs');
 
 module.exports.print = function (config) {
   var services = { https: {}, http: {}, tcp: {} };
@@ -57,17 +59,23 @@ module.exports.print = function (config) {
 };
 
 module.exports.assign = function (state, tun, cb) {
-  console.log('first message from', tun);
+  //console.log('first message from', tun);
   var net = state.net || require('net');
 
   function trySsh(tun, cb) {
     // https://security.stackexchange.com/questions/43231/plausibly-deniable-ssh-does-it-make-sense?rq=1
     // https://tools.ietf.org/html/rfc4253#section-4.2
-    if (false === state.config.ssh_auto || 'SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
+    var sshPort;
+    if (-1 !== ['true', 'enable', 'auto', 'on'].indexOf(state.config.sshAuto)) {
+      sshPort = 22;
+    } else {
+      sshPort = parseInt(state.config.sshAuto, 10);
+    }
+    if (!sshPort || 'SSH-2.0-' !== tun.data.slice(0, 8).toString()) {
       cb(null, false);
       return;
     }
-    cb(null, getNetConn(state.config.sshPort || 22));
+    getNetConn(sshPort, cb);
   }
 
   var handlers = {};
@@ -80,6 +88,7 @@ module.exports.assign = function (state, tun, cb) {
       state.httpRedirectServer = require('http').createServer(state.greenlock.middleware(state.redirectHttps));
     }
     state.httpRedirectServer.emit('connection', socket);
+    process.nextTick(function () { socket.resume(); });
   };
   handlers.https = function (tlsSocket) {
     console.log('Encrypted', tlsSocket.encrypted, tlsSocket.remoteAddress, tlsSocket.remotePort);
@@ -88,13 +97,15 @@ module.exports.assign = function (state, tun, cb) {
       state._serveStatic = require('serve-static');
       state._defaultServe = state._serveStatic(path.join(__dirname, 'html'));
       state.defaultHttpServer = require('http').createServer(function (req, res) {
+        // TODO serve api
         state._defaultServe(req, res, state._finalHandler(req, res));
       });
     }
     state.defaultHttpServer.emit('connection', tlsSocket);
+    process.nextTick(function () { tlsSocket.resume(); });
   };
 
-  function getNetConn(port) {
+  function getNetConn(port, cb) {
     var netOpts = {
       port: port
     , host: '127.0.0.1'
@@ -111,8 +122,12 @@ module.exports.assign = function (state, tun, cb) {
       // this will happen before 'data' or 'readable' is triggered
       // We use the data from the netOpts object so that the createConnection function has
       // the oppurtunity of removing/changing it if it wants/needs to handle it differently.
+      cb(null, conn);
+      cb = function () {}; // for error events
+    });
+    conn.on('error', function (err) {
+      cb(err);
     });
-    return conn;
   }
 
   function redirectHttp(cb) {
@@ -126,6 +141,40 @@ module.exports.assign = function (state, tun, cb) {
     return conn;
   }
 
+  function errorTcp(conf, cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      cb(null, conn);
+
+      other.write("\n" +
+      [ "[Telebit Error Server]"
+      , "Could not load '" + conf.handler + "' as a module, file, or directory."
+      ].join("\n") + "\n\n");
+      other.end();
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
+  function fileDirTcp(opts, cb) {
+    var socketPair = require('socket-pair');
+    var conn = socketPair.create(function (err, other) {
+      if (err) { cb(err); return; }
+
+      if (opts.stat.isFile()) {
+        fs.createReadStream(opts.config.handler).pipe(other);
+      } else {
+        fs.readdir(opts.config.handler, function (err, nodes) {
+          other.write('\n' + nodes.join('\n') + '\n\n');
+          other.end();
+        });
+      }
+      cb(null, conn);
+    });
+    //if (tun.data) { conn.write(tun.data); }
+    return conn;
+  }
   function echoTcp(cb) {
     var socketPair = require('socket-pair');
     var conn = socketPair.create(function (err, other) {
@@ -188,8 +237,7 @@ module.exports.assign = function (state, tun, cb) {
   function invokeTcpHandler(conf, socket, tun, id, cb) {
     var conn;
     if (parseInt(conf.handler, 10)) {
-      conn = getNetConn(conf.handler);
-      cb(null, conn);
+      getNetConn(conf.handler, cb);
       return conn;
     }
 
@@ -211,27 +259,47 @@ module.exports.assign = function (state, tun, cb) {
         handler = require(path.join(localshare, handlerpath));
         console.info("Handling '" + handle + ":" + id + "' with '" + handlerpath + "'");
       } catch(e2) {
-        console.error("Failed to load '" + handlerpath + "':", e1.message);
-        console.error("Failed to load '" + path.join(localshare, handlerpath) + "':", e2.message);
-        console.warn("Using default handler for '" + handle + ":" + id + "'");
-        echoTcp(cb);
+        console.error("Failed to require('" + handlerpath + "'):", e1.message);
+        console.error("Failed to require('" + path.join(localshare, handlerpath) + "'):", e2.message);
+        console.warn("Trying static and index handlers for '" + handle + ":" + id + "'");
+        handler = null;
+        // fallthru
       }
     }
-    var socketPair = require('socket-pair');
-    conn = socketPair.create(function (err, other) {
-      handler(other, tun, id);
-      cb(null, conn);
+
+    if (handler) {
+      var socketPair = require('socket-pair');
+      conn = socketPair.create(function (err, other) {
+        handler(other, tun, id);
+        cb(null, conn);
+      });
+      return conn;
+    }
+
+    fs.access(conf.handler, fs.constants.R_OK, function (err1) {
+      fs.stat(conf.handler, function (err2, stat) {
+        if ((err1 || err2) || !(stat.isFile() || stat.isDirectory())) {
+          errorTcp(conf, cb);
+          return;
+        }
+        fileDirTcp({ config: conf, stat: stat }, cb);
+      });
     });
-    return conn;
   }
+  var handlerservers = {};
   function invokeHandler(conf, tlsSocket, tun, id) {
-    var conn;
     if (parseInt(conf.handler, 10)) {
       // TODO http-proxy with proper headers and ws support
-      conn = getNetConn(conf.handler);
-      console.info("Port-Forwarding '" + (tun.name || tun.serviceport) + "' to '" + conf.handler + "'");
-      conn.pipe(tlsSocket);
-      tlsSocket.pipe(conn);
+      getNetConn(conf.handler, function (err, conn) {
+        process.nextTick(function () { tlsSocket.resume(); });
+        if (err) {
+          require('./handlers/local-app-error.js')({ handler: conf.handler, socket: tlsSocket });
+          return;
+        }
+        console.info("Port-Forwarding '" + (tun.name || tun.serviceport) + "' to '" + conf.handler + "'");
+        conn.pipe(tlsSocket);
+        tlsSocket.pipe(conn);
+      });
       return;
     }
     var handle = tun.name || tun.port;
@@ -239,27 +307,108 @@ module.exports.assign = function (state, tun, cb) {
     var handlerpath = conf.handler;
     var homedir = os.homedir();
     var localshare = path.join(homedir, '.local/share/telebit/apps');
+    var http = require('http');
+
+    // 1. No modification handlerpath may be an aboslute path
+    // 2. it may be relative to a user home directory
+    // 3. it may be relative to a user ~/local/share
+
+    tlsSocket._tun = tun;
+    tlsSocket._id = id;
+    if (handlerservers[conf.handler]) {
+      handlerservers[conf.handler].emit('connection', tlsSocket);
+      process.nextTick(function () { tlsSocket.resume(); });
+      return;
+    }
 
     if (/^~/.test(handlerpath)) {
+      // TODO have the telebit remote tell which user is running
       handlerpath = path.join(homedir, handlerpath.replace(/^~(\/?)/, ''));
     }
 
     try {
       handler = require(handlerpath);
-      console.info("Handling '" + handle + ":" + id + "' with '" + handlerpath + "'");
-      handler(tlsSocket, tun, id);
+      console.info("Trying to handle '" + handle + ":" + id + "' with '" + handlerpath + "'");
     } catch(e1) {
       try {
         handler = require(path.join(localshare, handlerpath));
-        console.info("Handling '" + handle + ":" + id + "' with '" + handlerpath + "'");
-        handler(tlsSocket, tun, id);
+        console.info("Skip. (couldn't require('" + handlerpath + "'):", e1.message + ")");
+        console.info("Trying to handle '" + handle + ":" + id + "' with '" + handlerpath + "'");
       } catch(e2) {
-        console.error("Failed to load '" + handlerpath + "':", e1.message);
-        console.error("Failed to load '" + path.join(localshare, handlerpath) + "':", e2.message);
-        console.warn("Using default handler for '" + handle + ":" + id + "'");
-        handlers.https(tlsSocket, tun, id);
+        console.info("Skip. (couldn't require('" + path.join(localshare, handlerpath) + "'):", e2.message + ")");
+        console.info("Last chance! (using static and index handlers for '" + handle + ":" + id + "')");
+        handler = null;
+        // fallthru
       }
     }
+
+    if (handler) {
+      handlerservers[conf.handler] = http.createServer(handler);
+      handlerservers[conf.handler].emit('connection', tlsSocket);
+      process.nextTick(function () { tlsSocket.resume(); });
+      return;
+    }
+
+    fs.access(conf.handler, fs.constants.R_OK, function (err1) {
+      fs.stat(conf.handler, function (err2, stat) {
+        if (err1 || err2) {
+          // TODO handle errors
+          handlers.https(tlsSocket, tun, id);
+          return;
+        }
+        var isFile = stat.isFile();
+        state._finalHandler = require('finalhandler');
+        state._serveStatic = require('serve-static');
+        state._serveIndex = require('serve-index');
+        var serveIndex;
+        var serveStatic;
+        var dlStatic;
+        if (isFile) {
+          serveStatic = state._serveStatic(path.dirname(conf.handler), { dotfiles: 'allow', index: [ 'index.html' ] });
+          dlStatic = state._serveStatic(path.dirname(conf.handler), { acceptRanges: false, dotfiles: 'allow', index: [ 'index.html' ] });
+          serveIndex = function (req, res, next) { next(); };
+          isFile = path.basename(conf.handler);
+        } else {
+          serveStatic = state._serveStatic(conf.handler, { dotfiles: 'allow', index: [ 'index.html' ] });
+          dlStatic = state._serveStatic(conf.handler, { acceptRanges: false, dotfiles: 'allow', index: [ 'index.html' ] });
+          serveIndex = state._serveIndex(conf.handler, {
+            hidden: true, icons: true
+          , template: require('serve-tpl-attachment')({ privatefiles: 'ignore' })
+          });
+        }
+        handler = function (req, res) {
+          var qIndex = req.url.indexOf('?');
+          var fIndex;
+          var fname;
+          if (-1 === qIndex) {
+            qIndex = req.url.length;
+          }
+          req.querystring = req.url.substr(qIndex);
+          req.url = req.url.substr(0, qIndex);
+          req.query = require('querystring').parse(req.querystring.substr(1));
+          if (isFile) {
+            req.url = '/' + isFile;
+          }
+          //console.log('[req.query]', req.url, req.query);
+          if (req.query.download) {
+            fIndex = req.url.lastIndexOf('/');
+            fname = req.url.substr(fIndex + 1);
+            res.setHeader('Content-Disposition', 'attachment; filename="'+decodeURIComponent(fname)+'"');
+            res.setHeader('Content-Type', 'application/octet-stream');
+            dlStatic(req, res, function () {
+              serveIndex(req, res, state._finalHandler(req, res));
+            });
+          } else {
+            serveStatic(req, res, function () {
+              serveIndex(req, res, state._finalHandler(req, res));
+            });
+          }
+        };
+        handlerservers[conf.handler] = http.createServer(handler);
+        handlerservers[conf.handler].emit('connection', tlsSocket);
+        process.nextTick(function () { tlsSocket.resume(); });
+      });
+    });
   }
 
   function terminateTls(tun, cb) {
@@ -291,8 +440,6 @@ module.exports.assign = function (state, tun, cb) {
             tlsSocket._handle.onread(firstChunk.length, firstChunk);
 
             trySsh({ data: firstChunk }, function (err, conn) {
-              process.nextTick(function () { tlsSocket.resume(); });
-
               if (conn) {
                 conn.pipe(tlsSocket);
                 tlsSocket.pipe(conn);
@@ -305,7 +452,7 @@ module.exports.assign = function (state, tun, cb) {
                 return;
               }
 
-              console.log('https invokeHandler');
+              //console.log('https invokeHandler');
               invokeHandler(conf, tlsSocket, tun, id);
             });
           });

lib/updater.js

@@ -0,0 +1,141 @@
+'use strict';
+
+module.exports = function (pkg) {
+  function checkUpgrade() {
+    var https = require('https');
+
+    function getFile(url, cb) {
+      https.get(url, function (resp) {
+        var str = '';
+        resp.on('data', function (chunk) {
+          //var chunk = conn.read();
+          str += chunk.toString('utf8');
+        });
+        resp.on('end', function () {
+          cb(null, str);
+        });
+        resp.on('error', function (err) {
+          // ignore
+          cb(err);
+        });
+      }).on('error', function (err) {
+        // ignore
+        cb(err);
+      });
+    }
+
+    function isNewer(latest, myPkg) {
+      //console.log('sort result:', sortLatest(latest, myPkg));
+      return sortLatest(latest, myPkg) < 0;
+    }
+    function sortLatest(latest, myPkg) {
+      var m = /^(v)?(\d+)\.(\d+)\.(\d+)(.*)/.exec(latest);
+      var n = /^(v)?(\d+)\.(\d+)\.(\d+)(.*)/.exec(myPkg);
+      //console.log('m', m);
+      //console.log('n', n);
+      if (!m) {
+        if (!n) {
+          return 0;
+        }
+        return 1;
+      } else if (!n) {
+        return -1;
+      }
+
+      if (parseInt(m[2], 10) > parseInt(n[2], 10)) {
+        return -1;
+      } else if (parseInt(m[2], 10) === parseInt(n[2], 10)) {
+        if (parseInt(m[3], 10) > parseInt(n[3], 10)) {
+          return -1;
+        } else if (parseInt(m[3], 10) === parseInt(n[3], 10)) {
+          if (parseInt(m[4], 10) > parseInt(n[4], 10)) {
+            return -1;
+          } else if (parseInt(m[4], 10) === parseInt(n[4], 10)) {
+            // lex sorting
+            if (m[5] > n[5]) {
+              return -1;
+            } else if (m[5] === n[5]) {
+              return 0;
+            } else {
+              return 1;
+            }
+          } else {
+            return 1;
+          }
+        } else {
+          return 1;
+        }
+      } else {
+        return 1;
+      }
+    }
+
+    getFile("https://telebit.cloud/dist/index.tab", function (err, tab) {
+      if (err) { /*ignore*/ return; }
+      if (tab) { tab = tab && tab.toString() || ''; }
+      var versions = [];
+      var lines = tab.split(/[\r\n]/g);
+      var headers = lines.shift().split(/\t/g);
+      var chan = 'prod';
+      var next;
+      lines.forEach(function (line) {
+        var tsv = {};
+        var fields = line.split(/\t/g);
+        fields.forEach(function (value, i) {
+          tsv[headers[i]] = value;
+        });
+        versions.push(tsv);
+      });
+      // find matching version
+      versions.some(function (v) {
+        if (('v' + pkg.version) === v.version) {
+          chan = v.channel;
+          return true;
+        }
+      });
+      // find first (most recent) version in channel
+      versions.some(function (v) {
+        if (chan === v.channel) {
+          next = v;
+          return true;
+        }
+      });
+      if (!next || !isNewer(next.version, pkg.version)) {
+        //console.log('DEBUG can\'t upgrade from', pkg.version, 'in channel', chan);
+        return;
+      }
+      console.log('Upgrade Available: ' + next.version + ' in \'' + next.channel + '\'channel');
+      getFile("https://telebit.cloud/dist/upgrade.js", function (err, script) {
+        if (err) { /*ignore*/ return; }
+        var os = require('os');
+        var fs = require('fs');
+        var path = require('path');
+        var scriptname = 'telebit-upgrade-' + Math.round(Math.random() * 99999) + '.js';
+        var pathname = path.join(os.tmpdir(), scriptname);
+        fs.writeFile(pathname, script, function (err) {
+          if (err) { /*ignore*/ return; }
+          // console.log('DEBUG wrote', pathname);
+          //var str =
+          require(pathname)({
+            package: pkg
+          , root: path.resolve(__dirname, '..')
+          , latest: next
+          , channel: chan
+          }, function () {
+            // console.log('upgrade complete');
+          });
+          //console.log(str);
+        });
+      });
+    });
+  }
+
+  var _interval = setInterval(checkUpgrade, 2 * 60 * 60 * 1000);
+  process.nextTick(function () {
+    checkUpgrade();
+  });
+
+  return function cancel() {
+    clearInterval(_interval);
+  };
+};

package.json

@@ -1,10 +1,16 @@
 {
   "name": "telebit",
-  "version": "0.13.2",
+  "version": "0.20.251025",
   "description": "Break out of localhost. Connect to any device from anywhere over any tcp port or securely in a browser. A secure tunnel. A poor man's reverse VPN.",
   "main": "lib/remote.js",
+  "files": [
+    "bin",
+    "lib",
+    "usr"
+  ],
   "bin": {
-    "telebit": "bin/telebit.js"
+    "telebit": "bin/telebit.js",
+    "telebitd": "bin/telebitd.js"
   },
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
@@ -47,18 +53,30 @@
   },
   "homepage": "https://git.coolaj86.com/coolaj86/telebit.js#readme",
   "dependencies": {
-    "bluebird": "^3.5.1",
-    "commander": "^2.9.0",
+    "@coolaj86/urequest": "^1.3.5",
     "finalhandler": "^1.1.1",
-    "greenlock": "^2.2.19",
+    "greenlock": "^2.3.1",
     "js-yaml": "^3.11.0",
     "jsonwebtoken": "^7.1.9",
-    "proxy-packer": "^1.4.3",
+    "mkdirp": "^0.5.1",
+    "proxy-packer": "^2.0.2",
+    "ps-list": "^5.0.0",
     "recase": "^1.0.4",
     "redirect-https": "^1.1.5",
+    "sclient": "^1.4.1",
+    "serve-index": "^1.9.1",
     "serve-static": "^1.13.2",
+    "serve-tpl-attachment": "^1.0.4",
     "sni": "^1.0.0",
     "socket-pair": "^1.0.3",
-    "ws": "^2.2.3"
+    "toml": "^0.4.1",
+    "ws": "^6.0.0"
+  },
+  "trulyOptionalDependencies": {
+    "bluebird": "^3.5.1"
+  },
+  "enginesStrict": true,
+  "engines": {
+    "node": "10.2.1 10.4 10.6"
   }
 }

tests/README.md

@@ -0,0 +1,21 @@
+There are a number of conditions and whatnot that must be tested in more-or-less real-world conditions.
+
+telebit init                    // fresh install
+telebit init                    // after install complete
+
+telebit http 3000               // have an app listening on localhost:3000
+telebit http 4545               // do not have an app listening
+
+telebit http ./path/to/site
+telebit http ./path/to/dir
+telebit http ./path/to/file
+telebit http ./doesnt/exist
+
+telebit ssh auto                // do have ssh listening on localhost:22
+telebit ssh 4545                // do have ssh listenening
+
+telebit tcp 3000                // have an echo server listening on localhost:3000
+telebit tcp 4545                // no server listening
+
+telebit tcp ./path/to/file
+telebit tcp ./path/to/dir

tests/echo.js

@@ -0,0 +1,27 @@
+'use strict';
+
+var net = require('net');
+var server = net.createServer(function (conn) {
+  function echo(chunk) {
+    conn.write(chunk);
+    if (chunk.length <= 10 && /\b(q|quit|end|cancel)\b/i.test(chunk.toString('utf8'))) {
+      conn.end();
+      conn.removeListener('data', echo);
+    }
+  }
+  conn.on('data', echo);
+  // NOTE: early versions of telebit do not support a 'connection' event
+  // and therefore will say hello after the first message from the client
+  conn.write(
+    "[Echo Server] Hello! I'm an echo server.\n"
+  + "[Echo Server] I try to be your friend but when I see things like q|quit|end|cancel, I give up.\n"
+  );
+});
+server.on('error', function (err) {
+  console.error("[echo server]");
+  console.error(err);
+});
+server.listen(process.argv[2] || 3000, function () {
+  console.info("Listening on", this.address());
+  console.info('ctrl+c to cancel');
+});

tests/pair-request.js

@@ -0,0 +1,37 @@
+'use strict';
+
+var email = 'jon@example.com';
+var pin = Math.round(Math.random() * 999999).toString().padStart(6, '0'); // '321654'
+
+console.log('Pair Code:', pin);
+
+var urequest = require('@coolaj86/urequest');
+var req =  {
+  url: 'https://api.telebit.ppl.family/api/telebit.cloud/pair_request'
+, method: 'POST'
+, headers: { 'cOntEnt-tYpE': 'application/json;charset=utf-8' }
+, json: {
+    subject: email
+  , subject_scheme: 'mailto'
+  , scope: ''
+  , otp: pin
+  , hostname: "User's Macbook Pro"
+  , os_type: 'Linux'
+  , os_platform: 'linux'
+  , os_release: '4.4.0-116-generic'
+  , os_arch: 'x64'
+  }
+};
+urequest(req, function (err, resp, body) {
+  if (err) {
+    console.error(err);
+    return;
+  }
+  console.log('Location:', resp.headers.location);
+  console.log('Body:');
+  console.log(body);
+  /*
+  { jwt: '...'
+  }
+   */
+});

tests/pair-state.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var stateUrl = 'https://api.telebit.ppl.family/api/telebit.cloud/pair_state/bca27428719e9c67805359f1';
+
+var urequest = require('@coolaj86/urequest');
+var req =  {
+  url: stateUrl
+, method: 'GET'
+, json: true
+};
+urequest(req, function (err, resp, body) {
+  if (err) {
+    console.error(err);
+    return;
+  }
+  console.log('Done:');
+  console.log(body);
+  /*
+   body.status = 'ready' | 'pending' | 'complete' | 'invalid'
+   body.access_token // only in 'ready' state
+   */
+});

tests/windows-pipe.js

@@ -0,0 +1,20 @@
+'use strict';
+
+var os = require('os');
+var net = require('net');
+var ipc = {
+  path: /^win/.test(os.platform()) ? '\\\\.\\pipe\\X:/name/of/pipe' : (__dirname + '/tmp.sock')
+};
+var oldUmask = process.umask(0x0000);
+var server = net.createServer();
+
+server.listen({
+  path: ipc.path || null
+, host: 'localhost'
+, port: ipc.port || null
+, writeableAll: true
+, readableAll: true
+}, function () {
+  process.umask(oldUmask);
+  console.log("Listening on", this.address());
+});

tests/windows-spawn-pipe.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var path = require('path');
+var spawn = require('child_process').spawn;
+var args = [
+  path.join(__dirname, 'windows-pipe.js')
+];
+var subprocess = spawn(
+  'node'
+, args
+, { detached: true
+  , stdio: [ 'ignore', process.stdout, process.stderr ]
+  }
+);
+//console.log('[debug]', vars.telebitNode, args.join(' '));
+subprocess.unref();
+subprocess.on('error', function (_err) {
+  console.error(_err);
+});
+subprocess.on('exit', function (code, signal) {
+  console.error('' + code + ' ' + signal + ' failure to launch');
+});

usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist.tpl

@@ -6,38 +6,41 @@
 	<string>Telebit Remote</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/opt/telebit/bin/node</string>
-		<string>/opt/telebit/bin/telebit.js</string>
+		<string>{TELEBIT_NODE}</string>
+		<string>{TELEBITD_JS}</string>
 		<string>daemon</string>
 		<string>--config</string>
-    <string>/opt/telebit/etc/telebit.yml</string>
+		<string>{TELEBITD_CONFIG}</string>
 	</array>
 	<key>EnvironmentVariables</key>
 	<dict>
 		<key>TELEBIT_PATH</key>
-		<string>/opt/telebit</string>
+		<string>{TELEBIT_PATH}</string>
 		<key>NODE_PATH</key>
-		<string>/opt/telebit/lib/node_modules</string>
+		<string>{NODE_PATH}</string>
 		<key>NPM_CONFIG_PREFIX</key>
-		<string>/opt/telebit</string>
+		<string>{NPM_CONFIG_PREFIX}</string>
 	</dict>
 
 	<key>UserName</key>
-	<string>root</string>
+	<string>{TELEBIT_USER}</string>
 	<key>GroupName</key>
-	<string>wheel</string>
+	<string>{TELEBIT_GROUP}</string>
 	<key>InitGroups</key>
 	<true/>
 
 	<key>RunAtLoad</key>
 	<true/>
 	<key>KeepAlive</key>
-	<dict>
+	<true/>
+	<!--dict>
 		<key>Crashed</key>
 		<true/>
-		<key>SuccessfulExit</key>
+		<key>NetworkState</key>
 		<true/>
-	</dict>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict-->
 
 	<key>SoftResourceLimits</key>
 	<dict>
@@ -48,11 +51,11 @@
 	<dict/>
 
 	<key>WorkingDirectory</key>
-  <string>/opt/telebit</string>
+	<string>{TELEBIT_PATH}</string>
 
 	<key>StandardErrorPath</key>
-  <string>/opt/telebit/var/log/error.log</string>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
 	<key>StandardOutPath</key>
-  <string>/opt/telebit/var/log/info.log</string>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
 </dict>
 </plist>

usr/share/dist/bin/telebit.tpl

@@ -0,0 +1,2 @@
+#!/bin/bash
+{TELEBIT_NODE} {TELEBIT_JS} "$@"

usr/share/dist/bin/telebitd.tpl

@@ -0,0 +1,2 @@
+#!/bin/bash
+{TELEBIT_NODE} {TELEBITD_JS} daemon "$@"

usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl

@@ -1,54 +1,57 @@
 # Pre-req
-# sudo adduser telebit --home /opt/telebit
-# sudo mkdir -p /opt/telebit/
-# sudo chown -R telebit:telebit /opt/telebit/
+# sudo adduser telebit --home {TELEBIT_PATH}
+# sudo mkdir -p {TELEBIT_PATH}/
+# sudo chown -R {TELEBIT_USER}:{TELEBIT_GROUP} {TELEBIT_PATH}/
 
 [Unit]
 Description=Telebit Remote
 Documentation=https://git.coolaj86.com/coolaj86/telebit.js/
+; After=network-online.target
+; Wants=network-online.target systemd-networkd-wait-online.service
 
 [Service]
-# Restart on crash (bad signal), but not on 'clean' failure (error exit code)
+# Restart on crash (bad signal), and also on 'clean' failure (error exit code)
 # Allow up to 3 restarts within 10 seconds
 # (it's unlikely that a user or properly-running script will do this)
 Restart=always
 StartLimitInterval=10
 StartLimitBurst=3
 
-# https://wiki.archlinux.org/index.php/Systemd/User
-# ~/.local/share/systemd/user/
-WorkingDirectory=%h/.config/telebit
-# custom directory cannot be set and will be the place where gitea exists, not the working directory
-ExecStart=/opt/telebit/bin/node /opt/telebit/bin/telebit.js --config /etc/telebit/telebit.yml
+# User and group the process will run as
+;User={TELEBIT_USER}
+;Group={TELEBIT_GROUP}
+
+WorkingDirectory={TELEBIT_PATH}
+# custom directory cannot be set and will be the place where this exists, not the working directory
+ExecStart={TELEBIT_NODE} {TELEBITD_JS} daemon --config {TELEBITD_CONFIG}
 ExecReload=/bin/kill -USR1 $MAINPID
 
 # Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
-# Unmodified gitea is not expected to use more than this.
-LimitNOFILE=1048576
-LimitNPROC=64
+# Unmodified, this is not expected to use more than this.
+;LimitNOFILE=1048576    # no issues yet, but disabled just in case
+;LimitNPROC=64          # doesn't work on some systems
 
-# Use private /tmp and /var/tmp, which are discarded after gitea stops.
+# Use private /tmp and /var/tmp, which are discarded after this stops.
 PrivateTmp=true
 # Use a minimal /dev
 PrivateDevices=true
 # Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
-ProtectHome=true
+;ProtectHome=true
 # Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
-# ... except /opt/gitea because we want a place for the database
-# and /var/log/gitea because we want a place where logs can go.
+# ... except for a few because we want a place for config, logs, etc
 # This merely retains r/w access rights, it does not add any new.
 # Must still be writable on the host!
-ReadWriteDirectories=/opt/telebit /etc/telebit
+ReadWriteDirectories={TELEBIT_RW_DIRS}
 
 # Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
-; ReadWritePaths=/opt/telebit /etc/telebit
+; ReadWritePaths={TELEBIT_RW_DIRS}
 
 # The following additional security directives only work with systemd v229 or later.
-# They further retrict privileges that can be gained by gitea.
+# They further retrict privileges that can be gained.
 # Note that you may have to add capabilities required by any plugins in use.
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 # Caveat: Some features may need additional capabilities.
@@ -58,4 +61,5 @@ NoNewPrivileges=true
 ; NoNewPrivileges=true
 
 [Install]
-WantedBy=multi-user.target
+# For userspace service
+WantedBy=default.target

usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>Telebit Remote</string>
+
+	<key>ProgramArguments</key>
+	<array>
+		<string>{TELEBIT_NODE}</string>
+		<string>{TELEBITD_JS}</string>
+		<string>daemon</string>
+		<string>--config</string>
+		<string>{TELEBITD_CONFIG}</string>
+	</array>
+
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>TELEBIT_PATH</key>
+		<string>{TELEBIT_PATH}</string>
+		<key>NODE_PATH</key>
+		<string>{NODE_PATH}</string>
+		<key>NPM_CONFIG_PREFIX</key>
+		<string>{NPM_CONFIG_PREFIX}</string>
+	</dict>
+
+	<!--
+	:: LaunchDaemon Only ::
+	<key>UserName</key>
+	<string>{TELEBIT_USER}</string>
+	<key>GroupName</key>
+	<string>{TELEBIT_GROUP}</string>
+	<key>InitGroups</key>
+	<true/>
+	-->
+
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<true/>
+	<!--
+	<dict>
+		<key>Crashed</key>
+		<true/>
+		<key>NetworkState</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+  -->
+
+  <!--
+	<key>SoftResourceLimits</key>
+	<dict>
+		<key>NumberOfFiles</key>
+		<integer>8192</integer>
+	</dict>
+	<key>HardResourceLimits</key>
+	<dict/>
+  -->
+
+	<key>WorkingDirectory</key>
+	<string>{TELEBIT_PATH}</string>
+
+	<key>StandardErrorPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+	<key>StandardOutPath</key>
+	<string>{TELEBIT_LOG_DIR}/telebit.log</string>
+</dict>
+</plist>

usr/share/dist/etc/systemd/system/telebit.service.tpl

@@ -1,7 +1,7 @@
 # Pre-req
-# sudo adduser telebit --home /opt/telebit
-# sudo mkdir -p /opt/telebit/
-# sudo chown -R telebit:telebit /opt/telebit/
+# sudo adduser telebit --home {TELEBIT_PATH}
+# sudo mkdir -p {TELEBIT_PATH}/
+# sudo chown -R {TELEBIT_USER}:{TELEBIT_GROUP} {TELEBIT_PATH}/
 
 [Unit]
 Description=Telebit Remote
@@ -10,7 +10,7 @@ After=network-online.target
 Wants=network-online.target systemd-networkd-wait-online.service
 
 [Service]
-# Restart on crash (bad signal), but not on 'clean' failure (error exit code)
+# Restart on crash (bad signal), and also on 'clean' failure (error exit code)
 # Allow up to 3 restarts within 10 seconds
 # (it's unlikely that a user or properly-running script will do this)
 Restart=always
@@ -18,13 +18,12 @@ StartLimitInterval=10
 StartLimitBurst=3
 
 # User and group the process will run as
-# (git is the de facto standard on most systems)
-User=telebit
-Group=telebit
+User={TELEBIT_USER}
+Group={TELEBIT_GROUP}
 
-WorkingDirectory=/opt/telebit
+WorkingDirectory={TELEBIT_PATH}
 # custom directory cannot be set and will be the place where this exists, not the working directory
-ExecStart=/opt/telebit/bin/node /opt/telebit/bin/telebit.js daemon --config /opt/telebit/etc/telebit.yml
+ExecStart={TELEBIT_NODE} {TELEBITD_JS} daemon --config {TELEBITD_CONFIG}
 ExecReload=/bin/kill -USR1 $MAINPID
 
 # Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
@@ -40,13 +39,13 @@ PrivateDevices=true
 ProtectHome=true
 # Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
-# ... except /opt/telebit because we want a place for config, logs, etc
+# ... except for a few because we want a place for config, logs, etc
 # This merely retains r/w access rights, it does not add any new.
 # Must still be writable on the host!
-ReadWriteDirectories=/opt/telebit
+ReadWriteDirectories={TELEBIT_RW_DIRS}
 
 # Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
-; ReadWritePaths=/opt/telebit
+; ReadWritePaths={TELEBIT_RW_DIRS}
 
 # The following additional security directives only work with systemd v229 or later.
 # They further retrict privileges that can be gained.
@@ -62,4 +61,7 @@ NoNewPrivileges=true
 ; NoNewPrivileges=true
 
 [Install]
+# For system-level service
 WantedBy=multi-user.target
+# For userspace service
+;WantedBy=default.target

usr/share/install-launcher.js

@@ -0,0 +1,448 @@
+'use strict';
+
+//var fs = require('fs');
+var os = require('os');
+var mkdirp = require('mkdirp');
+var exec = require('child_process').exec;
+var path = require('path');
+
+var Launcher = module.exports;
+Launcher._killAll = function (fn) {
+  var psList = require('ps-list');
+  psList().then(function (procs) {
+    procs.forEach(function (proc) {
+      if ('node' === proc.name && /\btelebitd\b/i.test(proc.cmd)) {
+        console.log(proc);
+        process.kill(proc.pid);
+        return true;
+      }
+    });
+    // Two things:
+    // 1) wait to see if the process dies
+    // 2) wait to give time for the socket to connect
+    setTimeout(function () {
+      if (fn) { fn(null); return; }
+    }, 1.75 * 1000);
+  });
+};
+Launcher._getError = function getError(err, stderr) {
+  if (err) { return err; }
+  if (stderr) {
+    err = new Error(stderr);
+    err.code = 'ELAUNCHER';
+    return err;
+  }
+};
+Launcher._detect = function (things, fn) {
+  if (things.launcher) {
+    if ('string' === typeof things.launcher) {
+      fn(null, things.launcher);
+      return;
+    }
+    if ('function' === typeof things.launcher) {
+      things.launcher(things);
+      return;
+    }
+  }
+
+  // could have used "command-exists" but I'm trying to stay low-dependency
+  // os.platform(), os.type()
+  if (!/^win/i.test(os.platform())) {
+    if (/^darwin/i.test(os.platform())) {
+      exec('command -v launchctl', things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        fn(err, 'launchctl');
+      });
+    } else {
+      exec('command -v systemctl', things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        fn(err, 'systemctl');
+      });
+    }
+  } else {
+    // https://stackoverflow.com/questions/17908789/how-to-add-an-item-to-registry-to-run-at-startup-without-uac
+    // wininit? regedit? SCM?
+    // REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\MyAppPath\MyApp.exe"
+    // https://www.microsoft.com/developerblog/2015/11/09/reading-and-writing-to-the-windows-registry-in-process-from-node-js/
+    // https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-add
+    // https://social.msdn.microsoft.com/Forums/en-US/5b318f44-281e-4098-8dee-3ba8435fa391/add-registry-key-for-autostart-of-app-in-ice?forum=quebectools
+    // utils.elevate
+    // https://github.com/CatalystCode/windows-registry-node
+    exec('where reg.exe', things._execOpts, function (err, stdout, stderr) {
+      //console.log((stdout||'').trim());
+      if (stderr) {
+        console.error(stderr);
+      }
+      fn(err, 'reg.exe');
+    });
+  }
+};
+Launcher.install = function (things, fn) {
+  if (!fn) { fn = function (err) { if (err) { console.error(err); } }; }
+  things = things || {};
+  // in some future version we can take this file out
+  // and accept process.env from things
+  var installLauncher = require('./template-launcher');
+
+  // Right now this is just for npm install -g and npx
+  if (things.env) {
+    things.env.PATH = things.env.PATH || process.env.PATH;
+  } else {
+    things.env = process.env;
+  }
+  things.argv = things.argv || process.argv;
+  things._execOpts = { windowsHide: true, env: things.env };
+  var telebitRoot = path.join(__dirname, '../..');
+  var vars = {
+    telebitPath: telebitRoot
+  , telebitUser: os.userInfo().username
+  , telebitGroup: (/^darwin/i.test(os.platform()) ? 'staff' : os.userInfo().username)
+  , telebitRwDirs: [
+      telebitRoot
+    , path.join(os.homedir(), '.config/telebit')
+    , path.join(os.homedir(), '.local/share/telebit')
+    ]
+  , telebitNode: (things.argv[0]||'').replace(/\.exe/i, '') // path.join(telebitRoot, 'bin/node')
+  , telebitBin: path.join(telebitRoot, 'bin/telebit')
+  , telebitdBin: path.join(telebitRoot, 'bin/telebitd')
+  , telebitJs: path.join(telebitRoot, 'bin/telebit.js')
+  , telebitdJs: path.join(telebitRoot, 'bin/telebitd.js')
+  , telebitConfig: path.join(os.homedir(), '.config/telebit/telebit.yml')
+  , telebitdConfig: path.join(os.homedir(), '.config/telebit/telebitd.yml')
+  , TELEBIT_LOG_DIR: path.join(os.homedir(), '.local/share/telebit/var/log')
+  , TELEBIT_SOCK_DIR: path.join(os.homedir(), '.local/share/telebit/var/run')
+  };
+  vars.telebitBinTpl = path.join(telebitRoot, 'usr/share/dist/bin/telebit.tpl');
+  vars.telebitNpm = path.resolve(vars.telebitNode, '../npm');
+  vars.nodePath = path.resolve(vars.telebitNode, '../../lib/node_modules');
+  vars.npmConfigPrefix = path.resolve(vars.telebitNode, '..', '..');
+  vars.userspace = (!things.telebitUser || (things.telebitUser === os.userInfo().username)) ? true : false;
+  if (-1 === vars.telebitRwDirs.indexOf(vars.npmConfigPrefix)) {
+    vars.telebitRwDirs.push(vars.npmConfigPrefix);
+  }
+  vars.telebitRwDirs = vars.telebitRwDirs.join(' ');
+  var launchers = {
+    'node': function () {
+      var fs = require('fs');
+      var spawn = require('child_process').spawn;
+      var logpath = path.join(os.homedir(), '.local/share/telebit/var/log');
+      try {
+        mkdirp.sync(logpath);
+      } catch(e) {
+        if (fn) { fn(e); return; }
+        return;
+      }
+      var stdout = fs.openSync(path.join(logpath, 'info.log'), 'a');
+      var stderr = fs.openSync(path.join(logpath, 'error.log'), 'a');
+
+      var killed = 0;
+      var err;
+      var args = [
+        path.join(telebitRoot, 'bin/telebitd.js')
+      , 'daemon'
+      , '--config'
+      , vars.telebitdConfig
+      ];
+      var subprocess = spawn(
+        vars.telebitNode
+      , args
+      , { detached: true
+        , stdio: [ 'ignore', stdout, stderr ]
+        }
+      );
+      //console.log('[debug]', vars.telebitNode, args.join(' '));
+      subprocess.unref();
+      subprocess.on('error', function (_err) {
+        err = _err;
+        killed += 1;
+      });
+      subprocess.on('exit', function (code, signal) {
+        if (!err) { err = new Error('' + code + ' ' + signal + ' failure to launch'); }
+        killed += 1;
+      });
+
+      // Two things:
+      // 1) wait to see if the process dies
+      // 2) wait to give time for the socket to connect
+      setTimeout(function () {
+        if (fn) { fn(err); return; }
+      }, 1.75 * 1000);
+      return;
+    }
+  , 'launchctl': function () {
+      var launcher = path.join(os.homedir(), 'Library/LaunchAgents/cloud.telebit.remote.plist');
+      try {
+        mkdirp.sync(path.join(os.homedir(), 'Library/LaunchAgents'));
+        installLauncher.sync({
+            file: {
+              tpl: vars.telebitBinTpl
+            , launcher: path.join(vars.telebitPath, 'bin/telebit')
+            , executable: true
+          }
+        , vars: vars
+        });
+        installLauncher({
+          file: {
+              tpl: path.join(vars.telebitPath, 'usr/share/dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl')
+            , launcher: launcher
+            }
+          , vars: vars
+        });
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "launchctl ";
+        var execstr = launcherstr + "unload -w " + launcher;
+        exec(execstr, things._execOpts, function (/*err, stdout, stderr*/) {
+          // we probably only need to skip the stderr (saying that it can't stop something that isn't started)
+          //err = Launcher._getError(err, stderr);
+          //if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('unload worked?');
+          execstr = launcherstr + "load -w " + launcher;
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            //console.log('load worked?');
+            setTimeout(function () {
+              fn(null);
+            }, 1.25 * 1000);
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+   , 'systemctl': function () {
+      var launcher = path.join(os.homedir(), '.config/systemd/user/telebit.service');
+      var launchername = 'telebit.service';
+      try {
+        mkdirp.sync(path.join(os.homedir(), '.config/systemd/user'));
+        installLauncher({
+          file: {
+            tpl: path.join(vars.telebitPath, 'usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl')
+          , launcher: launcher
+          }
+        , vars: vars
+        }, function () {
+          // IMPORTANT
+          // It's a dangerous to go alone, take this:
+          // SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
+          // (makes debugging systemd issues not "easy" per se, but possible)
+          var launcherstr = (vars.userspace ? "" : "sudo ") + "systemctl " + (vars.userspace ? "--user " : "");
+          var execstr = launcherstr + "daemon-reload";
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            var execstr = launcherstr + "enable " + launchername;
+            exec(execstr, things._execOpts, function (err, stdout, stderr) {
+              err = Launcher._getError(err, stderr && !/Created symlink/i.test(stderr) && stderr || '');
+              if (err) { fn(err); return; }
+              //console.log((stdout||'').trim());
+              var execstr = launcherstr + "restart " + launchername;
+              exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                err = Launcher._getError(err, stderr);
+                if (err) { fn(err); return; }
+                //console.log((stdout||'').trim());
+                setTimeout(function () {
+                  var execstr = launcherstr + "status " + launchername;
+                  exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                    err = Launcher._getError(err, stderr);
+                    if (err) { fn(err); return; }
+                    if (!/active.*running/i.test(stdout)) {
+                      err = new Error("systemd failed to start '" + launchername + "'");
+                    }
+                    if (err) { fn(err); return; }
+                    //console.log((stdout||'').trim());
+                    fn(null);
+                  });
+                }, 1.25 * 1000);
+              });
+            });
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+  , 'reg.exe': function () {
+      if (!vars.userspace) {
+        console.warn("sysetm-level, privileged services are not yet supported on windows");
+      }
+      vars.telebitNode += '.exe';
+      var cmd = 'reg.exe add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"'
+        + ' /V "Telebit" /t REG_SZ /D '
+        + '"' + things.argv[0] + ' /c '  // something like C:\\Program Files (x64)\nodejs\node.exe
+        + [ path.join(__dirname, 'bin/telebitd.js')
+          , 'daemon'
+          , '--config'
+          , path.join(os.homedir(), '.config/telebit/telebitd.yml')
+          ].join(' ')
+        + '" /F'
+        ;
+      exec(cmd, things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        if (err) { fn(err); return; }
+        // need to start it for the first time ourselves
+        run(null, 'node');
+      });
+    }
+  };
+
+  function run(err, launcher) {
+    if (err) {
+      console.error("No luck with '" + launcher + "', trying a child process instead...");
+      console.error(err);
+      launcher = 'node';
+    }
+
+    if (launchers[launcher]) {
+      // console.log('Launching with launcher ' + launcher);
+      mkdirp.sync(path.join(vars.telebitPath, 'bin'));
+      mkdirp.sync(vars.TELEBIT_LOG_DIR);
+      mkdirp.sync(vars.TELEBIT_SOCK_DIR);
+      launchers[launcher]();
+      return;
+    } else {
+      console.error("No launcher handler for '" + launcher+ "'");
+    }
+  }
+
+  things._vars = vars;
+  things._userspace = vars.userspace;
+  Launcher._detect(things, run);
+};
+Launcher.uninstall = function (things, fn) {
+  if (!fn) { fn = function (err) { if (err) { console.error(err); } }; }
+  things = things || {};
+
+  // Right now this is just for npm install -g and npx
+  if (things.env) {
+    things.env.PATH = things.env.PATH || process.env.PATH;
+  } else {
+    things.env = process.env;
+  }
+  things.argv = things.argv || process.argv;
+  things._execOpts = { windowsHide: true, env: things.env };
+  var vars = {
+    telebitUser: os.userInfo().username
+  };
+  vars.userspace = (!things.telebitUser || (things.telebitUser === os.userInfo().username)) ? true : false;
+  var launchers = {
+    'node': function () {
+      Launcher._killAll(fn);
+    }
+  , 'launchctl': function () {
+      var launcher = path.join(os.homedir(), 'Library/LaunchAgents/cloud.telebit.remote.plist');
+      try {
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "launchctl ";
+        var execstr = launcherstr + "unload -w " + launcher;
+        exec(execstr, things._execOpts, function (err, stdout, stderr) {
+          // we probably only need to skip the stderr (saying that it can't stop something that isn't started)
+          //err = Launcher._getError(err, stderr);
+          //if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('unload worked?');
+          err = Launcher._getError(err, stderr);
+          if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          //console.log('load worked?');
+          setTimeout(function () {
+            fn(null);
+          }, 1.25 * 1000);
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error (uninstall):");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+   , 'systemctl': function () {
+      var launcher = path.join(os.homedir(), '.config/systemd/user/telebit.service');
+      var launchername = 'telebit.service';
+      try {
+        mkdirp.sync(path.join(os.homedir(), '.config/systemd/user'));
+        // IMPORTANT
+        // It's a dangerous to go alone, take this:
+        // SYSTEMD_LOG_LEVEL=debug journalctl -xef --user-unit=telebit
+        // (makes debugging systemd issues not "easy" per se, but possible)
+        var launcherstr = (vars.userspace ? "" : "sudo ") + "systemctl " + (vars.userspace ? "--user " : "");
+        var execstr = launcherstr + "disable " + launchername;
+        exec(execstr, things._execOpts, function (err, stdout, stderr) {
+          err = Launcher._getError(err, stderr && !/Removed symlink/i.test(stderr) && stderr || '');
+          if (err) { fn(err); return; }
+          //console.log((stdout||'').trim());
+          var execstr = launcherstr + "stop " + launchername;
+          exec(execstr, things._execOpts, function (err, stdout, stderr) {
+            err = Launcher._getError(err, stderr);
+            if (err) { fn(err); return; }
+            //console.log((stdout||'').trim());
+            setTimeout(function () {
+              var execstr = launcherstr + "status " + launchername;
+              exec(execstr, things._execOpts, function (err, stdout, stderr) {
+                err = Launcher._getError(err, stderr);
+                if (err) { fn(err); return; }
+                if (!/inactive.*dead/i.test(stdout)) {
+                  err = new Error("systemd failed to stop '" + launchername + "'");
+                }
+                if (err) { fn(err); return; }
+                //console.log((stdout||'').trim());
+                fn(null);
+              });
+            }, 1.25 * 1000);
+          });
+        });
+      } catch(e) {
+        console.error("'" + launcher + "' error:");
+        console.error(e);
+        if (fn) { fn(e); return; }
+      }
+    }
+  , 'reg.exe': function () {
+      if (!vars.userspace) {
+        console.warn("sysetm-level, privileged services are not yet supported on windows");
+      }
+      var cmd = 'reg.exe add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"'
+        + ' /V "Telebit" /F'
+        ;
+      exec(cmd, things._execOpts, function (err, stdout, stderr) {
+        err = Launcher._getError(err, stderr);
+        if (err) { fn(err); return; }
+        // need to start it for the first time ourselves
+        kill(null, 'node');
+      });
+    }
+  };
+
+  function kill(err, launcher) {
+    if (err) {
+      console.error("No luck with '" + launcher + "', trying a process.kill() instead...");
+      console.error(err);
+      launcher = 'node';
+    }
+
+    if (launchers[launcher]) {
+      launchers[launcher]();
+      return;
+    } else {
+      console.error("No launcher handler (uninstall) for '" + launcher + "'");
+    }
+  }
+
+  things._vars = vars;
+  things._userspace = vars.userspace;
+  Launcher._detect(things, kill);
+};
+
+if (module === require.main) {
+  Launcher.install({
+    argv: process.argv
+  , env: process.env
+  }, function (err) {
+    if (err) { console.error(err); return; }
+    console.log("Telebit launched, or so it seems.");
+  });
+}

usr/share/install.sh

@@ -59,10 +59,11 @@ http_get()
 
 http_bash()
 {
-  _http_url=$1
-  my_args=${2:-}
-  my_tmp=$(mktemp)
-  $_my_http_get $_my_http_opts $_my_http_out "$my_tmp" "$_http_url"; bash "$my_tmp" $my_args; rm "$my_tmp"
+  local _http_bash_url=$1
+  local _http_bash_args=${2:-}
+  local _http_bash_tmp=$(mktemp)
+  $_my_http_get $_my_http_opts $_my_http_out "$_http_bash_tmp" "$_http_bash_url"
+  bash "$_http_bash_tmp" $_http_bash_args; rm "$_http_bash_tmp"
 }
 
 detect_http_get
@@ -73,9 +74,12 @@ export -f http_bash
 ##       END HTTP_GET        ##
 ###############################
 
-my_branch=master
+if [ -n "${TELEBIT_VERSION:-}" ]; then
+  echo 'TELEBIT_VERSION='${TELEBIT_VERSION}
+fi
+export TELEBIT_VERSION=${TELEBIT_VERSION:-master}
 if [ -e "usr/share/install_helper.sh" ]; then
   bash usr/share/install_helper.sh "$@"
 else
-  http_bash https://git.coolaj86.com/coolaj86/telebit.js/raw/branch/$my_branch/usr/share/install_helper.sh "$@"
+  http_bash https://git.coolaj86.com/coolaj86/telebit.js/raw/branch/$TELEBIT_VERSION/usr/share/install_helper.sh "$@"
 fi

usr/share/install_helper.sh

@@ -31,19 +31,56 @@ set -u
 
 ### http_bash exported by get.sh
 
+TELEBIT_DEBUG=${TELEBIT_DEBUG:-}
+
+# NOTE: On OS X logname works from a pipe, but on Linux it does not
+my_logname=$(who am i </dev/tty | awk '{print $1}')
+#my_logname=${my_logname:-$(logname)}
+#my_logname=${my_logname:-$SUDO_USER}
+if [ -n "$my_logname" ] && [ "$my_logname" != "$(id -u -n)" ]; then
+  echo "WARNING:"
+  echo "    You are logged in as '$(logname)' but acting as '$(id -u -n)'."
+  echo "    If the installation is not successful please log in as '$(id -u -n)' directly."
+  sleep 3
+fi
+
+if [ -n "${TELEBIT_DEBUG:-}" ]; then
+  echo 'TELEBIT_DEBUG='${TELEBIT_DEBUG}
+fi
+if [ -n "${TELEBIT_PATH:-}" ]; then
+  echo 'TELEBIT_PATH='${TELEBIT_PATH}
+fi
+if [ -n "${TELEBIT_USERSPACE:-}" ]; then
+  echo 'TELEBIT_USERSPACE='${TELEBIT_USERSPACE}
+fi
+if [ -n "${TELEBIT_USER:-}" ]; then
+  echo 'TELEBIT_USER='${TELEBIT_USER}
+fi
+if [ -n "${TELEBIT_GROUP:-}" ]; then
+  echo 'TELEBIT_GROUP='${TELEBIT_GROUP}
+fi
+TELEBIT_VERSION=${TELEBIT_VERSION:-master}
+TELEBIT_USERSPACE=${TELEBIT_USERSPACE:-no}
 my_email=${1:-}
 my_relay=${2:-}
 my_servernames=${3:-}
 my_secret=${4:-}
-my_user="telebit"
+
+cur_user="$(id -u -n)"
+TELEBIT_USER="${TELEBIT_USER:-$cur_user}"
+
+cur_group="$(id -g -n)"
+TELEBIT_GROUP="${TELEBIT_GROUP:-$cur_group}"
+
 my_app_pkg_name="cloud.telebit.remote"
 my_app="telebit"
+my_daemon="telebitd"
 my_bin="telebit.js"
 my_name="Telebit Remote"
 my_repo="telebit.js"
 my_root=${my_root:-} # todo better install script
-sudo_cmd="sudo"
-sudo_cmde="sudo "
+soft_sudo_cmd="sudo"
+soft_sudo_cmde="sudo "
 exec 3<>/dev/tty
 read_cmd="read -u 3"
 # TODO detect if rsync is available and use rsync -a (more portable)
@@ -69,92 +106,79 @@ fi
 set -e
 
 if [ "root" == $(whoami) ] || [ 0 == $(id -u) ]; then
-  sudo_cmd=" "
-  sudo_cmde=""
-fi
-
-if [ -z "${my_email}" ]; then
-  echo ""
-  echo ""
-  echo "Telebit uses Greenlock for free automated ssl through Let's Encrypt."
-  echo ""
-  echo "To accept the Terms of Service for Telebit, Greenlock and Let's Encrypt,"
-  echo "please enter your email."
-  echo ""
-  $read_cmd -p "email: " my_email
-  echo ""
-  # UX - just want a smooth transition
-  sleep 0.25
-fi
-
-if [ -z "${my_relay}" ]; then
-  echo "What relay will you be using? (press enter for default)"
-  echo ""
-  $read_cmd -p "relay [default: telebit.cloud]: " my_relay
-  echo ""
-  my_relay=${my_relay:-telebit.cloud}
-  # UX - just want a smooth transition
-  sleep 0.25
-fi
-
-if [ -n "$my_relay" ] && [ "$my_relay" != "telebit.cloud" ]; then
-  if [ -z "${my_servernames}" ]; then
-    #echo "What servername(s) will you be relaying here? (press enter for default)"
-    echo "What servername(s) will you be relaying here?"
-    echo ""
-    #$read_cmd -p "domain [default: <random>.telebit.cloud]: " my_servernames
-    $read_cmd -p "domain: " my_servernames
-    echo ""
-    # UX - just want a smooth transition
-    sleep 0.25
-  fi
-
-  if [ -z "${my_secret}" ]; then
-    #echo "What's your authorization for the relay server? (press enter for default)"
-    echo "What's your authorization for the relay server?"
-    echo ""
-    #$read_cmd -p "auth [default: new account]: " my_secret
-    $read_cmd -p "secret: " my_secret
-    echo ""
-    # UX - just want a smooth transition
-    sleep 0.25
-  fi
+  soft_sudo_cmd=" "
+  soft_sudo_cmde=""
 fi
 
 echo ""
 
-if [ -z "${TELEBIT_PATH:-}" ]; then
-  echo 'TELEBIT_PATH="'${TELEBIT_PATH:-}'"'
-  TELEBIT_PATH=/opt/$my_app
+TELEBIT_REAL_PATH=${TELEBIT_PATH:-}
+
+if [ $(id -u) -ne 0 ] && [ "$TELEBIT_USER" == "$cur_user" ]; then
+  TELEBIT_USERSPACE="yes"
+  if [ -z "${TELEBIT_REAL_PATH:-}" ]; then
+    TELEBIT_REAL_PATH=$HOME/Applications/$my_app
+  fi
+else
+  TELEBIT_USERSPACE="no"
+  if [ -z "${TELEBIT_REAL_PATH:-}" ]; then
+    TELEBIT_REAL_PATH=/opt/$my_app
+  fi
+fi
+TELEBIT_PATH="$TELEBIT_REAL_PATH"
+TELEBIT_TMP="$TELEBIT_REAL_PATH"
+# this works slightly differently between bsd (macOS) and gnu mktemp
+# bsd requires the Xes for templates while GNU uses them literally
+my_tmp="$(mktemp -d -t telebit.XXXXXXXX)"
+#TELEBIT_TMP="$my_tmp/telebit"
+
+echo "Installing $my_name to '$TELEBIT_REAL_PATH'"
+# v10.2+ has much needed networking fixes, but breaks ursa.
+# v9.x has severe networking bugs.
+# v8.x has working ursa, but requires tls workarounds"
+# v10.13 seems to work for me locally (new greenlock)
+NODEJS_VER="${NODEJS_VER:-v10.13}"
+export NODEJS_VER
+export NODE_PATH="$TELEBIT_TMP/lib/node_modules"
+export NPM_CONFIG_PREFIX="$TELEBIT_TMP"
+# this comes last for security
+export PATH="$PATH:$TELEBIT_REAL_PATH/bin"
+sleep 0.25
+real_sudo_cmd=$soft_sudo_cmd
+real_sudo_cmde=$soft_sudo_cmde
+
+set +e
+mkdir -p $my_tmp "$TELEBIT_REAL_PATH" "$TELEBIT_REAL_PATH/etc" "$TELEBIT_REAL_PATH/var/log" 2>/dev/null && \
+  chown -R $(id -u -n):$(id -g -n) $my_tmp "$TELEBIT_REAL_PATH" 2>/dev/null
+if [ $? -eq 0 ]; then
+  soft_sudo_cmd=" "
+  soft_sudo_cmde=""
+else
+  $soft_sudo_cmd mkdir -p $my_tmp "$TELEBIT_REAL_PATH" "$TELEBIT_REAL_PATH/etc" "$TELEBIT_REAL_PATH/var/log"
+  $soft_sudo_cmd chown -R $(id -u -n):$(id -g -n) $my_tmp "$TELEBIT_REAL_PATH"
+fi
+set -e
+
+
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - installing node.js runtime to '$TELEBIT_REAL_PATH'..."
+  http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps
+else
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps >/dev/null 2>/dev/null
+  #kill $_my_pid >/dev/null 2>/dev/null
 fi
 
-echo "Installing $my_name to '$TELEBIT_PATH'"
-# v10.2+ has much needed networking fixes, but breaks ursa. v9.x has severe networking bugs. v8.x has working ursa, but requires tls workarounds"
-NODEJS_VER="${NODEJS_VER:-v10}"
-export NODEJS_VER
-export NODE_PATH="$TELEBIT_PATH/lib/node_modules"
-export NPM_CONFIG_PREFIX="$TELEBIT_PATH"
-export PATH="$TELEBIT_PATH/bin:$PATH"
-sleep 0.25
-echo "(your password may be required to complete installation)"
+#
+# TODO create "upgrade" script and run that instead
+#
 
-echo "  - installing node.js runtime to '$TELEBIT_PATH'..."
-http_bash https://git.coolaj86.com/coolaj86/node-installer.sh/raw/branch/master/install.sh --no-dev-deps >/dev/null 2>/dev/null
-
-my_tree="telebit" # my_branch
-my_node="$TELEBIT_PATH/bin/node"
-my_npm="$my_node $TELEBIT_PATH/bin/npm"
-my_tmp="$(mktemp -d)"
-mkdir -p $my_tmp
-
-#echo "${sudo_cmde}mkdir -p '$TELEBIT_PATH'{etc,var/log}"
-$sudo_cmd mkdir -p "$TELEBIT_PATH"
-$sudo_cmd mkdir -p "$TELEBIT_PATH/etc"
-$sudo_cmd mkdir -p "$TELEBIT_PATH/var/log"
-$sudo_cmd chown -R $(id -u -n):$(id -g -n) "$TELEBIT_PATH"
-#echo "${sudo_cmde}mkdir -p '/etc/$my_app/'"
-#$sudo_cmd mkdir -p "/etc/$my_app/"
-#$sudo_cmd chown $(id -u -n):$(id -g -n) "/etc/$my_app/"
+my_node="$TELEBIT_REAL_PATH/bin/node"
+tmp_node="$TELEBIT_TMP/bin/node"
+my_npm="$my_node $TELEBIT_TMP/bin/npm"
+tmp_npm="$tmp_node $TELEBIT_TMP/bin/npm"
 
 #https://git.coolaj86.com/coolaj86/telebit.js.git
 #https://git.coolaj86.com/coolaj86/telebit.js/archive/:tree:.tar.gz
@@ -162,279 +186,389 @@ $sudo_cmd chown -R $(id -u -n):$(id -g -n) "$TELEBIT_PATH"
 set +e
 my_unzip=$(type -p unzip)
 my_tar=$(type -p tar)
+# TODO extract to temporary directory, configure, copy etc, replace
 if [ -n "$my_unzip" ]; then
-  rm -f $my_tmp/$my_app-$my_tree.zip
-  echo "  - installing telebit zip to '$TELEBIT_PATH'..."
-  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$my_tree.zip $my_tmp/$my_app-$my_tree.zip
+  rm -f $my_tmp/$my_app-$TELEBIT_VERSION.zip
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit zip to '$TELEBIT_REAL_PATH'"
+  fi
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$TELEBIT_VERSION.zip $my_tmp/$my_app-$TELEBIT_VERSION.zip
+  #kill $_my_pid >/dev/null 2>/dev/null
   # -o means overwrite, and there is no option to strip
-  $my_unzip -o $my_tmp/$my_app-$my_tree.zip -d $TELEBIT_PATH/ > /dev/null 2>&1
-  $rsync_cmd  $TELEBIT_PATH/$my_repo/* $TELEBIT_PATH/ > /dev/null
-  rm -rf $TELEBIT_PATH/$my_bin
+  $my_unzip -o $my_tmp/$my_app-$TELEBIT_VERSION.zip -d $my_tmp/ >/dev/null
+  $rsync_cmd  $my_tmp/$my_repo/* $TELEBIT_TMP/ > /dev/null
+  rm -rf $my_tmp/$my_repo
 elif [ -n "$my_tar" ]; then
-  rm -f $my_tmp/$my_app-$my_tree.tar.gz
-  echo "  - installing telebit tar.gz to '$TELEBIT_PATH'..."
-  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$my_tree.tar.gz $my_tmp/$my_app-$my_tree.tar.gz
-  ls -lah $my_tmp/$my_app-$my_tree.tar.gz
-  $my_tar -xzf $my_tmp/$my_app-$my_tree.tar.gz --strip 1 -C $TELEBIT_PATH/
+  rm -f $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit tar.gz to '$TELEBIT_REAL_PATH'"
+  fi
+  echo -n "."
+  #bash -c 'while true; do echo -n "."; sleep 2; done' 2>/dev/null &
+  #_my_pid=$!
+  http_get https://git.coolaj86.com/coolaj86/$my_repo/archive/$TELEBIT_VERSION.tar.gz $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz
+  #kill $_my_pid >/dev/null 2>/dev/null
+  $my_tar -xzf $my_tmp/$my_app-$TELEBIT_VERSION.tar.gz --strip 1 -C $TELEBIT_TMP/ >/dev/null
 else
   echo "Neither tar nor unzip found. Abort."
   exit 13
 fi
 set -e
 
-pushd $TELEBIT_PATH >/dev/null
-  echo "  - installing telebit npm dependencies to '$TELEBIT_PATH'..."
-  echo "    (are you noticing a pattern of where things are installed?)"
-  $my_npm install >/dev/null 2>/dev/null
+#
+# TODO create slim packages that contain all the deps on each os and cpu
+#
+pushd $TELEBIT_TMP >/dev/null
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "  - installing telebit npm dependencies to '$TELEBIT_REAL_PATH'..."
+  else
+    echo -n "."
+  fi
+  set +e
+  $tmp_npm install >/dev/null 2>/dev/null &
+  tmp_npm_pid=$!
+  while [ -n "$tmp_npm_pid" ]; do
+    sleep 2
+    echo -n "."
+    kill -s 0 $tmp_npm_pid >/dev/null 2>/dev/null || tmp_npm_pid=""
+  done
+  set -e
+  echo -n "."
+  $tmp_npm install >/dev/null 2>/dev/null
+  # ursa is now an entirely optional dependency for key generation
+  # but very much needed on ARM devices
+  $tmp_npm install ursa >/dev/null 2>/dev/null || true
 popd >/dev/null
 
-echo "  - configuring telebit..."
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - configuring telebit..."
+  echo ""
+fi
 
-echo '#!/bin/bash' > "$TELEBIT_PATH/bin/$my_app"
-echo "$my_node $TELEBIT_PATH/bin/$my_bin "'"$@"' >> "$TELEBIT_PATH/bin/$my_app"
-chmod a+x "$TELEBIT_PATH/bin/$my_app"
+###############################################
+#
+# TODO convert to node script
+#
+# Now that node is installed and the telebit
+# packeage is downloaded, everything can be
+# run from node, except things requiring sudo
+#
+###############################################
+
+# telebit remote
+echo '#!/bin/bash' > "$TELEBIT_TMP/bin/$my_app"
+echo "$my_node $TELEBIT_REAL_PATH/bin/$my_bin "'"$@"' >> "$TELEBIT_TMP/bin/$my_app"
+chmod a+x "$TELEBIT_TMP/bin/$my_app"
+
+# telebit daemon
+echo '#!/bin/bash' > "$TELEBIT_TMP/bin/$my_daemon"
+echo "$my_node $TELEBIT_REAL_PATH/bin/$my_daemon.js daemon "'"$@"' >> "$TELEBIT_TMP/bin/$my_daemon"
+chmod a+x "$TELEBIT_TMP/bin/$my_daemon"
 
 # Create uninstall script based on the install script variables
-cat << EOF > $TELEBIT_PATH/bin/${my_app}_uninstall
+cat << EOF > $TELEBIT_TMP/bin/${my_app}_uninstall
 #!/bin/bash
+set -x
 if [ "$(type -p launchctl)" ]; then
   sudo launchctl unload -w /Library/LaunchDaemons/${my_app_pkg_name}.plist
-  sudo rm -rf /Library/LaunchDaemons/cloud.telebit.remote.plist
+  sudo rm -f /Library/LaunchDaemons/${my_app_pkg_name}.plist
+
+  launchctl unload -w $HOME/Library/LaunchAgents/${my_app_pkg_name}.plist
+  rm -f $HOME/Library/LaunchAgents/${my_app_pkg_name}.plist
 fi
 if [ "$(type -p systemctl)" ]; then
-  sudo systemctl disable telebit; sudo systemctl stop telebit
-  sudo rm -rf /etc/systemd/system/$my_app.service
+  systemctl --user disable $my_app >/dev/null
+  systemctl --user stop $my_app
+  rm -f $HOME/.config/systemd/user/$my_app.service
+
+  sudo systemctl disable $my_app >/dev/null
+  sudo systemctl stop $my_app
+  sudo rm -f /etc/systemd/system/$my_app.service
 fi
-sudo rm -rf $TELEBIT_PATH /usr/local/bin/$my_app
-rm -rf ~/.config/$my_app ~/.local/share/$my_app
+sudo rm -rf $TELEBIT_REAL_PATH /usr/local/bin/$my_app
+sudo rm -rf $TELEBIT_REAL_PATH /usr/local/bin/$my_daemon
+rm -rf $HOME/.config/$my_app $HOME/.local/share/$my_app
 EOF
-chmod a+x $TELEBIT_PATH/bin/${my_app}_uninstall
+chmod a+x $TELEBIT_TMP/bin/${my_app}_uninstall
 
-echo "${sudo_cmde}ln -sf $TELEBIT_PATH/bin/$my_app /usr/local/bin/$my_app"
-$sudo_cmd ln -sf $TELEBIT_PATH/bin/$my_app /usr/local/bin/$my_app
-
-set +e
-if type -p setcap >/dev/null 2>&1; then
-  #echo "Setting permissions to allow $my_app to run on port 80 and port 443 without sudo or root"
-  echo "${sudo_cmde}setcap cap_net_bind_service=+ep $TELEBIT_PATH/bin/node"
-  $sudo_cmd setcap cap_net_bind_service=+ep $TELEBIT_PATH/bin/node
-fi
-set -e
+#set +e
+#if type -p setcap >/dev/null 2>&1; then
+#  #echo "Setting permissions to allow $my_app to run on port 80 and port 443 without sudo or root"
+#  echo "    > ${real_sudo_cmde}setcap cap_net_bind_service=+ep $TELEBIT_REAL_PATH/bin/node"
+#  $real_sudo_cmd setcap cap_net_bind_service=+ep $TELEBIT_REAL_PATH/bin/node
+#fi
+#set -e
 
+my_skip=""
 set +e
 # TODO for macOS https://apple.stackexchange.com/questions/286749/how-to-add-a-user-from-the-command-line-in-macos
-if type -p adduser >/dev/null 2>/dev/null; then
-  if [ -z "$(cat $my_root/etc/passwd | grep $my_user)" ]; then
-    $sudo_cmd adduser --home $TELEBIT_PATH --gecos '' --disabled-password $my_user >/dev/null 2>&1
+# TODO do stuff for groups too
+# TODO add ending $
+if type -p dscl >/dev/null 2>/dev/null; then
+  if [ -n "$(dscl . list /users | grep ^$TELEBIT_USER)" ] && [ -n "$(dscl . list /groups | grep ^$TELEBIT_GROUP)" ]; then
+    my_skip="yes"
+  fi
+elif [ -n "$(cat $my_root/etc/passwd | grep $TELEBIT_USER)" ] && [ -n "$(cat $my_root/etc/group | grep $TELEBIT_GROUP)" ]; then
+  my_skip="yes"
+fi
+
+if [ -z "$my_skip" ]; then
+  if type -p adduser >/dev/null 2>/dev/null; then
+    $real_sudo_cmd adduser --home $TELEBIT_REAL_PATH --gecos '' --disabled-password $TELEBIT_USER >/dev/null 2>&1
+    #TELEBIT_USER=$my_app_name
+    TELEBIT_GROUP=$TELEBIT_USER
+  elif [ -n "$(cat /etc/passwd | grep www-data:)" ]; then
+    # Linux (Ubuntu)
+    TELEBIT_USER=www-data
+    TELEBIT_GROUP=www-data
+  elif [ -n "$(cat /etc/passwd | grep _www:)" ]; then
+    # Mac
+    TELEBIT_USER=_www
+    TELEBIT_GROUP=_www
+  else
+    # Unsure
+    TELEBIT_USER=$(id -u -n) # $(whoami)
+    TELEBIT_GROUP=$(id -g -n)
   fi
-  #my_user=$my_app_name
-  my_group=$my_user
-elif [ -n "$(cat /etc/passwd | grep www-data:)" ]; then
-  # Linux (Ubuntu)
-  my_user=www-data
-  my_group=www-data
-elif [ -n "$(cat /etc/passwd | grep _www:)" ]; then
-  # Mac
-  my_user=_www
-  my_group=_www
-else
-  # Unsure
-  my_user=$(id -u -n) # $(whoami)
-  my_group=$(id -g -n)
 fi
 set -e
 
-# TODO don't create this in TMP_PATH if it exists in TELEBIT_PATH
-my_config="$TELEBIT_PATH/etc/$my_app.yml"
-mkdir -p "$(dirname $my_config)"
-if [ ! -e "$my_config" ]; then
+export TELEBIT_USER
+export TELEBIT_GROUP
+export TELEBIT_PATH
+export TELEBIT_CONFIG=$HOME/.config/$my_app/$my_app.yml
+# TODO check both expected sock paths in client by default
+if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+  TELEBIT_TMP_CONFIGD=$HOME/.config/$my_app/$my_daemon.yml
+  TELEBITD_CONFIG=$HOME/.config/$my_app/$my_daemon.yml
+  TELEBIT_LOG_DIR=${TELEBIT_LOG_DIR:-$HOME/.local/share/$my_app/var/log/}
+  TELEBIT_SOCK_DIR=${TELEBIT_SOCK_DIR:-$HOME/.local/share/$my_app/var/run/}
+  TELEBIT_SOCK=${TELEBIT_SOCK:-$HOME/.local/share/$my_app/var/run/$my_app.sock}
+else
+  TELEBIT_TMP_CONFIGD=$TELEBIT_TMP/etc/$my_daemon.yml
+  TELEBITD_CONFIG=$TELEBIT_REAL_PATH/etc/$my_daemon.yml
+  TELEBIT_LOG_DIR=${TELEBIT_LOG_DIR:-$TELEBIT_REAL_PATH/var/log/}
+  TELEBIT_SOCK_DIR=${TELEBIT_SOCK_DIR:-$TELEBIT_REAL_PATH/var/run/}
+  TELEBIT_SOCK=${TELEBIT_SOCK:-$TELEBIT_REAL_PATH/var/run/$my_app.sock}
+fi
+export TELEBITD_CONFIG
+export TELEBIT_SOCK
+export TELEBIT_NODE=$TELEBIT_REAL_PATH/bin/node
+export TELEBIT_NPM=$TELEBIT_REAL_PATH/bin/npm
+export TELEBIT_BIN=$TELEBIT_REAL_PATH/bin/telebit
+export TELEBITD_BIN=$TELEBIT_REAL_PATH/bin/telebitd
+export TELEBIT_JS=$TELEBIT_REAL_PATH/bin/telebit.js
+export TELEBITD_JS=$TELEBIT_REAL_PATH/bin/telebitd.js
+export TELEBIT_LOG_DIR
+export TELEBIT_SOCK_DIR
+export NODE_PATH="$TELEBIT_REAL_PATH/lib/node_modules"
+export NPM_CONFIG_PREFIX="$TELEBIT_REAL_PATH"
 
-  #$rsync_cmd examples/$my_app.yml "$my_config"
+$my_node $TELEBIT_TMP/usr/share/template-launcher.js
 
-  if [ -n "$my_email" ]; then
-    echo "email: $my_email" >> "$my_config"
-    echo "agree_tos: true" >> "$my_config"
-  else
-    echo "#email: jon@example.com # used for Automated HTTPS and Telebit.Cloud registrations" >> "$my_config"
-    echo "#agree_tos: true # must be enabled to use Automated HTTPS and Telebit.Cloud" >> "$my_config"
-  fi
+# TODO don't create this in TMP_PATH if it exists in TELEBIT_REAL_PATH
+mkdir -p "$(dirname $TELEBIT_TMP_CONFIGD)"
+if [ ! -e "$TELEBITD_CONFIG" ]; then
 
-  if [ -n "$my_relay" ]; then
-    echo "relay: $my_relay" >> "$my_config"
-
-    if [ -n "$my_secret" ]; then
-      echo "secret: $my_secret" >> "$my_config"
-    fi
-    if [ -n "$my_servernames" ]; then
-      # TODO could use printf or echo -e,
-      # just not sure how portable they are
-      echo "servernames:" >> "$my_config"
-      echo "  $my_servernames: {}" >> "$my_config"
-    fi
-  else
-    echo "relay: telebit.cloud # the relay server to use" >> "$my_config"
-  fi
-  #echo "dynamic_ports:\n  []" >> "$my_config"
-  cat $TELEBIT_PATH/usr/share/$my_app.tpl.yml >> "$my_config"
+  echo "sock: $TELEBIT_SOCK" >> "$TELEBIT_TMP_CONFIGD"
+  echo "root: $TELEBIT_REAL_PATH" >> "$TELEBIT_TMP_CONFIGD"
+  cat $TELEBIT_REAL_PATH/usr/share/$my_daemon.tpl.yml >> "$TELEBIT_TMP_CONFIGD"
 
 fi
 
-#my_config_link="/etc/$my_app/$my_app.yml"
-#if [ ! -e "$my_config_link" ]; then
-#  echo "${sudo_cmde}ln -sf '$my_config' '$my_config_link'"
-#  #$sudo_cmd mkdir -p /etc/$my_app
-#  $sudo_cmd ln -sf "$my_config" "$my_config_link"
-#fi
+mkdir -p "$(dirname $TELEBIT_CONFIG)"
+if [ ! -e "$TELEBIT_CONFIG" ]; then
 
-my_config="$HOME/.config/$my_app/$my_app.yml"
-mkdir -p "$(dirname $my_config)"
-if [ ! -e "$my_config" ]; then
-
-  echo "cli: true" >> "$my_config"
-
-  if [ -n "$my_email" ]; then
-    echo "email: $my_email" >> "$my_config"
-    echo "agree_tos: true" >> "$my_config"
-  else
-    echo "#email: jon@example.com # used for Automated HTTPS and Telebit.Cloud registrations" >> "$my_config"
-    echo "#agree_tos: true # must be enabled to use Automated HTTPS and Telebit.Cloud" >> "$my_config"
-  fi
-
-  if [ -n "$my_relay" ]; then
-    echo "relay: $my_relay" >> "$my_config"
-
-    if [ -n "$my_secret" ]; then
-      echo "secret: $my_secret" >> "$my_config"
-    fi
-  else
-    echo "relay: telebit.cloud # the relay server to use" >> "$my_config"
-  fi
-
-  cat $TELEBIT_PATH/usr/share/$my_app.tpl.yml >> "$my_config"
+  echo "sock: $TELEBIT_SOCK" >> "$TELEBIT_CONFIG"
 
 fi
 
-echo "${sudo_cmde}chown -R $my_user '$TELEBIT_PATH' # '/etc/$my_app'"
-$sudo_cmd chown -R $my_user "$TELEBIT_PATH" # "/etc/$my_app"
 
-# ~/.config/systemd/user/
+
+# TODO
+# Backup final directory, if it exists
+# Move everything over to final directory
+# Restore config files, if they exist
+# rewrite system service file with real variables
+
+# This should only affect non-USERSPACE installs
+#echo "${soft_sudo_cmde}chown -R $TELEBIT_USER '$TELEBIT_REAL_PATH'
+$soft_sudo_cmd mkdir -p $TELEBIT_LOG_DIR
+$soft_sudo_cmd mkdir -p $TELEBIT_SOCK_DIR
+$soft_sudo_cmd chown -R $TELEBIT_USER "$TELEBIT_REAL_PATH"
+
+# $HOME/.config/systemd/user/
 # %h/.config/telebit/telebit.yml
-echo "### Adding $my_app as a system service"
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  - adding $my_app as a system service"
+fi
 # TODO detect with type -p
 my_system_launcher=""
+my_app_launchd_service=""
 if [ -d "/Library/LaunchDaemons" ]; then
   my_system_launcher="launchd"
-  my_app_launchd_service="Library/LaunchDaemons/${my_app_pkg_name}.plist"
-  echo "${sudo_cmde}$rsync_cmd $TELEBIT_PATH/usr/share/dist/$my_app_launchd_service /$my_app_launchd_service"
-  $sudo_cmd $rsync_cmd "$TELEBIT_PATH/usr/share/dist/$my_app_launchd_service" "/$my_app_launchd_service"
+  my_sudo_cmde="$real_sudo_cmde"
+  my_sudo_cmd="$real_sudo_cmd"
 
-  echo "${sudo_cmde}chown root:wheel $my_root/$my_app_launchd_service"
-  $sudo_cmd chown root:wheel "$my_root/$my_app_launchd_service"
-  echo "${sudo_cmde}launchctl unload -w $my_root/$my_app_launchd_service >/dev/null 2>/dev/null"
-  $sudo_cmd launchctl unload -w "$my_root/$my_app_launchd_service" >/dev/null 2>/dev/null
-  echo "${sudo_cmde}launchctl load -w $my_root/$my_app_launchd_service"
-  $sudo_cmd launchctl load -w "$my_root/$my_app_launchd_service"
+
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    my_app_launchd_service_skel="etc/skel/Library/LaunchAgents/${my_app_pkg_name}.plist"
+    my_app_launchd_service="$HOME/Library/LaunchAgents/${my_app_pkg_name}.plist"
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > $rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service $my_app_launchd_service"
+    fi
+    mkdir -p $HOME/Library/LaunchAgents
+    $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service_skel" "$my_app_launchd_service"
+
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > chown $(id -u -n):$(id -g -n) $my_app_launchd_service"
+    fi
+    chown $(id -u -n):$(id -g -n) "$my_app_launchd_service"
+    my_sudo_cmd=""
+    my_sudo_cmde=""
+
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > launchctl unload -w $my_app_launchd_service >/dev/null 2>/dev/null"
+    fi
+    launchctl unload -w "$my_app_launchd_service" >/dev/null 2>/dev/null
+  else
+    my_app_launchd_service_skel="usr/share/dist/Library/LaunchDaemons/${my_app_pkg_name}.plist"
+    my_app_launchd_service="$my_root/Library/LaunchDaemons/${my_app_pkg_name}.plist"
+    echo "    > ${real_sudo_cmde}$rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service $my_app_launchd_service"
+    $real_sudo_cmd $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/$my_app_launchd_service_skel" "$my_app_launchd_service"
+
+    echo "    > ${real_sudo_cmde}chown root:wheel $my_app_launchd_service"
+    $real_sudo_cmd chown root:wheel "$my_app_launchd_service"
+
+    echo "    > ${real_sudo_cmde}launchctl unload -w $my_app_launchd_service >/dev/null 2>/dev/null"
+    $real_sudo_cmd launchctl unload -w "$my_app_launchd_service" >/dev/null 2>/dev/null
+  fi
 
 elif [ -d "$my_root/etc/systemd/system" ]; then
   my_system_launcher="systemd"
-  echo "${sudo_cmde}$rsync_cmd $TELEBIT_PATH/usr/share/dist/etc/systemd/system/$my_app.service /etc/systemd/system/$my_app.service"
-  $sudo_cmd $rsync_cmd "$TELEBIT_PATH/usr/share/dist/etc/systemd/system/$my_app.service" "/etc/systemd/system/$my_app.service"
 
-  $sudo_cmd systemctl daemon-reload
-  echo "${sudo_cmde}systemctl enable $my_app"
-  $sudo_cmd systemctl enable $my_app
-  echo "${sudo_cmde}systemctl start $my_app"
-  $sudo_cmd systemctl restart $my_app
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > $rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/etc/skel/.config/systemd/user/$my_app.service $HOME/.config/systemd/user/$my_app.service"
+    fi
+    mkdir -p $HOME/.config/systemd/user
+    $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/etc/skel/.config/systemd/user/$my_app.service" "$HOME/.config/systemd/user/$my_app.service"
+  else
+    echo "    > ${real_sudo_cmde}$rsync_cmd $TELEBIT_REAL_PATH/usr/share/dist/etc/systemd/system/$my_app.service /etc/systemd/system/$my_app.service"
+    $real_sudo_cmd $rsync_cmd "$TELEBIT_REAL_PATH/usr/share/dist/etc/systemd/system/$my_app.service" "/etc/systemd/system/$my_app.service"
+  fi
 fi
 
-sleep 2
-echo ""
-echo ""
-echo ""
-echo "=============================================="
-echo "               Privacy Settings               "
-echo "=============================================="
-echo ""
-echo "Privacy settings are managed in the config files:"
-echo ""
-echo "  $TELEBIT_PATH/etc/$my_app.yml"
-echo "  $HOME/.config/$my_app/$my_app.yml"
-echo ""
-echo "Your current settings:"
-echo ""
-echo "  telemetry: true   # You ARE contributing project telemetry"
-echo "  community: true   # You ARE receiving important email updates"
-echo "  newsletter: false # You ARE NOT receiving regular emails"
-echo ""
-echo "Please edit the config file to meet your needs before starting."
-echo ""
-sleep 3
+sleep 1
 
-echo ""
-echo ""
-echo "=============================================="
-echo "            Launcher Configuration            "
-echo "=============================================="
-echo ""
-echo "You MUST verify your email address to activate this device for your account"
+###############################
+# Actually Launch the Service #
+###############################
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo ""
+fi
+if [ "launchd" == "$my_system_launcher" ]; then
 
-my_stopper=""
-if [ "systemd" == "$my_system_launcher" ]; then
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "  > launchctl load -w $my_app_launchd_service"
+    else
+      echo -n "."
+    fi
+    launchctl load -w "$my_app_launchd_service"
+  else
+    echo "  > ${real_sudo_cmde}launchctl load -w $my_app_launchd_service"
+    $real_sudo_cmd launchctl load -w "$my_app_launchd_service"
+  fi
+  sleep 2; # give it time to start
 
-  my_stopper="${sudo_cmde}systemctl stop $my_app"
-  echo "Edit the config and restart, if desired:"
-  echo ""
-  echo "    ${sudo_cmde}$my_edit $TELEBIT_PATH/etc/$my_app.yml"
-  echo "    ${sudo_cmde}systemctl restart $my_app"
-  echo ""
-  echo "Or disabled the service and start manually:"
-  echo ""
-  echo "    ${sudo_cmde}systemctl stop $my_app"
-  echo "    ${sudo_cmde}systemctl disable $my_app"
-  echo "    $my_app --config $TELEBIT_PATH/etc/$my_app.yml"
+elif [ "systemd" == "$my_system_launcher" ]; then
 
-elif [ "launchd" == "$my_system_launcher" ]; then
+  if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+    # https://wiki.archlinux.org/index.php/Systemd/User
+    # sudo loginctl enable-linger username
 
-  my_stopper="${sudo_cmde}launchctl unload $my_root/$my_app_launchd_service"
-  echo "Edit the config and restart, if desired:"
-  echo ""
-  echo "    ${sudo_cmde}$my_edit $TELEBIT_PATH/etc/$my_app.yml"
-  echo "    ${sudo_cmde}launchctl unload $my_root/$my_app_launchd_service"
-  echo "    ${sudo_cmde}launchctl load -w $my_root/$my_app_launchd_service"
-  echo ""
-  echo "Or disabled the service and start manually:"
-  echo ""
-  echo "    ${sudo_cmde}launchctl unload -w $my_root/$my_app_launchd_service"
-  echo "    $my_app daemon --config $TELEBIT_PATH/etc/$my_app.yml"
+    if [ -n "${TELEBIT_DEBUG}" ]; then
+      echo "    > systemctl --user enable $my_app"
+    else
+      echo -n "."
+    fi
+    set +e
+    if systemctl --user daemon-reload; then
+      # enable also puts success output to stderr... why?
+      systemctl --user enable $my_app >/dev/null 2>/dev/null
+      #echo "    > systemctl --user enable systemd-tmpfiles-setup.service systemd-tmpfiles-clean.timer"
+      #systemctl --user enable systemd-tmpfiles-setup.service systemd-tmpfiles-clean.timer
+      if [ -n "${TELEBIT_DEBUG}" ]; then
+        echo "    > systemctl --user start $my_app"
+      fi
+      systemctl --user stop $my_app >/dev/null 2>/dev/null
+      systemctl --user start $my_app >/dev/null
+
+      sleep 2; # give it time to start
+      _is_running=$(systemctl --user status --no-pager $my_app 2>/dev/null | grep "active.*running")
+      if [ -z "$_is_running" ]; then
+        echo "Something went wrong:"
+        systemctl --user status --no-pager $my_app
+      fi
+    else
+      echo "libpam-systemd is missing, which is required on Linux to register Telebit with the user launcher."
+      echo "sudo apt-get install -y libpam-systemd"
+      sudo apt-get install -y libpam-systemd
+    fi
+    set -e
+    echo -n "."
+  else
+
+    $real_sudo_cmd systemctl daemon-reload
+    echo "    > ${real_sudo_cmde}systemctl enable $my_app"
+    $real_sudo_cmd systemctl enable $my_app >/dev/null
+    echo "    > ${real_sudo_cmde}systemctl start $my_app"
+    $real_sudo_cmd systemctl daemon-reload
+    $real_sudo_cmd systemctl restart $my_app
+    sleep 2; # give it time to start
+    $real_sudo_cmd systemctl status --no-pager $my_app
+  fi
 
 else
 
-  my_stopper="not started"
-  echo "Edit the config, if desired:"
-  echo ""
-  echo "    ${sudo_cmde}$my_edit $my_config"
-  echo ""
   echo "Run the service manually (we couldn't detect your system service to do that automatically):"
   echo ""
-  echo "    $my_app --config $my_config"
+  echo "    $TELEBITD_BIN --config $TELEBITD_CONFIG"
+  echo "    ~/$my_app --config $TELEBIT_CONFIG"
 
 fi
-sleep 3
 
-# TODO run 'telebit status'
-if [ "telebit.cloud" == $my_relay ]; then
-  echo ""
-  echo ""
-  echo "=============================================="
-  echo "                 Hey, Listen!                 "
-  echo "=============================================="
-  echo ""
-  echo "GO CHECK YOUR EMAIL"
-  echo ""
-  echo "You MUST verify your email address to activate this device."
-  echo "(if the activation link expires, just run 'telebit restart' and check your email again)"
+# NOTE: ln -sf *should* replace an existing link... but sometimes it doesn't, hence rm -f
+if [ "yes" == "$TELEBIT_USERSPACE" ]; then
+  if [ -n "${TELEBIT_DEBUG}" ]; then
+    echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app"
+  fi
+  rm -f /usr/local/bin/$my_app 2>/dev/null || true
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app 2>/dev/null || true
+else
+  echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app"
+  rm -f /usr/local/bin/$my_app 2>/dev/null || \
+    $real_sudo_cmd rm -f /usr/local/bin/$my_app
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app 2>/dev/null || \
+    $real_sudo_cmd ln -sf $TELEBIT_REAL_PATH/bin/$my_app /usr/local/bin/$my_app
+  # telebitd
+  echo "    > ${real_sudo_cmde}ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon"
+  rm -f $TELEBIT_REAL_PATH/bin/$my_daemon || $real_sudo_cmd rm -f $TELEBIT_REAL_PATH/bin/$my_daemon
+  ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon || \
+    $real_sudo_cmd ln -sf $TELEBIT_REAL_PATH/bin/$my_daemon /usr/local/bin/$my_daemon
+fi
+rm -f $HOME/$my_app; ln -s $TELEBIT_REAL_PATH/bin/$my_app $HOME/
+
+
+if [ -n "${TELEBIT_DEBUG}" ]; then
+  echo "  > telebit init --tty"
   echo ""
 fi
+sleep 0.25
 
 echo ""
-sleep 1
+$TELEBIT_REAL_PATH/bin/node $TELEBIT_REAL_PATH/bin/telebit.js init --tty

usr/share/install_launcher.sh

@@ -0,0 +1,46 @@
+echo ""
+echo ""
+echo "=============================================="
+echo "            Launcher Configuration            "
+echo "=============================================="
+echo ""
+
+my_stopper=""
+if [ "systemd" == "$my_system_launcher" ]; then
+
+  my_stopper="${real_sudo_cmde}systemctl stop $my_app"
+  echo "Edit the config and restart, if desired:"
+  echo ""
+  echo "    ${real_sudo_cmde}$my_edit $TELEBITD_CONFIG"
+  echo "    ${real_sudo_cmde}systemctl restart $my_app"
+  echo ""
+  echo "Or disabled the service and start manually:"
+  echo ""
+  echo "    ${real_sudo_cmde}systemctl stop $my_app"
+  echo "    ${real_sudo_cmde}systemctl disable $my_app"
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+
+elif [ "launchd" == "$my_system_launcher" ]; then
+
+  my_stopper="${real_sudo_cmde}launchctl unload $my_app_launchd_service"
+  echo "Edit the config and restart, if desired:"
+  echo ""
+  echo "    ${real_sudo_cmde}$my_edit $TELEBITD_CONFIG"
+  echo "    ${real_sudo_cmde}launchctl unload $my_app_launchd_service"
+  echo "    ${real_sudo_cmde}launchctl load -w $my_app_launchd_service"
+  echo ""
+  echo "Or disabled the service and start manually:"
+  echo ""
+  echo "    ${real_sudo_cmde}launchctl unload -w $my_app_launchd_service"
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+
+else
+
+  my_stopper="not started"
+  echo ""
+  echo "Run the service manually (we couldn't detect your system service to do that automatically):"
+  echo ""
+  echo "    $my_daemon --config $TELEBITD_CONFIG"
+  echo "    $my_app --config $TELEBIT_CONFIG"
+
+fi

usr/share/telebitd.tpl.yml

@@ -1,4 +1,5 @@
 #agree_tos: true                 # agree to the Telebit, Greenlock, and Let's Encrypt TOSes
 community_member: true          # receive infrequent relevant updates
 telemetry: true                 # contribute to project telemetric data
-ssh_auto: 22                    # forward ssh-looking packets, from any connection, to port 22
+newsletter: false               # contribute to project telemetric data
+ssh_auto: false                 # forward ssh-looking packets, from any connection, to port 22

usr/share/template-launcher.js

@@ -0,0 +1,97 @@
+'use strict';
+
+var path = require('path');
+var fs = require('fs');
+var os = require('os');
+
+module.exports = function (opts, fn) {
+  // TODO make async version
+  try {
+    module.exports.sync(opts);
+  } catch(e) {
+    if (fn) { fn(e); }
+  }
+
+  if (fn) { fn(null); }
+};
+module.exports.sync = function (opts) {
+  var f = opts.file;
+  var vars = opts.vars;
+  var text = fs.readFileSync(f.tpl, 'utf8')
+    .replace(/{TELEBIT_PATH}/g, vars.telebitPath || '{TELEBIT_PATH}')
+    .replace(/{TELEBIT_NODE}/g, vars.telebitNode || '{TELEBIT_NODE}')
+    .replace(/{NODE_PATH}/g, vars.nodePath || '{NODE_PATH}')
+    .replace(/{NPM_CONFIG_PREFIX}/g, vars.npmConfigPrefix || '{NPM_CONFIG_PREFIX}')
+    .replace(/{TELEBIT_NPM}/g, vars.telebitNpm || '{TELEBIT_NPM}')
+    .replace(/{TELEBIT_BIN}/g, vars.telebitBin || '{TELEBIT_BIN}')
+    .replace(/{TELEBITD_BIN}/g, vars.telebitdBin || '{TELEBITD_BIN}')
+    .replace(/{TELEBIT_JS}/g, vars.telebitJs || '{TELEBIT_JS}')
+    .replace(/{TELEBITD_JS}/g, vars.telebitdJs || '{TELEBITD_JS}')
+    .replace(/{TELEBIT_USER}/g, vars.telebitUser || '{TELEBIT_USER}')
+    .replace(/{TELEBIT_GROUP}/g, vars.telebitGroup || '{TELEBIT_GROUP}')
+    .replace(/{TELEBIT_RW_DIRS}/g, vars.telebitRwDirs || '{TELEBIT_RW_DIRS}')
+    .replace(/{TELEBIT_CONFIG}/g, vars.telebitConfig || '{TELEBIT_CONFIG}')
+    .replace(/{TELEBITD_CONFIG}/g, vars.telebitdConfig || '{TELEBITD_CONFIG}')
+    .replace(/{TELEBIT_LOG_DIR}/g, vars.TELEBIT_LOG_DIR || '{TELEBIT_LOG_DIR}')
+    .replace(/{TELEBIT_SOCK_DIR}/g, vars.TELEBIT_LOG_DIR || '{TELEBIT_SOCK_DIR}')
+    ;
+  fs.writeFileSync(f.launcher, text, 'utf8');
+  if (f.executable && !/^win/i.test(os.platform())) {
+    // TODO not sure if chmod works on windows
+    fs.chmodSync(f.launcher, parseInt('755', 8));
+  }
+};
+
+function run() {
+  var files = [
+    { tpl: (process.env.TELEBIT_SERVICE_TPL || path.join(__dirname, 'dist/etc/systemd/system/telebit.service.tpl'))
+    , launcher: (process.env.TELEBIT_SERVICE || path.join(__dirname, 'dist/etc/systemd/system/telebit.service'))
+    }
+  , { tpl: (process.env.TELEBIT_USER_SERVICE_TPL || path.join(__dirname, 'dist/etc/skel/.config/systemd/user/telebit.service.tpl'))
+    , launcher: (process.env.TELEBIT_USER_SERVICE || path.join(__dirname, 'dist/etc/skel/.config/systemd/user/telebit.service'))
+    }
+  , { tpl: (process.env.TELEBIT_PLIST_TPL || path.join(__dirname, 'dist/Library/LaunchDaemons/cloud.telebit.remote.plist.tpl'))
+    , launcher: (process.env.TELEBIT_PLIST || path.join(__dirname, 'dist/Library/LaunchDaemons/cloud.telebit.remote.plist'))
+    }
+  , { tpl: (process.env.TELEBIT_USER_PLIST_TPL || path.join(__dirname, 'dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist.tpl'))
+    , launcher: (process.env.TELEBIT_USER_PLIST || path.join(__dirname, 'dist/etc/skel/Library/LaunchAgents/cloud.telebit.remote.plist'))
+    }
+  ];
+
+  files.forEach(function (f) {
+    var telebitRoot = path.resolve(__dirname, '../..');
+    var vars = {
+      telebitPath: process.env.TELEBIT_PATH || telebitRoot
+    , telebitNode: process.env.TELEBIT_NODE || process.argv[0] || path.resolve(telebitRoot, 'bin/node')
+    , telebitBin: process.env.TELEBIT_BIN || path.resolve(telebitRoot, 'bin/telebit')
+    , telebitdBin: process.env.TELEBITD_BIN || path.resolve(telebitRoot, 'bin/telebitd')
+    , telebitJs: process.env.TELEBIT_JS || path.resolve(telebitRoot, 'bin/telebit.js')
+    , telebitdJs: process.env.TELEBITD_JS || path.resolve(telebitRoot, 'bin/telebitd.js')
+    , telebitRwDirs: [
+        (process.env.TELEBIT_PATH || path.resolve(__dirname, '../..'))
+      , path.join(os.homedir(), '.config/telebit')
+      , path.join(os.homedir(), '.local/share/telebit')
+      ]
+    , telebitUser: process.env.TELEBIT_USER || os.userInfo().username
+    , telebitGroup: process.env.TELEBIT_GROUP || ('darwin' === os.platform() ? 'staff' : os.userInfo().username)
+    , telebitConfig: process.env.TELEBIT_CONFIG || path.join(os.homedir(), '.config/telebit/telebit.yml')
+    , telebitdConfig: process.env.TELEBITD_CONFIG || path.join(os.homedir(), '.config/telebit/telebitd.yml')
+    , TELEBIT_LOG_DIR: process.env.TELEBIT_LOG_DIR || path.join(os.homedir(), '.local/share/telebit/var/log')
+    };
+    vars.telebitNpm = process.env.TELEBIT_NPM || path.resolve(vars.telebitNode, '../npm');
+    vars.nodePath = process.env.NODE_PATH || path.resolve(vars.telebitNode, '../../lib/node_modules');
+    vars.npmConfigPrefix = process.env.NPM_CONFIG_PREFIX || path.resolve(vars.telebitNode, '..', '..');
+    if (-1 === vars.telebitRwDirs.indexOf(vars.npmConfigPrefix)) {
+      vars.telebitRwDirs.push(vars.npmConfigPrefix);
+    }
+    vars.telebitRwDirs = vars.telebitRwDirs.join(' ');
+    module.exports({
+      file: f
+    , vars: vars
+    });
+  });
+}
+
+if (module === require.main) {
+  run();
+}