Initial code base for Sandstorm.IO support. Very beta.

.env.sandstorm

@@ -0,0 +1,55 @@
+APP_ENV=production
+APP_DEBUG=true
+APP_FORCE_SSL=false
+APP_FORCE_ROOT=
+APP_KEY=SomeRandomStringOf32CharsExactly
+APP_LOG=syslog
+APP_LOG_LEVEL=debug
+APP_URL=http://localhost
+
+DB_CONNECTION=mysql
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=firefly
+DB_USERNAME=firefly
+DB_PASSWORD=firefly
+
+BROADCAST_DRIVER=log
+CACHE_DRIVER=file
+SESSION_DRIVER=file
+QUEUE_DRIVER=sync
+
+COOKIE_PATH="/"
+COOKIE_DOMAIN=
+COOKIE_SECURE=false
+
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
+
+MAIL_DRIVER=smtp
+MAIL_HOST=mailtrap.io
+MAIL_PORT=2525
+MAIL_FROM=changeme@example.com
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+
+SEND_REGISTRATION_MAIL=true
+SEND_ERROR_MESSAGE=true
+SHOW_INCOMPLETE_TRANSLATIONS=false
+
+CACHE_PREFIX=firefly
+
+GOOGLE_MAPS_API_KEY=
+ANALYTICS_ID=
+SITE_OWNER=mail@example.com
+USE_ENCRYPTION=true
+
+PUSHER_KEY=
+PUSHER_SECRET=
+PUSHER_APP_ID=
+
+DEMO_USERNAME=
+DEMO_PASSWORD=
+

.sandstorm/.gitattributes

@@ -0,0 +1,5 @@
+
+
+# vagrant-spk creates shell scripts, which must end in \n, even on a \r\n system.
+*.sh text eol=lf
+

.sandstorm/.gitignore

@@ -0,0 +1,5 @@
+
+
+# This file stores a list of sub-paths of .sandstorm/ that should be ignored by git.
+.vagrant
+

.sandstorm/Vagrantfile

@@ -0,0 +1,103 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Guess at a reasonable name for the VM based on the folder vagrant-spk is
+# run from.  The timestamp is there to avoid conflicts if you have multiple
+# folders with the same name.
+VM_NAME = File.basename(File.dirname(File.dirname(__FILE__))) + "_sandstorm_#{Time.now.utc.to_i}"
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  # Base on the Sandstorm snapshots of the official Debian 8 (jessie) box.
+  config.vm.box = "sandstorm/debian-jessie64"
+
+  if Vagrant.has_plugin?("vagrant-vbguest") then
+    # vagrant-vbguest is a Vagrant plugin that upgrades
+    # the version of VirtualBox Guest Additions within each
+    # guest. If you have the vagrant-vbguest plugin, then it
+    # needs to know how to compile kernel modules, etc., and so
+    # we give it this hint about operating system type.
+    config.vm.guest = "debian"
+  end
+
+  # We forward port 6080, the Sandstorm web port, so that developers can
+  # visit their sandstorm app from their browser as local.sandstorm.io:6080
+  # (aka 127.0.0.1:6080).
+  config.vm.network :forwarded_port, guest: 6080, host: 6080
+
+  # Use a shell script to "provision" the box. This installs Sandstorm using
+  # the bundled installer.
+  config.vm.provision "shell", inline: "sudo bash /opt/app/.sandstorm/global-setup.sh", keep_color: true
+  # Then, do stack-specific and app-specific setup.
+  config.vm.provision "shell", inline: "sudo bash /opt/app/.sandstorm/setup.sh", keep_color: true
+
+  # Shared folders are configured per-provider since vboxsf can't handle >4096 open files,
+  # NFS requires privilege escalation every time you bring a VM up,
+  # and 9p is only available on libvirt.
+
+  # Calculate the number of CPUs and the amount of RAM the system has,
+  # in a platform-dependent way; further logic below.
+  cpus = nil
+  total_kB_ram = nil
+
+  host = RbConfig::CONFIG['host_os']
+  if host =~ /darwin/
+    cpus = `sysctl -n hw.ncpu`.to_i
+    total_kB_ram =  `sysctl -n hw.memsize`.to_i / 1024
+  elsif host =~ /linux/
+    cpus = `nproc`.to_i
+    total_kB_ram = `grep MemTotal /proc/meminfo | awk '{print $2}'`.to_i
+  elsif host =~ /mingw/
+    # powershell may not be available on Windows XP and Vista, so wrap this in a rescue block
+    begin
+      cpus = `powershell -Command "(Get-WmiObject Win32_Processor -Property NumberOfLogicalProcessors | Select-Object -Property NumberOfLogicalProcessors | Measure-Object NumberOfLogicalProcessors -Sum).Sum"`.to_i
+      total_kB_ram = `powershell -Command "Get-CimInstance -class cim_physicalmemory | % $_.Capacity}"`.to_i / 1024
+    rescue
+    end
+  end
+  # Use the same number of CPUs within Vagrant as the system, with 1
+  # as a default.
+  #
+  # Use at least 512MB of RAM, and if the system has more than 2GB of
+  # RAM, use 1/4 of the system RAM. This seems a reasonable compromise
+  # between having the Vagrant guest operating system not run out of
+  # RAM entirely (which it basically would if we went much lower than
+  # 512MB) and also allowing it to use up a healthily large amount of
+  # RAM so it can run faster on systems that can afford it.
+  if cpus.nil? or cpus.zero?
+    cpus = 1
+  end
+  if total_kB_ram.nil? or total_kB_ram < 2048000
+    assign_ram_mb = 512
+  else
+    assign_ram_mb = (total_kB_ram / 1024 / 4)
+  end
+  # Actually apply these CPU/memory values to the providers.
+  config.vm.provider :virtualbox do |vb, override|
+    vb.cpus = cpus
+    vb.memory = assign_ram_mb
+    vb.name = VM_NAME
+    vb.customize ["modifyvm", :id, "--nictype1", "Am79C973"]
+
+    # /opt/app and /host-dot-sandstorm are used by vagrant-spk
+    override.vm.synced_folder "..", "/opt/app"
+    override.vm.synced_folder ENV["HOME"] + "/.sandstorm", "/host-dot-sandstorm"
+    # /vagrant is not used by vagrant-spk; we need this line so it gets disabled; if we removed the
+    # line, vagrant would automatically insert a synced folder in /vagrant, which is not what we want.
+    override.vm.synced_folder "..", "/vagrant", disabled: true
+  end
+  config.vm.provider :libvirt do |libvirt, override|
+    libvirt.cpus = cpus
+    libvirt.memory = assign_ram_mb
+    libvirt.default_prefix = VM_NAME
+
+    # /opt/app and /host-dot-sandstorm are used by vagrant-spk
+    override.vm.synced_folder "..", "/opt/app", type: "9p", accessmode: "passthrough"
+    override.vm.synced_folder ENV["HOME"] + "/.sandstorm", "/host-dot-sandstorm", type: "9p", accessmode: "passthrough"
+    # /vagrant is not used by vagrant-spk; we need this line so it gets disabled; if we removed the
+    # line, vagrant would automatically insert a synced folder in /vagrant, which is not what we want.
+    override.vm.synced_folder "..", "/vagrant", type: "9p", accessmode: "passthrough", disabled: true
+  end
+end

.sandstorm/build.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Checks if there's a composer.json, and if so, installs/runs composer.
+# Only runs when we connect the app to sandstorm (so once).
+set -euo pipefail
+
+
+
+cd /opt/app
+
+cp .env.sandstorm .env
+
+if [ -f /opt/app/composer.json ] ; then
+    if [ ! -f composer.phar ] ; then
+        curl -sS https://getcomposer.org/installer | php
+    fi
+    php composer.phar install --no-dev --no-suggest
+fi
+
+# link storage folder
+rm -rf /opt/app/storage
+ln -s /var/storage /opt/app

.sandstorm/global-setup.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+set -euo pipefail
+
+# Set options for curl. Since we only want to show errors from these curl commands, we also use
+# 'cat' to buffer the output; for more information:
+# https://github.com/sandstorm-io/vagrant-spk/issues/158
+
+CURL_OPTS="--silent --show-error"
+echo localhost > /etc/hostname
+hostname localhost
+
+# The following line copies stderr through stderr to cat without accidentally leaving it in the
+# output file. Be careful when changing. See: https://github.com/sandstorm-io/vagrant-spk/pull/159
+curl $CURL_OPTS https://install.sandstorm.io/ 2>&1 > /host-dot-sandstorm/caches/install.sh | cat
+
+SANDSTORM_CURRENT_VERSION=$(curl $CURL_OPTS -f "https://install.sandstorm.io/dev?from=0&type=install")
+SANDSTORM_PACKAGE="sandstorm-$SANDSTORM_CURRENT_VERSION.tar.xz"
+if [[ ! -f /host-dot-sandstorm/caches/$SANDSTORM_PACKAGE ]] ; then
+    echo -n "Downloading Sandstorm version ${SANDSTORM_CURRENT_VERSION}..."
+    curl $CURL_OPTS --output "/host-dot-sandstorm/caches/$SANDSTORM_PACKAGE.partial" "https://dl.sandstorm.io/$SANDSTORM_PACKAGE" 2>&1 | cat
+    mv "/host-dot-sandstorm/caches/$SANDSTORM_PACKAGE.partial" "/host-dot-sandstorm/caches/$SANDSTORM_PACKAGE"
+    echo "...done."
+fi
+if [ ! -e /opt/sandstorm/latest/sandstorm ] ; then
+    echo -n "Installing Sandstorm version ${SANDSTORM_CURRENT_VERSION}..."
+    bash /host-dot-sandstorm/caches/install.sh -d -e "/host-dot-sandstorm/caches/$SANDSTORM_PACKAGE" >/dev/null
+    echo "...done."
+fi
+modprobe ip_tables
+# Make the vagrant user part of the sandstorm group so that commands like
+# `spk dev` work.
+usermod -a -G 'sandstorm' 'vagrant'
+# Bind to all addresses, so the vagrant port-forward works.
+sudo sed --in-place='' \
+        --expression='s/^BIND_IP=.*/BIND_IP=0.0.0.0/' \
+        /opt/sandstorm/sandstorm.conf
+sudo service sandstorm restart
+# Enable apt-cacher-ng proxy to make things faster if one appears to be running on the gateway IP
+GATEWAY_IP=$(ip route  | grep ^default  | cut -d ' ' -f 3)
+if nc -z "$GATEWAY_IP" 3142 ; then
+    echo "Acquire::http::Proxy \"http://$GATEWAY_IP:3142\";" > /etc/apt/apt.conf.d/80httpproxy
+fi
+# Configure apt to retry fetching things that fail to download.
+echo "APT::Acquire::Retries \"10\";" > /etc/apt/apt.conf.d/80sandstorm-retry

.sandstorm/launcher.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Runs every time we create a new grain!
+
+# Create a bunch of folders under the clean /var that php, nginx, and mysql expect to exist
+mkdir -p /var/lib/mysql
+mkdir -p /var/lib/nginx
+mkdir -p /var/lib/php/sessions/
+mkdir -p /var/log
+mkdir -p /var/log/mysql
+mkdir -p /var/log/nginx
+# Wipe /var/run, since pidfiles and socket files from previous launches should go away
+# TODO someday: I'd prefer a tmpfs for these.
+rm -rf /var/run
+mkdir -p /var/run
+rm -rf /var/tmp
+mkdir -p /var/tmp
+mkdir -p /var/run/mysqld
+
+# make storage directories
+rm -rf /var/storage
+mkdir -p /var/storage/app/public
+mkdir -p /var/storage/build
+mkdir -p /var/storage/database
+mkdir -p /var/storage/debugbar
+mkdir -p /var/storage/export
+mkdir -p /var/storage/framework/cache
+mkdir -p /var/storage/framework/sessions
+mkdir -p /var/storage/framework/views
+mkdir -p /var/storage/logs
+mkdir -p /var/storage/upload
+
+
+# Ensure mysql tables created
+HOME=/etc/mysql /usr/bin/mysql_install_db --force
+
+# Spawn mysqld, php
+HOME=/etc/mysql /usr/sbin/mysqld &
+
+/usr/sbin/php-fpm7.0 --nodaemonize --fpm-config /etc/php/7.0/fpm/php-fpm.conf &
+
+# Wait until mysql and php have bound their sockets, indicating readiness
+while [ ! -e /var/run/mysqld/mysqld.sock ] ; do
+    echo "waiting for mysql to be available at /var/run/mysqld/mysqld.sock"
+    sleep .5
+done
+while [ ! -e /var/run/php7.0-fpm.sock ] ; do
+    echo "waiting for php7.0-fpm to be available at /var/run/php7.0-fpm.sock"
+    sleep .5
+done
+
+echo "Installing database.."
+# Install database for Firefly III
+echo "CREATE DATABASE IF NOT EXISTS firefly; GRANT ALL on firefly.* TO 'firefly'@'localhost' IDENTIFIED BY 'firefly';" | mysql -uroot
+echo "Done!"
+
+#echo "Generate key..."
+#php /opt/app/artisan key:generate
+#echo "Done!"
+
+echo "Migrating..."
+php /opt/app/artisan migrate:refresh --seed --force
+echo "Done!"
+
+# Start nginx.
+/usr/sbin/nginx -c /opt/app/.sandstorm/service-config/nginx.conf -g "daemon off;"

.sandstorm/sandstorm-pkgdef.capnp

@@ -0,0 +1,247 @@
+@0x9411e6c8b3c8a4b6;
+
+using Spk = import "/sandstorm/package.capnp";
+# This imports:
+#   $SANDSTORM_HOME/latest/usr/include/sandstorm/package.capnp
+# Check out that file to see the full, documented package definition format.
+
+const pkgdef :Spk.PackageDefinition = (
+  # The package definition. Note that the spk tool looks specifically for the
+  # "pkgdef" constant.
+
+  id = "uws252ya9mep4t77tevn85333xzsgrpgth8q4y1rhknn1hammw70",
+  # Your app ID is actually its public key. The private key was placed in
+  # your keyring. All updates must be signed with the same key.
+
+  manifest = (
+    # This manifest is included in your app package to tell Sandstorm
+    # about your app.
+
+    appTitle = (defaultText = "Firefly III"),
+
+    appVersion = 0,  # Increment this for every release.
+
+    appMarketingVersion = (defaultText = "3.4.3"),
+    # Human-readable representation of appVersion. Should match the way you
+    # identify versions of your app in documentation and marketing.
+
+    actions = [
+      # Define your "new document" handlers here.
+      ( nounPhrase = (defaultText = "administration"),
+        command = .myCommand
+        # The command to run when starting for the first time. (".myCommand"
+        # is just a constant defined at the bottom of the file.)
+      )
+    ],
+
+    continueCommand = .myCommand,
+    # This is the command called to start your app back up after it has been
+    # shut down for inactivity. Here we're using the same command as for
+    # starting a new instance, but you could use different commands for each
+    # case.
+
+    metadata = (
+      # Data which is not needed specifically to execute the app, but is useful
+      # for purposes like marketing and display.  These fields are documented at
+      # https://docs.sandstorm.io/en/latest/developing/publishing-apps/#add-required-metadata
+      # and (in deeper detail) in the sandstorm source code, in the Metadata section of
+      # https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/package.capnp
+      icons = (
+        # Various icons to represent the app in various contexts.
+        appGrid = (png = (dpi1x = embed "public/images/logo/firefly-iii-128.png")),
+                grain = (png = (dpi1x = embed "public/images/logo/firefly-iii-24.png",
+                                dpi2x = embed "public/images/logo/firefly-iii-48.png")),
+                market = (png = (dpi1x = embed "public/images/logo/firefly-iii-150.png"))
+      ),
+
+      website = "https://firefly-iii.github.io/",
+      # This should be the app's main website url.
+
+      codeUrl = "https://github.com/firefly-iii/firefly-iii",
+      # URL of the app's source code repository, e.g. a GitHub URL.
+      # Required if you specify a license requiring redistributing code, but optional otherwise.
+
+      license = (openSource = void),
+      # The license this package is distributed under.  See
+      # https://docs.sandstorm.io/en/latest/developing/publishing-apps/#license
+
+      categories = [productivity],
+      # A list of categories/genres to which this app belongs, sorted with best fit first.
+      # See the list of categories at
+      # https://docs.sandstorm.io/en/latest/developing/publishing-apps/#categories
+
+      author = (
+        # Fields relating to the author of this app.
+
+        contactEmail = "thegrumpydictator@gmail.com",
+        # Email address to contact for any issues with this app. This includes end-user support
+        # requests as well as app store administrator requests, so it is very important that this be a
+        # valid address with someone paying attention to it.
+
+        #pgpSignature = embed "path/to/pgp-signature",
+        # PGP signature attesting responsibility for the app ID. This is a binary-format detached
+        # signature of the following ASCII message (not including the quotes, no newlines, and
+        # replacing <app-id> with the standard base-32 text format of the app's ID):
+        #
+        # "I am the author of the Sandstorm.io app with the following ID: <app-id>"
+        #
+        # You can create a signature file using `gpg` like so:
+        #
+        #     echo -n "I am the author of the Sandstorm.io app with the following ID: <app-id>" | gpg --sign > pgp-signature
+        #
+        # Further details including how to set up GPG and how to use keybase.io can be found
+        # at https://docs.sandstorm.io/en/latest/developing/publishing-apps/#verify-your-identity
+
+        # upstreamAuthor = "Example App Team",
+        # Name of the original primary author of this app, if it is different from the person who
+        # produced the Sandstorm package. Setting this implies that the author connected to the PGP
+        # signature only "packaged" the app for Sandstorm, rather than developing the app.
+        # Remove this line if you consider yourself as the author of the app.
+      ),
+
+      #pgpKeyring = embed "path/to/pgp-keyring",
+      # A keyring in GPG keyring format containing all public keys needed to verify PGP signatures in
+      # this manifest (as of this writing, there is only one: `author.pgpSignature`).
+      #
+      # To generate a keyring containing just your public key, do:
+      #
+      #     gpg --export <key-id> > keyring
+      #
+      # Where `<key-id>` is a PGP key ID or email address associated with the key.
+
+      #description = (defaultText = embed "path/to/description.md"),
+      # The app's description in Github-flavored Markdown format, to be displayed e.g.
+      # in an app store. Note that the Markdown is not permitted to contain HTML nor image tags (but
+      # you can include a list of screenshots separately).
+
+      shortDescription = (defaultText = "Financial management"),
+      # A very short (one-to-three words) description of what the app does. For example,
+      # "Document editor", or "Notetaking", or "Email client". This will be displayed under the app
+      # title in the grid view in the app market.
+
+      screenshots = [
+        # Screenshots to use for marketing purposes.  Examples below.
+        # Sizes are given in device-independent pixels, so if you took these
+        # screenshots on a Retina-style high DPI screen, divide each dimension by two.
+
+        #(width = 746, height = 795, jpeg = embed "path/to/screenshot-1.jpeg"),
+        #(width = 640, height = 480, png = embed "path/to/screenshot-2.png"),
+      ],
+      #changeLog = (defaultText = embed "path/to/sandstorm-specific/changelog.md"),
+      # Documents the history of changes in Github-flavored markdown format (with the same restrictions
+      # as govern `description`). We recommend formatting this with an H1 heading for each version
+      # followed by a bullet list of changes.
+    ),
+  ),
+
+  sourceMap = (
+    # Here we defined where to look for files to copy into your package. The
+    # `spk dev` command actually figures out what files your app needs
+    # automatically by running it on a FUSE filesystem. So, the mappings
+    # here are only to tell it where to find files that the app wants.
+    searchPath = [
+      ( sourcePath = "." ),  # Search this directory first.
+      ( sourcePath = "/",    # Then search the system root directory.
+        hidePaths = [ "home", "proc", "sys",
+                      "etc/passwd", "etc/hosts", "etc/host.conf",
+                      "etc/nsswitch.conf", "etc/resolv.conf" ]
+        # You probably don't want the app pulling files from these places,
+        # so we hide them. Note that /dev, /var, and /tmp are implicitly
+        # hidden because Sandstorm itself provides them.
+      )
+    ]
+  ),
+
+  fileList = "sandstorm-files.list",
+  # `spk dev` will write a list of all the files your app uses to this file.
+  # You should review it later, before shipping your app.
+
+  alwaysInclude = [],
+  # Fill this list with more names of files or directories that should be
+  # included in your package, even if not listed in sandstorm-files.list.
+  # Use this to force-include stuff that you know you need but which may
+  # not have been detected as a dependency during `spk dev`. If you list
+  # a directory here, its entire contents will be included recursively.
+
+  #bridgeConfig = (
+  #  # Used for integrating permissions and roles into the Sandstorm shell
+  #  # and for sandstorm-http-bridge to pass to your app.
+  #  # Uncomment this block and adjust the permissions and roles to make
+  #  # sense for your app.
+  #  # For more information, see high-level documentation at
+  #  # https://docs.sandstorm.io/en/latest/developing/auth/
+  #  # and advanced details in the "BridgeConfig" section of
+  #  # https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/package.capnp
+  #  viewInfo = (
+  #    # For details on the viewInfo field, consult "ViewInfo" in
+  #    # https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/grain.capnp
+  #
+  #    permissions = [
+  #    # Permissions which a user may or may not possess.  A user's current
+  #    # permissions are passed to the app as a comma-separated list of `name`
+  #    # fields in the X-Sandstorm-Permissions header with each request.
+  #    #
+  #    # IMPORTANT: only ever append to this list!  Reordering or removing fields
+  #    # will change behavior and permissions for existing grains!  To deprecate a
+  #    # permission, or for more information, see "PermissionDef" in
+  #    # https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/grain.capnp
+  #      (
+  #        name = "editor",
+  #        # Name of the permission, used as an identifier for the permission in cases where string
+  #        # names are preferred.  Used in sandstorm-http-bridge's X-Sandstorm-Permissions HTTP header.
+  #
+  #        title = (defaultText = "editor"),
+  #        # Display name of the permission, e.g. to display in a checklist of permissions
+  #        # that may be assigned when sharing.
+  #
+  #        description = (defaultText = "grants ability to modify data"),
+  #        # Prose describing what this role means, suitable for a tool tip or similar help text.
+  #      ),
+  #    ],
+  #    roles = [
+  #      # Roles are logical collections of permissions.  For instance, your app may have
+  #      # a "viewer" role and an "editor" role
+  #      (
+  #        title = (defaultText = "editor"),
+  #        # Name of the role.  Shown in the Sandstorm UI to indicate which users have which roles.
+  #
+  #        permissions  = [true],
+  #        # An array indicating which permissions this role carries.
+  #        # It should be the same length as the permissions array in
+  #        # viewInfo, and the order of the lists must match.
+  #
+  #        verbPhrase = (defaultText = "can make changes to the document"),
+  #        # Brief explanatory text to show in the sharing UI indicating
+  #        # what a user assigned this role will be able to do with the grain.
+  #
+  #        description = (defaultText = "editors may view all site data and change settings."),
+  #        # Prose describing what this role means, suitable for a tool tip or similar help text.
+  #      ),
+  #      (
+  #        title = (defaultText = "viewer"),
+  #        permissions  = [false],
+  #        verbPhrase = (defaultText = "can view the document"),
+  #        description = (defaultText = "viewers may view what other users have written."),
+  #      ),
+  #    ],
+  #  ),
+  #  #apiPath = "/api",
+  #  # Apps can export an API to the world.  The API is to be used primarily by Javascript
+  #  # code and native apps, so it can't serve out regular HTML to browsers.  If a request
+  #  # comes in to your app's API, sandstorm-http-bridge will prefix the request's path with
+  #  # this string, if specified.
+  #),
+);
+
+const myCommand :Spk.Manifest.Command = (
+  # Here we define the command used to start up your server.
+  argv = ["/sandstorm-http-bridge", "8000", "--", "/opt/app/.sandstorm/launcher.sh"],
+  environ = [
+    # Note that this defines the *entire* environment seen by your app.
+    (key = "PATH", value = "/usr/local/bin:/usr/bin:/bin"),
+    (key = "SANDSTORM", value = "1"),
+    # Export SANDSTORM=1 into the environment, so that apps running within Sandstorm
+    # can detect if $SANDSTORM="1" at runtime, switching UI and/or backend to use
+    # the app's Sandstorm-specific integration code.
+  ]
+);

.sandstorm/service-config/mime.types

@@ -0,0 +1,89 @@
+
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+    text/xml                              xml;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    application/javascript                js;
+    application/atom+xml                  atom;
+    application/rss+xml                   rss;
+
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/x-component                      htc;
+
+    image/png                             png;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/x-icon                          ico;
+    image/x-jng                           jng;
+    image/x-ms-bmp                        bmp;
+    image/svg+xml                         svg svgz;
+    image/webp                            webp;
+
+    application/font-woff                 woff;
+    application/java-archive              jar war ear;
+    application/json                      json;
+    application/mac-binhex40              hqx;
+    application/msword                    doc;
+    application/pdf                       pdf;
+    application/postscript                ps eps ai;
+    application/rtf                       rtf;
+    application/vnd.apple.mpegurl         m3u8;
+    application/vnd.ms-excel              xls;
+    application/vnd.ms-fontobject         eot;
+    application/vnd.ms-powerpoint         ppt;
+    application/vnd.wap.wmlc              wmlc;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/x-7z-compressed           7z;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-perl                    pl pm;
+    application/x-pilot                   prc pdb;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            der pem crt;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xspf+xml                  xspf;
+    application/zip                       zip;
+
+    application/octet-stream              bin exe dll;
+    application/octet-stream              deb;
+    application/octet-stream              dmg;
+    application/octet-stream              iso img;
+    application/octet-stream              msi msp msm;
+
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;
+
+    audio/midi                            mid midi kar;
+    audio/mpeg                            mp3;
+    audio/ogg                             ogg;
+    audio/x-m4a                           m4a;
+    audio/x-realaudio                     ra;
+
+    video/3gpp                            3gpp 3gp;
+    video/mp2t                            ts;
+    video/mp4                             mp4;
+    video/mpeg                            mpeg mpg;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-m4v                           m4v;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asx asf;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+}

.sandstorm/service-config/nginx.conf

@@ -0,0 +1,87 @@
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	# Basic Settings
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_names_hash_bucket_size 64;
+	server_tokens off;
+	server_name_in_redirect off;
+
+	include mime.types;
+	default_type application/octet-stream;
+
+	# Logging
+	access_log off;
+	error_log stderr;
+
+	# Prevent nginx from adding compression; this interacts badly with Sandstorm
+	# WebSession due to https://github.com/sandstorm-io/sandstorm/issues/289
+	gzip off;
+
+	# Trust the sandstorm-http-bridge's X-Forwarded-Proto.
+	map $http_x_forwarded_proto $fe_https {
+		default "";
+		https on;
+	}
+
+	server {
+		listen 8000 default_server;
+		listen [::]:8000 default_server ipv6only=on;
+
+		# Allow arbitrarily large bodies - Sandstorm can handle them, and requests
+		# are authenticated already, so there's no reason for apps to add additional
+		# limits by default.
+		client_max_body_size 0;
+
+		server_name localhost;
+		root /opt/app/public;
+		location / {
+			index index.php;
+			try_files $uri $uri/ /index.php?$query_string;
+			autoindex on;
+        	sendfile off;
+		}
+		location ~ \.php$ {
+			try_files $uri =404;
+            fastcgi_pass unix:/var/run/php7.0-fpm.sock;
+            fastcgi_index index.php;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+			fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+
+			fastcgi_param  QUERY_STRING       $query_string;
+			fastcgi_param  REQUEST_METHOD     $request_method;
+			fastcgi_param  CONTENT_TYPE       $content_type;
+			fastcgi_param  CONTENT_LENGTH     $content_length;
+			
+			fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+			fastcgi_param  REQUEST_URI        $request_uri;
+			fastcgi_param  DOCUMENT_URI       $document_uri;
+			fastcgi_param  DOCUMENT_ROOT      $document_root;
+			fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+			fastcgi_param  HTTPS              $fe_https if_not_empty;
+			
+			fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+			fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+			
+			fastcgi_param  REMOTE_ADDR        $remote_addr;
+			fastcgi_param  REMOTE_PORT        $remote_port;
+			fastcgi_param  SERVER_ADDR        $server_addr;
+			fastcgi_param  SERVER_PORT        $server_port;
+			fastcgi_param  SERVER_NAME        $server_name;
+			
+			# PHP only, required if PHP was built with --enable-force-cgi-redirect
+			#fastcgi_param  REDIRECT_STATUS    200;
+		}
+	}
+}

.sandstorm/setup.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# When you change this file, you must take manual action. Read this doc:
+# - https://docs.sandstorm.io/en/latest/vagrant-spk/customizing/#setupsh
+
+set -euo pipefail
+
+export DEBIAN_FRONTEND=noninteractive
+
+# install packages so we can install apt-add-repository.
+apt-get update
+apt-get install -y python-software-properties software-properties-common
+
+# actually add repository
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E9C74FEEA2098A6E
+add-apt-repository "deb http://packages.dotdeb.org jessie all"
+
+# install packages.
+apt-get update
+apt-get install -y nginx php7.0-fpm php7.0-mysql php7.0-cli php7.0-curl git php7.0-dev php7.0-intl php7.0-dom php7.0-mbstring php7.0-bcmath mysql-server
+service nginx stop
+service php7.0-fpm stop
+service mysql stop
+systemctl disable nginx
+systemctl disable php7.0-fpm
+systemctl disable mysql
+# patch /etc/php/7.0/fpm/pool.d/www.conf to not change uid/gid to www-data
+sed --in-place='' \
+       --expression='s/^listen.owner = www-data/;listen.owner = www-data/' \
+       --expression='s/^listen.group = www-data/;listen.group = www-data/' \
+       /etc/php/7.0/fpm/pool.d/www.conf
+# patch /etc/php/7.0/fpm/php-fpm.conf to not have a pidfile
+sed --in-place='' \
+       --expression='s/^pid =/;pid =/' \
+       /etc/php/7.0/fpm/php-fpm.conf
+
+# move sock file to better dir:
+sed --in-place='' \
+       --expression='s/^listen = \/run\/php\/php7.0-fpm.sock/listen = \/var\/run\/php7.0-fpm.sock/' \
+       /etc/php/7.0/fpm/pool.d/www.conf
+
+# patch /etc/php/7.0/fpm/pool.d/www.conf to no clear environment variables
+# so we can pass in SANDSTORM=1 to apps
+sed --in-place='' \
+       --expression='s/^;clear_env = no/clear_env=no/' \
+       /etc/php/7.0/fpm/pool.d/www.conf
+# patch mysql conf to not change uid, and to use /var/tmp over /tmp
+# for secure-file-priv see https://github.com/sandstorm-io/vagrant-spk/issues/195
+sed --in-place='' \
+        --expression='s/^user\t\t= mysql/#user\t\t= mysql/' \
+        --expression='s,^tmpdir\t\t= /tmp,tmpdir\t\t= /var/tmp,' \
+        --expression='/\[mysqld]/ a\ secure-file-priv = ""\' \
+        /etc/mysql/my.cnf
+# patch mysql conf to use smaller transaction logs to save disk space
+cat <<EOF > /etc/mysql/conf.d/sandstorm.cnf
+[mysqld]
+# Set the transaction log file to the minimum allowed size to save disk space.
+# innodb_log_file_size = 1048576
+# Set the main data file to grow by 1MB at a time, rather than 8MB at a time.
+innodb_autoextend_increment = 1
+EOF

.sandstorm/stack

@@ -0,0 +1 @@
+lemp