contrib: Add unit file and instructions for systemd
refs #1586
Change-Id: I06b91804fc8b8613560ef98687307f56262689fb
diff --git a/contrib/systemd/README.md b/contrib/systemd/README.md
new file mode 100644
index 0000000..7c722ab
--- /dev/null
+++ b/contrib/systemd/README.md
@@ -0,0 +1,130 @@
+Starting NFD on Linux with systemd
+==================================
+
+Newer versions of Ubuntu (starting with 15.04) and some other Linux distributions, including Debian
+use systemd to start system daemons, monitor their health, and restart them when they die.
+
+Initial setup
+-------------
+
+* Edit `nfd.service`, correcting the paths to the `nfd` executable, configuration, and
+ ``HOME`` directories.
+
+* Copy the systemd config file for NFD to the proper directory
+
+ sudo cp nfd.service /etc/systemd/system
+
+* Reload the systemd manager configuration
+
+ sudo systemctl daemon-reload
+
+### Assumptions in the default scripts
+
+* `nfd` is installed into `/usr/local/bin`
+* Configuraton file is `/usr/local/etc/ndn/nfd.conf`
+* `nfd` will be run as root
+* Log files will be written to `/usr/local/var/log/ndn` folder, which is owned by user `ndn`
+
+### Creating users
+
+If the `ndn` user and group do not exist, they need to be manually created.
+
+ # Create group `ndn`
+ sudo addgroup --system ndn
+
+ # Create user `ndn`
+ sudo adduser --system \
+ --disabled-login \
+ --ingroup ndn \
+ --home /nonexistent \
+ --gecos "NDN User" \
+ --shell /bin/false \
+ ndn
+
+
+### Creating folders
+
+Folder `/usr/local/var/log/ndn` should be created and assigned proper user and group:
+
+ sudo mkdir -p /usr/local/var/log/ndn
+ sudo chown -R ndn:ndn /usr/local/var/log/ndn
+
+`HOME` directory for `nfd` should be created prior to starting. This is necessary to manage
+unique security credentials for the daemon.
+
+ # Create HOME and generate self-signed NDN certificate for nfd
+ sudo sh -c ' \
+ mkdir -p /usr/local/var/lib/ndn/nfd/.ndn; \
+ export HOME=/usr/local/var/lib/ndn/nfd; \
+ ndnsec-keygen /localhost/daemons/nfd | ndnsec-install-cert -; \
+ '
+
+### Configuring NFD's security
+
+NFD sample configuration allows anybody to create faces, add nexthops to FIB, and set
+strategy choice for namespaces. While such settings could be a good start, it is
+generally not a good idea to run NFD in this mode.
+
+While thorough discussion about the security configuration of NFD is outside the scope of
+this document, at least the following change should be done in ``nfd.conf`` in the
+authorize section:
+
+ authorizations
+ {
+ authorize
+ {
+ certfile certs/localhost_daemons_nfd.ndncert
+ privileges
+ {
+ faces
+ fib
+ strategy-choice
+ }
+ }
+
+ authorize
+ {
+ certfile any
+ privileges
+ {
+ faces
+ strategy-choice
+ }
+ }
+ }
+
+While this configuration still allows the management of faces and updating strategy choice by
+anyone, only NFD's RIB Manager (i.e., NFD itself) is allowed to manage FIB.
+
+As the final step to make this configuration work, nfd's self-signed certificate needs to
+be exported into the `localhost_daemons_nfd.ndncert` file:
+
+ sudo sh -c '\
+ mkdir -p /usr/local/etc/ndn/certs || true; \
+ export HOME=/usr/local/var/lib/ndn/nfd; \
+ ndnsec-dump-certificate -i /localhost/daemons/nfd > \
+ /usr/local/etc/ndn/certs/localhost_daemons_nfd.ndncert; \
+ '
+
+Enable auto-start
+-----------------
+
+After copying the provided upstart script, auto-start of the `nfd` daemon can be enabled with:
+
+ sudo systemctl enable nfd
+
+To manually start it, use the following command:
+
+ sudo systemctl start nfd
+
+Disable auto-start
+------------------
+
+To stop the `nfd` daemon, use the following command:
+
+ sudo systemctl stop nfd
+
+To permanently stop the `nfd` daemon and disable it from being automatically started on reboot,
+disable the service:
+
+ sudo systemctl disable nfd
\ No newline at end of file