Merge stockholm
48
Makefile
|
@ -1,5 +1,5 @@
|
|||
APP=freedombone
|
||||
VERSION=1.01
|
||||
VERSION=1.02
|
||||
RELEASE=1
|
||||
PREFIX?=/usr/local
|
||||
|
||||
|
@ -11,44 +11,56 @@ rmtranslations:
|
|||
bash -c "./translate remove"
|
||||
alltranslations:
|
||||
bash -c "./translate translations"
|
||||
tidy:
|
||||
./tidyup src/*
|
||||
source:
|
||||
tar -cvf ../${APP}_${VERSION}.orig.tar ../${APP}-${VERSION} --exclude-vcs
|
||||
gzip -f9n ../${APP}_${VERSION}.orig.tar
|
||||
install:
|
||||
mkdir -p ${DESTDIR}${PREFIX}/bin
|
||||
mkdir -p ${DESTDIR}/usr/share/${APP}/base
|
||||
mkdir -p ${DESTDIR}/usr/share/${APP}/apps
|
||||
mkdir -p ${DESTDIR}/usr/share/${APP}/utils
|
||||
mkdir -p ${DESTDIR}/usr/share/${APP}/avatars
|
||||
mkdir -p ${DESTDIR}/etc/${APP}
|
||||
cp -r image_build/* ${DESTDIR}/etc/${APP}
|
||||
install -m 755 img/backgrounds/${APP}_mesh_background.png ${DESTDIR}${PREFIX}/share
|
||||
install -m 755 src/* ${DESTDIR}${PREFIX}/bin
|
||||
install -m 755 src/${APP}-meshweb ${DESTDIR}${PREFIX}/bin/meshweb
|
||||
install -m 755 src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
|
||||
install -m 755 src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
|
||||
install -m 755 src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
|
||||
install -m 755 src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends
|
||||
install -m 755 src/${APP}-restore-local ${DESTDIR}${PREFIX}/bin/restore
|
||||
install -m 755 src/${APP}-restore-remote ${DESTDIR}${PREFIX}/bin/restorefromfriend
|
||||
cp img/backgrounds/${APP}_*.png ${DESTDIR}${PREFIX}/share
|
||||
cp img/avatars/* ${DESTDIR}/usr/share/${APP}/avatars
|
||||
cp src/* ${DESTDIR}${PREFIX}/bin
|
||||
cp src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
|
||||
cp src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
|
||||
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
|
||||
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends
|
||||
cp src/${APP}-restore-local ${DESTDIR}${PREFIX}/bin/restore
|
||||
cp src/${APP}-restore-remote ${DESTDIR}${PREFIX}/bin/restorefromfriend
|
||||
rm -f ${DESTDIR}/usr/share/${APP}/base/*
|
||||
rm -f ${DESTDIR}/usr/share/${APP}/apps/*
|
||||
rm -f ${DESTDIR}/usr/share/${APP}/utils/*
|
||||
mv ${DESTDIR}${PREFIX}/bin/${APP}-base-* ${DESTDIR}/usr/share/${APP}/base
|
||||
mv ${DESTDIR}${PREFIX}/bin/${APP}-app-* ${DESTDIR}/usr/share/${APP}/apps
|
||||
mv ${DESTDIR}${PREFIX}/bin/${APP}-utils-* ${DESTDIR}/usr/share/${APP}/utils
|
||||
mkdir -m 755 -p ${DESTDIR}${PREFIX}/share/man/man1
|
||||
install -m 644 man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1
|
||||
install -m 644 man/${APP}-backup-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/backup.1.gz
|
||||
install -m 644 man/${APP}-restore-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/restore.1.gz
|
||||
bash -c "./translate install"
|
||||
cp man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1
|
||||
cp man/${APP}-backup-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/backup.1.gz
|
||||
cp man/${APP}-restore-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/restore.1.gz
|
||||
# bash -c "./translate install"
|
||||
uninstall:
|
||||
rm -f ${PREFIX}/share/${APP}_mesh_background.png
|
||||
rm -f ${PREFIX}/share/${APP}_*.png
|
||||
rm -f ${PREFIX}/share/man/man1/backup.1.gz
|
||||
rm -f ${PREFIX}/share/man/man1/restore.1.gz
|
||||
rm -f ${PREFIX}/share/man/man1/${APP}*.1.gz
|
||||
rm -rf ${PREFIX}/share/${APP}
|
||||
rm -rf /usr/share/${APP}
|
||||
rm -f ${PREFIX}/bin/${APP}*
|
||||
rm -f ${PREFIX}/bin/zeronetavahi
|
||||
rm -f ${PREFIX}/bin/meshavahi
|
||||
rm -f ${PREFIX}/bin/backup
|
||||
rm -f ${PREFIX}/bin/backup2friends
|
||||
rm -f ${PREFIX}/bin/restore
|
||||
rm -f ${PREFIX}/bin/restorefromfriend
|
||||
rm -f ${PREFIX}/bin/meshweb
|
||||
rm -f ${PREFIX}/bin/batman
|
||||
rm -rf /etc/${APP}
|
||||
bash -c "./translate uninstall"
|
||||
clean:
|
||||
rm -f \#* \.#* debian/*.substvars debian/*.log
|
||||
rm -f \#* \.#* debian/*.substvars debian/*.log src/*~
|
||||
rm -fr deb.* debian/${APP}
|
||||
rm -f ../${APP}*.deb ../${APP}*.changes ../${APP}*.asc ../${APP}*.dsc
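Review bot: The `cp` forms in the `install` recipe (`cp src/* ${DESTDIR}${PREFIX}/bin`, `cp man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1`) leave the installed file modes to the checkout and the installing user's umask, whereas the `install -m 755` / `install -m 644` lines printed next to them pin the modes explicitly. This page has lost its +/- markers, so treating `cp` as the new side is only inferred from the VERSION 1.01 → 1.02 print order. If that is right, the explicit modes should be kept, since the README installs these scripts with `sudo make install`: `install -m 755 src/* ${DESTDIR}${PREFIX}/bin` and `install -m 644 man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1`. Separately, in `uninstall`, `rm -rf /usr/share/${APP}` and `rm -rf /etc/${APP}` ignore `DESTDIR` and would expand to the parent directory if `APP` were overridden to an empty value. A same-line guard such as `test -n "${APP}" && rm -rf /etc/${APP}` would prevent that.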
|
||||
|
|
209
README.md
|
@ -1,208 +1,21 @@
|
|||
<img src="https://github.com/bashrc/freedombone/blob/master/img/logo.png?raw=true" width=640/>
|
||||
|
||||
The Freedombone system can be installed onto a Beaglebone Black, or any system capable of running Debian Jessie, and allows you to host your own email and web services. With Freedombone you can enjoy true freedom and independence in the cloud. It comes in a variety of flavours.
|
||||
> _"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment."_ -- Lucas Nussbaum
|
||||
|
||||
- **Full install**: Installs eveything
|
||||
- **Mailbox**: An email server with GPG encryption
|
||||
- **Cloud**: Sync and share files. Never lose important files again
|
||||
- **Social**: Social networking with Hubzilla and GNU Social
|
||||
- **Media**: Runs media services such as DLNA to play music or videos on your devices
|
||||
- **Writer**: Host your blog and wiki
|
||||
- **Chat**: Encrypted IRC, XMPP, Tox and VoIP services for one-to-one and many-to-many chat
|
||||
- **Developer**: Host your own git projects with a Github-like user interface
|
||||
- **Mesh**: A wireless mesh network which is like the internet, but not the internet
|
||||
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, backups. Freedombone enables you to do all of that in a self-hosted way, where you keep control of your data and it resides in your own home.
|
||||
|
||||
Except for the mesh variant all web systems installed also have an equivalent [onion address](https://en.wikipedia.org/wiki/.onion) so that they may be accessed via a Tor browser. This can provide some additional defense against unwanted surveillance or metadata gethering. Non-mesh variants also come with an RSS reader which provides strong reading privacy via the use of a Tor onion service.
|
||||
[Here's how](https://freedombone.net/homeserver.html).
|
||||
|
||||
Freedombone has an emphasis on security and privacy, and when installed on a Beaglebone Black it uses the built-in hardware random number generator as an entropy source. All communications with the box are encrypted by default using the recommendations from https://bettercrypto.org. The firewall is configured to only allow communications on the necessary ports and to drop all other packets, icmp is disabled by default, emails are stored in encrypted form using your public key and time synchronisation occurs via TLS only. Backups are also encrypted and can be local or remote.
|
||||
And here's how [on a Beaglebone Black](https://freedombone.net/beaglebone.html).
|
||||
|
||||
Freedombone is, and shall remain, 100% free software. Non-free repositories are removed automatically upon installation.
|
||||
Want to make a community mesh network which doesn't depend upon the internet?
|
||||
|
||||
Building an image for an SBC or Virtual Machine
|
||||
===============================================
|
||||
You don't have to trust images downloaded from random internet locations signed with untrusted keys. You can build one from scratch yourself, and this is the recommended procedure for maximum security. For guidance on how to build images see the manpage for the **freedombone-image** command.
|
||||
[You can do that too](https://freedombone.net/mesh.html).
|
||||
|
||||
Install the freedombone commands onto your laptop/desktop:
|
||||
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
|
||||
|
||||
sudo apt-get install git build-essential dialog
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
sudo make install
|
||||
* [Apps available on the system](https://freedombone.net/apps.html)
|
||||
* [General usage](https://freedombone.net/usage.html)
|
||||
* [Frequently Asked Questions](https://freedombone.net/faq.html)
|
||||
|
||||
Then install packages needed for building images:
|
||||
|
||||
sudo apt-get -y install python-docutils mktorrent vmdebootstrap xz-utils
|
||||
sudo apt-get -y install dosfstools btrfs-tools extlinux python-distro-info mbr
|
||||
sudo apt-get -y install qemu-user-static binfmt-support u-boot-tools qemu
|
||||
|
||||
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
|
||||
|
||||
freedombone-image -t beaglebone -s 8G
|
||||
|
||||
If you prefer an advanced installation with all of the options available then use:
|
||||
|
||||
freedombone-image -t beaglebone -s 8G --minimal no
|
||||
|
||||
To build a 64bit Virtualbox image:
|
||||
|
||||
freedombone-image -t virtualbox-amd64 -s 8G
|
||||
|
||||
To build a 64bit Qemu image:
|
||||
|
||||
freedombone-image -t qemu-x86_64 -s 8G
|
||||
|
||||
Other supported boards are cubieboard2, cubietruck, olinuxino-lime, olinuxino-lime2 and olinuxino-micro.
|
||||
|
||||
If the image build fails with an error such as "/Error reading from server. Remote end closed connection/" then you can specify a debian package mirror repository manually with:
|
||||
|
||||
freedombone-image -t beaglebone -s 8G -m http://ftp.de.debian.org/debian
|
||||
|
||||
Checklist
|
||||
=========
|
||||
Before installing Freedombone you will need a few things.
|
||||
|
||||
* Have some domains, or subdomains, registered with a dynamic DNS service
|
||||
* System with a new installation of Debian Jessie or a downloaded/prepared disk image
|
||||
* Ethernet connection between the system and your internet router
|
||||
* That it is possible to forward ports from the internet router to the system, typically via firewall settings
|
||||
* Have ssh access to the system, typically via fbone@freedombone.local on port 2222
|
||||
|
||||
Installation
|
||||
============
|
||||
There are three install options: Laptop/Desktop/Netbook, SBC and Virtual Machine.
|
||||
|
||||
**On a Laptop, Netbook or Desktop machine**
|
||||
|
||||
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
|
||||
|
||||
su
|
||||
apt-get update
|
||||
apt-get -y install git dialog build-essential
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
make install
|
||||
freedombone menuconfig
|
||||
|
||||
**On a single board computer (SBC)**
|
||||
|
||||
Currently the following boards are supported:
|
||||
|
||||
Beaglebone Black
|
||||
Cubieboard 2
|
||||
Cubietruck (Cubieboard 3)
|
||||
olinuxino Lime2
|
||||
olinuxino Micro
|
||||
|
||||
If there is no existing image available then you can build one from scratch. See the section above on how to do that. If an existing image is available then you can download it and check the signature with:
|
||||
|
||||
gpg --verify filename.img.asc
|
||||
|
||||
And the hash with:
|
||||
|
||||
sha256sum filename.img
|
||||
|
||||
If the image is compressed then decompress it with:
|
||||
|
||||
unxz filename.img.xz
|
||||
|
||||
Then copy it to a microSD card. Depending on your system you may need an adaptor to be able to do that.
|
||||
|
||||
sudo dd bs=1M if=filename.img of=/dev/sdX conv=fdatasync
|
||||
|
||||
Where **sdX** is the microSD drive. You can check which drive is the microSD drive using:
|
||||
|
||||
ls /dev/sd*
|
||||
|
||||
With the drive removed and inserted. Copying to the microSD will take a while, so go and do something less boring instead. When it's complete remove it from your system and insert it into the SBC. Connect an ethernet cable between the SBC and your internet router, then connect the power cable. On the Beaglebone Black you will see some flashing LEDs, but on other SBCs there may not be any visual indication that anything is booting.
|
||||
|
||||
With the board connected and running you can ssh into the system with:
|
||||
|
||||
ssh fbone@freedombone.local -p 2222
|
||||
|
||||
Using the password 'freedombone'. Take a note of the new login password and then you can proceed through the installation.
|
||||
|
||||
**As a Virtual Machine**
|
||||
|
||||
Virtualbox and Qemu are supported. You can run a 64 bit Qemu image with:
|
||||
|
||||
qemu-system-x86_64 filename.img
|
||||
|
||||
If you are using Virtualbox then add a new VM and select the Freedombone **vdi** image.
|
||||
|
||||
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password then you can proceed through the installation.
|
||||
|
||||
Social Key Management (aka "The Unforgettable Key")
|
||||
===================================================
|
||||
During the install procedure you will be asked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
|
||||
|
||||
**You have the gnupg keyring on an encrypted USB drive**
|
||||
|
||||
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
|
||||
|
||||
**You have a number of key fragments on USB drives retrieved from friends**
|
||||
|
||||
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more **Keydrives**.
|
||||
|
||||
**You can specify some ssh login details for friends servers containing key fragments**
|
||||
|
||||
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
|
||||
|
||||
Final Setup
|
||||
===========
|
||||
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
|
||||
|
||||
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
|
||||
|
||||
| Service | Ports |
|
||||
|---------+------------|
|
||||
| HTTP | 80 |
|
||||
| HTTPS | 443 |
|
||||
| SSH | 2222 |
|
||||
| DLNA | 1900 |
|
||||
| DLNA | 8200 |
|
||||
| XMPP | 5222..5223 |
|
||||
| XMPP | 5269 |
|
||||
| XMPP | 5280..5281 |
|
||||
| IRC | 6697 |
|
||||
| IRC | 9999 |
|
||||
| Git | 9418 |
|
||||
| Email | 25 |
|
||||
| Email | 587 |
|
||||
| Email | 465 |
|
||||
| Email | 993 |
|
||||
| VoIP | 64738 |
|
||||
| Tox | 33445 |
|
||||
|
||||
Keydrives
|
||||
=========
|
||||
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
|
||||
|
||||
**Master Keydrive**
|
||||
|
||||
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Then plug it into the Freedombone system, then from your local machine run:
|
||||
|
||||
ssh myusername@mydomainname -p 2222
|
||||
|
||||
Select *Administrator controls* then *Backup and Restore* then *Backup GPG key to USB (master keydrive)*.
|
||||
|
||||
**Fragment keydrives**
|
||||
|
||||
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Plug it into the Freedombone system then from your local machine run the following commands:
|
||||
|
||||
ssh myusername@mydomainname -p 2222
|
||||
|
||||
Select *Administrator controls* then *Backup and Restore* then *Backup GPG key to USB (fragment keydrive)*.
|
||||
|
||||
Fragments are randomly assigned and so you will need at least three or four keydrives to have enough fragments to reconstruct your original key in a worst case scenario. You can store fragments for different Freedombone systems on the same encrypted USB drive, so you can help to ensure that your friends can also recover their systems. This might be called *"the web of backups"* or *"the web of encryption"*. Since you can only write a single key fragment from your Freedombone system to a given USB drive each friend doesn't have enough information to decrypt your backups or steal your identity, even if they turn evil. This is based on the assumption that it may be difficult to get three or more friends to conspire against you all at once.
|
||||
|
||||
Passwords
|
||||
=========
|
||||
Passwords for server applications are randomly generated and can be found within **/home/username/README** after the system has fully installed. You should move those passwords into a password manager, such as KeepassX.
|
||||
|
||||
Administering the system
|
||||
========================
|
||||
To administer the system after installation log in via ssh, become the root user and then launch the control panel.
|
||||
|
||||
ssh fbone@freedombone.local -p 2222
|
||||
|
||||
Select *Administrator controls* and from there you will be able to perform various tasks, such as backups, adding and removing users and so on. You can also do this via commands, which are typically installed as /usr/local/bin/freedombone* and the corresponding manpages.
|
||||
If you find bugs, or want to add a new app to this system see the [Developers Guide](https://freedombone.net/devguide.html).
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, dlna
|
||||
#+DESCRIPTION: How to use DLNA
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>DLNA</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on an unencrypted USB thumb drive and then insert it into a USB socket on the Freedombone system.
|
||||
|
||||
ssh into the system with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain.com -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select *Administrator controls* then *App Settings* then *dlna*. From there you can choose to attach the drive.
|
||||
|
||||
The system will scan the /Music/ directory, which could take a while if there are thousands of files, but you don't need to do anything further other than perhaps to log out by selecting *Exit* a couple of times.
|
||||
|
||||
If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
|
||||
|
||||
The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are /no access controls/ on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network.
|
|
@ -0,0 +1,38 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, dokuwiki
|
||||
#+DESCRIPTION: How to use Dokuwiki
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Dokuwiki</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Dokuwiki is a wiki which stores its content in text files. Having no database makes maintaining it simpler, and it's not tied to any particular domain name so you can easily copy the files to a different domain if you need to.
|
||||
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *dokuwiki*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Dokuwiki. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Dokuwiki domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
|
@ -0,0 +1,45 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, emacs
|
||||
#+DESCRIPTION: How to use Emacs
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Emacs</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Emacs is a text editor popular with software developers or anyone who needs to take notes at high speed or be able to customise their editing environment to a high degree. When installed on Freedombone it can be used together the Mutt email client to edit new emails or if you need to manually edit configuration files.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps*. If Vim is selected then you might want to unselect and uninstall it first, then select *emacs*.
|
||||
|
||||
* Common key combinations
|
||||
For anyone new to Emacs some common keys are:
|
||||
|
||||
| CTRL-x CTRL-s | Save |
|
||||
| CTRL-x CTRL-c | Exit |
|
||||
| CTRL-l | Go to a line number |
|
||||
| CTRL-x CTRL-f | Open a file |
|
||||
| SHIFT-ALT-< | Go to the top of the file |
|
||||
| SHIFT-ALT-> | Go to the end of the file |
|
||||
| SHIFT cursors | Select text |
|
||||
| CTRL-x CTRL-h | Highlight all text |
|
||||
| ALT-w | Copy selected text |
|
||||
| CTRL-y | Paste selected text |
|
||||
| ESC-ESC-ESC | Undo current selection |
|
|
@ -0,0 +1,39 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, etherpad
|
||||
#+DESCRIPTION: How to use Etherpad
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Etherpad</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
For collaborative document editing Etherpad is hard to beat. Just log in, choose a document title and then edit. Different users will appear in different colours, and can also chat in the sidebar. This is installed as a private system in which only users on your Freedombone server will be able to create and edit documents, so it's not open to any random users on the internet.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *etherpad*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Etherpad. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Etherpad domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
Please be aware that after installation the etherpad daemon takes a while to start up for the first time. On a low powered system such as a Beaglebone Black this can take ten minutes or more. So if you navigate to the site and see a "/Bad Gateway/" error then don't panic. Wait for ten minutes and try again.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
|
@ -0,0 +1,45 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, ghost
|
||||
#+DESCRIPTION: How to use Ghost
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Ghost</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Ghost is a blogging system which uses markdown formatted posts. It's quite simple to use, and also looks nice even on small mobile screens.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *ghost*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Ghost. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Ghost blog domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
||||
|
||||
Navigate to https://yourghostblogdomain/ghost and click on *create your account*
|
||||
|
||||
Enter your email address, password and blog title.
|
||||
|
||||
When prompted to invite users click on *I'll do this later*
|
||||
|
||||
Under *Settings* on the *General* option you can set a description, background image and so on.
|
|
@ -0,0 +1,97 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, gnu social
|
||||
#+DESCRIPTION: How to use GNU Social
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>GNU Social</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
GNU Social is typically referred to as a microblogging system, although with a maximum post length much longer than Twitter it's really a sort of federated community blog with a stream-based appearance which also supports markdown formatting.
|
||||
|
||||
You can host your own GNU Social instance and then "/remote follow/" other users who may also be doing the same. With a federated structure this type of system is hard to censor or ban. Unlike Twitter, there are no bribed adverts pushed into your stream, and any trends happening are likely to be real rather than being manipulated by some opaque algorithm.
|
||||
|
||||
You should regard anything posted to GNU Social as being /public communication/ visible to anyone on the internet. There is a direct messaging capability between users but it's not particularly secure, so for one-to-one messages stick to better methods, such as XMPP with OTR/OMEMO or Tox.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *gnusocial*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. You can also add a welcome message and background picture URL if you wish, although those things are optional. Typically the domain name you use will be a subdomain, such as /gnusocial.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for GNU Social. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your GNU Social domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
||||
|
||||
Once you have logged in to GNU Social you may then want to select *Admin* and check or change the details. You may also wish to change the license for the site to be either Creative Commons or private.
|
||||
|
||||
GNU Social has a clutter-free mobile user interface which can be accessed via a Tor compatible browser (make sure to add a NoScript exception). Unlike similar proprietary sites there are no bribed posts.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/gnusocial_mobile.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
|
||||
* Using with Emacs
|
||||
If you are an Emacs user it's also possible to set up GNU Social mode as follows:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
mkdir ~/elisp
|
||||
git clone git://git.savannah.nongnu.org/gnu-social-mode ~/elisp/gnu-social-mode
|
||||
sed -i 's|"http"|"https"|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
sed -i 's|http:|https:|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
sed -i 's|http?|https?|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
echo "(add-to-list 'load-path \"~/elisp/gnu-social-mode\")" >> ~/.emacs
|
||||
echo "(require 'gnu-social-mode)" >> ~/.emacs
|
||||
echo "(setq gnu-social-server-textlimit 2000" >> ~/.emacs
|
||||
echo " gnu-social-server \"yourgnusocialdomain\"" >> ~/.emacs
|
||||
echo " gnu-social-username \"yourusername\"" >> ~/.emacs
|
||||
echo " gnu-social-password \"gnusocialpassword\")" >> ~/.emacs
|
||||
#+end_src
|
||||
|
||||
And as a quick reference the main keys are:
|
||||
|
||||
| Key | Function |
|
||||
|---------------+--------------------|
|
||||
| i | Show icons |
|
||||
| CTRL-c CTRL-s | Post status update |
|
||||
| r | Repeat |
|
||||
| F | Favourite |
|
||||
| R | Reply to user |
|
||||
| CTRL-c CTRL-h | Highlight |
|
||||
| CTRL-c CTRL-r | Show replies |
|
||||
| CTRL-c CTRL-f | Friends timeline |
|
||||
|
||||
|
||||
* Sharing things
|
||||
If you have the GNU Social microblogging system installed then it's also possible to share things or services between groups or with particular users. This can be useful for sharing items within a family, club or in a local sharing economy. Sharing things freely, without money, reveals the social basis at the root of all economics which money normally conceals or obscures.
|
||||
|
||||
Click on "/share/" or "/my catalog/" and this will switch to a screen which allows you to enter details for things to be shared or wanted.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/sharings3.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
The "/catalog/" button then allows you to search for shared things within the federated network.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/sharings4.jpg]]
|
||||
#+END_CENTER
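Review bot: The `git clone git://git.savannah.nongnu.org/gnu-social-mode` line in the *Using with Emacs* block fetches Lisp that Emacs will then load, and it does so over the unauthenticated, unencrypted git protocol, so the code can be altered in transit. If Savannah serves this repository over HTTPS, the clone should use that URL instead. The same block appends `gnu-social-password` in plaintext to `~/.emacs`, so I would add `chmod 600 ~/.emacs` and a sentence saying the file now holds a credential. `mkdir ~/elisp` also fails when the directory already exists; `mkdir -p ~/elisp` avoids that.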
|
|
@ -0,0 +1,47 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, gogs
|
||||
#+DESCRIPTION: How to use Gogs
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Gogs</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Github is ok, but it's proprietary and funded by venture capital. If you been around on the internet for long enough then you know how this story eventually works itself out - i.e. badly for the users. It's really only a question of time. If you're a software developer or do things which involve the Git version control system then it's a good idea to become accustomed to hosting your own repositories, before the inevitable Github shitstorm occurs.
|
||||
|
||||
A Git hosting system called [[https://gogs.io][Gogs]] can optionally be installed. This is very similar to Github in appearance and use. It's lightweight and so well suited for use on low power ARM servers.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *gogs*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Gogs. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Gogs domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
In a browser navigate to your Gogs site and click the *Register* button. The first user registered on the system becomes the administrator. Once you've done that then it's a good idea to disable further registrations. Currently that's a little complicated, but you can do it as follows:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo username@domainname -p 2222
|
||||
#+end_src
|
||||
|
||||
Select *Administrator controls* then *App Settings* then *gogs*. You can then enable or disable registration of new users.
|
||||
|
||||
Disabling further registrations will stop any spam accounts being created by random strangers or bots.
|
|
@ -0,0 +1,39 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, htmly
|
||||
#+DESCRIPTION: How to use Htmly
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>HTMLy</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
HTMLy is a databaseless blogging system.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *htmly*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for HTMLy. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your HTMLy blog domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
||||
|
||||
Navigate to https://yourhtmlyblogdomain/login and enter your username and password. You can then create posts or edit existing ones.
|
|
@ -0,0 +1,42 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, hubzilla
|
||||
#+DESCRIPTION: How to use Hubzilla
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Hubzilla</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Hubzilla is a web publishing and social network system which includes wiki, web pages, photo albums and file storage. It also has privacy controls which allow you to define who can see which content. It's possible to write posts and have them visible only to a group of friends (known as "/privacy groups/"), with the encryption being handled automatically.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *hubzilla*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /hub.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Hubzilla. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Hubzilla domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
On first visiting your Hubzilla site you'll see the login screen. The first thing you need to do is *register* a new user. The first user on the system then becomes its administrator.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/hubzilla_mobile.jpg]]
|
||||
#+END_CENTER
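Review bot: *Initial setup* says the first registered user becomes the administrator, but it does not say how soon to register or how to close registration afterwards. Until the owner registers, whoever reaches the site first would get the administrator account, so I would add a sentence like `Register your own account immediately after the install completes, before publishing the domain.` The Gogs page in this commit describes disabling further registrations. If Hubzilla has an equivalent control panel setting, it should be mentioned here too.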
|
|
@ -0,0 +1,100 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombome, irc
|
||||
#+DESCRIPTION: How to use IRC
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>IRC</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
|
||||
|
||||
* Irssi
|
||||
The easiest way to use irssi is to connect to your system, like this:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select *IRC* from the menu. However, other than via this method using ssh, irssi isn't a very good IRC client because it doesn't have the capability to onion route messages, and therefore leaks metadata. For the best security when using your IRC server, use HexChat, Emacs ERC or another client which supports socks5 proxying.
|
||||
|
||||
* HexChat
|
||||
HexChat (formerly XChat) is compatible with proxying via Tor and so provides the best security when connecting to your IRC server. It will allow you to connect to your IRC server's onion address.
|
||||
|
||||
First install HexChat and set up its configuration file. This can be done on your local machine with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
freedombone-client --setup hexchat
|
||||
#+END_SRC
|
||||
|
||||
Now look up the onion address for your IRC server
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@mydomainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select Administrator options, then *About this system* and make a note of the onion address for IRC. Also select the *IRC Menu* and take a note of the login password.
|
||||
|
||||
Run HexChat.
|
||||
|
||||
Within the network list click, *Add* and enter your domain name then click *Edit*.
|
||||
|
||||
Select the entry within the servers box, then enter *ircaddress.onion/6697* or *mydomainname/6697* and press *Enter*.
|
||||
|
||||
Uncheck *use global user information*.
|
||||
|
||||
Enter first and second nicknames and check *connect to this network on startup*.
|
||||
|
||||
If you are using the ordinary domain name (clearnet/ICANN) then make sure that *Use SSL* is checked.
|
||||
|
||||
[[file:images/hexchat_setup_clearnet.jpg]]
|
||||
|
||||
If you are using the onion address then *use SSL* should be unchecked and the transport encryption will be handled via the onion address itself.
|
||||
|
||||
[[file:images/hexchat_setup.jpg]]
|
||||
|
||||
Within the *Password* field enter the password which can be found from the IRC menu of the *control panel*.
|
||||
|
||||
Select the *Autojoin channels* tab, click *Add* and enter *#freedombone* as the channel name.
|
||||
|
||||
Click *close* and then *connect*.
|
||||
|
||||
* Emacs
|
||||
If you are an Emacs user then you can also connect to your IRC server via Emacs.
|
||||
|
||||
Ensure that tor is installed onto your local system:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get install tor
|
||||
#+END_SRC
|
||||
|
||||
Add the following to your Emacs configuration file:
|
||||
|
||||
#+BEGIN_SRC elisp
|
||||
(setq socks-noproxy '("localhost"))
|
||||
(require 'socks)
|
||||
(require 'tls)
|
||||
(setq socks-server (list "Tor socks" "localhost" 9050 5))
|
||||
(setq erc-server-connect-function 'socks-open-network-stream)
|
||||
(setq erc-autojoin-channels-alist
|
||||
'(("myircaddress.onion" "#freedombone")))
|
||||
(erc :server "myircaddress.onion" :port 6697 :nick "yourusername" :password "your IRC password")
|
||||
#+END_SRC
|
||||
|
||||
* Changing or removing the IRC password
|
||||
By default the IRC server is set up to require a password for users to log in. The password is the same for all users. If you want to change or remove the password:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select /Administrator controls/ then *IRC Menu* and then change the password. An empty password will allow anyone to log in, so you can have a globally accessible IRC system if you wish, although you might want to carefully consider whether that's wise.
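Review bot: The Emacs block ends with `(erc :server "myircaddress.onion" :port 6697 :nick "yourusername" :password "your IRC password")`, which puts the IRC password in plaintext in the Emacs configuration file. As a top-level form it presumably also connects every time Emacs starts. *Changing or removing the IRC password* states that the password is the same for all users, so a leaked init file gives away the login that every user shares. I would add a sentence telling readers to keep the file private (`chmod 600`) or to wrap the call in a command they run by hand. The `#+KEYWORDS:` line also reads `freedombome` where the other pages have `freedombone`.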
|
|
@ -0,0 +1,45 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, lychee
|
||||
#+DESCRIPTION: How to use Lychee
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Lychee</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Lychee is a simple and lightweight photo album for the web. Whether you're an amateur or professional photographer, or want to publish random holiday pics or cat pictures. Lychee just does what it says it does without any fuss. There is also a photo album feature within [[./app_hubzilla.html][Hubzilla]] if you need more sophisticated social photo sharing with individualised permissions.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *lychee*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Lychee. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Lychee domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
Within a browser navigate to your lychee domain name or onion address. It should look like this:
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/lychee_setup.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Within the *Administrator control panel* select *App Settings* and then *lychee*. This will show the initial login settings which you need to set up the database. To copy the password hold down the shift key, select the password then right click and copy.
|
||||
|
||||
After that create a username and password and store them in your favourite password manager. And you're done. Add photos and albums as you wish.
|
|
@ -0,0 +1,71 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, mailpile
|
||||
#+DESCRIPTION: How to use Mailpile
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Mailpile</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Mailpile provides a nice looking webmail interface suitable for use on desktop or mobile clients. It has good support for email encryption and makes that quite an simple process. At present it's usable but still has a few bugs and limitations. If you need a fully functional email client with comprehensive encryption support then either use Mutt or Thunderbird/Icedove.
|
||||
|
||||
An advantage of this type of webmail is that /it keeps your GPG keys off of any mobile devices/ so that if you lose your phone, or it gets stolen, then your email might still not be compromised.
|
||||
|
||||
One down side is that this appears to be a single user system, so if you have multiple users on your Freedombone server only the administrator will actually be able to use mailpile.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *mailpile*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /mail.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Mailpile. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Mailpile domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
||||
|
||||
If you're viewing your mail domain site on a mobile device via OrFox then make sure you allow the domain in the NoScript settings.
|
||||
|
||||
Enter a password and store it within a password manager.
|
||||
|
||||
Click on the *Privacy and Security* button.
|
||||
|
||||
Scroll down and select *Save Settings*. Don't click on the Tor button.
|
||||
|
||||
Click *Add account*.
|
||||
|
||||
Enter your name, email address and password.
|
||||
|
||||
Uncheck *Detect Settings* and click *Next*.
|
||||
|
||||
Under *Sending Mail* select *local* or if you need to proxy outgoing email through your ISP's server select *SMTP/TLS* and enter the details, then click *Next*.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mailpile_setup.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Under *Receiving files* select *IMAP*, the domain as *localhost*, port *143*, your username and password, then click *Next*. Astute readers may well be concerned that IMAP over port 143 is not encrypted, but since this is only via localhost communication between the Mail Transport Agent and Mailpile doesn't travel over the internet and port 143 is not opened on the firewall so it's not possible to accidentally connect an external mail client insecurely.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mailpile_setup_keys.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Under *Security and Privacy* either select your existing encryption key or if you only get the option to create a new one then do so, then click *Add* or *Save*.
|
||||
|
||||
The process of importing your email should then occur, and can take some time.
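Review bot: The sentence justifying IMAP on port *143* is the security rationale for this setup, and it is hard to parse as written ("since this is only via localhost communication between ... doesn't travel over the internet"). I would split it, e.g. `This connection is only between the Mail Transport Agent and Mailpile on localhost, so it never travels over the internet. Port 143 is not opened on the firewall, so an external mail client cannot connect to it insecurely.` It would also be worth stating whether the IMAP service listens on localhost only, because otherwise the firewall rule is the only control. Minor: `quite an simple` in the introduction should be `quite a simple`.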
|
|
@ -0,0 +1,42 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, mumble
|
||||
#+DESCRIPTION: How to use Mumble
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Mumble</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Mumble is a well known VoIP system originally used for gaming, but which works just as well for any general conference calls or meetings.
|
||||
|
||||
* Text chat
|
||||
In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.
|
||||
|
||||
* Using with Ubuntu
|
||||
Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard.
|
||||
|
||||
Click on "add new" to add a new server and enter the default domain name for the Freedombone, your username (which can be anything) and the VoIP server password which can be found in the *Passwords* section of the *Administrator control panel*. Accept the self-signed SSL certificate if you don't have a Let's Encrypt certificate set up for your default domain. You are now ready to chat.
|
||||
|
||||
* Using with Android
|
||||
Install [[https://f-droid.org/][F-Droid]]
|
||||
|
||||
If you don't have Orbot installed then enable The Guardian Project repository from the drop down menu and install it.
|
||||
|
||||
Search for and install Plumble.
|
||||
|
||||
Press the plus button to add a Mumble server.
|
||||
|
||||
Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the *About* screen of the *Administrator control panel*, your username (which can also be anything) and the mumble password which can be found in the *Passwords* section of the *Administrator control panel*.
|
||||
|
||||
Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who.
|
||||
|
||||
Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users.
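Review bot: *Using with Ubuntu* tells the reader to accept the self-signed SSL certificate but gives no way to check it, so an interception on the first connection would go unnoticed. I would add a sentence such as `Before accepting, compare the certificate fingerprint shown by the client with the one on your server.` If the control panel shows the server's fingerprint, the page should say where to find it. The Android section already prefers the onion address, and recommending it here as well would reduce reliance on that certificate for identifying the server.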
|
|
@ -0,0 +1,69 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, pi-hole, ad blocker
|
||||
#+DESCRIPTION: How to block ads on your network
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>PI-Hole: The Black Hole for Web Adverts</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Idiots who have an inflated sense of self-entitlement will tell you that it's /your moral duty/ to view their mind-numbingly tedious corporate ads on their web site or YouTube channel, or else their kids will starve and the sky will fall because their revenue stream will dry up. But that's bullshit. There is nothing intrinsic or morally mandatory about adverts propping up the livelihoods of netizens, and indeed a web not primarily based on advertising money might have been a much better and more interesting place by now, with a lot less spying.
|
||||
|
||||
Not only are web ads annoying, but they can consume a lot of bandwidth, be a privacy problem in terms of allowing companies to track your browsing habits and also any badly written scripts they contain may introduce exploitable security holes. Also if you're poor then adverts often make you want things that you can't have.
|
||||
|
||||
You can block ads for any devices connected to your local network by installing the *pihole* app from *Add/Remove Apps* on the administrator control panel. This may help to improve overall performance of your devices by not wasting time downloading unwanted images or scripts.
|
||||
|
||||
Also don't expect perfection. Though many ads may be blocked by this system some will still get through. It's a constant cat and mouse game between advertisers and blockers.
|
||||
|
||||
* Set a static IP address
|
||||
|
||||
Ensure that your system has a static local IP address (typically 192.168..) using the option on the control panel. You will also need to know the IP address of your internet router, which is usually *192.168.1.1* or *192.168.1.254*.
|
||||
|
||||
When that's done select *About this system* from the control panel and see the IPv4 address. You can use this as a DNS address in two ways:
|
||||
|
||||
* On each client system within your local network
|
||||
|
||||
#+begin_src bash
|
||||
sudo chattr -i /etc/resolv.conf
|
||||
sudo nano /etc/resolv.conf
|
||||
#+end_src
|
||||
|
||||
Comment out any existing entries with a # character and add:
|
||||
|
||||
#+begin_src bash
|
||||
nameserver [IPv4 address from the About screen]
|
||||
#+end_src
|
||||
|
||||
Normally /resolv.conf/ will be overwritten every time your reboot, but you can prevent this with:
|
||||
|
||||
#+begin_src bash
|
||||
sudo chattr +i /etc/resolv.conf
|
||||
#+end_src
|
||||
|
||||
* On your internet router
|
||||
If you can access the settings on your local internet router then this is the simplest way to provide ad blocking for all devices which connect to it. Unfortunately some router models don't let you edit the DNS settings and if that's the case you might want to consider getting a different router.
|
||||
|
||||
Edit the DNS settings and add the IPv4 address which you got from the control panel About screen. Exactly how you do this will just depend upon your particular router model. You may also need to set the same address twice, because two addresses are conventional.
|
||||
|
||||
** LibreCMC
|
||||
On a router running LibreCMC from the *Network* menu select *DHCP and DNS*. Enter the static IP address of your Freedombone system within *DNS Forwardings*, then at the bottom of the page click on *Save & Apply*. Any devices which connect to your router will now have ad blocking.
|
||||
|
||||
* Configuring block lists
|
||||
You can configure the block lists which the system uses by going to the *administrator control panel*, selecting *App Settings* then choosing *pihole*. You can also add any extra domain names to the whitelist if they're being wrongly blocked or to the blacklist if they're not blocked by the current lists.
|
||||
|
||||
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
Return to the <a href="index.html">home page</a>
|
||||
</center>
|
||||
#+END_EXPORT
|
|
@ -0,0 +1,39 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, postactiv
|
||||
#+DESCRIPTION: How to use PostActiv
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>PostActiv</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
PostActiv is a fork of [[./app_gnusocial.html][GNU Social]] which includes some extra fixes and optimisations to improve performance. It federates just like GNU Social does and so whether you choose GNU Social or PostActiv is really just down to personal prefernce.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *postactiv*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
|
||||
|
||||
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for PostActiv. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
|
||||
|
||||
* Initial setup
|
||||
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Postactiv domain listed there along with an onion address. You can then navigate to your site in a browser.
|
||||
|
||||
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
|
||||
|
||||
Navigate to your PostActiv domain name and log in.
|
|
@ -0,0 +1,41 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, radicale
|
||||
#+DESCRIPTION: How to use Radicale
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Radicale</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Radicale is a calendar server which allows your to synchronise your calendar across all your devices. Support for CalDAV within various client systems can be quite patchy/flaky though, so use it with caution.
|
||||
|
||||
* Installation
|
||||
Log into your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+end_src
|
||||
|
||||
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
|
||||
|
||||
Select *Add/Remove Apps* then *radicale*. If you don't already have an SSL/TLS certificate for your main domain then go to the security settings and create a new Let's Encrypt cert for it. That will ensure that your calendar events have some minimal level of protection from passive surveillance.
|
||||
|
||||
* Setting up on Android
|
||||
Via F-droid install *DAVdroid*.
|
||||
|
||||
There seems to be a problem with Let's Encrypt certificates with this app, but it's possible to get around it. Open DAVdroid and select the side *menu* followed by *Settings*. Enable *Distrust system certificates* and press *Reset untrusted certificates*.
|
||||
|
||||
Exit from settings and press the *plus button* to add an account. Select *Login with URL and user name*. The URL should be https://yourmaindomainname/radicale/. Remember to include the trailing slash on the URL. If you installed Freedombone from a disk image then enter your username and the password which was shown at the start of installation. If not then the password for Radicale will be within *Passwords* section of the *Administrator control panel*.
|
||||
|
||||
You will be prompted to approve the Let's Encrypt cerificate for your domain name, and once that's done then you should see your account as a large yellow box. Press on that and ensure that *Addresses* and *calendar* are selected.
|
||||
|
||||
Now go to your calendar app and press the plus icon to add an event. You should notice that the calendar account selected is your username on the Freedombone system.
|
|
@ -0,0 +1,76 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: Freedombone, RSS
|
||||
#+DESCRIPTION: How to use the RSS reader
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>RSS Reader</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
The way that RSS reading is set up on Freedombone gives you strong reading privacy. Not only is there onion routing between you and the server but also between the server and the source of the RSS feed. The only down side is that many RSS feeds are still http only, and so could be vulnerable to injection attacks, but it's expected that more of this will go to https in the foreseeable future due to a combination of growing recognition of security issues and systems like Let's Encrypt which make obtaining certificates much easier.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/rss_reader_mobile.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
* Finding the onion address
|
||||
See the control panel for the RSS reader onion address.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select *Administrator controls* then select the *About* screen.
|
||||
|
||||
The RSS reader is accessible only via an onion address. This provides a reasonable degree of reading privacy, making it difficult for passive adversaries such as governments, corporations or criminals to create lists of sites which you are subscribed to.
|
||||
|
||||
To set up the system open http://rss_reader_onion_address and log in with username *admin* and the password which can be found within the *Passwords* section of the *Administrator control panel*. You can then select the *Actions* menu and begin adding your feeds.
|
||||
|
||||
* On mobile
|
||||
To access the RSS reader from a mobile device you can install a Tor compatible browser such as OrFox, then use the mobile onion address shown on the *About* screen of the *Administrator controls*. Remember to add the site to the NoScript whitelist, and you may also need to turn HTTPS Everywhere off.
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
A note for the paranoid is that on mobile devices you get redirected to a different onion address which is specially set up for the mobile interface, so don't be alarmed that it looks like your connection is being hijacked.
|
||||
#+END_QUOTE
|
||||
* With Emacs
|
||||
If you are an Emacs user then you can also read your RSS feeds via the [[https://github.com/dk87/avandu][Avandu]] mode.
|
||||
|
||||
Add the following to your configuration, changing the address and password as appropriate.
|
||||
|
||||
#+begin_src emacs-lisp :tangle no
|
||||
(setq avandu-tt-rss-api-url "http://rss_reader_onion_address/api/"
|
||||
avandu-user "admin"
|
||||
avandu-password "mypassword")
|
||||
#+end_src
|
||||
|
||||
If you don't already have Emacs set up to route through Tor then also add the following:
|
||||
|
||||
#+begin_src emacs-lisp :tangle no
|
||||
(setq socks-noproxy '("localhost"))
|
||||
(require 'socks)
|
||||
(require 'tls)
|
||||
(setq socks-server (list "Tor socks" "localhost" 9050 5))
|
||||
#+end_src
|
||||
|
||||
And ensure that the Tor daemon is installed. On a debian based system:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo apt-get install tor
|
||||
#+end_src
|
||||
|
||||
or on Arch/Parabola:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo pacman -S tor
|
||||
sudo systemctl enable tor
|
||||
sudo systemctl start tor
|
||||
#+end_src
|
|
@ -0,0 +1,78 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, file sync
|
||||
#+DESCRIPTION: How to use Syncthing
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Syncthing</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Syncthing provides a similar capability to proprietary systems such as Dropbox, and also is well suited for use with low power single board computers. You can have one or more directories which are synchronized across your various laptops/desktops/devices, and this makes it hard for you to ever lose important files. The manner in which the synchronization is done is pretty secure, such that it would be difficult for passive adversaries (mass surveillance, "/men in the middle/", etc) to know what files you're sharing. Of course, you don't necessarily need to be running a server in order to use Syncthing, but if you do have a server which is always running then there's always at least one place to synchronize your files to or from.
|
||||
|
||||
Freedombone provides Syncthing shared directories for each user on the system, plus a single shared directory for all users. The expected most common scenario here is that of a family in which members may not want to share /all of their files/ with each other, but might want to share some in a common pool (eg. birthday photos). You can also easily share between different servers.
|
||||
|
||||
* On a laptop
|
||||
Install syncthing on a Debian based distro:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
|
||||
echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
|
||||
sudo apt-get update
|
||||
sudo apt-get install syncthing
|
||||
#+END_SRC
|
||||
|
||||
Or on Arch/Parabola:
|
||||
|
||||
#+begin_src bash
|
||||
sudo pacman -S syncthing
|
||||
#+end_src
|
||||
|
||||
Add syncthing to your startup applications, so that it begins running when your system starts. Then either restart your system or run the command "syncthing" from a terminal.
|
||||
|
||||
In another terminal log into Freedombone:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select *File Synchronization*.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/controlpanel/control_panel_file_sync.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Select *Show device ID* and copy the long string of letters and numbers shown, using the shift key then select the text followed by right click then select copy.
|
||||
|
||||
Open a non-Tor browser and enter *http://127.0.0.1:8384* as the URL. You should now see the minimalistic user interface. Under *Remote Devices* select *Add Remote Device*. In the *Device ID* field paste the string you just copied (CTRL+v). The Device name can be anything. Under *Share Folders with Device* check *default* (or whatever folder you created on your local machine), then save.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/syncthing_browser.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
From the top menu select *Actions* and then *Show ID*, then copy the ID string (usually select then CTRL+c). Go back to the terminal control panel menu and select *Add an ID* then paste what you just copied (CTRL+v). Optionally you can also provide a description so that you later can know what that string corresponds to.
|
||||
|
||||
Now wait for a few minutes. Eventually you will see two messages appear within the browser asking if you want to add two new folders from the Freedombone server. Say yes to both, and specify *~/Sync* as the directory with your username and *~/SyncShared* as the shared directory. You can now copy files into your *~/Sync* directory and they will automatically be synced to the server. Those will be files which only you can access. If you copy files into *~/SyncShared* then they will also be available to any other users on the system.
|
||||
|
||||
* On Android
|
||||
Install Syncthing and Connectbot from F-droid.
|
||||
|
||||
Set up Connectbot to log into Freedombone.
|
||||
|
||||
Select *File Synchronization*.
|
||||
|
||||
Select *Show device ID* and copy the long string of letters by pressing anywhere on the screen, selecting the *menu* then *copy* and then selecting the ID string. This is very tricky on a small screen, so expect to fail multiple times before you succeed in copying the text.
|
||||
|
||||
Open Syncthing and select the devices tab. Press on *+* and then paste the device ID with a long press followed by *Paste*. You may need to remove any stray characters which were copied during the previous haphazard selection process. Add a name, which can be anything.
|
||||
|
||||
Now select the menu (top left or menu button) and then press on *Device ID*. It will be copied to the clipboard. Go back to Connectbot and from the control panel select *File Synchronization* followed by *Add an ID*. You can then paste in the ID with a long press, and optionally add a description for the device. When that's done you can disconnect from Connectbot.
|
||||
|
||||
Now wait for a few minutes or more. Eventually you should receive two notifications (swipe down from the top to see them) which will allow you to confirm the connection to the server. Say yes to both, and specify appropriate directories for your files and the shared files. To reduce battery and data usage via the settings you can also set Syncthing to only sync while it's charging and only while it's connected to wifi.
|
|
@ -0,0 +1,32 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, tox
|
||||
#+DESCRIPTION: How to use Tox
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Tox</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within *App Settings* under *tox* within the *Administrator control panel*. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
|
||||
|
||||
* The Toxic client
|
||||
Log into your system with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then from the menu select *Run an app* followed by *tox*. Tox is encrypted by default and also routed through Tor, so it should be reasonably secure both in terms of message content and metadata.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/toxic.jpg]]
|
||||
#+END_CENTER
|
|
@ -0,0 +1,149 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, xmpp
|
||||
#+DESCRIPTION: How to use XMPP/Jabber
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>XMPP/Jabber</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Most people know XMPP as "/Jabber/" and it's sometimes regarded and an old protocol once used by Google and Facebook but which is no longer relevant. However, it still works and if appropriately configured, as it is on Freedombone, can provide the best chat messaging security currently available.
|
||||
|
||||
With regard to chat apps you might have read a lot of stuff about /end-to-end security/. That's important, but to also protect the metadata of who sends messages to who the data needs to be onion routed (wrapped in multiple layers of routing encryption), and that's something which most popular chat apps don't provide. Also beware of chat apps which fundamentally rely upon Google's infrastructure. You can be sure that they extensively data mine everything and will be able to reconstruct your social graph if that's at all technically feasible, then pass that to whatever governments they're friendly with or trying to lobby.
|
||||
|
||||
A well written article on the state of XMPP and how it compares to other chat protocols [[https://gultsch.de/xmpp_2016.html][can be found here]].
|
||||
|
||||
* Using with Gajim
|
||||
In mid 2016 [[https://gajim.org/][Gajim]] became the first desktop XMPP client to support the [[https://en.wikipedia.org/wiki/OMEMO][OMEMO end-to-end security standard]], which is superior to the more traditional [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
su -c 'echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list'
|
||||
sudo apt-get update
|
||||
sudo apt-get -y install gajim-dev-keyring
|
||||
sudo apt-get -y install git tor python-dev python-pip gajim-nightly
|
||||
mkdir ~/.local/share/gajim/plugins -p
|
||||
cd ~/.local/share/gajim/plugins
|
||||
git clone https://github.com/omemo/gajim-omemo
|
||||
sudo pip install protobuf==2.6.1, python-axolotl==0.1.35
|
||||
#+end_src
|
||||
|
||||
Open Gajim and enter your XMPP address and password.
|
||||
|
||||
Go to *Edit/Preferences* and select the *Advanced* tab. Under *Global Proxy* select *Tor* and the *Close* button. Then select *Edit/Plugins* and make sure that OMEMO is active (ticked), then select the *Close* button.
|
||||
|
||||
When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.
|
||||
|
||||
If you wish to make backups of the OMEMO keys then they can be found within:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
~/.local/share/gajim
|
||||
#+end_src
|
||||
|
||||
If you wish to use OpenPGP to encrypt your messages then go to *Edit/Accounts*, select your account and then the *Personal Information* tab. You can then choose your GPG key. When initiating a chat you can select the *Advanced* button and then select *Toggle OpenPGP Encryption*. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.
|
||||
|
||||
* Using with Profanity
|
||||
The [[https://profanity.im][Profanity]] shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compomised then there are no locally stored OTR keys to be found.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select XMPP. Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr gen
|
||||
#+END_SRC
|
||||
|
||||
Then to start a conversation using OTR:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr start otherusername@otheruserdomain
|
||||
#+END_SRC
|
||||
|
||||
or if you're already in an insecure chat with someone just use:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr start
|
||||
#+END_SRC
|
||||
|
||||
Set a security question and answer:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr question "What is the name of your best friends rabbit?" fiffi
|
||||
#+END_SRC
|
||||
|
||||
On the other side the user can enter:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr answer fiffi
|
||||
#+END_SRC
|
||||
|
||||
For the most paranoid you can also obtain your fingerprint:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr myfp
|
||||
#+END_SRC
|
||||
|
||||
and quote that. If they quote theirs back you can check it with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr theirfp
|
||||
#+END_SRC
|
||||
|
||||
If the fingerprints match then you can be pretty confident that unless you have been socially engineered via the question and answer you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[https://www.profanity.im/otr.html][this guide]]
|
||||
|
||||
When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
|
||||
|
||||
* Using with Jitsi
|
||||
Jitsi can be downloaded from https://jitsi.org
|
||||
|
||||
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
|
||||
|
||||
Click *Add* to add a new user, then enter the Jabber ID (yourusername@yourmaindomainname). Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
|
||||
|
||||
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
|
||||
|
||||
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
|
||||
|
||||
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
|
||||
|
||||
* Using with Ubuntu
|
||||
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
|
||||
|
||||
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
|
||||
|
||||
Enter your username (username@domainname) and password.
|
||||
|
||||
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
|
||||
|
||||
* Using Tor Messenger
|
||||
Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from [[https://torproject.org][torproject.org]] and the setup is pretty simple.
|
||||
|
||||
* Using with Android/Conversations
|
||||
Install [[https://f-droid.org/][F-Droid]]
|
||||
|
||||
Search for and install *Orbot* and *Conversations*.
|
||||
|
||||
Add an account and enter your Jabber/XMPP ID and password.
|
||||
|
||||
From the menu select *Settings* then *Expert Settings*. Select *Connect via Tor* and depending on your situation you might also want to select *Don't save encrypted messages*. Also within expert settings select *Keep in foreground*. This will enable you to still receive notifications when your device is in standby mode with the screen turned off.
|
||||
|
||||
From the menu select *Manage accounts* and add a new account.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
Jabber ID: myusername@mydomain
|
||||
Password: your XMPP password
|
||||
Hostname: mydomain (preferably your xmpp onion address)
|
||||
Port: 5222
|
||||
#+END_SRC
|
||||
|
||||
Then select *Next*. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.
|
|
@ -0,0 +1,108 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, apps
|
||||
#+DESCRIPTION: List of apps available on freedombone
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+begin_export html
|
||||
<center><h1>Apps</h1></center>
|
||||
#+end_export
|
||||
|
||||
The base install of the system just contains an email server and Mutt client, but not much else. In addition from within the *Administrator control panel* under *Add/remove apps* the following are installable. This list only applies on the home server version, with the mesh network version having a different and smaller set of apps.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/controlpanel/control_panel_apps.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
* DLNA
|
||||
Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
|
||||
|
||||
[[./app_dlna.html][How to use it]]
|
||||
* Dokuwiki
|
||||
A databaseless wiki system.
|
||||
|
||||
[[./app_dokuwiki.html][How to use it]]
|
||||
* Emacs
|
||||
If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
|
||||
|
||||
[[./app_emacs.html][How to use it]]
|
||||
* Etherpad
|
||||
Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
|
||||
|
||||
[[./app_etherpad.html][How to use it]]
|
||||
* Ghost
|
||||
Modern looking blogging system.
|
||||
|
||||
[[./app_ghost.html][How to use it]]
|
||||
* GNU Social
|
||||
Federated social network. You can "/remote follow/" other users within the GNU Social federation.
|
||||
|
||||
[[./app_gnusocial.html][How to use it]]
|
||||
* Gogs
|
||||
Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar /fork-and-pull/ workflow. If you can use Github then you can also use Gogs.
|
||||
|
||||
[[./app_gogs.html][How to use it]]
|
||||
* HTMLy
|
||||
Databaseless blogging system. Quite simple and with a markdown-like format.
|
||||
|
||||
[[./app_htmly.html][How to use it]]
|
||||
* Hubzilla
|
||||
Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
|
||||
|
||||
[[./app_hubzilla.html][How to use it]]
|
||||
* IRC Server (ngirc)
|
||||
Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
|
||||
|
||||
[[./app_irc.html][How to use it]]
|
||||
* Jitsi Meet
|
||||
Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
|
||||
|
||||
* Lychee
|
||||
Make your photo albums available on the web.
|
||||
|
||||
[[./app_lychee.html][How to use it]]
|
||||
* Mailpile
|
||||
Modern email client which supports GPG encryption.
|
||||
|
||||
[[./app_mailpile.html][How to use it]]
|
||||
* Mumble
|
||||
The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
|
||||
|
||||
[[./app_mumble.html][How to use it]]
|
||||
* PI-Hole
|
||||
The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
|
||||
|
||||
[[./app_pihole.html][How to use it]]
|
||||
* PostActiv
|
||||
An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
|
||||
|
||||
[[./app_postactiv.html][How to use it]]
|
||||
* Radicale
|
||||
Calendar system compatible with CalDAV and CardDAV. Synch your calendar events easily and securely across all your devices.
|
||||
|
||||
[[./app_radicale.html][How to use it]]
|
||||
* tt-rss
|
||||
Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "/the right to read/" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
|
||||
|
||||
[[./app_rss.html][How to use it]]
|
||||
* Syncthing
|
||||
Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
|
||||
|
||||
[[./app_syncthing.html][How to use it]]
|
||||
* Tox
|
||||
Client and bootstrap node for the Tox chat/VoIP system.
|
||||
|
||||
[[./app_tox.html][How to use it]]
|
||||
* Vim
|
||||
If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
|
||||
|
||||
* XMPP
|
||||
Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
|
||||
|
||||
[[./app_xmpp.html][How to use it]]
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -0,0 +1,92 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombone, beaglebone
|
||||
#+DESCRIPTION: How to install Freedombone onto a Beaglebone Black
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Installing Freedombone on a Beaglebone Black</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
The Beaglebone Black is small, cheap, a fully open hardware design, has a hardware random number generator and consumes very little electrical power, making it suitable for all kinds of uses.
|
||||
|
||||
You can easily use one to run your own internet services from home.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/bbb_above.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
You will need:
|
||||
|
||||
* A Beaglebone Black. The exact revision of the hardware isn't very important, but it should have an ethernet socket.
|
||||
* Optionally a plastic or metal case to protect the electronics.
|
||||
* An ethernet cable. Typically these are colour coded either blue or yellow. Either colour will do.
|
||||
* Either a 5v power supply with 5.5mm barrel plug, or a miniUSB type B cable (typically supplied with the Beaglebone) and USB to mains adaptor.
|
||||
* A microSD card at least 8 gigabytes in size. In tests Sandisk class 10 works well. Prefer smaller but faster I/O rating to larger but slower.
|
||||
* A microSD card adaptor for your laptop or desktop system, so that you can copy the disk image to the card.
|
||||
|
||||
On your laptop or desktop prepare a microSD card image as follows. To create an image on a Debian based system:
|
||||
|
||||
#+begin_src bash
|
||||
sudo apt-get install git
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
git checkout stockholm
|
||||
sudo make install
|
||||
freedombone-image --setup debian
|
||||
#+end_src
|
||||
|
||||
Or on Arch/Parabola:
|
||||
|
||||
#+begin_src bash
|
||||
sudo pacman -S git
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
git checkout stockholm
|
||||
sudo make install
|
||||
freedombone-image --setup parabola
|
||||
#+end_src
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/microsd_reader.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
If you own a domain name and have it linked to a dynamic DNS account (eg. [[https://freedns.afraid.org][freeDNS]]) and want to make a system accessible via an ordinary browser then run:
|
||||
|
||||
#+begin_src
|
||||
freedombone-image -t beaglebone
|
||||
#+end_src
|
||||
|
||||
Or of you want a system where the services are only accessible via onion addresses.
|
||||
|
||||
#+begin_src
|
||||
freedombone-image -t beaglebone --onion yes
|
||||
#+end_src
|
||||
|
||||
Onion addresses have the advantage of being difficult to censor and you don't need to buy a domain or have a dynamic DNS account. An onion based system also means you don't need to think about NAT traversal type issues.
|
||||
|
||||
Connect the power and ethernet cable and plug it into your internet router.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/bbb_back.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Now follow the [[./homeserver.html][instructions given here to copy the image to the microSD drive]] beginning with running the /freedombone-client/ command. Wherever it says "USB drive" substitute "microSD drive". When the microSD drive is ready plug it into the front of the Beaglebone. The photo below also includes an Atheros wifi USB dongle plugged into the front, but that's not necessary unless you want to set up the system to run on a wifi network.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/bbb_front.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Now power cycle by removing the power plug and then inserting it again. It should boot from the microSD drive and you should see the blue LEDs on the board flashing. If they don't fash at all for a few minutes then try copying the image to the microSD card again.
|
||||
|
||||
Follow the rest of the [[./homeserver.html][instructions given here]] to log in via ssh and install the system. The microSD drive /should remain inside the Beaglebone/ and not be removed. This will be its main drive, with the internal EMMC not being used at all.
|
||||
|
||||
There are many apps available within the Freedombone system and trying to install them all is probably not a good idea, since this hardware is very resource constrained on CPU and especially on RAM. If the system seems to be becoming unstable and crashing then the most likely cause is running out of RAM, in which case you can try uninstalling some apps. It is possible to monitor RAM usage by logging in with ssh, exiting to the command line and then running the /top/ command.
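Review bot: Both install listings run `sudo make install` on whatever the `stockholm` branch head is at clone time, and the page gives the reader no way to check that the checkout is the code the project published. If the project signs its tags or commits (not visible here), a step such as `git verify-commit HEAD` before `sudo make install`, or a pinned release tag in place of the branch name, would close that gap. Otherwise a sentence stating that the branch is unverified would at least make the trust assumption explicit. Two typos in the new text: `Or of you want` should read `Or if you want`, and `If they don't fash` should read `If they don't flash`.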
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -16,7 +16,7 @@
|
|||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
Freedombone is really just a couple of [[http://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/agpl.html][GNU Affero General Public License version 3]] (or later).
|
||||
Freedombone is really just a couple of [[https://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/agpl.html][GNU Affero General Public License version 3]] (or later).
|
||||
|
||||
You can find the source code for this project [[https://github.com/bashrc/freedombone][on Github]].
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Control Panel
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -0,0 +1,271 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+begin_export html
|
||||
<center><h1>Developers Guide</h1></center>
|
||||
#+end_export
|
||||
|
||||
* Introduction
|
||||
Freedombone consists of a set of bash scripts. There are a lot of them, but they're not very complicated. If you're familiar with the GNU/Linux commandline and can hack a bash script then you can probably add a new app or fix a bug in the system. There are no trendy development frameworks to learn or to get in your way.
|
||||
* Community Statement
|
||||
This project doesn't require you to take any special pledge of allegiance or subscribe to any guru's list of commandments. It does not care about your gender, race, national flag or political alignment. It is agnostic towards your religion or lack thereof. It doesn't give one hoot as to whether you are young or old, rich or poor, gay, trans, straight or just "other". It does not care if you like your eggs sunny side up or if you are a vegan.
|
||||
|
||||
This is an inclusive project which will take patches or pull requests from anyone, in a generous manner along the lines described by the late Pieter Hintjens in his book /Social Architecture/. Any useful patch is likely to be merged so long as it is submitted under a license compatible with AGPL3. Copyright assignment is not required.
|
||||
|
||||
Freedombone is a free system. That's free as in no secret source. For anything. Although there's nothing to stop you from adding proprietary utilities or apps if you wish, any patches containing closed stuff or which create dependencies upon closed systems will be regarded as trash and ignored.
|
||||
|
||||
This project also has a no bullshit policy. Anyone trying to cause a ruckus by trolling or engaging in behavior which is disruptive or disrespectful to others will be speedily blocked and ignored. Life's too short, and there's too much to be done.
|
||||
* Adding extra apps
|
||||
Suppose you have some internet application which you want to add to the system. To do this you need to create an app script which tells the system how to install/remove and also backup/restore. The script should be designed to work with the current stable version of Debian.
|
||||
|
||||
On an installed system the app scripts go into the directory:
|
||||
|
||||
#+begin_src bash
|
||||
/usr/share/freedombone/apps
|
||||
#+end_src
|
||||
|
||||
and within the project repo they appear within the /src/ directory. Your new app script should have the name:
|
||||
|
||||
#+begin_src bash
|
||||
freedombone-app-[myappname]
|
||||
#+end_src
|
||||
|
||||
The /myappname/ value should not contain any spaces and will appear in the list of available apps.
|
||||
|
||||
An example template for an app script is shown below. Copy this and add whatever variables and configuration you need. Search and replace /myappname/ with your own.
|
||||
|
||||
#+begin_src bash
|
||||
#!/bin/bash
|
||||
# Copyright (C) Year YourName <YourEmail>
|
||||
#
|
||||
# This program is free software: you can redistribute it
|
||||
# and/or modify it under the terms of the GNU Affero General
|
||||
# Public License as published by the Free Software Foundation,
|
||||
# either version 3 of the License, or (at your option) any
|
||||
# later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Affero General Public License for more details.
|
||||
|
||||
# 'full' includes your app in the full installation and you
|
||||
# can also add other variants, separated by spaces. The
|
||||
# available variants will be detected automatically from the
|
||||
# app scripts. In most cases don't change this.
|
||||
VARIANTS='full'
|
||||
|
||||
# If you want this to appear on the control panel About screen
|
||||
SHOW_ON_ABOUT=1
|
||||
|
||||
# If you want this app to be in the default installation,
|
||||
# otherwise it will be available but not selected by default
|
||||
IN_DEFAULT_INSTALL=1
|
||||
|
||||
SOME_IMPORTANT_CONFIG_VARIABLE='some important value'
|
||||
ANOTHER_IMPORTANT_CONFIG_VARIABLE='foo'
|
||||
MY_FUNKY_AVATAR=https://some-domain-or-other/fro.png
|
||||
MYAPPNAME_ONION_PORT=[port number]
|
||||
MYAPPNAME_DB_PASSWORD=
|
||||
|
||||
# A directory where the data for this app exists
|
||||
MYAPP_DATA_DIR=/var/lib/somedirectory
|
||||
|
||||
# List of configuration variables used by the app
|
||||
myappname_variables=(ONION_ONLY
|
||||
MY_USERNAME
|
||||
SOME_IMPORTANT_CONFIG_VARIABLE
|
||||
ANOTHER_IMPORTANT_CONFIG_VARIABLE
|
||||
MY_FUNKY_AVATAR
|
||||
MYAPPNAME_ONION_PORT
|
||||
MYAPPNAME_DB_PASSWORD)
|
||||
|
||||
function change_password_myappname {
|
||||
PASSWORD_USERNAME="$1"
|
||||
PASSWORD_NEW="$2"
|
||||
# Do something to change the password
|
||||
}
|
||||
|
||||
function reconfigure_myappname {
|
||||
echo -n ''
|
||||
# Do something to delete existing keys/identity and
|
||||
# generate new ones
|
||||
}
|
||||
|
||||
function upgrade_myappname {
|
||||
echo -n ''
|
||||
# Do something to upgrade this app.
|
||||
# If it's a debian package then it will be maintained by the
|
||||
# operating system and you don't need anything here
|
||||
}
|
||||
|
||||
function backup_local_myappname {
|
||||
# If your app has a MariaDB/MySQL database
|
||||
backup_database_to_usb myappname
|
||||
|
||||
# To backup a directory
|
||||
backup_directory_to_usb $MYAPP_DATA_DIR myappname
|
||||
|
||||
# if you need to backup data within individual user
|
||||
# home directories
|
||||
for d in /home/*/ ; do
|
||||
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
|
||||
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
|
||||
echo $"Backing up myappname config for $USERNAME"
|
||||
if [ -d /home/$USERNAME/.config/myappname ]; then
|
||||
backup_directory_to_usb \
|
||||
/home/$USERNAME/.config/myappname \
|
||||
myappname_users/$USERNAME
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
function restore_local_myappname {
|
||||
temp_restore_dir=/root/tempmyappname
|
||||
|
||||
# If your app has a MariaDB/MySQL database
|
||||
restore_database myappname
|
||||
|
||||
# Restore some data from a directory
|
||||
# Note that we don't restore directly but to a temporary
|
||||
# directory and then copy the files. This ensures that if
|
||||
# there is a restore failure you don't end up with
|
||||
# half-copied or corrupted files
|
||||
restore_directory_from_usb $MYAPP_DATA_DIR myappname
|
||||
cp -r $temp_restore_dir/$MYAPP_DATA_DIR $MYAPP_DATA_DIR
|
||||
rm -rf $temp_restore_dir
|
||||
|
||||
# If you need to restore a configuration directory for each user
|
||||
if [ -d $USB_MOUNT/backup/myappname_users ]; then
|
||||
for d in $USB_MOUNT/backup/myappname_users/*/ ; do
|
||||
USERNAME=$(echo "$d" | awk -F '/' '{print $6}')
|
||||
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
|
||||
if [ ! -d /home/$USERNAME ]; then
|
||||
${PROJECT_NAME}-adduser $USERNAME
|
||||
fi
|
||||
echo $"Restoring Vim config for $USERNAME"
|
||||
function_check restore_directory_from_usb
|
||||
restore_directory_from_usb $temp_restore_dir \
|
||||
myappname_users/$USERNAME
|
||||
cp -r $temp_restore_dir/home/$USERNAME/.config \
|
||||
/home/$USERNAME/
|
||||
if [ ! "$?" = "0" ]; then
|
||||
rm -rf $temp_restore_dir
|
||||
set_user_permissions
|
||||
backup_unmount_drive
|
||||
exit 664
|
||||
fi
|
||||
rm -rf $temp_restore_dir
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
function backup_remote_myappname {
|
||||
# this should be the same as backup_local_myappname,
|
||||
# but call the backup functions backup_directory_to_friend
|
||||
# and backup_database_to_friend
|
||||
}
|
||||
|
||||
function restore_remote_vim {
|
||||
# this should be the same as restore_local_myappname,
|
||||
# but call the restore function restore_directory_from_friend
|
||||
# and restore_database_from_friend
|
||||
}
|
||||
|
||||
function remove_myappname {
|
||||
# if it's a debian package then:
|
||||
apt-get -y remove --purge [my-app-package-name]
|
||||
|
||||
# If your app has a MariaDB/MySQL database
|
||||
drop_database myappname
|
||||
|
||||
# If your app uses an onion address
|
||||
remove_onion_service myappname ${MYAPPNAME_ONION_PORT}
|
||||
}
|
||||
|
||||
function install_myappname {
|
||||
# if it's a debian package then:
|
||||
apt-get -y install [my-app-package-name]
|
||||
|
||||
# If you need to create a MariaDB/MySQL database for the app
|
||||
MYAPPNAME_DB_PASSWORD="$(create_password 20)"
|
||||
create_database myappname "$MYAPPNAME_DB_PASSWORD" $MY_USERNAME
|
||||
|
||||
# If you need to create an onion address for the app
|
||||
MYAPPNAME_ONION_HOSTNAME=$(add_onion_service myappname \
|
||||
80 ${MYAPPNAME_ONION_PORT})
|
||||
|
||||
# Do any other configuration
|
||||
# Here you might use $ONION_ONLY or
|
||||
# $SOME_IMPORTANT_CONFIG_VARIABLE
|
||||
|
||||
# Mark the app as having installed successfully
|
||||
# If this variable isn't set then it will be assumed that
|
||||
# the install has failed
|
||||
APP_INSTALLED=1
|
||||
}
|
||||
|
||||
function install_interactive_myappname {
|
||||
# Interactively obtain some values using dialog, such as
|
||||
# domain names. An avatar changing example is:
|
||||
data=$(tempfile 2>/dev/null)
|
||||
trap "rm -f $data" 0 1 2 5 15
|
||||
dialog --title $"Change your avatar" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox $"Enter a URL for an image. It should be " \
|
||||
$"approximately a square image." 8 75 2>$data
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
MY_FUNKY_AVATAR=$(<$data)
|
||||
if [ ${#MY_FUNKY_AVATAR} -gt 3 ]; then
|
||||
clear
|
||||
|
||||
# do whatever is needed to change the avatar
|
||||
# in your app
|
||||
|
||||
dialog --title $"Change your avatar" \
|
||||
--msgbox $"Your avatar has been changed" 6 40
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# install_myappname will be called automatically after this function
|
||||
}
|
||||
|
||||
# NOTE: deliberately no exit 0
|
||||
#+end_src
|
||||
|
||||
To test your app log into your system, select *Exit to command line* then gain root powers with:
|
||||
|
||||
#+begin_src bash
|
||||
sudo su
|
||||
#+end_src
|
||||
|
||||
Copy your app script to */usr/share/freedombone/apps/freedombone-app-myappname*.
|
||||
|
||||
And run the admin control panel:
|
||||
|
||||
#+begin_src bash
|
||||
control
|
||||
#+end_src
|
||||
|
||||
Select *Add/Remove Apps* and if all is well then you should see your app listed as installable. Test that installing and removing it works as expected.
|
||||
|
||||
Submit your working app to *https://github.com/bashrc/freedombone/issues*
|
||||
|
||||
* Customising mesh images
|
||||
If you want to make your own specially branded version of the mesh images, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
|
||||
|
||||
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
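Review bot: In the template's `restore_local_myappname`, `$USERNAME` comes from directory names on the backup drive (`$USB_MOUNT/backup/myappname_users/*/`) and is then expanded unquoted in `${PROJECT_NAME}-adduser $USERNAME` and in the `cp -r` into `/home/$USERNAME/`, and the template appears intended to run as root (it writes under `/root` and calls `apt-get`). What `is_valid_user` accepts is not shown here, so the template should quote every expansion rather than lean on it, e.g. `cp -r "$temp_restore_dir/home/$USERNAME/.config" "/home/$USERNAME/"` and `rm -rf "$temp_restore_dir"`. `exit 664` is outside the 0–255 range and is reported modulo 256 (152), so a caller testing for 664 never matches. `backup_remote_myappname` and `restore_remote_vim` hold only comments, which bash rejects as a syntax error (the other stubs avoid this with `echo -n ''`), and `restore_remote_vim` plus the `"Restoring Vim config"` message are missed by the search-and-replace of /myappname/ that the guide tells authors to do.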
|
123
doc/EN/faq.org
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Frequently asked questions
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -18,8 +18,11 @@
|
|||
|
||||
#+BEGIN_CENTER
|
||||
#+ATTR_HTML: :border -1
|
||||
| [[What applications are supported?]] |
|
||||
| [[I don't have a static IP address. Can I still install this system?]] |
|
||||
| [[Why Freedombone and not FreedomBox?]] |
|
||||
| [[Why not support building images for Raspberry Pi?]] |
|
||||
| [[Why use Tor? I've heard it's used by bad people]] |
|
||||
| [[Why use Github?]] |
|
||||
| [[Keys and emails should not be stored on servers. Why do you do that?]] |
|
||||
| [[./mirrors.html][I have a question about mirrors or upstream repositories]] |
|
||||
|
@ -29,6 +32,7 @@
|
|||
| [[Why not use Signal for mobile chat?]] |
|
||||
| [[What is the most secure chat app to use on mobile?]] |
|
||||
| [[How do I remove a user from the system?]] |
|
||||
| [[Why is logging for web sites turned off by default?]] |
|
||||
| [[How do I reset the tripwire?]] |
|
||||
| [[Is metadata protected?]] |
|
||||
| [[How do I create email processing rules?]] |
|
||||
|
@ -43,14 +47,66 @@
|
|||
| [[Why does my email keep getting rejected as spam by Gmail/etc?]] |
|
||||
#+END_CENTER
|
||||
|
||||
* What applications are supported?
|
||||
* *Email* - Server and Mutt client configured for use with GPG and Emacs or Vim
|
||||
* *DLNA* - Play music on your local network devices
|
||||
* *Dokuwiki* - Databaseless wiki
|
||||
* *GNU Social* - Federated social network and resource sharing system
|
||||
* *Gogs* - Host your git projects
|
||||
* *qTox* - Chat and VoIP client on mesh networks
|
||||
* *HTMLy* - Databaseless blogging system
|
||||
* *Pelican* - Static blogging system used on mesh networks
|
||||
* *Hubzilla* - Federated social networking and web publishing
|
||||
* *IRC server*
|
||||
* *Obnam* - Encrypted backups to USB or to other servers
|
||||
* *Mumble* - VoIP and text chat
|
||||
* *pi-hole* - Block internet ads on your local network
|
||||
* *tt-rss* - Accessible via an onion address to give you /the right to read/ from any device
|
||||
* *sipwitch* - Telephony system
|
||||
* *Syncthing* - File sync
|
||||
* *IPFS* - For accessing sites on a mesh network
|
||||
* *Toxcore/Toxic* - Bootstrap node and client
|
||||
* *XMPP server* - Including XEPs needed to support the Conversations Android app with OMEMO
|
||||
* *Shell based web browser* - if all else fails then ssh to your server and browse from there
|
||||
* I don't have a static IP address. Can I still install this system?
|
||||
Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
|
||||
|
||||
The lack of a static IP address can be worked around by using a dynamic DNS service. Freedombone uses [[http://troglobit.com/inadyn.html][inadyn]] , which supports a variety of dynamic DNS providers.
|
||||
The lack of a static IP address can be worked around by using a dynamic DNS service. Freedombone uses [[https://troglobit.com/inadyn.html][inadyn]] , which supports a variety of dynamic DNS providers.
|
||||
* Why Freedombone and not FreedomBox?
|
||||
When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
|
||||
|
||||
** Similarities
|
||||
- Uses freedom-maker and vmdebootstrap to build debian images
|
||||
- Supports the use of Tor onion addresses to access websites
|
||||
- Typically runs on ARM single board computers
|
||||
- Both projects aim to increase independence and privacy for internet users
|
||||
- Both projects aim to make running your own server at home easy
|
||||
- Both projects include wiki, blog, VoIP and file sync
|
||||
- Both projects enable easy installation and removal of apps
|
||||
- Both are typically "bare metal" rather than running as VMs or containers
|
||||
- Both currently are hosted on Github
|
||||
** Differences
|
||||
- FreedomBox is a Debian pure blend. Freedombone is not
|
||||
- Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards
|
||||
- FreedomBox is aimed at consumers. Freedombone is aimed at slightly more technical people who don't have time to configure servers
|
||||
- Freedombone includes some software not yet in the official Debian repos
|
||||
- Freedombone includes an email server set up for use with GPG by default
|
||||
- Freedombone has encrypted backups capability
|
||||
- Freedombone implements the /social key management/ idea which was described in a 2012 FreedomBox meetup
|
||||
- Freedombone implements recommendations from bettercrypto.org whereas FreedomBox sticks to Debian default crypto settings
|
||||
- Freedombone has a mesh network version. FreedomBox doesn't yet
|
||||
* Why not support building images for Raspberry Pi?
|
||||
The FreedomBox project supports Raspberry Pi builds, and the image build system for Freedombone is based on the same system. However, although the Raspberry Pi can run a version of Debian it requires a closed proprietary blob in order to boot the hardware. Who knows what that blob might contain or what exploits it could facilitate. From an adversarial point of view if you were trying to deliver "bulk equipment interference" then it doesn't get any better than piggybacking on something which has control of the boot process, and hence all subsequently run processes.
|
||||
|
||||
So although the Raspberry Pi is cheap and hugely popular it's not supported by the Freedombone project. Perhaps future versions of the Pi won't have the proprietary blob requirement, or maybe the blob will be open sourced at some stage.
|
||||
* Why use Tor? I've heard it's used by bad people
|
||||
Before you run screaming for the hills based upon whatever scare story you may have just read in the mainstream media there are a few things worthy of consideration. Tor is installed by default on Freedombone, /but not as a relay or exit node/. It's only used to provide onion addresses so that this gives you or the viewers of your sites some choice about how they access the information. It also allows you to subscribe to and read RSS feeds privately.
|
||||
|
||||
Onion routing - which is what Tor provides - gives you some level of protection against bulk surveillance of metadata. These days governments and other organisations are in the business of collecting and analysing your metadata. They want to have comprehensive lists of which sites you visited, or who visited your sites. Tor may at least partially help to thwart their totalitarian ambitions to know everything about everyone all of the time.
|
||||
|
||||
Tor is not a perfect system and is not fully decentralised. Like all software it has bugs, but it can be considered to probably be an effective tactic against some of the most egregious surveillance fanatics out there.
|
||||
|
||||
The media may also have sold you torrid tales about individual Tor project developers. While the conduct of individuals does matter, what matters far more is whether the technical system works and is practical for the average user. Don't allow your opinions of the technical system to be deflected by transient sex scandals or oppressive moralising, and /don't hold anyone to standards higher than you would apply to yourself/.
|
||||
* Why use Github?
|
||||
Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
|
||||
|
||||
|
@ -75,6 +131,8 @@ In the home environment a box with a good firewall and no GUI components install
|
|||
|
||||
* Why can't I access my .onion site with a Tor browser?
|
||||
Probably you need to add the site to the NoScript whitelist. Typically click/press on the noscript icon (or select from the menu on mobile) then select /whitelist/ and add the site URL. You may also need to disable HTTPS Everywhere when using onion addresses, which don't use https.
|
||||
|
||||
Another factor to be aware of is that it can take a while for the onion address to become available within the Tor network. In tests the amount of time between creating a site and being able to access it's onion address seems to vary between a minute or two and half an hour. So don't be too impatient if the address doesn't appear to resolve straight away.
|
||||
* What is the best hardware to run this system on?
|
||||
It was originally designed to run on the Beaglebone Black, but that should be regarded as the most minimal system, because it's single core and has by today's standards a small amount of memory. Obviously the more powerful the hardware is the faster things like web pages (blog, social networking, etc) will be served but the more electricity such a system will require if you're running it 24/7. A good compromise between performance and energy consumption is something like an old netbook. The battery of an old netbook or laptop even gives you [[https://en.wikipedia.org/wiki/Uninterruptible_power_supply][UPS capability]] to keep the system going during brief power outages or cable re-arrangements, and that means using full disk encryption on the server also becomes more practical.
|
||||
|
||||
|
@ -100,6 +158,7 @@ If you are currently using a proprietary chat app, something without any encrypt
|
|||
* *It requires the installation of Google Play*. If you already have Google Play installed on a stock Android OS then this doesn't increase your security problems, but for other more secure Android variants it's a massive increase in attack surface.
|
||||
* *It depends entirely upon the Google message pushing system*. That means that Google /at least knows who Signal messages are being sent to and may be able to infer the rest via your (insecure) Android phone contact list or via timing correlation of alternating deliveries/. Remember that for an adversary metadata in aggregate is much better than having the content of messages. At any time Google could decide that it doesn't want to support Signal, or in adverse circumstances they could be leaned upon by the usual agencies or government cronies.
|
||||
* *Their privacy policy indicates that they will give whatever server data they have to third parties* under some conditions. Of course this is always claimed to be /for the very best of reasons/ - such as combating fraud - but once that sort of disclosure capability exists it may be abused without you ever knowing about it.
|
||||
* *Forking isn't really an option*. A fork was tried, but Moxie got annoyed when it still used his server. At the same time the level of interest in federating the server is not detectable with our best intrumentation, and is suspected to be negative. That's a catch 22 which effectively means that independent implementations of Signal will always leave some users unable to communicate with each other.
|
||||
|
||||
To give credit where it's due Signal is good, but it could be a lot better. The real solution for private chat is to run your own XMPP server, as you can with Freedombone, or to have someone within your community do that. /There is no substitute for a decentralised solution which is within the control of your community/.
|
||||
* What is the most secure chat app to use on mobile?
|
||||
|
@ -116,6 +175,12 @@ ssh username@mydomainname -p 2222
|
|||
#+end_src
|
||||
|
||||
Select /Administrator controls/ then /Manage Users/ and then /Delete a user/. Note that this will delete all of that user's files and email.
|
||||
* Why is logging for web sites turned off by default?
|
||||
If you're making profits out of the logs by running large server warehouses and then data mining what users click on - as is the business model of well known internet companies - then logging everything makes total sense. However, if you're running a home server then logging really only makes sense if you're trying to diagnose some specific problem with the system, and outside of that context logging everything becomes more of a liability than an asset.
|
||||
|
||||
Logs can potentially become quite large and frequent logging isn't a great idea if you're running on a flash disk since it just increases the wear rate and thus shortens its usable lifetime. Also from a security perspective if a compromise occurs then the attacker gets considerably less social information if there are no logs containing timestamped IP addresses.
|
||||
|
||||
On the Freedombone system web logs containing IP addresses are turned off by default. They're not deleted, they're just never created in the first place. If you need to turn logging on in order to fix a problem then go to the *Administrator control panel* and enable logging. If you don't manually turn it off again then it will turn itself off automatically at the next system update, which is typically a few days away.
|
||||
* How do I reset the tripwire?
|
||||
The tripwire will be automatically reset once per week. If you want to reset it earlier then do the following:
|
||||
|
||||
|
@ -160,49 +225,6 @@ And see some error related to checking for changes in the IP address then you ca
|
|||
https://check.torproject.org/
|
||||
https://www.whatsmydns.net/whats-my-ip-address.html
|
||||
https://www.privateinternetaccess.com/pages/whats-my-ip/
|
||||
http://checkip.two-dns.de
|
||||
http://ip.dnsexit.com
|
||||
http://ifconfig.me/ip
|
||||
http://ipecho.net/plain
|
||||
http://checkip.dyndns.org/plain
|
||||
http://ipogre.com/linux.php
|
||||
http://whatismyipaddress.com/
|
||||
http://ip.my-proxy.com/
|
||||
http://websiteipaddress.com/WhatIsMyIp
|
||||
http://getmyipaddress.org/
|
||||
http://www.my-ip-address.net/
|
||||
http://myexternalip.com/raw
|
||||
http://www.canyouseeme.org/
|
||||
http://www.trackip.net/
|
||||
http://icanhazip.com/
|
||||
http://www.iplocation.net/
|
||||
http://www.howtofindmyipaddress.com/
|
||||
http://www.ipchicken.com/
|
||||
http://whatsmyip.net/
|
||||
http://www.ip-adress.com/
|
||||
http://checkmyip.com/
|
||||
http://www.tracemyip.org/
|
||||
http://checkmyip.net/
|
||||
http://www.lawrencegoetz.com/programs/ipinfo/
|
||||
http://www.findmyip.co/
|
||||
http://ip-lookup.net/
|
||||
http://www.dslreports.com/whois
|
||||
http://www.mon-ip.com/en/my-ip/
|
||||
http://www.myip.ru
|
||||
http://ipgoat.com/
|
||||
http://www.myipnumber.com/my-ip-address.asp
|
||||
http://www.whatsmyipaddress.net/
|
||||
http://formyip.com/
|
||||
http://www.displaymyip.com/
|
||||
http://www.bobborst.com/tools/whatsmyip/
|
||||
http://www.geoiptool.com/
|
||||
http://checkip.dyndns.com/
|
||||
http://myexternalip.com/
|
||||
http://www.ip-adress.eu/
|
||||
http://www.infosniper.net/
|
||||
http://wtfismyip.com/
|
||||
http://ipinfo.io/
|
||||
http://httpbin.org/ip
|
||||
#+end_src
|
||||
|
||||
* How do I change my encryption settings?
|
||||
|
@ -282,15 +304,12 @@ ssh username@mydomainname -p 2222
|
|||
|
||||
Select /Administrator controls/ then *Security settings* then *Create a new Let's Encrypt certificate*.
|
||||
* Why use self-signed certificates?
|
||||
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up /scary-scary looking/ browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/.
|
||||
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up /scary-scary looking/ browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/. They probably will protect the content of your communications from passive bulk interception - such as the tapping of under-sea cables.
|
||||
|
||||
The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can actually be trusted. Yes, /Let's Encrypt/ is awesome and very convenient but it's really a small sticking plaster over a much bigger problem. If you don't believe me then do some independent research on the history of certificate authorities and the scandals associated with them, then consider how many of those within your browser (usually under advanced settings) are "trusted". Some of those "trusted" certs are for companies with /incredibly sketchy reputations/, or governments such as that of China. Consider whether you judge the Chinese government to always be truthful about which certificate belongs to which domain, and that it will never abuse such a capability for censorship or political/commercial advantage. Then you'll begin to get an idea of the ramshackle nature of what currently exists.
|
||||
The current strategy on this system is to typically create self-signed certificates during the initial installation but also to have the ability to easily convert those to LetsEncrypt certificates via the security settings on the administrator control panel.
|
||||
|
||||
So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded.
|
||||
You might say, /"but surely LetsEncrypt is a single point of failure!"/, and you'd be right. Maybe at some point in future LetsEncrypt is no longer a thing, or no longer considered sufficiently secure. That's why building in total dependence upon one organisation is a bad idea, and it's still possible to have self-signed certs as a fallback option.
|
||||
|
||||
Despite the hype, security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but /good enough to fool most of the people most of the time/ kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving.
|
||||
|
||||
For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
|
||||
* Why not use the services of $company instead? They took the Seppuku pledge
|
||||
[[https://cryptostorm.org/viewtopic.php?f=63&t=2954&sid=7de2d1e699cfde2f574e6a7f6ea5a173][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
|
||||
* Why does my email keep getting rejected as spam by Gmail/etc?
|
||||
|
|
|
@ -0,0 +1,154 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
|
||||
#+begin_export html
|
||||
<center><h1>Home Server</h1></center>
|
||||
#+end_export
|
||||
|
||||
The quickest way to get started is as follows. You will need to be running a Debian based system (version 8 or later), have an old but still working laptop or netbook which you can use as a server, and 8GB or larger USB thumb drive and an ethernet cable to connect the laptop to your internet router.
|
||||
|
||||
First install freedombone onto your local system (not the target hardware that you want to run Freedombone on). On a debian based distro:
|
||||
|
||||
#+begin_src bash
|
||||
sudo apt-get install git
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
git checkout stockholm
|
||||
sudo make install
|
||||
freedombone-image --setup debian
|
||||
freedombone-image -t i386 --onion yes
|
||||
#+end_src
|
||||
|
||||
Or on Arch/Parabola:
|
||||
|
||||
#+begin_src bash
|
||||
sudo pacman -S git
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
git checkout stockholm
|
||||
sudo make install
|
||||
freedombone-image --setup parabola
|
||||
freedombone-image -t i386 --onion yes
|
||||
#+end_src
|
||||
|
||||
Now prepare your local system to talk to the freedombone by running the following command. This will set up avahi and create ssh keys if necessary.
|
||||
|
||||
#+begin_src bash
|
||||
freedombone-client
|
||||
#+end_src
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/tor_onion.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
The version in which sites are available only via onion addresses is the easiest to get started with, since you can evaluate the system without committing to buying an ICANN domain name or needing to get involved with SSL/TLS certificates at all. However, if you do want your sites to be available typically as subdomains of a domain name which you own then remove the *--onion yes* option from the last command shown above.
|
||||
|
||||
If you want to create images for microSD cards used within various single board computers then replace the *i386* with *beaglebone* / *cubieboard2* / *cubietruck* / *a20-olinuxino-lime* / *a20-olinuxino-lime2* / *a20-olinuxino-micro* or *apu*.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/beaglebone_black9.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
|
||||
|
||||
List what drives are on your system with:
|
||||
|
||||
#+begin_src bash
|
||||
ls /dev/sd*
|
||||
#+end_src
|
||||
|
||||
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
|
||||
|
||||
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
|
||||
|
||||
#+begin_src bash
|
||||
dd bs=1M if=myimagefile.img of=/dev/sdX conv=fdatasync
|
||||
#+end_src
|
||||
|
||||
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use as a server, power on and set the BIOS to boot from the USB stick.
|
||||
|
||||
As the system boots for the first time the login is:
|
||||
|
||||
#+begin_src bash
|
||||
username: fbone
|
||||
password: freedombone
|
||||
#+end_src
|
||||
|
||||
If you're installing from a microSD card on a single board computer without a screen and keyboard attached then you can ssh into it with:
|
||||
|
||||
#+begin_src bash
|
||||
ssh fbone@freedombone.local -p 2222
|
||||
#+end_src
|
||||
|
||||
Using the initial password "/freedombone/".
|
||||
|
||||
You will then be shown a new randomly generated password. It's *very important* that you write this down somewhere before going further, because you'll need this to log in later.
|
||||
|
||||
You'll be asked to set a username and a "real" name (or nickname), then the rest of the installation will be automatic. Again, it takes a while, so go and do something less boring instead. At the end of the base install you can also choose to install specific apps, but if you want to do that later then just press Enter.
|
||||
|
||||
When it's installed on your local system open a terminal and verify the ssh server key hash with:
|
||||
|
||||
#+begin_src bash
|
||||
freedombone-client --verify
|
||||
#+end_src
|
||||
|
||||
This will show the hash code for the public ssh key of the Freedombone system.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/ssh_key_verify.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Open another terminal window then run:
|
||||
|
||||
#+begin_src bash
|
||||
freedombone-client
|
||||
ssh myusername@freedombone.local -p 2222
|
||||
#+end_src
|
||||
|
||||
Use the password you wrote down earlier to log in. Select the *administrator control panel* with up and down cursor keys, space bar and enter key. You should see something like this, and you might need to re-enter your password.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/controlpanel/control_panel.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Then select *About*. You'll see a list of sites and their onion addresses.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/controlpanel/control_panel_about.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
The About screen contains the ssh server public key hashes and you can compare the relevant one with the previous terminal window to verify that they're the same. If they're not then you might have a /machine-in-the-middle/ snooping on you.
|
||||
|
||||
You have now confirmed a secure connection. Probably. If you're still sceptical then you can power off the system, remove the microSD card and manually check the public keys within the /etc/ssh directory on the drive.
|
||||
|
||||
Press any key to exit from the About screen. You can then select *Add/Remove apps* and add whatever applications you wish to run. Note that some apps will only run on x86 systems, but most will install and run on ARM single board computers. More details on particular apps can be [[./apps.html][found here]].
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/controlpanel/control_panel_apps.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Once your apps have installed you can go back to the About screen, pick an onion address and try it within a Tor compatible browser. You'll need to know the login passwords and those can be found within the /Passwords/ section of the administrator control panel. An axiom of the Freedombone system is that /if given the choice users will usually use insecure passwords/, so on this system passwords are generated randomly. If you need to then you can transfer the passwords into your favourite password manager and remove them from the server by going to the *Security Settings* section of the administrator control panel and choosing *Password storage*.
|
||||
|
||||
*Congratulations! You have now become a citizen of the free internet.*
|
||||
|
||||
*Use your new powers wisely.*
|
||||
|
||||
Of course, this is just one way in which you can install the Freedombone system. If you have a single board computer (SBC) such as a [[./beaglebone.html][BeagleBone Black]] or OLinuxino you can make disk images for those too. You can even create clearnet sites if you have your own domain name. ARM boards with closed proprietary boot blobs are not supported. For more details run:
|
||||
|
||||
#+begin_src bash
|
||||
man freedombone-image
|
||||
#+end_src
|
||||
|
||||
#+BEGIN_CENTER
|
||||
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
|
||||
#+END_CENTER
|
|
@ -1,80 +1,39 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<table style="width:50%; border:0">
|
||||
<tr>
|
||||
<td><center><a href="variants.html">Variants</a></center></td>
|
||||
<td><center><a href="installation.html">Install</a></center></td>
|
||||
<td><center><a href="usage.html">Use</a></center></td>
|
||||
<td><center><a href="backups.html">Backups</a></center></td>
|
||||
<td><center><a href="mirrors.html">Mirrors</a></center></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><center><a href="code.html">Code</a></center></td>
|
||||
<td><center><a href="controlpanel.html">Control Panel</a></center></td>
|
||||
<td><center><a href="related.html">Related</a></center></td>
|
||||
<td><center><a href="faq.html">F.A.Q.</a></center></td>
|
||||
<td><center><a href="support.html">Contact/Support</a></center></td>
|
||||
</tr>
|
||||
</table>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
#+begin_quote
|
||||
"/With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment./"
|
||||
|
||||
With the right technology the internet can be a space for free expression, exploration, cooperation, learning and fun. A place to connect with others are share experiences. It doesn't have to be a gloomy surveillance prison owned and run by a diabolical synthesis of money-grabbing megacorporations and prurient government spooks brandishing "bulk/general warrants". Freedombone is designed to help you surmount the contemporary digital privacy conundrums and to increase your online autonomy. It's a self-hosted home server configuration which can be installed onto any computer capable of running [[https://www.debian.org/][Debian]], so if you have an old laptop or netbook which you can leave turned on then you can use Freedombone to provide your own internet services, such as blogging, wiki, email, chat and social networking and have independence from the well known internet companies.
|
||||
-- Lucas Nussbaum
|
||||
#+end_quote
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<b>Four Scenarios</b>
|
||||
<table style="width:95%; border:0">
|
||||
<tr>
|
||||
<td><center><h6>Home server</h6>Plugged into your home wifi router. Add a few friends and family as users</center></td>
|
||||
<td><center><h6>Home server + Hotspot</h6>Also provides a wifi hotspot to extend your home network</center></td>
|
||||
<td><center><h6>Server in your pocket</h6>Roaming wireless server with services accessible via onion addresses</center></td>
|
||||
<td><center><h6>Mesh node</h6>Dynamic networks which don't depend on the conventional internet. Distributed, scalable and fully encrypted</center></td>
|
||||
</tr>
|
||||
<tr>
|
||||
</tr>
|
||||
</table>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, backups. Freedombone enables you to do all of that in a self-hosted way, where you keep control of your data and it resides in your own home.
|
||||
|
||||
This is personal or family scale computing, which can then federate to global proportions. We need [[http://www.alainet.org/en/articulo/168669][community controlled]] information systems and to achieve that they must be inexpensive and simple to install and maintain. This is the opposite of the current dominant paradigm of [[https://www.youtube.com/watch?v=XZmGGAbHqa0][titanic server warehouses]] owned by a tiny number of individuals and it's what is sometimes refered to as [[http://mediagoblin.org/news/userops.html]["userops"]] - i.e. a user being able to do what traditionally only a professional systems administrator would be able to.
|
||||
[[./homeserver.html][Here's how]].
|
||||
|
||||
With a system installed in your home you also have greater legal protection against unwarranted or "bulk warrant" searches. In general as soon as you put your information onto systems which you don't own then you no longer have the same property rights over it, together with "/no reasonable expectation of privacy/" otherwise known as the third party doctrine. We all know that's a nonsense, and so maybe we should do something about it.
|
||||
And here's how [[./beaglebone.html][on a Beaglebone Black]].
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment." -- Lucas Nussbaum
|
||||
#+END_QUOTE
|
||||
Want to make a community mesh network which doesn't depend upon the internet?
|
||||
|
||||
Today everyone is concerned about privacy on the internet. Wanting privacy doesn't necessarily mean you have "something to hide". It just means having the ability to choose /what information to share, with whom and under what conditions/ and therefore being able to shape your own life story. The loss of ability to choose via the "involuntary sharing" which many people experience when using communications systems built by the well known internet companies, means that you're no longer really running your own affairs and that others may begin to exert an improper amount of influence over you. Mass surveillance is perhaps the ultimate in involuntary sharing and it's only through the use of freedom respecting software together with a solid determination to overcome state and corporate abuses of technology that we can hope to get to the kind of internet in which respect for human dignity is built in as a core feature.
|
||||
[[./mesh.html][You can do that too]].
|
||||
|
||||
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
|
||||
|
||||
* [[./apps.html][Apps available on the system]]
|
||||
* [[./usage.html][General usage]]
|
||||
* [[./faq.html][Frequently Asked Questions]]
|
||||
|
||||
If you find bugs, or want to add a new app to this system see the [[./devguide.html][Developers Guide]].
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/nocloud.png]]
|
||||
#+END_CENTER
|
||||
|
||||
Another problem is the precariousness of the terms of service. Except in rare cases such terms are not easy to read, so many people end up clicking through terms which if explained more clearly they would never agree to. Over the past decade many internet users have had the unpleasant experience of having their blogs, videos or other web content inexplicably removed, typically due to some ill-defined terms of service violation or a false accusation of copyright infringement. There have been valiant attempts to improve the readability of terms of service documents, using icons or clearer language, and to generate a sort of marketplace in which people would choose what web systems they use based on the terms documents - to make the privacy/autonomy bargaining more explicit. These efforts were well-intentioned, but have conclusively failed. Even in the best case, that approach doesn't take into account the coercive network effects or large web systems.
|
||||
|
||||
You can bypass all of these dilemmas and take back ownership of your internet content with Freedombone. Originally based upon the Beaglebone Black, Freedombone is a small and cheap home server which enables you to use email, have your own web site and do social networking without any built-in spying and without having to agree to any legal terms of service other than those of your ISP. It provides independence and security in an era where those things are in short supply.
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
"The deepest problem is that the system architecture that has evolved in recent years holds masses of information on many people with no intelligence value, but with vast potential for political abuse." -- Ross Anderson
|
||||
#+END_QUOTE
|
||||
|
||||
Freedombone is an example of the internet as it was supposed to be: a network of peers, rather than a small number of gigantic server farms with everyone connecting to them. Even if they're well run, centralised server farms become a conspicuous target for /all kinds of nefariousness/ and in any future wars they're bound to be amongst the first facilities to receive the "/shock and awe/" treatment. Also consider just what is being "farmed". If a robust information society is desirable then excessive centralisation of control over information should be avoided.
|
||||
|
||||
An emphasis of the Freedombone project is the protection of private communications from indiscriminate mass surveillance, otherwise known as "/bulk intercept/" or "/warrantless wiretapping/". With only a few exceptions data entering and leaving the system is encrypted using settings recommended by [[https://bettercrypto.org][bettercrypto.org]]. Stored emails are encrypted such that only someone knowing your GPG password can read them and a GPG key is created automatically if you don't already have one. The system is firewalled with only the necessary ports being opened. Exclusively [[http://en.wikipedia.org/wiki/Free_software][free software]] is used so that all of it can potentially be security audited and proprietary repositories are disabled by default. There are still numerous security problems with the internet in general and software always contains bugs, but a best attempt has been made to ensure that the Freedombone is at least more secure than average.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
This site can also be accessed via a Tor browser at [[http://4fvfozz6g3zmvf76.onion][http://4fvfozz6g3zmvf76.onion]]
|
||||
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
|
||||
#+END_CENTER
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -41,9 +41,13 @@ sudo make install
|
|||
Then install packages needed for building images:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get -y install python-docutils mktorrent vmdebootstrap xz-utils
|
||||
sudo apt-get -y install dosfstools btrfs-tools extlinux python-distro-info mbr
|
||||
sudo apt-get -y install qemu-user-static binfmt-support u-boot-tools qemu
|
||||
freedombone-image --setup debian
|
||||
#+END_SRC
|
||||
|
||||
or on an Arch/Parabola system:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
freedombone-image --setup parabola
|
||||
#+END_SRC
|
||||
|
||||
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
|
||||
|
@ -58,12 +62,6 @@ If you prefer an advanced installation with all of the options available then us
|
|||
freedombone-image -t beaglebone -s 8G --minimal no
|
||||
#+END_SRC
|
||||
|
||||
To build a 64bit Virtualbox image:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
freedombone-image -t virtualbox-amd64 -s 8G
|
||||
#+END_SRC
|
||||
|
||||
To build a 64bit Qemu image:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
|
@ -105,8 +103,8 @@ freedombone menuconfig
|
|||
** On a single board computer (SBC)
|
||||
Currently the following boards are supported:
|
||||
|
||||
* [[http://beagleboard.org/BLACK][Beaglebone Black]]
|
||||
* [[http://linux-sunxi.org/Cubietech_Cubieboard2][Cubieboard 2]]
|
||||
* [[https://beagleboard.org/BLACK][Beaglebone Black]]
|
||||
* [[https://linux-sunxi.org/Cubietech_Cubieboard2][Cubieboard 2]]
|
||||
* [[https://linux-sunxi.org/Cubietruck][Cubietruck (Cubieboard 3)]]
|
||||
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME/open-source-hardware][olinuxino Lime]]
|
||||
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME2/open-source-hardware][olinuxino Lime2]]
|
||||
|
@ -154,14 +152,12 @@ Using the password 'freedombone'. Take a note of the new login password and then
|
|||
|
||||
** As a Virtual Machine
|
||||
|
||||
Virtualbox and Qemu are supported. You can run a 64 bit Qemu image with:
|
||||
Qemu is currently supported, since it's s fully free software system. You can run a 64 bit Qemu image with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
qemu-system-x86_64 -m 1G filename.img
|
||||
#+END_SRC
|
||||
|
||||
If you are using Virtualbox then add a new VM and select the Freedombone *vdi* image.
|
||||
|
||||
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password and then you can proceed through the rest of the installation.
|
||||
|
||||
* Social Key Management - the 'Unforgettable Key'
|
||||
|
@ -174,7 +170,7 @@ If you previously made some USB drives containing key fragments then retrieve th
|
|||
** You can specify some ssh login details for friends servers containing key fragments
|
||||
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
|
||||
* Final Setup
|
||||
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
|
||||
Any manual post-installation setup instructions or passwords can be found in /home/username/README.
|
||||
|
||||
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
|
||||
|
||||
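Review bot: The rewritten "Final Setup" line in the hunk headed `@ -174,7 +170,7 @` appears to drop the advice to remove passwords from /home/username/README, so the page now points readers at a plaintext file holding credentials without saying what to do with it afterwards. Unless the installer now deletes or empties that file itself (nothing in this hunk shows that), I would keep the second sentence: `You should remove any passwords from that file and store them within a password manager such as KeepassX.` Which line is old and which is new is inferred from print order, because the page has lost its +/- markers, and the file name of this section is not shown.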
|
|
341
doc/EN/mesh.org
|
@ -1,202 +1,245 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
<h1>Mesh Network</h1>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
#+begin_export html
|
||||
<center><h1>Mesh Network</h1></center>
|
||||
#+end_export
|
||||
|
||||
| [[What is a mesh network?]] |
|
||||
| [[The Freedombone Mesh]] |
|
||||
| [[Installation]] |
|
||||
| [[Wifi adaptors]] |
|
||||
| [[Using the mesh]] |
|
||||
| [[Further reading]] |
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_screenshot.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
* What is a mesh network?
|
||||
The internet as it currently exists is mostly organised according to a client/server model. Servers run the web services and store the data and clients are the laptops, desktops and other devices accessing the servers. In a mesh network there isn't any clear division between clients and servers. The computers on a mesh network are known as "peers" and they can perform the functions of both clients and servers. Commonly this is also known as a "peer to peer" network.
|
||||
|------------------------+---+-------------+---+----------------------+---+---------------|
|
||||
| [[What the system can do]] | - | [[Disk Images]] | - | [[Building Disk Images]] | - | [[How to use it]] |
|
||||
|------------------------+---+-------------+---+----------------------+---+---------------|
|
||||
|
||||
The client/server and mesh network models have advantages and disadvantages. If the server in a client/server system fails then you can have catastrophic service outages which affect many users. If a peer in a mesh network fails then the other peers may be mostly unaffected and communications can continue. The disadvantage of mesh networks is that each peer relays data for other peers and so the bandwidth usage by each peer may be higher than for a client in a client/server system. However, with modern hardware that's not much of an issue.
|
||||
Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small business internal office communications, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies. The down side is that you can't access any internet content. The upside is that you can securely communicate with anyone on the local mesh. No ISPs. No payments or subscriptions beyond the cost of obtaining the hardware. Systems need to be within wifi range of each other for the mesh to be created. It can be an ultra-convenient way to do purely local communications.
|
||||
|
||||
Mesh networks are useful for building local and highly resillient communications infrastructure which can be put together rapidly, in situations where the ordinary internet is either unavailable or untrustworthy.
|
||||
* What the system can do
|
||||
|
||||
Example use cases would be:
|
||||
- Discovery of other users on the network
|
||||
- Text based chat, one-to-one and in groups
|
||||
- Voice chat (VoIP)
|
||||
- Private and public sharing of files
|
||||
- Blogging
|
||||
- No network administration required
|
||||
- No servers, internet connection or cabling is needed.
|
||||
- Works from bootable USB drives or microSD drives.
|
||||
- Data is mesh routed between systems
|
||||
- Private communications is end-to-end secured and forward secret.
|
||||
- Publicly shared data is /content addressable/.
|
||||
|
||||
* Conferences / Exhibitions
|
||||
* Local community networks, not run by telcos or ISPs
|
||||
* Emergency services / Disaster relief
|
||||
* Camp sites
|
||||
* War zones
|
||||
* Scientific expeditions to remote areas
|
||||
* Onboard smaller ships without satellite internet, captain/crew communications
|
||||
* Underground (mines or caves)
|
||||
* Protests / Occupations of buildings
|
||||
* Eventually in space for manned missions to other planets, moons or asteroids
|
||||
This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
|
||||
|
||||
* The Freedombone Mesh
|
||||
The Freedombone mesh is offline - in the sense of not being part of the larger internet - and consists of a set of computers with the software installed communicating wirelessly using ordinary wifi. Peers can enter or leave the network and it will adjust automatically. All communications between peers is end-to-end encrypted, so although it's easy to join the network it's not easy to passively evesdrop.
|
||||
* Installation
|
||||
** Two types of system
|
||||
Installation is split into two categories, /routers/ and /user devices/.
|
||||
* Disk Images
|
||||
** Client images
|
||||
|
||||
A router is a computer which is dedicated to moving network traffic and building out the mesh infrastructure. It's not primarily intended to have a user interface. Hardware such as the Beaglebone Black is ideal for this, because it's small, inexpensive and doesn't consume much electrical power and so can be fitted in any location where an electricity supply is available.
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_netbook.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
Small computers acting as mesh routers can also be battery operated or solar powered so that the network need not be statically sited. They could be included in a backpack for camping, fitted within moving vehicles, strapped to protest placards or attached to [[https://www.youtube.com/watch?v=Wwsy9MThwns][large tethered helium balloons]] (like weather balloons) to help provide a local and transient communications system.
|
||||
"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 8GB in size.
|
||||
|
||||
/User devices/ are the computers with which you would typically access the internet - laptops, desktop machines, netbooks or any other device which can run a Debian-based distro (eg. Ubuntu) with a working wifi connection.
|
||||
** Installing on routers
|
||||
Whatever system you're going to use as a mesh router should have a new Debian Jessie install on it. It's advisable that this be a new install so that there is no existing software on the system which could confuse the mesh install process.
|
||||
#+begin_src bash
|
||||
sudo apt-get install xz-utils wget
|
||||
wget https://freedombone.net/downloads/mesh-client-i386-20160913.img.xz
|
||||
wget https://freedombone.net/downloads/mesh-client-i386-20160913.img.xz.sig
|
||||
gpg --verify mesh-client-i386-20160913.img.xz.sig
|
||||
sha256sum mesh-client-i386-20160913.img.xz
|
||||
2111eeeba713d7ea0109845a295cc44550c66679045fd4bdafc04a883635bea9
|
||||
unxz mesh-client-i386-20160913.img.xz
|
||||
sudo dd bs=1M if=mesh-client-i386-20160913.img of=/dev/sdX conv=fdatasync
|
||||
#+end_src
|
||||
|
||||
Some recommended hardware:
|
||||
To get a number of systems onto the mesh repeat the /dd/ command to create however many bootable USB drives you need.
|
||||
|
||||
* Beaglebone Black
|
||||
* 5V power supply
|
||||
* Ethernet cable (for installation of the software)
|
||||
* 8GB microSD card, or larger
|
||||
* Wireless N USB Adapter TPE-N150USB
|
||||
If you're in an emergency and don't have Atheros wifi dongles then there is also an "insecure" image which contains some proprietary wifi drivers which may work with a wider range of laptops. Proprietary drivers *are not recommended* because they're unsupportable and may be exploitable or contain malicious antifeatures which fundamentally compromise the security of the network. However, the trade-off between security/maintainability and simply having the ability to communicate at all may be a valid one in some situations.
|
||||
|
||||
If you are using the Beaglebone Black then you'll need to install the Debian image to the microSD card. You can find details of how to do that [[./installation.html][here]].
|
||||
#+begin_src bash
|
||||
sudo apt-get install xz-utils wget
|
||||
wget https://freedombone.net/downloads/mesh-client-insecure-i386-20160913.img.xz
|
||||
wget https://freedombone.net/downloads/mesh-client-insecure-i386-20160913.img.xz.sig
|
||||
gpg --verify mesh-client-insecure-i386-20160913.img.xz.sig
|
||||
sha256sum mesh-client-insecure-i386-20160913.img.xz
|
||||
cd03596d115030469ff57ef519a2a8baba1e71b541e3014032c01f507c7988c1
|
||||
unxz mesh-client-insecure-i386-20160913.img.xz
|
||||
sudo dd bs=1M if=mesh-client-insecure-i386-20160913.img of=/dev/sdX conv=fdatasync
|
||||
#+end_src
|
||||
|
||||
Connect your system to your internet router with an ethernet cable, then ssh into it and type:
|
||||
** Router images
|
||||
Routers are intended to build network coverage for an area using small and low cost hardware. You can bolt them to walls or leave them on window ledges. They don't have any user interface and their only job is to haul network traffic across the mesh and to enable peers to find each other via running bootstrap nodes for Tox and IPFS. Copy the image to a microSD card and insert it into the router, plug in an Atheros wifi dongle and power on. That should be all you need to do.
|
||||
*** Beaglebone Black
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_router.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
su
|
||||
apt-get update
|
||||
apt-get install git build-essential dialog
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
cd freedombone
|
||||
make install
|
||||
#+END_SRC
|
||||
|
||||
At this point if you are using a system or dongle with an Atheros AR9271 wifi chipset then you may want to install some pre-compiled firmware (you can compile it from source, but it takes a long time - especially on the Beaglebone Black). If you need to do that then see the wifi adaptor notes below.
|
||||
|
||||
Then to begin the install:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
freedombone menuconfig
|
||||
#+END_SRC
|
||||
|
||||
Select the "/mesh (router)/" install variant, give an ESSID or just hit enter for the default. If discression is important then use an ESSID similar to those already in the area. The ESSID must be the same on every mesh peer. Assign this mesh peer a name. In order to avoid confusions it's important that the name should be unique on the network and contain no spaces. So maybe a word followed by some numbers, or the name of the place where the router will be installed.
|
||||
|
||||
If you're installing on a Beaglebone Black then after a while the system will reboot and you will need to ssh in again and run:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
cd freedombone
|
||||
freedombone -c freedombone.cfg
|
||||
#+END_SRC
|
||||
|
||||
The reboot is needed in order to enable zram and the hardware random number generator.
|
||||
** Installing on user devices
|
||||
Typically on a laptop with a Debian-based distro installed, open a terminal and type:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get update
|
||||
sudo apt-get install git build-essential dialog
|
||||
git clone https://github.com/bashrc/freedombone
|
||||
The above picture shows a Beaglebone Black with the image copied onto a microSD card (there's no need to do anything with the internal EMMC). A USB Atheros wifi adaptor with a large antenna is attached and in this case power is from the mains, although it could be from a battery or solar power system capable of supplying 5 volts and maybe 1A (depending upon how active the router is).
|
||||
|
||||
#+begin_src bash
|
||||
sudo apt-get install xz-utils wget
|
||||
wget https://freedombone.net/downloads/mesh-router-beaglebone-black-20160913.img.xz
|
||||
wget https://freedombone.net/downloads/mesh-router-beaglebone-black-20160913.img.xz.sig
|
||||
gpg --verify mesh-router-beaglebone-black-20160913.img.xz.sig
|
||||
sha256sum mesh-router-beaglebone-black-20160913.img.xz
|
||||
74470b6491951a9744fdd3dab27e8ca74d5b60499fcf6e1a5313e6854c9db894
|
||||
unxz mesh-router-beaglebone-black-20160913.img.xz
|
||||
sudo dd bs=1M if=mesh-router-beaglebone-black-20160913.img of=/dev/sdX conv=fdatasync
|
||||
#+end_src
|
||||
|
||||
If you have a few Beaglebone Blacks to use as routers then repeat the /dd/ command to create however many microSD cards you need.
|
||||
|
||||
There is still a software freedom issue with the Beaglebone Black, but it doesn't prevent you from running a fully free system on the board. The TI AM335X SOC has a PowerVR SGX530 GPU which will only run with a proprietary blob, but this would only be an issue for systems with a monitor or LCD screen attached running a desktop environment which also needs GPU acceleration. For "headless" systems such as servers or mesh routers this isn't a problem.
|
||||
|
||||
* Building Disk Images
|
||||
It's better not to trust images downloaded from random places on the interwebs. Chances are that unless you are in the web of trust of the above GPG signatures then they don't mean very much to you. If you actually want something trustworthy then build the images from scratch. It will take some time. Here's how to do it.
|
||||
|
||||
First you will need to create an image. On a Debian based system (tested on Debian Jessie and Trisquel 7):
|
||||
|
||||
#+begin_src bash
|
||||
sudo apt-get -y install build-essential libc6-dev-i386 wget \
|
||||
gcc-multilib g++-multilib git python-docutils mktorrent \
|
||||
vmdebootstrap xz-utils dosfstools btrfs-tools extlinux \
|
||||
python-distro-info mbr qemu-user-static binfmt-support \
|
||||
u-boot-tools qemu
|
||||
wget https://freedombone.net/downloads/freedombone-mesh-13-09-2016.tar.gz
|
||||
wget https://freedombone.net/downloads/freedombone-mesh-13-09-2016.tar.gz.sig
|
||||
gpg --verify freedombone-mesh-13-09-2016.tar.gz.sig
|
||||
sha256sum freedombone-mesh-13-09-2016.tar.gz
|
||||
3e279f8ed762afb682bec6bd463830087354dd2f24020f3b0de51143585ab0ed
|
||||
tar -xzvf freedombone-mesh-13-09-2016.tar.gz
|
||||
cd freedombone
|
||||
git checkout stockholm
|
||||
sudo make install
|
||||
freedombone menuconfig
|
||||
#+END_SRC
|
||||
freedombone-image -t i386 -v meshclient
|
||||
#+end_src
|
||||
|
||||
Select the "/mesh (user device)/" variant and set the same ESSID as you did for the routers, or just hit enter for the default.
|
||||
If you don't have Atheros or free software compatible wifi adapter then you can include proprietary wifi drivers which will work with most laptops. This is *NOT RECOMMENDED* because proprietary drivers are unsupportable and may contain either malware or be exploitable in a way which can't be fixed. However, if you're in an emergency and don't have any Atheros or free software wifi USB dongles then you can use the following command to make the image:
|
||||
|
||||
An important point is that on older Debian-based systems, such as Ubuntu 14.04 or Trisquel 7, you may need to install a more recent version of /batctl/. An example is as follows.
|
||||
#+begin_src bash
|
||||
freedombone-image -t i386 -v meshclient --insecure yes
|
||||
#+end_src
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get remove --purge batctl
|
||||
wget http://mirrors.kernel.org/ubuntu/pool/universe/b/batctl/batctl_2014.1.0-2_amd64.deb
|
||||
sudo dpkg -i batctl_2014.1.0-2_amd64.deb
|
||||
#+END_SRC
|
||||
* Wifi adaptors
|
||||
There are a small number of wifi adaptors which are compatible with a fully free software stack.
|
||||
** Atheros AR9271
|
||||
To install the firmware for this:
|
||||
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
cd freedombone/drivers
|
||||
sha256sum ath9k_htc_driver_bbb.tar.gz
|
||||
7eb9324681f03c7630ed01e490ea447dfbd96c9b5389e45b64e4646d1be16ff1
|
||||
tar -xvzf ath9k_htc_driver_bbb.tar.gz
|
||||
mv *.fw /lib/firmware
|
||||
cd ..
|
||||
#+END_SRC
|
||||
* Using the mesh
|
||||
The following sections only apply to /client devices/. Mesh /routers/ are only for routing network traffic and operating [[https://en.wikipedia.org/wiki/BitTorrent_tracker][trackers]] and [[https://en.wikipedia.org/wiki/Distributed_hash_table][distributed hash tables]] for bootstrapping purposes.
|
||||
List what drives are on your system with:
|
||||
|
||||
** Switching from internet to mesh mode
|
||||
To join the mesh network open a terminal and type:
|
||||
#+begin_src bash
|
||||
ls /dev/sd*
|
||||
#+end_src
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
meshweb
|
||||
#+END_SRC
|
||||
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
|
||||
|
||||
If you want to have your system as a permanent mesh peer then you could add that command to your startup applications so that it activates whenever the computer starts up.
|
||||
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
|
||||
|
||||
A web page should appear in your browser, which then allows you to access communication services on the mesh. These pages should update automatically, so that if peers enter or leave the network the lists will change accordingly.
|
||||
#+begin_src bash
|
||||
sudo dd bs=1M if=myimagefile.img of=/dev/sdX conv=fdatasync
|
||||
#+end_src
|
||||
|
||||
If for any reason things don't seem to be updating you can force an update by issuing the command:
|
||||
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use on the mesh, power on and set the BIOS to boot from the USB stick.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
zeronetavahi
|
||||
#+END_SRC
|
||||
** Chat
|
||||
If you have a Tox client installed on your system then you can use that to communicate with other mesh peers. A limitation is that if peers change you may need to quit the application and restart it in order to receive the updated list of DHTnodes. The [[https://github.com/Tox/toxic][Toxic]] client is installed by default, but you may also want to install [[https://github.com/tux3/qTox][qTox]] or [[http://utox.org][uTox]] for a more conventional-looking user experience.
|
||||
On first boot you'll be asked to set a username, and then you can open the chat client and select the *users* icon to show the Tox IDs for other users on the mesh. When folks join they will be announced.
|
||||
|
||||
You can obtain Tox IDs for users on the network via the initial web page.
|
||||
Rinse, repeat, for any number of laptops that you want to get onto the mesh or to build out coverage within an area. There are no servers. Just peer-to-peer communications routed through the network which are end-to-end secure after a friend request is accepted. By default the chat client doesn't log anything.
|
||||
|
||||
To launch the [[https://github.com/Tox/toxic][Toxic client]] in a terminal type:
|
||||
You can also use single board computers (SBCs) such as the BeagleBone Black to make mesh routers which can be bolted to walls or the sides of buildings and consume minimal electrical power, so could be solar or battery powered for short term events such as festivals. To do that use the following command to make the image:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
toxic
|
||||
#+END_SRC
|
||||
#+begin_src bash
|
||||
freedombone-image -t beaglebone -v mesh
|
||||
#+end_src
|
||||
|
||||
The first time you will be asked whether you wish to encrypt the data file used for your settings. Select "no" for this, otherwise the system will not be able to obtain your public key and broadcast it to other peers in the network. Even if you select "yes" the system will still be usable, but it will not be so easy for other peers on the network to find you unless you have previously exchanged your Tox ID via some out-of-band method.
|
||||
The resulting image can be copied to a microSD card, inserted into a Beaglebone Black and booted. Don't forget to plug in an Atheros USB wifi dongle.
|
||||
|
||||
Then to add a new friend:
|
||||
* Customisation
|
||||
If you want to make your own specially branded version, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/nick mynickname
|
||||
/add <friend Tox ID>
|
||||
#+END_SRC
|
||||
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
|
||||
* How to use it
|
||||
When you first boot from the USB drive the system will create some encryption keys, assign a unique network address to the system and then reboot itself. When that's done you should see a prompt asking for a username. This username just makes it easy for others to initially find you on the mesh and will appear in the list of users.
|
||||
|
||||
Your friend will need to approve the request, and then you can chat via text or voice using /CTRL-o/ and /CTRL-p/ to switch between screens and cursor keys plus Enter to select users.
|
||||
After a minute or two if you are within wifi range and there is at least one other user on the network then you should see additional icons appear on the desktop, such as /Other Users/ and /Chat/.
|
||||
|
||||
Another thing worth knowing is that if you were already using a Tox client before running the /meshweb/ command then it's a good idea to close and reopen it, so that the list of bootstrap nodes is updated. The same also applies when exiting the mesh and returning to the internet.
|
||||
** Set the Date
|
||||
On the ordinary internet the date and time of your system would be set automatically via NTP. But this is not the internet and so you will need to manually ensure that your date and time settings are correct. You might need to periodically do this if your clock drifts. It's not essential that the time on your system be highly accurate, but if it drifts too far or goes back to epoch then things could become a little confusing in regard to the order of blog posts.
|
||||
|
||||
*Right click on the date* in the top right corner of the screen. Select *preferences*, then click the *Time Settings* button. You can then select the date from the calendar and set the time, then click the *Set System Time* button. Enter the default password, which is /freedombone/.
|
||||
** Check network status
|
||||
Unlike with ordinary wifi, on the mesh you don't get a signal strength icon and so it's not simple to see if you have a good connection.
|
||||
|
||||
Select the wifi icon on the desktop and enter the password '/freedombone/'. The network configuration will go into a monitoring mode and in the bottom right side of the window you will be able to see signal strength and other parameters. This can help you to locate systems or adjust antennas to get the best wifi performance.
|
||||
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_signal.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
When you are finished close the window and then select the /Network Restart/ desktop icon, which will restart the B.A.T.M.A.N. network. You can also use the restart icon if you are within range of the mesh network but the /Chat/ and /Other Users/ icons do not automatically appear after a few minutes.
|
||||
|
||||
** Chat System
|
||||
|
||||
Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the /Chat/ and /Other Users/ icons appear. Select the users icon and you should see a list of users on the mesh. Select the /Chat/ icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then copy and paste in a Tox ID from the users list.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_paste_tox_id.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
The other user can then accept or decline your friend request.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_friend_request.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
You can also select an avatar by selecting the grey head and shoulders image.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_choose_avatar.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
And by selecting the user from the list on the left hand side the chat can begin.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_text_chat.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
One important point is that by default the microphone is turned off. When doing voice chat you can select the microphone volume with the drop down slider in the top right corner of the screen.
|
||||
|
||||
At present video doesn't work reliably, but text and voice chat do work well.
|
||||
|
||||
** Sharing Files
|
||||
You can make files publicly available on the network simply by dragging and dropping them into the /Public/ folder on the desktop. To view the files belonging to another user select the desktop icon called /Visit a site/ and enter the username or Tox ID of the other user.
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_share_files.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
A note for the security-conscious is that broadcasting Tox IDs via the network (using Avahi) is convenient but not highly secure. An adversary could maybe join the network and create decoy peers to try to disrupt the communications and have messages going to the wrong places. For the best security exchange Tox IDs in advance by some method other than looking them up from the initial mesh web page.
|
||||
** Blogging
|
||||
The Freedombone mesh uses a fully decentralized blogging system called [[https://github.com/HelloZeroNet/ZeroBlog][ZeroBlog]]. It behaves rather like other peer-to-peer file sharing systems in that if you are reading the blog of another user you are also simultaneously seeding it to other peers (acting as both a client and a server). This allows the system to scale well, while also being robust to any peer failing or leaving the network.
|
||||
To create a blog post select the /Blog/ icon on the desktop and then use the up and down cursor keys, space bar and enter key to add a new entry. Edit the title of the entry and add your text. You can also include photos if you wish - just copy them to the *CreateBlog/content/images* directory and then link to them as shown.
|
||||
|
||||
All blogs on the mesh are public, so any user joining the mesh can read any other blog. Network traffic is encrypted between peers, so passive snooping will be hard, and also the integrity of data is checked via certificates so that you can be reasonably confident that nefarious content has not been added or removed from the data stream while in transit through the network.
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_new_blog.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
This type of content creation and delivery provides a good template for what the conventional internet should ultimately be like if it is to be robust, trustworthy and resistant to censorship or damage.
|
||||
To finish your blog entry just select /Save/ and then close the editor. On older hardware it may take a while to publish the results, and this depends upon the amount of computation needed by IPFS to create file hashes. If you make no changes to the default text then the new blog entry will not be saved.
|
||||
|
||||
To add a new blog entry click the /new post/ button, edit the title and content (clicking /save/ at the bottom of the screen after each). Then when you are done click on the /publish/ button at the bottom of the screen. And that's all there is to it.
|
||||
** Other services
|
||||
It is hoped that a decentralized forum will be added, but this is not yet complete. In the mean time a substitute is to use the Tox group chat feature.
|
||||
** Turning off the mesh
|
||||
If you wish to return to the internet then open a terminal and type:
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_new_blog2.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo batman stop
|
||||
#+END_SRC
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/mesh_view_blog.jpg]]
|
||||
#+END_CENTER
|
||||
|
||||
After a few seconds your usual internet wifi connection should be re-established.
|
||||
* Further reading
|
||||
For much more extensive details about deploying wireless networks there is an excellent book called [[http://wndw.net][Wireless Networking in the Developing World]] which is worth reading. It's not necessarily exclusively about mesh networks, but may be useful in terms of advice about antennas, reflections, extending wifi range and so on.
|
||||
You can also visit other blogs, edit or delete your previous entry and also change your blog theme.
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
Return to the <a href="index.html">home page</a>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
||||
#+BEGIN_CENTER
|
||||
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
|
||||
#+END_CENTER
|
||||
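Review bot: In the download blocks that appear to be on the new side (client, insecure client, router and source tarball), the expected SHA-256 value sits as a bare line inside `#+begin_src bash`, so nothing compares it with the output of `sha256sum`, and a reader who pastes the block hands the digest to the shell as a command. I would move each digest out of the block or turn the step into a real check, for example `echo "<digest from this page>  mesh-client-i386-20160913.img.xz" | sha256sum -c -`. The `gpg --verify` steps also never say which key the images are signed with; a line giving the signing key's fingerprint (placeholder: `<release key fingerprint>`) and where to obtain it would address the gap that the "Building Disk Images" paragraph itself concedes. Because the digest is published on the same site as the image, the text should also say that it only detects a corrupted download and does not authenticate it. Sides are inferred from print order, since the page has lost its +/- markers.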
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Mirroring git repositories
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -18,15 +18,15 @@
|
|||
|
||||
* Contact details
|
||||
|
||||
This site can also be accessed via a Tor browser at *4fvfozz6g3zmvf76.onion*
|
||||
This site can also be accessed via a Tor browser at *http://2tp3f6vtvhkqpuc6.onion*
|
||||
|
||||
*Email:* bob@robotics.uk.to
|
||||
*Email:* bob@freedombone.net
|
||||
|
||||
*PGP/GPG Key ID:* EA982E38
|
||||
|
||||
*PGP/GPG Fingerprint:* D538 1159 CD7A 2F80 2F06 ABA0 0452 CC7C EA98 2E38
|
||||
|
||||
*XMPP:* bob@robotics.uk.to with OTR
|
||||
*XMPP:* bob@freedombone.net with OMEMO or OTR
|
||||
|
||||
*Tox:* 82DD53788AB400843BC75EA96B62DD6C76D2B13E476B995B13C49920A3C8FD32E5365A82FA83
|
||||
|
||||
|
@ -43,7 +43,7 @@ If you find this project useful then you may wish to consider donating to [[./re
|
|||
Testing of the install on different hardware. Also pentesting on test installations to find vulnerabilities.
|
||||
|
||||
** Web design and artwork
|
||||
A better design for this website would be nice to have. Photos, icons or other artwork are all welcome. I've always liked the cartoon artwork of the [[http://www.mediagoblin.org/][Mediagoblin]] project, and attractive graphics can help to get people initially interested.
|
||||
A better design for this website would be nice to have. Photos, icons or other artwork are all welcome. I've always liked the cartoon artwork of the [[https://www.mediagoblin.org/][Mediagoblin]] project, and attractive graphics can help to get people initially interested.
|
||||
|
||||
** More education and promotion
|
||||
#+BEGIN_CENTER
|
||||
|
|
674
doc/EN/usage.org
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -21,56 +21,43 @@
|
|||
| [[Administrating the system via an onion address (Tor)]] |
|
||||
| [[./mobile.html][Mobile advice]] |
|
||||
| [[./usage_email.html][Using Email]] |
|
||||
| [[Syncing to the Cloud]] |
|
||||
| [[Play Music]] |
|
||||
| [[Microblogging (GNU Social)]] |
|
||||
| [[Sharing things]] |
|
||||
| [[Social Network]] |
|
||||
| [[Chat Services]] |
|
||||
| [[RSS Reader]] |
|
||||
| [[Git Projects]] |
|
||||
| [[./app_syncthing.html][Syncing to the Cloud]] |
|
||||
| [[./app_dlna.html][Play Music]] |
|
||||
| [[./app_gnusocial.html][Microblogging (GNU Social)]] |
|
||||
| [[./app_postactiv.html][Microblogging (PostActiv)]] |
|
||||
| [[./app_ghost.html][Blogging with Ghost]] |
|
||||
| [[./app_htmly.html][Blogging with HTMLy]] |
|
||||
| [[./app_hubzilla.html][Social Network]] |
|
||||
| [[./app_lychee.html][Photo albums]] |
|
||||
| [[./app_dokuwiki.html][Wiki]] |
|
||||
| [[./app_etherpad.html][Collaborative document editing]] |
|
||||
| [[./app_irc.html][Multi-user chat with IRC]] |
|
||||
| [[./app_xmpp.html][XMPP/Jabber]] |
|
||||
| [[./app_tox.html][Tox]] |
|
||||
| [[./app_mumble.html][Mumble]] |
|
||||
| [[./app_mailpile.jtml][Mailpile]] |
|
||||
| [[./app_rss.html][RSS Reader]] |
|
||||
| [[./app_radicale.html][CalDAV calendar server]] |
|
||||
| [[./app_gogs.html][Git Projects]] |
|
||||
| [[Adding or removing users]] |
|
||||
| [[./app_pihole.html][Blocking Ads]] |
|
||||
|
||||
* Readme
|
||||
After the system has installed a README file will be generated which contains passwords and some brief advice on using the installed systems. You can read this with the following commands:
|
||||
* Improving security
|
||||
It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
emacs ~/README
|
||||
#+END_SRC
|
||||
#+begin_src bash
|
||||
freedombone-client
|
||||
#+end_src
|
||||
|
||||
You should transfer any passwords to a password manager such as [[http://www.keepassx.org/][KeepassX]] and then delete them from the README file. To save the file after removing passwords use *CTRL-x CTRL-s*.
|
||||
On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:
|
||||
|
||||
To exit you can either just close the terminal or use *CTRL-x CTRL-c* followed by the *exit* command.
|
||||
* Improving ssh security
|
||||
To improve ssh security you can generate an ssh key pair on your system and then upload the public key to the Freedombone.
|
||||
#+begin_src
|
||||
ssh myusername@freedombone.local -p 2222
|
||||
#+end_src
|
||||
|
||||
On your local machine:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh-keygen
|
||||
#+END_SRC
|
||||
|
||||
For extra security you may also want to add a passphrase to the ssh private key. You can show the generated public key with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
cat ~/.ssh/id_rsa.pub
|
||||
#+END_SRC
|
||||
|
||||
Log into your system and open the control panel.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select /Administrator controls/ then /Manage Users/ then /Change user ssh public key/. Copy and paste the public key here, then exit.
|
||||
|
||||
It's a good idea to also copy the contents of *~/.ssh/id_rsa* and *~/.ssh/id_rsa.pub* to you password manager, together with the private key password if you created one.
|
||||
|
||||
There are advantages and disadvantages to using ssh keys for logins. The advantage is that this is much more secure than a memorised password, but the disadvantage is that you need to carry your ssh keys around and be able to install them on any computer of mobile device that you use. In high security or hostile infosec environments it may not be possible to carry or use USB thumb drives containing your keys and so memorised passwords may be the only available choice.
|
||||
|
||||
If you wish to only use ssh keys then log in to the Freedombone, become the root user and open the control panel with the 'control' command. Select /Security Settings/ then keep hitting enter until you reach the question about allowing password logins. Select "no" for that, then apply the settings. Any subsequent attempts to log in via a password will then be denied.
|
||||
Select *Administrator controls* and re-enter your password, then *Manage Users* and *Change user ssh public key*. Copy and paste the ssh public keys which appeared after the *freedombone-client* command was run. Then go to *Security settings* and select *Allow ssh login with passwords* followed by *no*.
|
||||
|
||||
You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.
|
||||
* Administrating the system via an onion address (Tor)
|
||||
You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
|
||||
|
||||
|
@ -84,602 +71,13 @@ Select /Administrator controls/ then select "About this system" and look for the
|
|||
freedombone-client
|
||||
#+END_SRC
|
||||
|
||||
This will set up your ssh environment to be able to handle onion addresses. In addition if you use monkeysphere then you can do:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
freedombone-client --ms yes
|
||||
#+END_SRC
|
||||
|
||||
Then you can test ssh with:
|
||||
This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@address.onion -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
|
||||
* Syncing to the Cloud
|
||||
[[https://syncthing.net][Syncthing]] provides a similar capability to proprietary systems such as [[http://www.drop-dropbox.com/][Dropbox]], and also is well suited for use with low power single board computers. You can have one or more directories which are synchronized across your various laptops/desktops/devices, and this makes it hard for you to ever lose important files. The manner in which the synchronization is done is pretty secure, such that it would be difficult for passive adversaries (mass surveillance, "/men in the middle/", etc) to know what files you're sharing. Of course, you don't necessarily need to be running a server in order to use Syncthing, but if you do have a server which is always running then there's always at least one place to synchronize your files to or from.
|
||||
|
||||
Freedombone provides Syncthing shared directories for each user on the system, plus a single shared directory for all users. The expected most common scenario here is that of a family in which members may not want to share /all of their files/ with each other, but might want to share some in a common pool (eg. birthday photos). You can also easily share between different servers.
|
||||
|
||||
** On a laptop
|
||||
Install syncthing:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
|
||||
echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
|
||||
sudo apt-get update
|
||||
sudo apt-get install syncthing
|
||||
#+END_SRC
|
||||
|
||||
Add syncthing to your startup applications, so that it begins running when your system starts. Then either restart your system or run the command "syncthing" from a terminal.
|
||||
|
||||
In another terminal log into Freedombone:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select *File Synchronization*.
|
||||
|
||||
[[file:images/controlpanel/control_panel_file_sync.jpg]]
|
||||
|
||||
Select *Show device ID* and copy the long string of letters and numbers shown, using the shift key then select the text followed by right click then select copy.
|
||||
|
||||
Open a non-Tor browser and enter *http://127.0.0.1:8384* as the URL. You should now see the minimalistic user interface. Under *Remote Devices* select *Add Remote Device*. In the *Device ID* field paste the string you just copied (CTRL+v). The Device name can be anything. Under *Share Folders with Device* check *default* (or whatever folder you created on your local machine), then save.
|
||||
|
||||
From the top menu select *Actions* and then *Show ID*, then copy the ID string (usually select then CTRL+c). Go back to the terminal control panel menu and select *Add an ID* then paste what you just copied (CTRL+v). Optionally you can also provide a description so that you later can know what that string corresponds to.
|
||||
|
||||
Now wait for a few minutes. Eventually you will see two messages appear within the browser asking if you want to add two new folders from the Freedombone server. Say yes to both, and specify *~/Sync* as the directory with your username and *~/SyncShared* as the shared directory. You can now copy files into your *~/Sync* directory and they will automatically be synced to the server. Those will be files which only you can access. If you copy files into *~/SyncShared* then they will also be available to any other users on the system.
|
||||
** On Android
|
||||
Install Syncthing and Connectbot from F-droid.
|
||||
|
||||
Set up Connectbot to log into Freedombone.
|
||||
|
||||
Select *File Synchronization*.
|
||||
|
||||
Select *Show device ID* and copy the long string of letters by pressing anywhere on the screen, selecting the *menu* then *copy* and then selecting the ID string. This is very tricky on a small screen, so expect to fail multiple times before you succeed in copying the text.
|
||||
|
||||
Open Syncthing and select the devices tab. Press on *+* and then paste the device ID with a long press followed by *Paste*. You may need to remove any stray characters which were copied during the previous haphazard selection process. Add a name, which can be anything.
|
||||
|
||||
Now select the menu (top left or menu button) and then press on *Device ID*. It will be copied to the clipboard. Go back to Connectbot and from the control panel select *File Synchronization* followed by *Add an ID*. You can then paste in the ID with a long press, and optionally add a description for the device. When that's done you can disconnect from Connectbot.
|
||||
|
||||
Now wait for a few minutes or more. Eventually you should receive two notifications (swipe down from the top to see them) which will allow you to confirm the connection to the server. Say yes to both, and specify appropriate directories for your files and the shared files. To reduce battery and data usage via the settings you can also set Syncthing to only sync while it's charging and only while it's connected to wifi.
|
||||
* Play Music
|
||||
** With the DLNA service
|
||||
An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on a USB thumb drive and then insert it into from socket on the Beaglebone.
|
||||
|
||||
ssh into the system with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain.com -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then mount the USB drive with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
su
|
||||
attach-music
|
||||
#+END_SRC
|
||||
|
||||
The system will scan the Music directory, which could take a while if there are thousands of files, but you don't need to do anything further with the Beaglebone other than perhaps to log out by typing *exit* a couple of times.
|
||||
|
||||
If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
|
||||
|
||||
The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are no access controls on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network.
|
||||
|
||||
* Microblogging (GNU Social)
|
||||
** Initial setup
|
||||
To log into your GNU Social site first obtain your username and password from the "microblogging" section of the readme file.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
cat README
|
||||
exit
|
||||
#+END_SRC
|
||||
|
||||
Navigate to your site and log in. You may then want to select *Admin* and check or change the details. You may also wish to change the license for the site to be either Creative Commons or private.
|
||||
|
||||
GNU Social has a clutter-free mobile user interface which can be accessed via a Tor compatible browser (make sure to add a NoScript exception). Unlike similar proprietary sites there are no bribed posts.
|
||||
|
||||
[[file:images/gnusocial_mobile.jpg]]
|
||||
|
||||
** Direct Messages (DMs) and privacy
|
||||
One important point about GNU Social is that although direct messages (DMs) are treated as being private their security is quite poor. If you want real communications privacy then use other systems such as XMPP+OMEMO/OTR, Tox or email with GPG. GNU Social is primarily about /fully public communications/.
|
||||
** Using with Emacs
|
||||
If you are an Emacs user it's also possible to set up GNU Social mode as follows:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
mkdir ~/elisp
|
||||
git clone git://git.savannah.nongnu.org/gnu-social-mode ~/elisp/gnu-social-mode
|
||||
sed -i 's|"http"|"https"|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
sed -i 's|http:|https:|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
sed -i 's|http?|https?|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
|
||||
echo "(add-to-list 'load-path \"~/elisp/gnu-social-mode\")" >> ~/.emacs
|
||||
echo "(require 'gnu-social-mode)" >> ~/.emacs
|
||||
echo "(setq gnu-social-server-textlimit 2000" >> ~/.emacs
|
||||
echo " gnu-social-server \"yourgnusocialdomain\"" >> ~/.emacs
|
||||
echo " gnu-social-username \"yourusername\"" >> ~/.emacs
|
||||
echo " gnu-social-password \"gnusocialpassword\")" >> ~/.emacs
|
||||
#+end_src
|
||||
|
||||
And as a quick reference the main keys are:
|
||||
|
||||
| Key | Function |
|
||||
|---------------+--------------------|
|
||||
| i | Show icons |
|
||||
| CTRL-c CTRL-s | Post status update |
|
||||
| r | Repeat |
|
||||
| F | Favourite |
|
||||
| R | Reply to user |
|
||||
| CTRL-c CTRL-h | Highlight |
|
||||
| CTRL-c CTRL-r | Show replies |
|
||||
| CTRL-c CTRL-f | Friends timeline |
|
||||
|
||||
* Sharing things
|
||||
If you have the GNU Social microblogging system installed then it's also possible to share things or services between groups or with particular users. This can be useful for sharing items within a family, club or in a local sharing economy. Sharing things freely, without money, reveals the social basis at the root of all economics which money normally conceals or obscures.
|
||||
|
||||
Click on "/share/" or "/my catalog/" and this will switch to a screen which allows you to enter details for things to be shared or wanted.
|
||||
|
||||
[[file:images/sharings3.jpg]]
|
||||
|
||||
The "/catalog/" button then allows you to search for shared things within the federated network.
|
||||
|
||||
[[file:images/sharings4.jpg]]
|
||||
|
||||
* Social Network
|
||||
** Domains
|
||||
Both Hubzilla and GNU Social try to obtain certificates automatically at the time of installation via Let's Encrypt. This will likely mean that in order for this to work you'll need to have obtained at least one "official" domain via a domain selling service, since Let's Encrypt mostly doesn't seem to work with free subdomains from sites such as freeDNS.
|
||||
** Initial install
|
||||
On first visiting your Hubzilla site you'll see the login screen. The first thing you need to do is *register* a new user. The first user on the system then becomes its administrator.
|
||||
|
||||
[[file:images/hubzilla_mobile.jpg]]
|
||||
|
||||
* Chat Services
|
||||
** IRC
|
||||
IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
|
||||
*** Irssi
|
||||
The easiest way to use irssi is to connect to your system, like this:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select *IRC* from the menu. However, other than via this method using ssh, irssi isn't a very good IRC client because it doesn't have the capability to onion route messages, and therefore leaks metadata. For the best security when using your IRC server, use HexChat, Emacs ERC or another client which supports socks5 proxying.
|
||||
*** HexChat
|
||||
HexChat (formerly XChat) is compatible with proxying via Tor and so provides the best security when connecting to your IRC server. It will allow you to connect to your IRC server's onion address.
|
||||
|
||||
First install HexChat and set up its configuration file.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get install tor hexchat
|
||||
mkdir -p ~/.config/hexchat
|
||||
echo "# By default, HexChat based IRC software, when started-up, or run for first time,
|
||||
# it starts to use local network, to connect to the internet. To prevent that,
|
||||
# and to force it, to use Tor proxy (a Socks5 server):
|
||||
#
|
||||
# /set net_proxy_host 127.0.0.1
|
||||
# /set net_proxy_port 9050
|
||||
# /set net_proxy_type 3
|
||||
# /set net_proxy_use 0
|
||||
net_proxy_host = 127.0.0.1
|
||||
net_proxy_port = 9050
|
||||
# Technical note: 3 = socks5
|
||||
net_proxy_type = 3
|
||||
# Technical note: Do not worry. 0 is not equal to "off". 0 stands for "All".
|
||||
# Check yourself https://toxin.jottit.com/xchat_set_variables
|
||||
net_proxy_use = 0
|
||||
|
||||
# HexChat should not use the same circuit/exit server as other Tor applications.
|
||||
# Otherwise activity in different applications could be correlated to the same
|
||||
# pseudonym. There is a way to prevent that.
|
||||
# It is called stream isolation. We use IsolateSOCKSAuth,
|
||||
# see https://www.torproject.org/docs/tor-manual-dev.html.en
|
||||
# The password is actually not required, but it does not hurt either.
|
||||
# Will probable not hurt on Tor 0.2.2 and below.
|
||||
# Works with Tor 0.2.3 and above.
|
||||
#
|
||||
# /set net_proxy_auth 1
|
||||
# /set net_proxy_pass = HexChat
|
||||
# /set net_proxy_user = HexChat
|
||||
#
|
||||
net_proxy_auth = 1
|
||||
net_proxy_pass = HexChat
|
||||
net_proxy_user = HexChat
|
||||
|
||||
# Get rid of protocol leaks:
|
||||
# a DCC session can reveal IP address, etc. identd flag can reveal your
|
||||
# username which you use to login in your OS(Windows/Linux/Unix/MacOS) profile.
|
||||
# To prevent those:
|
||||
#
|
||||
# /set dcc_auto_chat 0
|
||||
# /set dcc_auto_resume OFF
|
||||
# /set dcc_auto_send 0
|
||||
# /set irc_hide_version ON
|
||||
# /set identd OFF <-- NOT working on all HexChat-based IRC software.
|
||||
# But still highly suggested to include & use it.
|
||||
# Probable not needed on UNIX, source: http://xchat.org/faq/#q21
|
||||
dcc_auto_chat = 0
|
||||
dcc_auto_resume = 0
|
||||
dcc_auto_send = 0
|
||||
irc_hide_version = 1
|
||||
identd = 0
|
||||
|
||||
# If you use your own comment instead of default values, then these data are
|
||||
# posted on each channel when you do these events: JOIN, PART, QUIT, AWAY.
|
||||
# So they can reveal who you actually are, when you are using same HexChat
|
||||
# software for multiple different nicknames.
|
||||
#
|
||||
# Delete everything under Settings -> Preferences -> Default Messages:
|
||||
# -> Quit: <Deleted everything!>
|
||||
# -> Leave channel: <Deleted everything!>
|
||||
# -> Away: <Deleted everything!>
|
||||
away_reason =
|
||||
irc_part_reason =
|
||||
irc_quit_reason =
|
||||
|
||||
# By default, HexChat based IRC software uses your platform OS(Operating System)s
|
||||
# login user name as your nickname, user name, real name. To prevent leaking
|
||||
# that, and, to use your own choice of nickname, realname, username:
|
||||
#
|
||||
# ***Pseudonymous vs. anonymous IRC use.***
|
||||
# Actually IRC is pseudonymous. Your nickname might also reveal something about
|
||||
# your origin, interests, etc. You can make IRC more anonymous by choosing a more
|
||||
# meaningless nickname. Use the following defaults if you want to be more anonymous.
|
||||
# If user, user_ and user___ are already taken, add more _ or start using user1,
|
||||
# user2, user3, etc. Or if the irc network auto assigns your a nickname, i.e.
|
||||
# guest532, stick with that nickname.
|
||||
#
|
||||
# Of course, you are free to continue using IRC in a pseudonymous manner.
|
||||
# In that case, instant of user, choose your nickname.
|
||||
#
|
||||
# /set irc_real_name user
|
||||
# /set irc_user_name user
|
||||
# /set irc_nick1 user
|
||||
# /set irc_nick2 user_
|
||||
# /set irc_nick3 user__
|
||||
irc_real_name = user
|
||||
irc_user_name = user
|
||||
irc_nick1 = user
|
||||
irc_nick2 = user_
|
||||
irc_nick3 = user__
|
||||
|
||||
# Use a more common nick completion suffix:
|
||||
# When you write the first few characters of a nickname followed by tab,
|
||||
# it will, by HexChat default, complete the nickname and ", " behind the
|
||||
# nickname. The behavior is HexChat specific. The " :" is more more common
|
||||
# for more common clients such as mIRC.
|
||||
#
|
||||
# HexChat -> Settings -> Preferences -> input box -> completion_suffix set to :
|
||||
#
|
||||
completion_suffix = :
|
||||
|
||||
# Not starting the server windows at the beginning so you can check and set
|
||||
# settings before connecting to any IRC networks.
|
||||
gui_slist_skip = 1
|
||||
" > ~/.config/hexchat/hexchat.conf
|
||||
#+END_SRC
|
||||
|
||||
Now look up the onion address for your IRC server
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@mydomainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select Administrator options, then *About this system* and make a note of the onion address for IRC. Also select the *IRC Menu* and take a note of the login password.
|
||||
|
||||
[[file:images/hexchat_setup.jpg]]
|
||||
|
||||
Run HexChat.
|
||||
|
||||
Within the network list click, *Add* and enter your domain name then click *Edit*.
|
||||
|
||||
Select the entry within the servers box, then enter *ircaddress.onion/6697* and press *Enter*.
|
||||
|
||||
Uncheck *use global user information*.
|
||||
|
||||
Enter first and second nicknames and check *connect to this network on startup*.
|
||||
|
||||
Make sure that *use SSL* is unchecked. Encryption will be handled via the onion address itself.
|
||||
|
||||
Within the *Password* field enter the password which can be found from the IRC menu of the *control panel*.
|
||||
|
||||
Select the *Autojoin channels* tab, click *Add* and enter *#freedombone* as the channel name.
|
||||
|
||||
Click *close* and then *connect*.
|
||||
|
||||
*** Emacs
|
||||
If you are an Emacs user then you can also connect to your IRC server via Emacs.
|
||||
|
||||
Ensure that tor is installed onto your local system:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
sudo apt-get install tor
|
||||
#+END_SRC
|
||||
|
||||
Add the following to your Emacs configuration file:
|
||||
|
||||
#+BEGIN_SRC elisp
|
||||
(setq socks-noproxy '("localhost"))
|
||||
(require 'socks)
|
||||
(require 'tls)
|
||||
(setq socks-server (list "Tor socks" "localhost" 9050 5))
|
||||
(setq erc-server-connect-function 'socks-open-network-stream)
|
||||
(setq erc-autojoin-channels-alist
|
||||
'(("myircaddress.onion" "#freedombone")))
|
||||
(erc :server "myircaddress.onion" :port 6697 :nick "yourusername" :password "your IRC password")
|
||||
#+END_SRC
|
||||
*** Changing or removing the IRC password
|
||||
By default the IRC server is set up to require a password for users to log in. The password is the same for all users. If you want to change or remove the password:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select /Administrator controls/ then *IRC Menu* and then change the password. An empty password will allow anyone to log in, so you can have a globally accessible IRC system if you wish, although you might want to carefully consider whether that's wise.
|
||||
|
||||
** XMPP/Jabber
|
||||
*** About XMPP
|
||||
A well written article on the state of XMPP and how it compares to other chat protocols [[https://gultsch.de/xmpp_2016.html][can be found here]].
|
||||
*** Using with Gajim
|
||||
In mid 2016 [[https://gajim.org/][Gajim]] became the first desktop XMPP client to support the [[https://en.wikipedia.org/wiki/OMEMO][OMEMO end-to-end security standard]], which is superior to the more traditional [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
su -c 'echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list'
|
||||
sudo apt-get update
|
||||
sudo apt-get -y install gajim-dev-keyring
|
||||
sudo apt-get -y install git tor python-dev python-pip gajim-nightly
|
||||
mkdir ~/.local/share/gajim/plugins -p
|
||||
cd ~/.local/share/gajim/plugins
|
||||
git clone https://github.com/omemo/gajim-omemo
|
||||
sudo pip install protobuf==2.6.1, python-axolotl==0.1.35
|
||||
#+end_src
|
||||
|
||||
Open Gajim and enter your XMPP address and password.
|
||||
|
||||
Go to *Edit/Preferences* and select the *Advanced* tab. Under *Global Proxy* select *Tor* and the *Close* button. Then select *Edit/Plugins* and make sure that OMEMO is active (ticked), then select the *Close* button.
|
||||
|
||||
When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.
|
||||
|
||||
If you wish to make backups of the OMEMO keys then they can be found within:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
~/.local/share/gajim
|
||||
#+end_src
|
||||
|
||||
If you wish to use OpenPGP to encrypt your messages then go to *Edit/Accounts*, select your account and then the *Personal Information* tab. You can then choose your GPG key. When initiating a chat you can select the *Advanced* button and then select *Toggle OpenPGP Encryption*. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.
|
||||
|
||||
*** Using with Profanity
|
||||
The [[http://profanity.im][Profanity]] shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compomised then there are no locally stored OTR keys to be found.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then select XMPP. Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr gen
|
||||
#+END_SRC
|
||||
|
||||
Then to start a conversation using OTR:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr start otherusername@otheruserdomain
|
||||
#+END_SRC
|
||||
|
||||
or if you're already in an insecure chat with someone just use:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr start
|
||||
#+END_SRC
|
||||
|
||||
Set a security question and answer:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr question "What is the name of your best friends rabbit?" fiffi
|
||||
#+END_SRC
|
||||
|
||||
On the other side the user can enter:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr answer fiffi
|
||||
#+END_SRC
|
||||
|
||||
For the most paranoid you can also obtain your fingerprint:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr myfp
|
||||
#+END_SRC
|
||||
|
||||
and quote that. If they quote theirs back you can check it with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
/otr theirfp
|
||||
#+END_SRC
|
||||
|
||||
If the fingerprints match then you can be pretty confident that unless you have been socially engineered via the question and answer you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[http://www.profanity.im/otr.html][this guide]].
|
||||
|
||||
When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
|
||||
*** Using with Jitsi
|
||||
Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
|
||||
|
||||
Jitsi can be downloaded from https://jitsi.org
|
||||
|
||||
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
|
||||
|
||||
Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
|
||||
|
||||
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
|
||||
|
||||
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
|
||||
|
||||
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
|
||||
*** Using with Ubuntu
|
||||
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
|
||||
|
||||
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
|
||||
|
||||
Enter your username (username@domainname) and password.
|
||||
|
||||
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
|
||||
*** Using Tor Messenger
|
||||
Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from [[https://torproject.org][torproject.org]] and the setup is pretty simple.
|
||||
*** Using with Android/Conversations
|
||||
Install [[https://f-droid.org/][F-Droid]]
|
||||
|
||||
Search for and install *Orbot* and *Conversations*.
|
||||
|
||||
Add an account and enter your Jabber/XMPP ID and password.
|
||||
|
||||
From the menu select *Settings* then *Expert Settings*. Select *Connect via Tor* and depending on your situation you might also want to select *Don't save encrypted messages*. Also within expert settings select *Keep in foreground*. This will enable you to still receive notifications when your device is in standby mode with the screen turned off.
|
||||
|
||||
From the menu select *Manage accounts* and add a new account.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
Jabber ID: myusername@mydomain
|
||||
Password: your XMPP password
|
||||
Hostname: mydomain
|
||||
Port: 5222
|
||||
#+END_SRC
|
||||
|
||||
Then select *Next*. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.
|
||||
** Tox
|
||||
Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within the README within your home directory. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
|
||||
*** Using the Toxic client
|
||||
Log into your system with:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomain -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Then from the menu select *Tox Chat*. Tox is encrypted by default and also routed through Tor, so it should be reasonably secure both in terms of message content and metadata.
|
||||
|
||||
[[file:images/toxic.jpg]]
|
||||
|
||||
** VoIP (Voice and text chat)
|
||||
*** Text chat
|
||||
In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.
|
||||
*** Using with Ubuntu
|
||||
Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard.
|
||||
|
||||
Click on "add new" to add a new server and enter the default domain name for the Freedombone, your username (which can be anything) and the VoIP server password which can be found in the README file on the Freedombone. Accept the self-signed SSL certificate. You are now ready to chat.
|
||||
*** Using with Android
|
||||
Install [[https://f-droid.org/][F-Droid]]
|
||||
|
||||
If you don't have Orbot installed then enable The Guardian Project repository from the drop down menu and install it.
|
||||
|
||||
Search for and install Plumble.
|
||||
|
||||
Press the plus button to add a Mumble server.
|
||||
|
||||
Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone, your username (which can also be anything) and the VoIP server password which can be found in the README file on the Freedombone.
|
||||
|
||||
Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who.
|
||||
|
||||
Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users.
|
||||
|
||||
/Note: if you don't know the default domain name and you did a full installation then it will be the same as the wiki domain name./
|
||||
** SIP phones
|
||||
Freedombone also supports SIP phones The username and domain is the same as for your email address, and the SIP password and extension number will appear within the README file in your home directory. Various SIP client options are available, such as CSipSimple on Android and Jitsi on desktop or laptop machines. Ideally use clients which support ZRTP, which will provide the best level of security.
|
||||
*** About ZRTP
|
||||
[[https://jitsi.org/Documentation/ZrtpFAQ][ZRTP]] appears to be the current best standard to end-to-end encrypted voice calls, combining good security with simplicity of use. When the initial cryptographic negotiation between phones is done at the start of a call a short authentication string (SAS) is calculated and displayed at both ends. To check that there isn't anyone intercepting the call and acting as a /man in the middle/ - as [[https://en.wikipedia.org/wiki/Stingray_phone_tracker][stingray type devices]] try to do - the short authentication string can be read out and verbally confirmed between the callers. If it's the same then you can be pretty confident that the call is secure.
|
||||
*** Using with CSIPSimple
|
||||
Add an account. Under *General Wizards* choose *Expert* and enter the following details:
|
||||
|
||||
| Account name | Your username |
|
||||
| Account ID | sip:username@yourdomain |
|
||||
| Registration URI | sip:yourdefaultdomain |
|
||||
| Realm | * |
|
||||
| Username | Your username |
|
||||
| Data (Password) | Your SIP password |
|
||||
| ZRTP Mode | Create ZRTP |
|
||||
|
||||
If everything is working the account should appear in green with a status of *Registered*.
|
||||
*** Using with Ring
|
||||
From the menu select *Manage accounts*.
|
||||
|
||||
Add an account with the following details:
|
||||
|
||||
| Alias | Your full name or nickname |
|
||||
| Protocol | SIP |
|
||||
| Hostname | yourdefaultdomain |
|
||||
| Username | Your username |
|
||||
| Password | Your SIP password |
|
||||
|
||||
Select the *Security* tab. Under *SRTP Key Exchange* select *ZRTP*. Unde *SRTP Preferences* select *Not supported warning* and *Display SAS Once*.
|
||||
|
||||
* RSS Reader
|
||||
The way that RSS reading is set up on Freedombone gives you strong reading privacy. Not only is there onion routing between you and the server but also between the server and the source of the RSS feed. The only down side is that many RSS feeds are still http only, and so could be vulnerable to injection attacks, but it's expected that more of this will go to https in the foreseeable future due to a combination of growing recognition of security issues and systems like Let's Encrypt which make obtaining certificates much easier.
|
||||
|
||||
[[file:images/rss_reader_mobile.jpg]]
|
||||
|
||||
** Finding the onion address
|
||||
See the control panel for the RSS reader onion address.
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh username@domainname -p 2222
|
||||
#+END_SRC
|
||||
|
||||
Select /Administrator controls/ then select the *About* screen.
|
||||
|
||||
The RSS reader is accessible only via an onion address. This provides a reasonable degree of reading privacy, making it difficult for passive adversaries such as governments, corporations or criminals to create lists of sites which you are subscribed to.
|
||||
|
||||
To set up the system open http://rss_reader_onion_address/ and log in with username *admin* and the password obtained either at the beginning of the install or from the README file in your home directory. You can then select the *Actions* menu and begin adding your feeds.
|
||||
|
||||
** On mobile
|
||||
To access the RSS reader from a mobile device you can install a Tor compatible browser such as OrFox. It will try to automatically change to the mobile version of the user interface. Remember to add the site to the NoScript whitelist, and you may also need to turn HTTPS Everywhere off.
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
A note for the paranoid is that on mobile devices you get redirected to a different onion address which is specially set up for the mobile interface, so don't be alarmed that it looks like your connection is being hijacked.
|
||||
#+END_QUOTE
|
||||
** With Emacs
|
||||
If you are an Emacs user then you can also read your RSS feeds via the [[https://github.com/dk87/avandu][Avandu]] mode.
|
||||
|
||||
Add the following to your configuration, changing the address and password as appropriate.
|
||||
|
||||
#+begin_src emacs-lisp :tangle no
|
||||
(setq avandu-tt-rss-api-url "http://rss_reader_onion_address/api/"
|
||||
avandu-user "admin"
|
||||
avandu-password "mypassword")
|
||||
#+end_src
|
||||
|
||||
If you don't already have Emacs set up to route through Tor then also add the following:
|
||||
|
||||
#+begin_src emacs-lisp :tangle no
|
||||
(setq socks-noproxy '("localhost"))
|
||||
(require 'socks)
|
||||
(require 'tls)
|
||||
(setq socks-server (list "Tor socks" "localhost" 9050 5))
|
||||
#+end_src
|
||||
|
||||
And ensure that the Tor daemon is installed:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo apt-get install tor
|
||||
#+end_src
|
||||
* Git Projects
|
||||
Github is ok, but it's proprietary and funded by venture capital. If you been around on the internet for long enough then you know how this story eventually works itself out - i.e. badly for the users. It's really only a question of time. If you're a software developer or do things which involve the Git version control system then it's a good idea to become accustomed to hosting your own repositories, before the inevitable Github shitstorm happens.
|
||||
|
||||
A Git hosting system called [[https://gogs.io][Gogs]] can optionally be installed. This is very similar to Github in appearance and use. It's lightweight and so well suited for use on low power ARM servers.
|
||||
|
||||
Navigate to your git site and click the *Register* button. The first user registered on the system becomes the administrator. Once you've done that then it's a good idea to disable further registrations. Currently that's a little complicated, but you can do it as follows:
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo username@domainname -p 2222
|
||||
#+end_src
|
||||
|
||||
Select *Exit to the comand line*.
|
||||
|
||||
#+begin_src bash :tangle no
|
||||
sudo su
|
||||
export GO_VERSION=1.5
|
||||
sed -i "s|DISABLE_REGISTRATION =.*|DISABLE_REGISTRATION = true|g" /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf/app.ini
|
||||
systemctl restart gogs
|
||||
exit; exit
|
||||
#+end_src
|
||||
|
||||
This will stop any spam accounts being created by random strangers or bots. You might want to mirror existing repos, and at any time a mirror can be converted into the main repo.
|
||||
* Adding or removing users
|
||||
Log into the system with:
|
||||
|
||||
|
@ -695,9 +93,3 @@ control
|
|||
#+END_SRC
|
||||
|
||||
[[file:images/controlpanel/control_panel_manage_users.jpg]]
|
||||
|
||||
#+BEGIN_EXPORT html
|
||||
<center>
|
||||
Return to the <a href="index.html">home page</a>
|
||||
</center>
|
||||
#+END_EXPORT
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
@ -37,7 +37,7 @@ So if you want to use your own email address hosted on your own system you do ne
|
|||
* A technical note about email transport security
|
||||
Port 465 is used for SMTP and this is supposedly deprecated for secure email. However, using TLS from the start of the communications seems far more secure than starting off with insecure communications and then trying to upgrade it with a command to begin TLS, as happens with STARTTLS. There are [[https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks][possible attacks against STARTTLS]] in which the command to begin secure communications is removed or overwritten which could then result in email being transferred in plain text over the internet and be readable by third parties.
|
||||
|
||||
From http://motherboard.vice.com/read/email-encryption-is-broken:
|
||||
From https://motherboard.vice.com/read/email-encryption-is-broken:
|
||||
|
||||
#+BEGIN_QUOTE
|
||||
The researchers also uncovered mass scale attacks of STARTTLS sessions being stripped of their encryption. That attack itself isn't new: internet service providers sometimes do it to monitor users; organizations may use it to keep an eye on employees; or it may come from a malicious actor
|
||||
|
@ -54,7 +54,7 @@ quit
|
|||
exit
|
||||
#+END_SRC
|
||||
|
||||
Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[http://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]].
|
||||
Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[https://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]].
|
||||
|
||||
* Publishing your GPG public key
|
||||
If you havn't already then you should publish your GPG public key so that others can find it.
|
||||
|
@ -103,6 +103,7 @@ Some useful keys to know are:
|
|||
| [ | Expand of collapse the current thread |
|
||||
| CTRL-k | Import a PGP/GPG public key |
|
||||
| v | View current email in different formats, such as HTML |
|
||||
| CTRL-u | View long URLs |
|
||||
| q | Quit |
|
||||
|
||||
To use the address book system open an email by pressing the enter key on it and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
|
||||
|
@ -111,6 +112,8 @@ One of the most common things which you might wish to do is to send an email. T
|
|||
|
||||
When reading emails you will initially need to enter your GPG password. It will be retained in RAM for a while afterwards.
|
||||
|
||||
There is one irksome thing about email within mutt, and that's if you get sent a confirmation with a very long URL. It's usually not possible to view URLs which span over multiple lines, and trying to copy/paste them is annoying. A solution is to use /CTRL-u/ then select the url and press Enter. You can then navigate to it via the lynx browser.
|
||||
|
||||
* Thunderbird/Icedove
|
||||
Another common way in which you may want to access email is via Thunderbird (also known as Icedove on Debian). This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook.
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
#+TITLE:
|
||||
#+AUTHOR: Bob Mottram
|
||||
#+EMAIL: bob@robotics.uk.to
|
||||
#+EMAIL: bob@freedombone.net
|
||||
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
|
||||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||||
#+OPTIONS: ^:nil toc:nil
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
|
||||
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
|
||||
|
||||
#+BEGIN_CENTER
|
||||
[[file:images/logo.png]]
|
||||
|
|
|
@ -0,0 +1,211 @@
|
|||
mirror_style release
|
||||
download_style apt
|
||||
finddebs_style from-indices
|
||||
variants - buildd fakechroot minbase scratchbox
|
||||
keyring /usr/share/keyrings/debian-archive-keyring.gpg
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
|
||||
fi
|
||||
|
||||
case $ARCH in
|
||||
alpha|ia64) LIBC="libc6.1" ;;
|
||||
kfreebsd-*) LIBC="libc0.1" ;;
|
||||
hurd-*) LIBC="libc0.3" ;;
|
||||
*) LIBC="libc6" ;;
|
||||
esac
|
||||
|
||||
work_out_debs () {
|
||||
required="$(get_debs Priority: required)"
|
||||
|
||||
if doing_variant - || doing_variant fakechroot; then
|
||||
#required="$required $(get_debs Priority: important)"
|
||||
# ^^ should be getting debconf here somehow maybe
|
||||
base="$(get_debs Priority: important)"
|
||||
elif doing_variant buildd || doing_variant scratchbox; then
|
||||
base="apt build-essential"
|
||||
elif doing_variant minbase; then
|
||||
base="apt"
|
||||
fi
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
# ldd.fake needs binutils
|
||||
required="$required binutils"
|
||||
fi
|
||||
|
||||
case $MIRRORS in
|
||||
https://*)
|
||||
base="$base apt-transport-https ca-certificates"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
first_stage_install () {
|
||||
case "$CODENAME" in
|
||||
etch|etch-m68k|jessie|lenny|squeeze|wheezy) ;;
|
||||
*) setup_merged_usr ;;
|
||||
esac
|
||||
|
||||
extract $required
|
||||
|
||||
mkdir -p "$TARGET/var/lib/dpkg"
|
||||
: >"$TARGET/var/lib/dpkg/status"
|
||||
: >"$TARGET/var/lib/dpkg/available"
|
||||
|
||||
setup_etc
|
||||
if [ ! -e "$TARGET/etc/fstab" ]; then
|
||||
echo '# UNCONFIGURED FSTAB FOR BASE SYSTEM' > "$TARGET/etc/fstab"
|
||||
chown 0:0 "$TARGET/etc/fstab"; chmod 644 "$TARGET/etc/fstab"
|
||||
fi
|
||||
|
||||
setup_devices
|
||||
}
|
||||
|
||||
second_stage_install () {
|
||||
setup_dynamic_devices
|
||||
|
||||
x_feign_install () {
|
||||
local pkg="$1"
|
||||
local deb="$(debfor $pkg)"
|
||||
local ver="$(in_target dpkg-deb -f "$deb" Version)"
|
||||
|
||||
mkdir -p "$TARGET/var/lib/dpkg/info"
|
||||
|
||||
echo \
|
||||
"Package: $pkg
|
||||
Version: $ver
|
||||
Maintainer: unknown
|
||||
Status: install ok installed" >> "$TARGET/var/lib/dpkg/status"
|
||||
|
||||
touch "$TARGET/var/lib/dpkg/info/${pkg}.list"
|
||||
}
|
||||
|
||||
x_feign_install dpkg
|
||||
|
||||
x_core_install () {
|
||||
smallyes '' | in_target dpkg --force-depends --install $(debfor "$@")
|
||||
}
|
||||
|
||||
p () {
|
||||
baseprog="$(($baseprog + ${1:-1}))"
|
||||
}
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
setup_proc_fakechroot
|
||||
elif doing_variant scratchbox; then
|
||||
true
|
||||
else
|
||||
setup_proc
|
||||
in_target /sbin/ldconfig
|
||||
fi
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive
|
||||
DEBCONF_NONINTERACTIVE_SEEN=true
|
||||
export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN
|
||||
|
||||
baseprog=0
|
||||
bases=7
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #1
|
||||
info INSTCORE "Installing core packages..."
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #2
|
||||
ln -sf mawk "$TARGET/usr/bin/awk"
|
||||
x_core_install base-passwd
|
||||
x_core_install base-files
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #3
|
||||
x_core_install dpkg
|
||||
|
||||
if [ ! -e "$TARGET/etc/localtime" ]; then
|
||||
ln -sf /usr/share/zoneinfo/UTC "$TARGET/etc/localtime"
|
||||
fi
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
install_fakechroot_tools
|
||||
fi
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #4
|
||||
x_core_install $LIBC
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #5
|
||||
x_core_install perl-base
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #6
|
||||
rm "$TARGET/usr/bin/awk"
|
||||
x_core_install mawk
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #7
|
||||
if doing_variant -; then
|
||||
x_core_install debconf
|
||||
fi
|
||||
|
||||
baseprog=0
|
||||
bases=$(set -- $required; echo $#)
|
||||
|
||||
info UNPACKREQ "Unpacking required packages..."
|
||||
|
||||
exec 7>&1
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg UNPACK_REQ_FAIL_FIVE "Failure while unpacking required packages. This will be attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-depends --unpack $(debfor $required) 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases UNPACKREQ "Unpacking required packages" UNPACKING
|
||||
|
||||
info CONFREQ "Configuring required packages..."
|
||||
|
||||
echo \
|
||||
"#!/bin/sh
|
||||
exit 101" > "$TARGET/usr/sbin/policy-rc.d"
|
||||
chmod 755 "$TARGET/usr/sbin/policy-rc.d"
|
||||
|
||||
mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL"
|
||||
echo \
|
||||
"#!/bin/sh
|
||||
echo
|
||||
echo \"Warning: Fake start-stop-daemon called, doing nothing\"" > "$TARGET/sbin/start-stop-daemon"
|
||||
chmod 755 "$TARGET/sbin/start-stop-daemon"
|
||||
|
||||
setup_dselect_method apt
|
||||
|
||||
smallyes '' |
|
||||
(in_target_failmsg CONF_REQ_FAIL "Failure while configuring required packages." "" \
|
||||
dpkg --status-fd 8 --configure --pending --force-configure-any --force-depends 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases CONFREQ "Configuring required packages" CONFIGURING
|
||||
|
||||
baseprog=0
|
||||
bases="$(set -- $base; echo $#)"
|
||||
|
||||
info UNPACKBASE "Unpacking the base system..."
|
||||
|
||||
setup_available $required $base
|
||||
done_predeps=
|
||||
while predep=$(get_next_predep); do
|
||||
# We have to resolve dependencies of pre-dependencies manually because
|
||||
# dpkg --predep-package doesn't handle this.
|
||||
predep=$(without "$(without "$(resolve_deps $predep)" "$required")" "$done_predeps")
|
||||
# XXX: progress is tricky due to how dpkg_progress works
|
||||
# -- cjwatson 2009-07-29
|
||||
p; smallyes '' |
|
||||
in_target dpkg --force-overwrite --force-confold --skip-same-version --install $(debfor $predep)
|
||||
base=$(without "$base" "$predep")
|
||||
done_predeps="$done_predeps $predep"
|
||||
done
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg INST_BASE_FAIL_FIVE "Failure while installing base packages. This will be re-attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-overwrite --force-confold --skip-same-version --unpack $(debfor $base) 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases UNPACKBASE "Unpacking base system" UNPACKING
|
||||
|
||||
info CONFBASE "Configuring the base system..."
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg CONF_BASE_FAIL_FIVE "Failure while configuring base packages. This will be re-attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-confold --skip-same-version --configure -a 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases CONFBASE "Configuring base system" CONFIGURING
|
||||
|
||||
mv "$TARGET/sbin/start-stop-daemon.REAL" "$TARGET/sbin/start-stop-daemon"
|
||||
rm -f "$TARGET/usr/sbin/policy-rc.d"
|
||||
|
||||
progress $bases $bases CONFBASE "Configuring base system"
|
||||
info BASESUCCESS "Base system installed successfully."
|
||||
}
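Review bot: This 211-line suite script seems to be added twice: the next file section opens with the same `@ -0,0 +1,211 @@` header and, as far as it is visible here, repeats this one line for line from `mirror_style release` onward. If the two are meant to stay identical, keeping one real file and making the other a symlink (or creating it at install time) would stop a later fix from landing in only one copy. That matters most for the trust-relevant lines, `keyring /usr/share/keyrings/debian-archive-keyring.gpg` and the `https://*)` mirror case in `work_out_debs`. The file also starts with no provenance comment, and the `cjwatson 2009-07-29` remark suggests it was copied from debootstrap. A first line such as `# Copied from debootstrap <UPSTREAM_VERSION>, scripts/<SUITE>; local changes: none` (placeholders to be filled in) would let a maintainer diff it against upstream when that project ships fixes.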
|
|
@ -0,0 +1,211 @@
|
|||
mirror_style release
|
||||
download_style apt
|
||||
finddebs_style from-indices
|
||||
variants - buildd fakechroot minbase scratchbox
|
||||
keyring /usr/share/keyrings/debian-archive-keyring.gpg
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
|
||||
fi
|
||||
|
||||
case $ARCH in
|
||||
alpha|ia64) LIBC="libc6.1" ;;
|
||||
kfreebsd-*) LIBC="libc0.1" ;;
|
||||
hurd-*) LIBC="libc0.3" ;;
|
||||
*) LIBC="libc6" ;;
|
||||
esac
|
||||
|
||||
work_out_debs () {
|
||||
required="$(get_debs Priority: required)"
|
||||
|
||||
if doing_variant - || doing_variant fakechroot; then
|
||||
#required="$required $(get_debs Priority: important)"
|
||||
# ^^ should be getting debconf here somehow maybe
|
||||
base="$(get_debs Priority: important)"
|
||||
elif doing_variant buildd || doing_variant scratchbox; then
|
||||
base="apt build-essential"
|
||||
elif doing_variant minbase; then
|
||||
base="apt"
|
||||
fi
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
# ldd.fake needs binutils
|
||||
required="$required binutils"
|
||||
fi
|
||||
|
||||
case $MIRRORS in
|
||||
https://*)
|
||||
base="$base apt-transport-https ca-certificates"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
first_stage_install () {
|
||||
case "$CODENAME" in
|
||||
etch|etch-m68k|jessie|lenny|squeeze|wheezy) ;;
|
||||
*) setup_merged_usr ;;
|
||||
esac
|
||||
|
||||
extract $required
|
||||
|
||||
mkdir -p "$TARGET/var/lib/dpkg"
|
||||
: >"$TARGET/var/lib/dpkg/status"
|
||||
: >"$TARGET/var/lib/dpkg/available"
|
||||
|
||||
setup_etc
|
||||
if [ ! -e "$TARGET/etc/fstab" ]; then
|
||||
echo '# UNCONFIGURED FSTAB FOR BASE SYSTEM' > "$TARGET/etc/fstab"
|
||||
chown 0:0 "$TARGET/etc/fstab"; chmod 644 "$TARGET/etc/fstab"
|
||||
fi
|
||||
|
||||
setup_devices
|
||||
}
|
||||
|
||||
second_stage_install () {
|
||||
setup_dynamic_devices
|
||||
|
||||
x_feign_install () {
|
||||
local pkg="$1"
|
||||
local deb="$(debfor $pkg)"
|
||||
local ver="$(in_target dpkg-deb -f "$deb" Version)"
|
||||
|
||||
mkdir -p "$TARGET/var/lib/dpkg/info"
|
||||
|
||||
echo \
|
||||
"Package: $pkg
|
||||
Version: $ver
|
||||
Maintainer: unknown
|
||||
Status: install ok installed" >> "$TARGET/var/lib/dpkg/status"
|
||||
|
||||
touch "$TARGET/var/lib/dpkg/info/${pkg}.list"
|
||||
}
|
||||
|
||||
x_feign_install dpkg
|
||||
|
||||
x_core_install () {
|
||||
smallyes '' | in_target dpkg --force-depends --install $(debfor "$@")
|
||||
}
|
||||
|
||||
p () {
|
||||
baseprog="$(($baseprog + ${1:-1}))"
|
||||
}
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
setup_proc_fakechroot
|
||||
elif doing_variant scratchbox; then
|
||||
true
|
||||
else
|
||||
setup_proc
|
||||
in_target /sbin/ldconfig
|
||||
fi
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive
|
||||
DEBCONF_NONINTERACTIVE_SEEN=true
|
||||
export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN
|
||||
|
||||
baseprog=0
|
||||
bases=7
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #1
|
||||
info INSTCORE "Installing core packages..."
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #2
|
||||
ln -sf mawk "$TARGET/usr/bin/awk"
|
||||
x_core_install base-passwd
|
||||
x_core_install base-files
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #3
|
||||
x_core_install dpkg
|
||||
|
||||
if [ ! -e "$TARGET/etc/localtime" ]; then
|
||||
ln -sf /usr/share/zoneinfo/UTC "$TARGET/etc/localtime"
|
||||
fi
|
||||
|
||||
if doing_variant fakechroot; then
|
||||
install_fakechroot_tools
|
||||
fi
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #4
|
||||
x_core_install $LIBC
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #5
|
||||
x_core_install perl-base
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #6
|
||||
rm "$TARGET/usr/bin/awk"
|
||||
x_core_install mawk
|
||||
|
||||
p; progress $baseprog $bases INSTCORE "Installing core packages" #7
|
||||
if doing_variant -; then
|
||||
x_core_install debconf
|
||||
fi
|
||||
|
||||
baseprog=0
|
||||
bases=$(set -- $required; echo $#)
|
||||
|
||||
info UNPACKREQ "Unpacking required packages..."
|
||||
|
||||
exec 7>&1
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg UNPACK_REQ_FAIL_FIVE "Failure while unpacking required packages. This will be attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-depends --unpack $(debfor $required) 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases UNPACKREQ "Unpacking required packages" UNPACKING
|
||||
|
||||
info CONFREQ "Configuring required packages..."
|
||||
|
||||
echo \
|
||||
"#!/bin/sh
|
||||
exit 101" > "$TARGET/usr/sbin/policy-rc.d"
|
||||
chmod 755 "$TARGET/usr/sbin/policy-rc.d"
|
||||
|
||||
mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL"
|
||||
echo \
|
||||
"#!/bin/sh
|
||||
echo
|
||||
echo \"Warning: Fake start-stop-daemon called, doing nothing\"" > "$TARGET/sbin/start-stop-daemon"
|
||||
chmod 755 "$TARGET/sbin/start-stop-daemon"
|
||||
|
||||
setup_dselect_method apt
|
||||
|
||||
smallyes '' |
|
||||
(in_target_failmsg CONF_REQ_FAIL "Failure while configuring required packages." "" \
|
||||
dpkg --status-fd 8 --configure --pending --force-configure-any --force-depends 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases CONFREQ "Configuring required packages" CONFIGURING
|
||||
|
||||
baseprog=0
|
||||
bases="$(set -- $base; echo $#)"
|
||||
|
||||
info UNPACKBASE "Unpacking the base system..."
|
||||
|
||||
setup_available $required $base
|
||||
done_predeps=
|
||||
while predep=$(get_next_predep); do
|
||||
# We have to resolve dependencies of pre-dependencies manually because
|
||||
# dpkg --predep-package doesn't handle this.
|
||||
predep=$(without "$(without "$(resolve_deps $predep)" "$required")" "$done_predeps")
|
||||
# XXX: progress is tricky due to how dpkg_progress works
|
||||
# -- cjwatson 2009-07-29
|
||||
p; smallyes '' |
|
||||
in_target dpkg --force-overwrite --force-confold --skip-same-version --install $(debfor $predep)
|
||||
base=$(without "$base" "$predep")
|
||||
done_predeps="$done_predeps $predep"
|
||||
done
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg INST_BASE_FAIL_FIVE "Failure while installing base packages. This will be re-attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-overwrite --force-confold --skip-same-version --unpack $(debfor $base) 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases UNPACKBASE "Unpacking base system" UNPACKING
|
||||
|
||||
info CONFBASE "Configuring the base system..."
|
||||
|
||||
smallyes '' |
|
||||
(repeatn 5 in_target_failmsg CONF_BASE_FAIL_FIVE "Failure while configuring base packages. This will be re-attempted up to five times." "" \
|
||||
dpkg --status-fd 8 --force-confold --skip-same-version --configure -a 8>&1 1>&7 || echo EXITCODE $?) |
|
||||
dpkg_progress $baseprog $bases CONFBASE "Configuring base system" CONFIGURING
|
||||
|
||||
mv "$TARGET/sbin/start-stop-daemon.REAL" "$TARGET/sbin/start-stop-daemon"
|
||||
rm -f "$TARGET/usr/sbin/policy-rc.d"
|
||||
|
||||
progress $bases $bases CONFBASE "Configuring base system"
|
||||
info BASESUCCESS "Base system installed successfully."
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
version,codename,series,created,release,eol
|
||||
1.1,Buzz,buzz,1993-08-16,1996-06-17,1997-06-05
|
||||
1.2,Rex,rex,1996-06-17,1996-12-12,1998-06-05
|
||||
1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
|
||||
2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
|
||||
2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
|
||||
2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
|
||||
3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
|
||||
3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
|
||||
4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
|
||||
5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
|
||||
6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
|
||||
7,Wheezy,wheezy,2011-02-06,2013-05-04
|
||||
8,Jessie,jessie,2013-05-04,2015-04-25
|
||||
9,Stretch,stretch,2015-04-25
|
||||
10,Buster,buster,2018-07-01
|
||||
,Sid,sid,1993-08-16
|
||||
,Experimental,experimental,1993-08-16
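Review bot: The rows from `7,Wheezy,...` to the end of the file carry fewer than the six fields the header declares (`version,codename,series,created,release,eol`), so a strict CSV reader rejects the file and a positional reader can mistake a missing `eol` for a shifted or empty value. If anything in the image build reads `eol` to decide whether a release still receives security updates, it should handle an absent field explicitly as "no date set". Padding the short rows with trailing commas, e.g. `7,Wheezy,wheezy,2011-02-06,2013-05-04,`, keeps the table rectangular. Whether this file is copied verbatim from an upstream package is not visible here; if it is, the tolerant parsing belongs in the consumer rather than in the data.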
|
|
|
@ -0,0 +1,37 @@
|
|||
All images in this directory are under a CC0 license, originally from pixabay.com
|
||||
|
||||
http://creativecommons.org/publicdomain/zero/1.0
|
||||
|
||||
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.
|
||||
|
||||
Statement of Purpose
|
||||
|
||||
The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
|
||||
|
||||
Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
|
||||
|
||||
For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
|
||||
|
||||
1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
|
||||
|
||||
the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
|
||||
moral rights retained by the original author(s) and/or performer(s);
|
||||
publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
|
||||
rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
|
||||
rights protecting the extraction, dissemination, use and reuse of data in a Work;
|
||||
database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
|
||||
other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
|
||||
|
||||
2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
|
||||
|
||||
3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
|
||||
|
||||
4. Limitations and Disclaimers.
|
||||
|
||||
No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
|
||||
|
||||
Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
|
||||
|
||||
Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
|
||||
|
||||
Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
|