Merge stockholm

Bob Mottram 2016-11-24 10:44:30 +00:00
commit 851d44c5be
5703 changed files with 105466 additions and 55145 deletions


@ -1,5 +1,5 @@
APP=freedombone
VERSION=1.01
VERSION=1.02
RELEASE=1
PREFIX?=/usr/local
@ -11,44 +11,56 @@ rmtranslations:
bash -c "./translate remove"
alltranslations:
bash -c "./translate translations"
tidy:
./tidyup src/*
source:
tar -cvf ../${APP}_${VERSION}.orig.tar ../${APP}-${VERSION} --exclude-vcs
gzip -f9n ../${APP}_${VERSION}.orig.tar
install:
mkdir -p ${DESTDIR}${PREFIX}/bin
mkdir -p ${DESTDIR}/usr/share/${APP}/base
mkdir -p ${DESTDIR}/usr/share/${APP}/apps
mkdir -p ${DESTDIR}/usr/share/${APP}/utils
mkdir -p ${DESTDIR}/usr/share/${APP}/avatars
mkdir -p ${DESTDIR}/etc/${APP}
cp -r image_build/* ${DESTDIR}/etc/${APP}
install -m 755 img/backgrounds/${APP}_mesh_background.png ${DESTDIR}${PREFIX}/share
install -m 755 src/* ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-meshweb ${DESTDIR}${PREFIX}/bin/meshweb
install -m 755 src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
install -m 755 src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
install -m 755 src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
install -m 755 src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends
install -m 755 src/${APP}-restore-local ${DESTDIR}${PREFIX}/bin/restore
install -m 755 src/${APP}-restore-remote ${DESTDIR}${PREFIX}/bin/restorefromfriend
cp img/backgrounds/${APP}_*.png ${DESTDIR}${PREFIX}/share
cp img/avatars/* ${DESTDIR}/usr/share/${APP}/avatars
cp src/* ${DESTDIR}${PREFIX}/bin
cp src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
cp src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends
cp src/${APP}-restore-local ${DESTDIR}${PREFIX}/bin/restore
cp src/${APP}-restore-remote ${DESTDIR}${PREFIX}/bin/restorefromfriend
rm -f ${DESTDIR}/usr/share/${APP}/base/*
rm -f ${DESTDIR}/usr/share/${APP}/apps/*
rm -f ${DESTDIR}/usr/share/${APP}/utils/*
mv ${DESTDIR}${PREFIX}/bin/${APP}-base-* ${DESTDIR}/usr/share/${APP}/base
mv ${DESTDIR}${PREFIX}/bin/${APP}-app-* ${DESTDIR}/usr/share/${APP}/apps
mv ${DESTDIR}${PREFIX}/bin/${APP}-utils-* ${DESTDIR}/usr/share/${APP}/utils
mkdir -m 755 -p ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-backup-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/backup.1.gz
install -m 644 man/${APP}-restore-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/restore.1.gz
bash -c "./translate install"
cp man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1
cp man/${APP}-backup-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/backup.1.gz
cp man/${APP}-restore-local.1.gz ${DESTDIR}${PREFIX}/share/man/man1/restore.1.gz
# bash -c "./translate install"
uninstall:
rm -f ${PREFIX}/share/${APP}_mesh_background.png
rm -f ${PREFIX}/share/${APP}_*.png
rm -f ${PREFIX}/share/man/man1/backup.1.gz
rm -f ${PREFIX}/share/man/man1/restore.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}*.1.gz
rm -rf ${PREFIX}/share/${APP}
rm -rf /usr/share/${APP}
rm -f ${PREFIX}/bin/${APP}*
rm -f ${PREFIX}/bin/zeronetavahi
rm -f ${PREFIX}/bin/meshavahi
rm -f ${PREFIX}/bin/backup
rm -f ${PREFIX}/bin/backup2friends
rm -f ${PREFIX}/bin/restore
rm -f ${PREFIX}/bin/restorefromfriend
rm -f ${PREFIX}/bin/meshweb
rm -f ${PREFIX}/bin/batman
rm -rf /etc/${APP}
bash -c "./translate uninstall"
clean:
rm -f \#* \.#* debian/*.substvars debian/*.log
rm -f \#* \.#* debian/*.substvars debian/*.log src/*~
rm -fr deb.* debian/${APP}
rm -f ../${APP}*.deb ../${APP}*.changes ../${APP}*.asc ../${APP}*.dsc
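Review bot: In the `install` recipe the copy steps appear twice on this page without +/- markers, once as `install -m 755 …`/`install -m 644 …` and once as plain `cp …`; if the `cp` variant is the new side, the scripts placed in `${DESTDIR}${PREFIX}/bin` and the man pages no longer get an explicit mode, so what root ends up with depends on the checkout's permission bits and the installer's umask. I would keep `install -m 755 src/* ${DESTDIR}${PREFIX}/bin` and `install -m 644 man/*.1.gz ${DESTDIR}${PREFIX}/share/man/man1` so that a group- or world-writable file in the tree cannot land writable in a directory on root's PATH. Separately, `uninstall` runs `rm -rf /usr/share/${APP}` and `rm -rf /etc/${APP}` with no `${DESTDIR}` and no check that `APP` is non-empty, so an empty `APP` override would make those lines target `/usr/share/` and `/etc/`; a first recipe line such as `test -n "${APP}"` would guard that. The second hunk begins inside the translation targets, so the rules between the two hunks are not visible here.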

209
README.md

@ -1,208 +1,21 @@
<img src="https://github.com/bashrc/freedombone/blob/master/img/logo.png?raw=true" width=640/>
The Freedombone system can be installed onto a Beaglebone Black, or any system capable of running Debian Jessie, and allows you to host your own email and web services. With Freedombone you can enjoy true freedom and independence in the cloud. It comes in a variety of flavours.
> _"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we dont control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment."_ -- Lucas Nussbaum
- **Full install**: Installs eveything
- **Mailbox**: An email server with GPG encryption
- **Cloud**: Sync and share files. Never lose important files again
- **Social**: Social networking with Hubzilla and GNU Social
- **Media**: Runs media services such as DLNA to play music or videos on your devices
- **Writer**: Host your blog and wiki
- **Chat**: Encrypted IRC, XMPP, Tox and VoIP services for one-to-one and many-to-many chat
- **Developer**: Host your own git projects with a Github-like user interface
- **Mesh**: A wireless mesh network which is like the internet, but not the internet
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, backups. Freedombone enables you to do all of that in a self-hosted way, where you keep control of your data and it resides in your own home.
Except for the mesh variant all web systems installed also have an equivalent [onion address](https://en.wikipedia.org/wiki/.onion) so that they may be accessed via a Tor browser. This can provide some additional defense against unwanted surveillance or metadata gethering. Non-mesh variants also come with an RSS reader which provides strong reading privacy via the use of a Tor onion service.
[Here's how](https://freedombone.net/homeserver.html).
Freedombone has an emphasis on security and privacy, and when installed on a Beaglebone Black it uses the built-in hardware random number generator as an entropy source. All communications with the box are encrypted by default using the recommendations from https://bettercrypto.org. The firewall is configured to only allow communications on the necessary ports and to drop all other packets, icmp is disabled by default, emails are stored in encrypted form using your public key and time synchronisation occurs via TLS only. Backups are also encrypted and can be local or remote.
And here's how [on a Beaglebone Black](https://freedombone.net/beaglebone.html).
Freedombone is, and shall remain, 100% free software. Non-free repositories are removed automatically upon installation.
Want to make a community mesh network which doesn't depend upon the internet?
Building an image for an SBC or Virtual Machine
===============================================
You don't have to trust images downloaded from random internet locations signed with untrusted keys. You can build one from scratch yourself, and this is the recommended procedure for maximum security. For guidance on how to build images see the manpage for the **freedombone-image** command.
[You can do that too](https://freedombone.net/mesh.html).
Install the freedombone commands onto your laptop/desktop:
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
sudo apt-get install git build-essential dialog
git clone https://github.com/bashrc/freedombone
cd freedombone
sudo make install
* [Apps available on the system](https://freedombone.net/apps.html)
* [General usage](https://freedombone.net/usage.html)
* [Frequently Asked Questions](https://freedombone.net/faq.html)
Then install packages needed for building images:
sudo apt-get -y install python-docutils mktorrent vmdebootstrap xz-utils
sudo apt-get -y install dosfstools btrfs-tools extlinux python-distro-info mbr
sudo apt-get -y install qemu-user-static binfmt-support u-boot-tools qemu
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
freedombone-image -t beaglebone -s 8G
If you prefer an advanced installation with all of the options available then use:
freedombone-image -t beaglebone -s 8G --minimal no
To build a 64bit Virtualbox image:
freedombone-image -t virtualbox-amd64 -s 8G
To build a 64bit Qemu image:
freedombone-image -t qemu-x86_64 -s 8G
Other supported boards are cubieboard2, cubietruck, olinuxino-lime, olinuxino-lime2 and olinuxino-micro.
If the image build fails with an error such as "/Error reading from server. Remote end closed connection/" then you can specify a debian package mirror repository manually with:
freedombone-image -t beaglebone -s 8G -m http://ftp.de.debian.org/debian
Checklist
=========
Before installing Freedombone you will need a few things.
* Have some domains, or subdomains, registered with a dynamic DNS service
* System with a new installation of Debian Jessie or a downloaded/prepared disk image
* Ethernet connection between the system and your internet router
* That it is possible to forward ports from the internet router to the system, typically via firewall settings
* Have ssh access to the system, typically via fbone@freedombone.local on port 2222
Installation
============
There are three install options: Laptop/Desktop/Netbook, SBC and Virtual Machine.
**On a Laptop, Netbook or Desktop machine**
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
su
apt-get update
apt-get -y install git dialog build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
make install
freedombone menuconfig
**On a single board computer (SBC)**
Currently the following boards are supported:
Beaglebone Black
Cubieboard 2
Cubietruck (Cubieboard 3)
olinuxino Lime2
olinuxino Micro
If there is no existing image available then you can build one from scratch. See the section above on how to do that. If an existing image is available then you can download it and check the signature with:
gpg --verify filename.img.asc
And the hash with:
sha256sum filename.img
If the image is compressed then decompress it with:
unxz filename.img.xz
Then copy it to a microSD card. Depending on your system you may need an adaptor to be able to do that.
sudo dd bs=1M if=filename.img of=/dev/sdX conv=fdatasync
Where **sdX** is the microSD drive. You can check which drive is the microSD drive using:
ls /dev/sd*
With the drive removed and inserted. Copying to the microSD will take a while, so go and do something less boring instead. When it's complete remove it from your system and insert it into the SBC. Connect an ethernet cable between the SBC and your internet router, then connect the power cable. On the Beaglebone Black you will see some flashing LEDs, but on other SBCs there may not be any visual indication that anything is booting.
With the board connected and running you can ssh into the system with:
ssh fbone@freedombone.local -p 2222
Using the password 'freedombone'. Take a note of the new login password and then you can proceed through the installation.
**As a Virtual Machine**
Virtualbox and Qemu are supported. You can run a 64 bit Qemu image with:
qemu-system-x86_64 filename.img
If you are using Virtualbox then add a new VM and select the Freedombone **vdi** image.
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password then you can proceed through the installation.
Social Key Management (aka "The Unforgettable Key")
===================================================
During the install procedure you will be asked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
**You have the gnupg keyring on an encrypted USB drive**
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
**You have a number of key fragments on USB drives retrieved from friends**
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more **Keydrives**.
**You can specify some ssh login details for friends servers containing key fragments**
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
Final Setup
===========
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
| Service | Ports |
|---------+------------|
| HTTP | 80 |
| HTTPS | 443 |
| SSH | 2222 |
| DLNA | 1900 |
| DLNA | 8200 |
| XMPP | 5222..5223 |
| XMPP | 5269 |
| XMPP | 5280..5281 |
| IRC | 6697 |
| IRC | 9999 |
| Git | 9418 |
| Email | 25 |
| Email | 587 |
| Email | 465 |
| Email | 993 |
| VoIP | 64738 |
| Tox | 33445 |
Keydrives
=========
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
**Master Keydrive**
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Then plug it into the Freedombone system, then from your local machine run:
ssh myusername@mydomainname -p 2222
Select *Administrator controls* then *Backup and Restore* then *Backup GPG key to USB (master keydrive)*.
**Fragment keydrives**
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the *Disk Utility* application. Plug it into the Freedombone system then from your local machine run the following commands:
ssh myusername@mydomainname -p 2222
Select *Administrator controls* then *Backup and Restore* then *Backup GPG key to USB (fragment keydrive)*.
Fragments are randomly assigned and so you will need at least three or four keydrives to have enough fragments to reconstruct your original key in a worst case scenario. You can store fragments for different Freedombone systems on the same encrypted USB drive, so you can help to ensure that your friends can also recover their systems. This might be called *"the web of backups"* or *"the web of encryption"*. Since you can only write a single key fragment from your Freedombone system to a given USB drive each friend doesn't have enough information to decrypt your backups or steal your identity, even if they turn evil. This is based on the assumption that it may be difficult to get three or more friends to conspire against you all at once.
Passwords
=========
Passwords for server applications are randomly generated and can be found within **/home/username/README** after the system has fully installed. You should move those passwords into a password manager, such as KeepassX.
Administering the system
========================
To administer the system after installation log in via ssh, become the root user and then launch the control panel.
ssh fbone@freedombone.local -p 2222
Select *Administrator controls* and from there you will be able to perform various tasks, such as backups, adding and removing users and so on. You can also do this via commands, which are typically installed as /usr/local/bin/freedombone* and the corresponding manpages.
If you find bugs, or want to add a new app to this system see the [Developers Guide](https://freedombone.net/devguide.html).

33
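--- /dev/null
+++ b/doc/EN/app_dlna.org
@@ -0,0 +1,33 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, dlna
+#+DESCRIPTION: How to use DLNA
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>DLNA</h1>
+</center>
+#+END_EXPORT
+An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on an unencrypted USB thumb drive and then insert it into a USB socket on the Freedombone system.
+ssh into the system with:
+#+BEGIN_SRC bash
+ssh myusername@mydomain.com -p 2222
+#+END_SRC
+Select *Administrator controls* then *App Settings* then *dlna*. From there you can choose to attach the drive.
+The system will scan the /Music/ directory, which could take a while if there are thousands of files, but you don't need to do anything further other than perhaps to log out by selecting *Exit* a couple of times.
+If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
+The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are /no access controls/ on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network.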

38
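--- /dev/null
+++ b/doc/EN/app_dokuwiki.org
@@ -0,0 +1,38 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, dokuwiki
+#+DESCRIPTION: How to use Dokuwiki
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Dokuwiki</h1>
+</center>
+#+END_EXPORT
+Dokuwiki is a wiki which stores its content in text files. Having no database makes maintaining it simpler, and it's not tied to any particular domain name so you can easily copy the files to a different domain if you need to.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *dokuwiki*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Dokuwiki. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Dokuwiki domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.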

45
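--- /dev/null
+++ b/doc/EN/app_emacs.org
@@ -0,0 +1,45 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, emacs
+#+DESCRIPTION: How to use Emacs
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Emacs</h1>
+</center>
+#+END_EXPORT
+Emacs is a text editor popular with software developers or anyone who needs to take notes at high speed or be able to customise their editing environment to a high degree. When installed on Freedombone it can be used together the Mutt email client to edit new emails or if you need to manually edit configuration files.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps*. If Vim is selected then you might want to unselect and uninstall it first, then select *emacs*.
+* Common key combinations
+For anyone new to Emacs some common keys are:
+| CTRL-x CTRL-s | Save |
+| CTRL-x CTRL-c | Exit |
+| CTRL-l | Go to a line number |
+| CTRL-x CTRL-f | Open a file |
+| SHIFT-ALT-< | Go to the top of the file |
+| SHIFT-ALT-> | Go to the end of the file |
+| SHIFT cursors | Select text |
+| CTRL-x CTRL-h | Highlight all text |
+| ALT-w | Copy selected text |
+| CTRL-y | Paste selected text |
+| ESC-ESC-ESC | Undo current selection |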

39
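--- /dev/null
+++ b/doc/EN/app_etherpad.org
@@ -0,0 +1,39 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, etherpad
+#+DESCRIPTION: How to use Etherpad
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Etherpad</h1>
+</center>
+#+END_EXPORT
+For collaborative document editing Etherpad is hard to beat. Just log in, choose a document title and then edit. Different users will appear in different colours, and can also chat in the sidebar. This is installed as a private system in which only users on your Freedombone server will be able to create and edit documents, so it's not open to any random users on the internet.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *etherpad*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Etherpad. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Etherpad domain listed there along with an onion address. You can then navigate to your site in a browser.
+Please be aware that after installation the etherpad daemon takes a while to start up for the first time. On a low powered system such as a Beaglebone Black this can take ten minutes or more. So if you navigate to the site and see a "/Bad Gateway/" error then don't panic. Wait for ten minutes and try again.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.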

45
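--- /dev/null
+++ b/doc/EN/app_ghost.org
@@ -0,0 +1,45 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, ghost
+#+DESCRIPTION: How to use Ghost
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Ghost</h1>
+</center>
+#+END_EXPORT
+Ghost is a blogging system which uses markdown formatted posts. It's quite simple to use, and also looks nice even on small mobile screens.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *ghost*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Ghost. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Ghost blog domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
+Navigate to https://yourghostblogdomain/ghost and click on *create your account*
+Enter your email address, password and blog title.
+When prompted to invite users click on *I'll do this later*
+Under *Settings* on the *General* option you can set a description, background image and so on.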

97
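--- /dev/null
+++ b/doc/EN/app_gnusocial.org
@@ -0,0 +1,97 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, gnu social
+#+DESCRIPTION: How to use GNU Social
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>GNU Social</h1>
+</center>
+#+END_EXPORT
+GNU Social is typically referred to as a microblogging system, although with a maximum post length much longer than Twitter it's really a sort of federated community blog with a stream-based appearance which also supports markdown formatting.
+You can host your own GNU Social instance and then "/remote follow/" other users who may also be doing the same. With a federated structure this type of system is hard to censor or ban. Unlike Twitter, there are no bribed adverts pushed into your stream, and any trends happening are likely to be real rather than being manipulated by some opaque algorithm.
+You should regard anything posted to GNU Social as being /public communication/ visible to anyone on the internet. There is a direct messaging capability between users but it's not particularly secure, so for one-to-one messages stick to better methods, such as XMPP with OTR/OMEMO or Tox.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *gnusocial*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. You can also add a welcome message and background picture URL if you wish, although those things are optional. Typically the domain name you use will be a subdomain, such as /gnusocial.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for GNU Social. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your GNU Social domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
+Once you have logged in to GNU Social you may then want to select *Admin* and check or change the details. You may also wish to change the license for the site to be either Creative Commons or private.
+GNU Social has a clutter-free mobile user interface which can be accessed via a Tor compatible browser (make sure to add a NoScript exception). Unlike similar proprietary sites there are no bribed posts.
+#+BEGIN_CENTER
+[[file:images/gnusocial_mobile.jpg]]
+#+END_CENTER
+* Using with Emacs
+If you are an Emacs user it's also possible to set up GNU Social mode as follows:
+#+begin_src bash :tangle no
+mkdir ~/elisp
+git clone git://git.savannah.nongnu.org/gnu-social-mode ~/elisp/gnu-social-mode
+sed -i 's|"http"|"https"|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
+sed -i 's|http:|https:|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
+sed -i 's|http?|https?|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
+echo "(add-to-list 'load-path \"~/elisp/gnu-social-mode\")" >> ~/.emacs
+echo "(require 'gnu-social-mode)" >> ~/.emacs
+echo "(setq gnu-social-server-textlimit 2000" >> ~/.emacs
+echo " gnu-social-server \"yourgnusocialdomain\"" >> ~/.emacs
+echo " gnu-social-username \"yourusername\"" >> ~/.emacs
+echo " gnu-social-password \"gnusocialpassword\")" >> ~/.emacs
+#+end_src
+And as a quick reference the main keys are:
+| Key | Function |
+|---------------+--------------------|
+| i | Show icons |
+| CTRL-c CTRL-s | Post status update |
+| r | Repeat |
+| F | Favourite |
+| R | Reply to user |
+| CTRL-c CTRL-h | Highlight |
+| CTRL-c CTRL-r | Show replies |
+| CTRL-c CTRL-f | Friends timeline |
+* Sharing things
+If you have the GNU Social microblogging system installed then it's also possible to share things or services between groups or with particular users. This can be useful for sharing items within a family, club or in a local sharing economy. Sharing things freely, without money, reveals the social basis at the root of all economics which money normally conceals or obscures.
+Click on "/share/" or "/my catalog/" and this will switch to a screen which allows you to enter details for things to be shared or wanted.
+#+BEGIN_CENTER
+[[file:images/sharings3.jpg]]
+#+END_CENTER
+The "/catalog/" button then allows you to search for shared things within the federated network.
+#+BEGIN_CENTER
+[[file:images/sharings4.jpg]]
+#+END_CENTER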

47
doc/EN/app_gogs.org Normal file

@ -0,0 +1,47 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, gogs
#+DESCRIPTION: How to use Gogs
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>Gogs</h1>
</center>
#+END_EXPORT
Github is ok, but it's proprietary and funded by venture capital. If you been around on the internet for long enough then you know how this story eventually works itself out - i.e. badly for the users. It's really only a question of time. If you're a software developer or do things which involve the Git version control system then it's a good idea to become accustomed to hosting your own repositories, before the inevitable Github shitstorm occurs.
A Git hosting system called [[https://gogs.io][Gogs]] can optionally be installed. This is very similar to Github in appearance and use. It's lightweight and so well suited for use on low power ARM servers.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *gogs*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Gogs. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Gogs domain listed there along with an onion address. You can then navigate to your site in a browser.
In a browser navigate to your Gogs site and click the *Register* button. The first user registered on the system becomes the administrator. Once you've done that then it's a good idea to disable further registrations. Currently that's a little complicated, but you can do it as follows:
#+begin_src bash :tangle no
sudo username@domainname -p 2222
#+end_src
Select *Administrator controls* then *App Settings* then *gogs*. You can then enable or disable registration of new users.
Disabling further registrations will stop any spam accounts being created by random strangers or bots.
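Review bot: The command block under "Initial setup" reads `sudo username@domainname -p 2222`, so sudo would try to run `username@domainname` as a command instead of opening a session; the login blocks elsewhere in these pages use ssh, and the line should be `ssh username@domainname -p 2222`. The same section states that the first user registered becomes the administrator, which leaves the administrator account to whoever reaches the site first once the domain resolves. I would add a sentence telling the reader to register straight after the certificate step and to disable registration before the domain is announced. doc/EN/app_hubzilla.org carries the same first-user-becomes-administrator wording and would benefit from the same sentence.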

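--- a/doc/EN/app_htmly.org
+++ b/doc/EN/app_htmly.org
@@ -0,0 +1,39 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, htmly
+#+DESCRIPTION: How to use Htmly
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>HTMLy</h1>
+</center>
+#+END_EXPORT
+HTMLy is a databaseless blogging system.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *htmly*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for HTMLy. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your HTMLy blog domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
+Navigate to https://yourhtmlyblogdomain/login and enter your username and password. You can then create posts or edit existing ones.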

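--- a/doc/EN/app_hubzilla.org
+++ b/doc/EN/app_hubzilla.org
@@ -0,0 +1,42 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, hubzilla
+#+DESCRIPTION: How to use Hubzilla
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Hubzilla</h1>
+</center>
+#+END_EXPORT
+Hubzilla is a web publishing and social network system which includes wiki, web pages, photo albums and file storage. It also has privacy controls which allow you to define who can see which content. It's possible to write posts and have them visible only to a group of friends (known as "/privacy groups/"), with the encryption being handled automatically.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *hubzilla*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /hub.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Hubzilla. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Hubzilla domain listed there along with an onion address. You can then navigate to your site in a browser.
+On first visiting your Hubzilla site you'll see the login screen. The first thing you need to do is *register* a new user. The first user on the system then becomes its administrator.
+#+BEGIN_CENTER
+[[file:images/hubzilla_mobile.jpg]]
+#+END_CENTER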

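--- a/doc/EN/app_irc.org
+++ b/doc/EN/app_irc.org
@@ -0,0 +1,100 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombome, irc
+#+DESCRIPTION: How to use IRC
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>IRC</h1>
+</center>
+#+END_EXPORT
+IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
+* Irssi
+The easiest way to use irssi is to connect to your system, like this:
+#+BEGIN_SRC bash
+ssh myusername@mydomain -p 2222
+#+END_SRC
+Then select *IRC* from the menu. However, other than via this method using ssh, irssi isn't a very good IRC client because it doesn't have the capability to onion route messages, and therefore leaks metadata. For the best security when using your IRC server, use HexChat, Emacs ERC or another client which supports socks5 proxying.
+* HexChat
+HexChat (formerly XChat) is compatible with proxying via Tor and so provides the best security when connecting to your IRC server. It will allow you to connect to your IRC server's onion address.
+First install HexChat and set up its configuration file. This can be done on your local machine with:
+#+BEGIN_SRC bash
+freedombone-client --setup hexchat
+#+END_SRC
+Now look up the onion address for your IRC server
+#+BEGIN_SRC bash
+ssh username@mydomainname -p 2222
+#+END_SRC
+Select Administrator options, then *About this system* and make a note of the onion address for IRC. Also select the *IRC Menu* and take a note of the login password.
+Run HexChat.
+Within the network list click, *Add* and enter your domain name then click *Edit*.
+Select the entry within the servers box, then enter *ircaddress.onion/6697* or *mydomainname/6697* and press *Enter*.
+Uncheck *use global user information*.
+Enter first and second nicknames and check *connect to this network on startup*.
+If you are using the ordinary domain name (clearnet/ICANN) then make sure that *Use SSL* is checked.
+[[file:images/hexchat_setup_clearnet.jpg]]
+If you are using the onion address then *use SSL* should be unchecked and the transport encryption will be handled via the onion address itself.
+[[file:images/hexchat_setup.jpg]]
+Within the *Password* field enter the password which can be found from the IRC menu of the *control panel*.
+Select the *Autojoin channels* tab, click *Add* and enter *#freedombone* as the channel name.
+Click *close* and then *connect*.
+* Emacs
+If you are an Emacs user then you can also connect to your IRC server via Emacs.
+Ensure that tor is installed onto your local system:
+#+BEGIN_SRC bash
+sudo apt-get install tor
+#+END_SRC
+Add the following to your Emacs configuration file:
+#+BEGIN_SRC elisp
+(setq socks-noproxy '("localhost"))
+(require 'socks)
+(require 'tls)
+(setq socks-server (list "Tor socks" "localhost" 9050 5))
+(setq erc-server-connect-function 'socks-open-network-stream)
+(setq erc-autojoin-channels-alist
+'(("myircaddress.onion" "#freedombone")))
+(erc :server "myircaddress.onion" :port 6697 :nick "yourusername" :password "your IRC password")
+#+END_SRC
+* Changing or removing the IRC password
+By default the IRC server is set up to require a password for users to log in. The password is the same for all users. If you want to change or remove the password:
+#+BEGIN_SRC bash
+ssh myusername@mydomain -p 2222
+#+END_SRC
+Select /Administrator controls/ then *IRC Menu* and then change the password. An empty password will allow anyone to log in, so you can have a globally accessible IRC system if you wish, although you might want to carefully consider whether that's wise.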
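Review bot: The last line of the Emacs block, `(erc ... :password "your IRC password")`, has the reader store the IRC server password in clear text in the Emacs configuration file, and the page itself says that password is the same for all users. I would change the example to `:password (read-passwd "IRC password: ")` so the secret is typed at connect time, or at least add a sentence that the configuration file must be readable only by its owner and kept out of shared dotfile repositories. The block also loads `tls` while setting the connect function to `socks-open-network-stream`, so it appears to rely on the onion address for transport encryption; a one-line comment saying so, as the HexChat section does, would avoid readers assuming TLS is in use. The `#+KEYWORDS:` line spells the project name `freedombome`.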

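--- a/doc/EN/app_lychee.org
+++ b/doc/EN/app_lychee.org
@@ -0,0 +1,45 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, lychee
+#+DESCRIPTION: How to use Lychee
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Lychee</h1>
+</center>
+#+END_EXPORT
+Lychee is a simple and lightweight photo album for the web. Whether you're an amateur or professional photographer, or want to publish random holiday pics or cat pictures. Lychee just does what it says it does without any fuss. There is also a photo album feature within [[./app_hubzilla.html][Hubzilla]] if you need more sophisticated social photo sharing with individualised permissions.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *lychee*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Lychee. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Lychee domain listed there along with an onion address. You can then navigate to your site in a browser.
+Within a browser navigate to your lychee domain name or onion address. It should look like this:
+#+BEGIN_CENTER
+[[file:images/lychee_setup.jpg]]
+#+END_CENTER
+Within the *Administrator control panel* select *App Settings* and then *lychee*. This will show the initial login settings which you need to set up the database. To copy the password hold down the shift key, select the password then right click and copy.
+After that create a username and password and store them in your favourite password manager. And you're done. Add photos and albums as you wish.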

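--- a/doc/EN/app_mailpile.org
+++ b/doc/EN/app_mailpile.org
@@ -0,0 +1,71 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, mailpile
+#+DESCRIPTION: How to use Mailpile
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Mailpile</h1>
+</center>
+#+END_EXPORT
+Mailpile provides a nice looking webmail interface suitable for use on desktop or mobile clients. It has good support for email encryption and makes that quite an simple process. At present it's usable but still has a few bugs and limitations. If you need a fully functional email client with comprehensive encryption support then either use Mutt or Thunderbird/Icedove.
+An advantage of this type of webmail is that /it keeps your GPG keys off of any mobile devices/ so that if you lose your phone, or it gets stolen, then your email might still not be compromised.
+One down side is that this appears to be a single user system, so if you have multiple users on your Freedombone server only the administrator will actually be able to use mailpile.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *mailpile*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /mail.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Mailpile. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Mailpile domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
+If you're viewing your mail domain site on a mobile device via OrFox then make sure you allow the domain in the NoScript settings.
+Enter a password and store it within a password manager.
+Click on the *Privacy and Security* button.
+Scroll down and select *Save Settings*. Don't click on the Tor button.
+Click *Add account*.
+Enter your name, email address and password.
+Uncheck *Detect Settings* and click *Next*.
+Under *Sending Mail* select *local* or if you need to proxy outgoing email through your ISP's server select *SMTP/TLS* and enter the details, then click *Next*.
+#+BEGIN_CENTER
+[[file:images/mailpile_setup.jpg]]
+#+END_CENTER
+Under *Receiving files* select *IMAP*, the domain as *localhost*, port *143*, your username and password, then click *Next*. Astute readers may well be concerned that IMAP over port 143 is not encrypted, but since this is only via localhost communication between the Mail Transport Agent and Mailpile doesn't travel over the internet and port 143 is not opened on the firewall so it's not possible to accidentally connect an external mail client insecurely.
+#+BEGIN_CENTER
+[[file:images/mailpile_setup_keys.jpg]]
+#+END_CENTER
+Under *Security and Privacy* either select your existing encryption key or if you only get the option to create a new one then do so, then click *Add* or *Save*.
+The process of importing your email should then occur, and can take some time.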

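--- a/doc/EN/app_mumble.org
+++ b/doc/EN/app_mumble.org
@@ -0,0 +1,42 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, mumble
+#+DESCRIPTION: How to use Mumble
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Mumble</h1>
+</center>
+#+END_EXPORT
+Mumble is a well known VoIP system originally used for gaming, but which works just as well for any general conference calls or meetings.
+* Text chat
+In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.
+* Using with Ubuntu
+Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard.
+Click on "add new" to add a new server and enter the default domain name for the Freedombone, your username (which can be anything) and the VoIP server password which can be found in the *Passwords* section of the *Administrator control panel*. Accept the self-signed SSL certificate if you don't have a Let's Encrypt certificate set up for your default domain. You are now ready to chat.
+* Using with Android
+Install [[https://f-droid.org/][F-Droid]]
+If you don't have Orbot installed then enable The Guardian Project repository from the drop down menu and install it.
+Search for and install Plumble.
+Press the plus button to add a Mumble server.
+Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the *About* screen of the *Administrator control panel*, your username (which can also be anything) and the mumble password which can be found in the *Passwords* section of the *Administrator control panel*.
+Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who.
+Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users.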
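Review bot: "Accept the self-signed SSL certificate" in the Ubuntu section asks the reader to trust whatever certificate is presented on first connection, with nothing to tell the server's own certificate from one substituted on the network path. I would add a sentence saying that the fingerprint shown by the client should be compared with the fingerprint read on the server before accepting; the page does not show where Freedombone displays that fingerprint, so the wording needs the author's input. doc/EN/app_radicale.org has the same gap: it enables *Distrust system certificates* in DAVdroid and then has the reader approve the certificate by hand, which makes that approval the only check, so it should also be described as a fingerprint comparison.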

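--- a/doc/EN/app_pihole.org
+++ b/doc/EN/app_pihole.org
@@ -0,0 +1,69 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, pi-hole, ad blocker
+#+DESCRIPTION: How to block ads on your network
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>PI-Hole: The Black Hole for Web Adverts</h1>
+</center>
+#+END_EXPORT
+Idiots who have an inflated sense of self-entitlement will tell you that it's /your moral duty/ to view their mind-numbingly tedious corporate ads on their web site or YouTube channel, or else their kids will starve and the sky will fall because their revenue stream will dry up. But that's bullshit. There is nothing intrinsic or morally mandatory about adverts propping up the livelihoods of netizens, and indeed a web not primarily based on advertising money might have been a much better and more interesting place by now, with a lot less spying.
+Not only are web ads annoying, but they can consume a lot of bandwidth, be a privacy problem in terms of allowing companies to track your browsing habits and also any badly written scripts they contain may introduce exploitable security holes. Also if you're poor then adverts often make you want things that you can't have.
+You can block ads for any devices connected to your local network by installing the *pihole* app from *Add/Remove Apps* on the administrator control panel. This may help to improve overall performance of your devices by not wasting time downloading unwanted images or scripts.
+Also don't expect perfection. Though many ads may be blocked by this system some will still get through. It's a constant cat and mouse game between advertisers and blockers.
+* Set a static IP address
+Ensure that your system has a static local IP address (typically 192.168..) using the option on the control panel. You will also need to know the IP address of your internet router, which is usually *192.168.1.1* or *192.168.1.254*.
+When that's done select *About this system* from the control panel and see the IPv4 address. You can use this as a DNS address in two ways:
+* On each client system within your local network
+#+begin_src bash
+sudo chattr -i /etc/resolv.conf
+sudo nano /etc/resolv.conf
+#+end_src
+Comment out any existing entries with a # character and add:
+#+begin_src bash
+nameserver [IPv4 address from the About screen]
+#+end_src
+Normally /resolv.conf/ will be overwritten every time your reboot, but you can prevent this with:
+#+begin_src bash
+sudo chattr +i /etc/resolv.conf
+#+end_src
+* On your internet router
+If you can access the settings on your local internet router then this is the simplest way to provide ad blocking for all devices which connect to it. Unfortunately some router models don't let you edit the DNS settings and if that's the case you might want to consider getting a different router.
+Edit the DNS settings and add the IPv4 address which you got from the control panel About screen. Exactly how you do this will just depend upon your particular router model. You may also need to set the same address twice, because two addresses are conventional.
+** LibreCMC
+On a router running LibreCMC from the *Network* menu select *DHCP and DNS*. Enter the static IP address of your Freedombone system within *DNS Forwardings*, then at the bottom of the page click on *Save & Apply*. Any devices which connect to your router will now have ad blocking.
+* Configuring block lists
+You can configure the block lists which the system uses by going to the *administrator control panel*, selecting *App Settings* then choosing *pihole*. You can also add any extra domain names to the whitelist if they're being wrongly blocked or to the blacklist if they're not blocked by the current lists.
+#+BEGIN_EXPORT html
+<center>
+Return to the <a href="index.html">home page</a>
+</center>
+#+END_EXPORT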

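--- a/doc/EN/app_postactiv.org
+++ b/doc/EN/app_postactiv.org
@@ -0,0 +1,39 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, postactiv
+#+DESCRIPTION: How to use PostActiv
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>PostActiv</h1>
+</center>
+#+END_EXPORT
+PostActiv is a fork of [[./app_gnusocial.html][GNU Social]] which includes some extra fixes and optimisations to improve performance. It federates just like GNU Social does and so whether you choose GNU Social or PostActiv is really just down to personal prefernce.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *postactiv*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get a SSL/TLS certificate for it.
+After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for PostActiv. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
+* Initial setup
+If you have just obtained a Lets Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Postactiv domain listed there along with an onion address. You can then navigate to your site in a browser.
+To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
+Navigate to your PostActiv domain name and log in.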

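--- a/doc/EN/app_radicale.org
+++ b/doc/EN/app_radicale.org
@@ -0,0 +1,41 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, radicale
+#+DESCRIPTION: How to use Radicale
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Radicale</h1>
+</center>
+#+END_EXPORT
+Radicale is a calendar server which allows your to synchronise your calendar across all your devices. Support for CalDAV within various client systems can be quite patchy/flaky though, so use it with caution.
+* Installation
+Log into your system with:
+#+begin_src bash
+ssh myusername@mydomain -p 2222
+#+end_src
+Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
+Select *Add/Remove Apps* then *radicale*. If you don't already have an SSL/TLS certificate for your main domain then go to the security settings and create a new Let's Encrypt cert for it. That will ensure that your calendar events have some minimal level of protection from passive surveillance.
+* Setting up on Android
+Via F-droid install *DAVdroid*.
+There seems to be a problem with Let's Encrypt certificates with this app, but it's possible to get around it. Open DAVdroid and select the side *menu* followed by *Settings*. Enable *Distrust system certificates* and press *Reset untrusted certificates*.
+Exit from settings and press the *plus button* to add an account. Select *Login with URL and user name*. The URL should be https://yourmaindomainname/radicale/. Remember to include the trailing slash on the URL. If you installed Freedombone from a disk image then enter your username and the password which was shown at the start of installation. If not then the password for Radicale will be within *Passwords* section of the *Administrator control panel*.
+You will be prompted to approve the Let's Encrypt cerificate for your domain name, and once that's done then you should see your account as a large yellow box. Press on that and ensure that *Addresses* and *calendar* are selected.
+Now go to your calendar app and press the plus icon to add an event. You should notice that the calendar account selected is your username on the Freedombone system.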

76
doc/EN/app_rss.org Normal file

@ -0,0 +1,76 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: Freedombone, RSS
#+DESCRIPTION: How to use the RSS reader
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>RSS Reader</h1>
</center>
#+END_EXPORT
The way that RSS reading is set up on Freedombone gives you strong reading privacy. Not only is there onion routing between you and the server but also between the server and the source of the RSS feed. The only down side is that many RSS feeds are still http only, and so could be vulnerable to injection attacks, but it's expected that more of this will go to https in the foreseeable future due to a combination of growing recognition of security issues and systems like Let's Encrypt which make obtaining certificates much easier.
#+BEGIN_CENTER
[[file:images/rss_reader_mobile.jpg]]
#+END_CENTER
* Finding the onion address
See the control panel for the RSS reader onion address.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
#+END_SRC
Select *Administrator controls* then select the *About* screen.
The RSS reader is accessible only via an onion address. This provides a reasonable degree of reading privacy, making it difficult for passive adversaries such as governments, corporations or criminals to create lists of sites which you are subscribed to.
To set up the system open http://rss_reader_onion_address and log in with username *admin* and the password which can be found within the *Passwords* section of the *Administrator control panel*. You can then select the *Actions* menu and begin adding your feeds.
* On mobile
To access the RSS reader from a mobile device you can install a Tor compatible browser such as OrFox, then use the mobile onion address shown on the *About* screen of the *Administrator controls*. Remember to add the site to the NoScript whitelist, and you may also need to turn HTTPS Everywhere off.
#+BEGIN_QUOTE
A note for the paranoid is that on mobile devices you get redirected to a different onion address which is specially set up for the mobile interface, so don't be alarmed that it looks like your connection is being hijacked.
#+END_QUOTE
* With Emacs
If you are an Emacs user then you can also read your RSS feeds via the [[https://github.com/dk87/avandu][Avandu]] mode.
Add the following to your configuration, changing the address and password as appropriate.
#+begin_src emacs-lisp :tangle no
(setq avandu-tt-rss-api-url "http://rss_reader_onion_address/api/"
avandu-user "admin"
avandu-password "mypassword")
#+end_src
If you don't already have Emacs set up to route through Tor then also add the following:
#+begin_src emacs-lisp :tangle no
(setq socks-noproxy '("localhost"))
(require 'socks)
(require 'tls)
(setq socks-server (list "Tor socks" "localhost" 9050 5))
#+end_src
And ensure that the Tor daemon is installed. On a debian based system:
#+begin_src bash :tangle no
sudo apt-get install tor
#+end_src
or on Arch/Parabola:
#+begin_src bash :tangle no
sudo pacman -S tor
sudo systemctl enable tor
sudo systemctl start tor
#+end_src

78
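--- a/doc/EN/app_syncthing.org
+++ b/doc/EN/app_syncthing.org
@@ -0,0 +1,78 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, file sync
+#+DESCRIPTION: How to use Syncthing
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Syncthing</h1>
+</center>
+#+END_EXPORT
+Syncthing provides a similar capability to proprietary systems such as Dropbox, and also is well suited for use with low power single board computers. You can have one or more directories which are synchronized across your various laptops/desktops/devices, and this makes it hard for you to ever lose important files. The manner in which the synchronization is done is pretty secure, such that it would be difficult for passive adversaries (mass surveillance, "/men in the middle/", etc) to know what files you're sharing. Of course, you don't necessarily need to be running a server in order to use Syncthing, but if you do have a server which is always running then there's always at least one place to synchronize your files to or from.
+Freedombone provides Syncthing shared directories for each user on the system, plus a single shared directory for all users. The expected most common scenario here is that of a family in which members may not want to share /all of their files/ with each other, but might want to share some in a common pool (eg. birthday photos). You can also easily share between different servers.
+* On a laptop
+Install syncthing on a Debian based distro:
+#+BEGIN_SRC bash
+curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
+echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
+sudo apt-get update
+sudo apt-get install syncthing
+#+END_SRC
+Or on Arch/Parabola:
+#+begin_src bash
+sudo pacman -S syncthing
+#+end_src
+Add syncthing to your startup applications, so that it begins running when your system starts. Then either restart your system or run the command "syncthing" from a terminal.
+In another terminal log into Freedombone:
+#+BEGIN_SRC bash
+ssh username@domainname -p 2222
+#+END_SRC
+Then select *File Synchronization*.
+#+BEGIN_CENTER
+[[file:images/controlpanel/control_panel_file_sync.jpg]]
+#+END_CENTER
+Select *Show device ID* and copy the long string of letters and numbers shown, using the shift key then select the text followed by right click then select copy.
+Open a non-Tor browser and enter *http://127.0.0.1:8384* as the URL. You should now see the minimalistic user interface. Under *Remote Devices* select *Add Remote Device*. In the *Device ID* field paste the string you just copied (CTRL+v). The Device name can be anything. Under *Share Folders with Device* check *default* (or whatever folder you created on your local machine), then save.
+#+BEGIN_CENTER
+[[file:images/syncthing_browser.jpg]]
+#+END_CENTER
+From the top menu select *Actions* and then *Show ID*, then copy the ID string (usually select then CTRL+c). Go back to the terminal control panel menu and select *Add an ID* then paste what you just copied (CTRL+v). Optionally you can also provide a description so that you later can know what that string corresponds to.
+Now wait for a few minutes. Eventually you will see two messages appear within the browser asking if you want to add two new folders from the Freedombone server. Say yes to both, and specify *~/Sync* as the directory with your username and *~/SyncShared* as the shared directory. You can now copy files into your *~/Sync* directory and they will automatically be synced to the server. Those will be files which only you can access. If you copy files into *~/SyncShared* then they will also be available to any other users on the system.
+* On Android
+Install Syncthing and Connectbot from F-droid.
+Set up Connectbot to log into Freedombone.
+Select *File Synchronization*.
+Select *Show device ID* and copy the long string of letters by pressing anywhere on the screen, selecting the *menu* then *copy* and then selecting the ID string. This is very tricky on a small screen, so expect to fail multiple times before you succeed in copying the text.
+Open Syncthing and select the devices tab. Press on *+* and then paste the device ID with a long press followed by *Paste*. You may need to remove any stray characters which were copied during the previous haphazard selection process. Add a name, which can be anything.
+Now select the menu (top left or menu button) and then press on *Device ID*. It will be copied to the clipboard. Go back to Connectbot and from the control panel select *File Synchronization* followed by *Add an ID*. You can then paste in the ID with a long press, and optionally add a description for the device. When that's done you can disconnect from Connectbot.
+Now wait for a few minutes or more. Eventually you should receive two notifications (swipe down from the top to see them) which will allow you to confirm the connection to the server. Say yes to both, and specify appropriate directories for your files and the shared files. To reduce battery and data usage via the settings you can also set Syncthing to only sync while it's charging and only while it's connected to wifi.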
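Review bot: The Debian install block under "On a laptop" pipes the downloaded release key straight into `apt-key add -` with no fingerprint check, and `curl -s` hides a failed download. That key then becomes trusted for package installation, so the guide should have the reader save it to a file and compare its fingerprint with the one Syncthing publishes before adding it: `curl -fsSLo release-key.txt https://syncthing.net/release-key.txt`, then `gpg --with-fingerprint release-key.txt`, and only then `sudo apt-key add release-key.txt`. The sources line also uses plain `http://apt.syncthing.net/`; package signatures still protect integrity, but an https source, if the host serves one, would fit the page's stated privacy goals better.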

32
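--- a/doc/EN/app_tox.org
+++ b/doc/EN/app_tox.org
@@ -0,0 +1,32 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, tox
+#+DESCRIPTION: How to use Tox
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Tox</h1>
+</center>
+#+END_EXPORT
+Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within *App Settings* under *tox* within the *Administrator control panel*. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
+* The Toxic client
+Log into your system with:
+#+BEGIN_SRC bash
+ssh myusername@mydomain -p 2222
+#+END_SRC
+Then from the menu select *Run an app* followed by *tox*. Tox is encrypted by default and also routed through Tor, so it should be reasonably secure both in terms of message content and metadata.
+#+BEGIN_CENTER
+[[file:images/toxic.jpg]]
+#+END_CENTER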

149
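--- a/doc/EN/app_xmpp.org
+++ b/doc/EN/app_xmpp.org
@@ -0,0 +1,149 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, xmpp
+#+DESCRIPTION: How to use XMPP/Jabber
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>XMPP/Jabber</h1>
+</center>
+#+END_EXPORT
+Most people know XMPP as "/Jabber/" and it's sometimes regarded and an old protocol once used by Google and Facebook but which is no longer relevant. However, it still works and if appropriately configured, as it is on Freedombone, can provide the best chat messaging security currently available.
+With regard to chat apps you might have read a lot of stuff about /end-to-end security/. That's important, but to also protect the metadata of who sends messages to who the data needs to be onion routed (wrapped in multiple layers of routing encryption), and that's something which most popular chat apps don't provide. Also beware of chat apps which fundamentally rely upon Google's infrastructure. You can be sure that they extensively data mine everything and will be able to reconstruct your social graph if that's at all technically feasible, then pass that to whatever governments they're friendly with or trying to lobby.
+A well written article on the state of XMPP and how it compares to other chat protocols [[https://gultsch.de/xmpp_2016.html][can be found here]].
+* Using with Gajim
+In mid 2016 [[https://gajim.org/][Gajim]] became the first desktop XMPP client to support the [[https://en.wikipedia.org/wiki/OMEMO][OMEMO end-to-end security standard]], which is superior to the more traditional [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:
+#+begin_src bash :tangle no
+su -c 'echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list'
+sudo apt-get update
+sudo apt-get -y install gajim-dev-keyring
+sudo apt-get -y install git tor python-dev python-pip gajim-nightly
+mkdir ~/.local/share/gajim/plugins -p
+cd ~/.local/share/gajim/plugins
+git clone https://github.com/omemo/gajim-omemo
+sudo pip install protobuf==2.6.1, python-axolotl==0.1.35
+#+end_src
+Open Gajim and enter your XMPP address and password.
+Go to *Edit/Preferences* and select the *Advanced* tab. Under *Global Proxy* select *Tor* and the *Close* button. Then select *Edit/Plugins* and make sure that OMEMO is active (ticked), then select the *Close* button.
+When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.
+If you wish to make backups of the OMEMO keys then they can be found within:
+#+begin_src bash :tangle no
+~/.local/share/gajim
+#+end_src
+If you wish to use OpenPGP to encrypt your messages then go to *Edit/Accounts*, select your account and then the *Personal Information* tab. You can then choose your GPG key. When initiating a chat you can select the *Advanced* button and then select *Toggle OpenPGP Encryption*. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.
+* Using with Profanity
+The [[https://profanity.im][Profanity]] shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compomised then there are no locally stored OTR keys to be found.
+#+BEGIN_SRC bash
+ssh username@domain -p 2222
+#+END_SRC
+Then select XMPP. Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
+#+BEGIN_SRC bash
+/otr gen
+#+END_SRC
+Then to start a conversation using OTR:
+#+BEGIN_SRC bash
+/otr start otherusername@otheruserdomain
+#+END_SRC
+or if you're already in an insecure chat with someone just use:
+#+BEGIN_SRC bash
+/otr start
+#+END_SRC
+Set a security question and answer:
+#+BEGIN_SRC bash
+/otr question "What is the name of your best friends rabbit?" fiffi
+#+END_SRC
+On the other side the user can enter:
+#+BEGIN_SRC bash
+/otr answer fiffi
+#+END_SRC
+For the most paranoid you can also obtain your fingerprint:
+#+BEGIN_SRC bash
+/otr myfp
+#+END_SRC
+and quote that. If they quote theirs back you can check it with:
+#+BEGIN_SRC bash
+/otr theirfp
+#+END_SRC
+If the fingerprints match then you can be pretty confident that unless you have been socially engineered via the question and answer you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[https://www.profanity.im/otr.html][this guide]]
+When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
+* Using with Jitsi
+Jitsi can be downloaded from https://jitsi.org
+On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
+Click *Add* to add a new user, then enter the Jabber ID (yourusername@yourmaindomainname). Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
+From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
+When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
+You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
+* Using with Ubuntu
+The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
+Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
+Enter your username (username@domainname) and password.
+Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
+* Using Tor Messenger
+Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from [[https://torproject.org][torproject.org]] and the setup is pretty simple.
+* Using with Android/Conversations
+Install [[https://f-droid.org/][F-Droid]]
+Search for and install *Orbot* and *Conversations*.
+Add an account and enter your Jabber/XMPP ID and password.
+From the menu select *Settings* then *Expert Settings*. Select *Connect via Tor* and depending on your situation you might also want to select *Don't save encrypted messages*. Also within expert settings select *Keep in foreground*. This will enable you to still receive notifications when your device is in standby mode with the screen turned off.
+From the menu select *Manage accounts* and add a new account.
+#+BEGIN_SRC bash
+Jabber ID: myusername@mydomain
+Password: your XMPP password
+Hostname: mydomain (preferably your xmpp onion address)
+Port: 5222
+#+END_SRC
+Then select *Next*. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.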
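Review bot: The "Using with Ubuntu" steps tell the reader to tick *Ignore SSL certificate errors* in Empathy, which turns off server authentication, so an active attacker on the path can present any certificate and read the XMPP password and chats. I would have the reader use a Let's Encrypt certificate for the domain, as the Radicale page in this commit does, or check the self-signed certificate's fingerprint and trust only that one, and reword the step to `make sure that *Encryption required* is checked and that *Ignore SSL certificate errors* is left unchecked`. Separately, the last line of the Gajim install block has a stray comma in `sudo pip install protobuf==2.6.1, python-axolotl==0.1.35` that pip is likely to reject; it should read `sudo pip install protobuf==2.6.1 python-axolotl==0.1.35`.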

108
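--- a/doc/EN/apps.org
+++ b/doc/EN/apps.org
@@ -0,0 +1,108 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, apps
+#+DESCRIPTION: List of apps available on freedombone
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+begin_export html
+<center><h1>Apps</h1></center>
+#+end_export
+The base install of the system just contains an email server and Mutt client, but not much else. In addition from within the *Administrator control panel* under *Add/remove apps* the following are installable. This list only applies on the home server version, with the mesh network version having a different and smaller set of apps.
+#+BEGIN_CENTER
+[[file:images/controlpanel/control_panel_apps.jpg]]
+#+END_CENTER
+* DLNA
+Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
+[[./app_dlna.html][How to use it]]
+* Dokuwiki
+A databaseless wiki system.
+[[./app_dokuwiki.html][How to use it]]
+* Emacs
+If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
+[[./app_emacs.html][How to use it]]
+* Etherpad
+Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
+[[./app_etherpad.html][How to use it]]
+* Ghost
+Modern looking blogging system.
+[[./app_ghost.html][How to use it]]
+* GNU Social
+Federated social network. You can "/remote follow/" other users within the GNU Social federation.
+[[./app_gnusocial.html][How to use it]]
+* Gogs
+Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar /fork-and-pull/ workflow. If you can use Github then you can also use Gogs.
+[[./app_gogs.html][How to use it]]
+* HTMLy
+Databaseless blogging system. Quite simple and with a markdown-like format.
+[[./app_htmly.html][How to use it]]
+* Hubzilla
+Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
+[[./app_hubzilla.html][How to use it]]
+* IRC Server (ngirc)
+Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
+[[./app_irc.html][How to use it]]
+* Jitsi Meet
+Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
+* Lychee
+Make your photo albums available on the web.
+[[./app_lychee.html][How to use it]]
+* Mailpile
+Modern email client which supports GPG encryption.
+[[./app_mailpile.html][How to use it]]
+* Mumble
+The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
+[[./app_mumble.html][How to use it]]
+* PI-Hole
+The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
+[[./app_pihole.html][How to use it]]
+* PostActiv
+An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.
+[[./app_postactiv.html][How to use it]]
+* Radicale
+Calendar system compatible with CalDAV and CardDAV. Synch your calendar events easily and securely across all your devices.
+[[./app_radicale.html][How to use it]]
+* tt-rss
+Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "/the right to read/" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
+[[./app_rss.html][How to use it]]
+* Syncthing
+Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
+[[./app_syncthing.html][How to use it]]
+* Tox
+Client and bootstrap node for the Tox chat/VoIP system.
+[[./app_tox.html][How to use it]]
+* Vim
+If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
+* XMPP
+Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
+[[./app_xmpp.html][How to use it]]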


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]

92
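--- a/doc/EN/beaglebone.org
+++ b/doc/EN/beaglebone.org
@@ -0,0 +1,92 @@
+#+TITLE:
+#+AUTHOR: Bob Mottram
+#+EMAIL: bob@freedombone.net
+#+KEYWORDS: freedombone, beaglebone
+#+DESCRIPTION: How to install Freedombone onto a Beaglebone Black
+#+OPTIONS: ^:nil toc:nil
+#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
+#+BEGIN_CENTER
+[[file:images/logo.png]]
+#+END_CENTER
+#+BEGIN_EXPORT html
+<center>
+<h1>Installing Freedombone on a Beaglebone Black</h1>
+</center>
+#+END_EXPORT
+The Beaglebone Black is small, cheap, a fully open hardware design, has a hardware random number generator and consumes very little electrical power, making it suitable for all kinds of uses.
+You can easily use one to run your own internet services from home.
+#+BEGIN_CENTER
+[[file:images/bbb_above.jpg]]
+#+END_CENTER
+You will need:
+* A Beaglebone Black. The exact revision of the hardware isn't very important, but it should have an ethernet socket.
+* Optionally a plastic or metal case to protect the electronics.
+* An ethernet cable. Typically these are colour coded either blue or yellow. Either colour will do.
+* Either a 5v power supply with 5.5mm barrel plug, or a miniUSB type B cable (typically supplied with the Beaglebone) and USB to mains adaptor.
+* A microSD card at least 8 gigabytes in size. In tests Sandisk class 10 works well. Prefer smaller but faster I/O rating to larger but slower.
+* A microSD card adaptor for your laptop or desktop system, so that you can copy the disk image to the card.
+On your laptop or desktop prepare a microSD card image as follows. To create an image on a Debian based system:
+#+begin_src bash
+sudo apt-get install git
+git clone https://github.com/bashrc/freedombone
+cd freedombone
+git checkout stockholm
+sudo make install
+freedombone-image --setup debian
+#+end_src
+Or on Arch/Parabola:
+#+begin_src bash
+sudo pacman -S git
+git clone https://github.com/bashrc/freedombone
+cd freedombone
+git checkout stockholm
+sudo make install
+freedombone-image --setup parabola
+#+end_src
+#+BEGIN_CENTER
+[[file:images/microsd_reader.jpg]]
+#+END_CENTER
+If you own a domain name and have it linked to a dynamic DNS account (eg. [[https://freedns.afraid.org][freeDNS]]) and want to make a system accessible via an ordinary browser then run:
+#+begin_src
+freedombone-image -t beaglebone
+#+end_src
+Or of you want a system where the services are only accessible via onion addresses.
+#+begin_src
+freedombone-image -t beaglebone --onion yes
+#+end_src
+Onion addresses have the advantage of being difficult to censor and you don't need to buy a domain or have a dynamic DNS account. An onion based system also means you don't need to think about NAT traversal type issues.
+Connect the power and ethernet cable and plug it into your internet router.
+#+BEGIN_CENTER
+[[file:images/bbb_back.jpg]]
+#+END_CENTER
+Now follow the [[./homeserver.html][instructions given here to copy the image to the microSD drive]] beginning with running the /freedombone-client/ command. Wherever it says "USB drive" substitute "microSD drive". When the microSD drive is ready plug it into the front of the Beaglebone. The photo below also includes an Atheros wifi USB dongle plugged into the front, but that's not necessary unless you want to set up the system to run on a wifi network.
+#+BEGIN_CENTER
+[[file:images/bbb_front.jpg]]
+#+END_CENTER
+Now power cycle by removing the power plug and then inserting it again. It should boot from the microSD drive and you should see the blue LEDs on the board flashing. If they don't fash at all for a few minutes then try copying the image to the microSD card again.
+Follow the rest of the [[./homeserver.html][instructions given here]] to log in via ssh and install the system. The microSD drive /should remain inside the Beaglebone/ and not be removed. This will be its main drive, with the internal EMMC not being used at all.
+There are many apps available within the Freedombone system and trying to install them all is probably not a good idea, since this hardware is very resource constrained on CPU and especially on RAM. If the system seems to be becoming unstable and crashing then the most likely cause is running out of RAM, in which case you can try uninstalling some apps. It is possible to monitor RAM usage by logging in with ssh, exiting to the command line and then running the /top/ command.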


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -16,7 +16,7 @@
</center>
#+END_EXPORT
Freedombone is really just a couple of [[http://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/agpl.html][GNU Affero General Public License version 3]] (or later).
Freedombone is really just a couple of [[https://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/agpl.html][GNU Affero General Public License version 3]] (or later).
You can find the source code for this project [[https://github.com/bashrc/freedombone][on Github]].


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Control Panel
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]

271
doc/EN/devguide.org Normal file

@ -0,0 +1,271 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+begin_export html
<center><h1>Developers Guide</h1></center>
#+end_export
* Introduction
Freedombone consists of a set of bash scripts. There are a lot of them, but they're not very complicated. If you're familiar with the GNU/Linux commandline and can hack a bash script then you can probably add a new app or fix a bug in the system. There are no trendy development frameworks to learn or to get in your way.
* Community Statement
This project doesn't require you to take any special pledge of allegiance or subscribe to any guru's list of commandments. It does not care about your gender, race, national flag or political alignment. It is agnostic towards your religion or lack thereof. It doesn't give one hoot as to whether you are young or old, rich or poor, gay, trans, straight or just "other". It does not care if you like your eggs sunny side up or if you are a vegan.
This is an inclusive project which will take patches or pull requests from anyone, in a generous manner along the lines described by the late Pieter Hintjens in his book /Social Architecture/. Any useful patch is likely to be merged so long as it is submitted under a license compatible with AGPL3. Copyright assignment is not required.
Freedombone is a free system. That's free as in no secret source. For anything. Although there's nothing to stop you from adding proprietary utilities or apps if you wish, any patches containing closed stuff or which create dependencies upon closed systems will be regarded as trash and ignored.
This project also has a no bullshit policy. Anyone trying to cause a ruckus by trolling or engaging in behavior which is disruptive or disrespectful to others will be speedily blocked and ignored. Life's too short, and there's too much to be done.
* Adding extra apps
Suppose you have some internet application which you want to add to the system. To do this you need to create an app script which tells the system how to install/remove and also backup/restore. The script should be designed to work with the current stable version of Debian.
On an installed system the app scripts go into the directory:
#+begin_src bash
/usr/share/freedombone/apps
#+end_src
and within the project repo they appear within the /src/ directory. Your new app script should have the name:
#+begin_src bash
freedombone-app-[myappname]
#+end_src
The /myappname/ value should not contain any spaces and will appear in the list of available apps.
An example template for an app script is shown below. Copy this and add whatever variables and configuration you need. Search and replace /myappname/ with your own.
#+begin_src bash
#!/bin/bash
# Copyright (C) Year YourName <YourEmail>
#
# This program is free software: you can redistribute it
# and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# 'full' includes your app in the full installation and you
# can also add other variants, separated by spaces. The
# available variants will be detected automatically from the
# app scripts. In most cases don't change this.
VARIANTS='full'
# If you want this to appear on the control panel About screen
SHOW_ON_ABOUT=1
# If you want this app to be in the default installation,
# otherwise it will be available but not selected by default
IN_DEFAULT_INSTALL=1
SOME_IMPORTANT_CONFIG_VARIABLE='some important value'
ANOTHER_IMPORTANT_CONFIG_VARIABLE='foo'
MY_FUNKY_AVATAR=https://some-domain-or-other/fro.png
MYAPPNAME_ONION_PORT=[port number]
MYAPPNAME_DB_PASSWORD=
# A directory where the data for this app exists
MYAPP_DATA_DIR=/var/lib/somedirectory
# List of configuration variables used by the app
myappname_variables=(ONION_ONLY
MY_USERNAME
SOME_IMPORTANT_CONFIG_VARIABLE
ANOTHER_IMPORTANT_CONFIG_VARIABLE
MY_FUNKY_AVATAR
MYAPPNAME_ONION_PORT
MYAPPNAME_DB_PASSWORD)
function change_password_myappname {
PASSWORD_USERNAME="$1"
PASSWORD_NEW="$2"
# Do something to change the password
}
function reconfigure_myappname {
echo -n ''
# Do something to delete existing keys/identity and
# generate new ones
}
function upgrade_myappname {
echo -n ''
# Do something to upgrade this app.
# If it's a debian package then it will be maintained by the
# operating system and you don't need anything here
}
function backup_local_myappname {
# If your app has a MariaDB/MySQL database
backup_database_to_usb myappname
# To backup a directory
backup_directory_to_usb $MYAPP_DATA_DIR myappname
# if you need to backup data within individual user
# home directories
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
echo $"Backing up myappname config for $USERNAME"
if [ -d /home/$USERNAME/.config/myappname ]; then
backup_directory_to_usb \
/home/$USERNAME/.config/myappname \
myappname_users/$USERNAME
fi
fi
done
}
function restore_local_myappname {
temp_restore_dir=/root/tempmyappname
# If your app has a MariaDB/MySQL database
restore_database myappname
# Restore some data from a directory
# Note that we don't restore directly but to a temporary
# directory and then copy the files. This ensures that if
# there is a restore failure you don't end up with
# half-copied or corrupted files
restore_directory_from_usb $MYAPP_DATA_DIR myappname
cp -r $temp_restore_dir/$MYAPP_DATA_DIR $MYAPP_DATA_DIR
rm -rf $temp_restore_dir
# If you need to restore a configuration directory for each user
if [ -d $USB_MOUNT/backup/myappname_users ]; then
for d in $USB_MOUNT/backup/myappname_users/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $6}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
if [ ! -d /home/$USERNAME ]; then
${PROJECT_NAME}-adduser $USERNAME
fi
echo $"Restoring Vim config for $USERNAME"
function_check restore_directory_from_usb
restore_directory_from_usb $temp_restore_dir \
myappname_users/$USERNAME
cp -r $temp_restore_dir/home/$USERNAME/.config \
/home/$USERNAME/
if [ ! "$?" = "0" ]; then
rm -rf $temp_restore_dir
set_user_permissions
backup_unmount_drive
exit 664
fi
rm -rf $temp_restore_dir
fi
done
fi
}
function backup_remote_myappname {
# this should be the same as backup_local_myappname,
# but call the backup functions backup_directory_to_friend
# and backup_database_to_friend
}
function restore_remote_vim {
# this should be the same as restore_local_myappname,
# but call the restore function restore_directory_from_friend
# and restore_database_from_friend
}
function remove_myappname {
# if it's a debian package then:
apt-get -y remove --purge [my-app-package-name]
# If your app has a MariaDB/MySQL database
drop_database myappname
# If your app uses an onion address
remove_onion_service myappname ${MYAPPNAME_ONION_PORT}
}
function install_myappname {
# if it's a debian package then:
apt-get -y install [my-app-package-name]
# If you need to create a MariaDB/MySQL database for the app
MYAPPNAME_DB_PASSWORD="$(create_password 20)"
create_database myappname "$MYAPPNAME_DB_PASSWORD" $MY_USERNAME
# If you need to create an onion address for the app
MYAPPNAME_ONION_HOSTNAME=$(add_onion_service myappname \
80 ${MYAPPNAME_ONION_PORT})
# Do any other configuration
# Here you might use $ONION_ONLY or
# $SOME_IMPORTANT_CONFIG_VARIABLE
# Mark the app as having installed successfully
# If this variable isn't set then it will be assumed that
# the install has failed
APP_INSTALLED=1
}
function install_interactive_myappname {
# Interactively obtain some values using dialog, such as
# domain names. An avatar changing example is:
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Change your avatar" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Enter a URL for an image. It should be " \
$"approximately a square image." 8 75 2>$data
sel=$?
case $sel in
0)
MY_FUNKY_AVATAR=$(<$data)
if [ ${#MY_FUNKY_AVATAR} -gt 3 ]; then
clear
# do whatever is needed to change the avatar
# in your app
dialog --title $"Change your avatar" \
--msgbox $"Your avatar has been changed" 6 40
fi
;;
esac
# install_myappname will be called automatically after this function
}
# NOTE: deliberately no exit 0
#+end_src
To test your app log into your system, select *Exit to command line* then gain root powers with:
#+begin_src bash
sudo su
#+end_src
Copy your app script to */usr/share/freedombone/apps/freedombone-app-myappname*.
And run the admin control panel:
#+begin_src bash
control
#+end_src
Select *Add/Remove Apps* and if all is well then you should see your app listed as installable. Test that installing and removing it works as expected.
Submit your working app to *https://github.com/bashrc/freedombone/issues*
* Customising mesh images
If you want to make your own specially branded version of the mesh images, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
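Review bot: In the template's `restore_local_myappname`, `USERNAME` is taken from directory names on the backup drive and then expanded unquoted in `${PROJECT_NAME}-adduser $USERNAME` and in the `restore_directory_from_usb` and `cp -r` arguments. A name containing spaces or glob characters would split into extra arguments unless `is_valid_user` (not shown on this page) already rejects it. Since the template is meant to be copied, the expansions should be quoted, e.g. `cp -r "$temp_restore_dir/home/$USERNAME/.config" "/home/$USERNAME/"`. The first restore call passes `$MYAPP_DATA_DIR` where the comment above it and the later per-user call suggest `$temp_restore_dir` was intended. `backup_remote_myappname` and `restore_remote_vim` contain only comments, which bash rejects as a syntax error, so they need the `echo -n ''` placeholder the other stubs use (and the second should be named `restore_remote_myappname`); `exit 664` is also outside the 0-255 range and will be reported modulo 256.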


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Frequently asked questions
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -18,8 +18,11 @@
#+BEGIN_CENTER
#+ATTR_HTML: :border -1
| [[What applications are supported?]] |
| [[I don't have a static IP address. Can I still install this system?]] |
| [[Why Freedombone and not FreedomBox?]] |
| [[Why not support building images for Raspberry Pi?]] |
| [[Why use Tor? I've heard it's used by bad people]] |
| [[Why use Github?]] |
| [[Keys and emails should not be stored on servers. Why do you do that?]] |
| [[./mirrors.html][I have a question about mirrors or upstream repositories]] |
@ -29,6 +32,7 @@
| [[Why not use Signal for mobile chat?]] |
| [[What is the most secure chat app to use on mobile?]] |
| [[How do I remove a user from the system?]] |
| [[Why is logging for web sites turned off by default?]] |
| [[How do I reset the tripwire?]] |
| [[Is metadata protected?]] |
| [[How do I create email processing rules?]] |
@ -43,14 +47,66 @@
| [[Why does my email keep getting rejected as spam by Gmail/etc?]] |
#+END_CENTER
* What applications are supported?
* *Email* - Server and Mutt client configured for use with GPG and Emacs or Vim
* *DLNA* - Play music on your local network devices
* *Dokuwiki* - Databaseless wiki
* *GNU Social* - Federated social network and resource sharing system
* *Gogs* - Host your git projects
* *qTox* - Chat and VoIP client on mesh networks
* *HTMLy* - Databaseless blogging system
* *Pelican* - Static blogging system used on mesh networks
* *Hubzilla* - Federated social networking and web publishing
* *IRC server*
* *Obnam* - Encrypted backups to USB or to other servers
* *Mumble* - VoIP and text chat
* *pi-hole* - Block internet ads on your local network
* *tt-rss* - Accessible via an onion address to give you /the right to read/ from any device
* *sipwitch* - Telephony system
* *Syncthing* - File sync
* *IPFS* - For accessing sites on a mesh network
* *Toxcore/Toxic* - Bootstrap node and client
* *XMPP server* - Including XEPs needed to support the Conversations Android app with OMEMO
* *Shell based web browser* - if all else fails then ssh to your server and browse from there
* I don't have a static IP address. Can I still install this system?
Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
The lack of a static IP address can be worked around by using a dynamic DNS service. Freedombone uses [[http://troglobit.com/inadyn.html][inadyn]] , which supports a variety of dynamic DNS providers.
The lack of a static IP address can be worked around by using a dynamic DNS service. Freedombone uses [[https://troglobit.com/inadyn.html][inadyn]] , which supports a variety of dynamic DNS providers.
* Why Freedombone and not FreedomBox?
When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
** Similarities
- Uses freedom-maker and vmdebootstrap to build debian images
- Supports the use of Tor onion addresses to access websites
- Typically runs on ARM single board computers
- Both projects aim to increase independence and privacy for internet users
- Both projects aim to make running your own server at home easy
- Both projects include wiki, blog, VoIP and file sync
- Both projects enable easy installation and removal of apps
- Both are typically "bare metal" rather than running as VMs or containers
- Both currently are hosted on Github
** Differences
- FreedomBox is a Debian pure blend. Freedombone is not
- Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards
- FreedomBox is aimed at consumers. Freedombone is aimed at slightly more technical people who don't have time to configure servers
- Freedombone includes some software not yet in the official Debian repos
- Freedombone includes an email server set up for use with GPG by default
- Freedombone has encrypted backups capability
- Freedombone implements the /social key management/ idea which was described in a 2012 FreedomBox meetup
- Freedombone implements recommendations from bettercrypto.org whereas FreedomBox sticks to Debian default crypto settings
- Freedombone has a mesh network version. FreedomBox doesn't yet
* Why not support building images for Raspberry Pi?
The FreedomBox project supports Raspberry Pi builds, and the image build system for Freedombone is based on the same system. However, although the Raspberry Pi can run a version of Debian it requires a closed proprietary blob in order to boot the hardware. Who knows what that blob might contain or what exploits it could facilitate. From an adversarial point of view if you were trying to deliver "bulk equipment interference" then it doesn't get any better than piggybacking on something which has control of the boot process, and hence all subsequently run processes.
So although the Raspberry Pi is cheap and hugely popular it's not supported by the Freedombone project. Perhaps future versions of the Pi won't have the proprietary blob requirement, or maybe the blob will be open sourced at some stage.
* Why use Tor? I've heard it's used by bad people
Before you run screaming for the hills based upon whatever scare story you may have just read in the mainstream media there are a few things worthy of consideration. Tor is installed by default on Freedombone, /but not as a relay or exit node/. It's only used to provide onion addresses so that this gives you or the viewers of your sites some choice about how they access the information. It also allows you to subscribe to and read RSS feeds privately.
Onion routing - which is what Tor provides - gives you some level of protection against bulk surveillance of metadata. These days governments and other organisations are in the business of collecting and analysing your metadata. They want to have comprehensive lists of which sites you visited, or who visited your sites. Tor may at least partially help to thwart their totalitarian ambitions to know everything about everyone all of the time.
Tor is not a perfect system and is not fully decentralised. Like all software it has bugs, but it can be considered to probably be an effective tactic against some of the most egregious surveillance fanatics out there.
The media may also have sold you torrid tales about individual Tor project developers. While the conduct of individuals does matter, what matters far more is whether the technical system works and is practical for the average user. Don't allow your opinions of the technical system to be deflected by transient sex scandals or oppressive moralising, and /don't hold anyone to standards higher than you would apply to yourself/.
* Why use Github?
Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
@ -75,6 +131,8 @@ In the home environment a box with a good firewall and no GUI components install
* Why can't I access my .onion site with a Tor browser?
Probably you need to add the site to the NoScript whitelist. Typically click/press on the noscript icon (or select from the menu on mobile) then select /whitelist/ and add the site URL. You may also need to disable HTTPS Everywhere when using onion addresses, which don't use https.
Another factor to be aware of is that it can take a while for the onion address to become available within the Tor network. In tests the amount of time between creating a site and being able to access it's onion address seems to vary between a minute or two and half an hour. So don't be too impatient if the address doesn't appear to resolve straight away.
* What is the best hardware to run this system on?
It was originally designed to run on the Beaglebone Black, but that should be regarded as the most minimal system, because it's single core and has by today's standards a small amount of memory. Obviously the more powerful the hardware is the faster things like web pages (blog, social networking, etc) will be served but the more electricity such a system will require if you're running it 24/7. A good compromise between performance and energy consumption is something like an old netbook. The battery of an old netbook or laptop even gives you [[https://en.wikipedia.org/wiki/Uninterruptible_power_supply][UPS capability]] to keep the system going during brief power outages or cable re-arrangements, and that means using full disk encryption on the server also becomes more practical.
@ -100,6 +158,7 @@ If you are currently using a proprietary chat app, something without any encrypt
* *It requires the installation of Google Play*. If you already have Google Play installed on a stock Android OS then this doesn't increase your security problems, but for other more secure Android variants it's a massive increase in attack surface.
* *It depends entirely upon the Google message pushing system*. That means that Google /at least knows who Signal messages are being sent to and may be able to infer the rest via your (insecure) Android phone contact list or via timing correlation of alternating deliveries/. Remember that for an adversary metadata in aggregate is much better than having the content of messages. At any time Google could decide that it doesn't want to support Signal, or in adverse circumstances they could be leaned upon by the usual agencies or government cronies.
* *Their privacy policy indicates that they will give whatever server data they have to third parties* under some conditions. Of course this is always claimed to be /for the very best of reasons/ - such as combating fraud - but once that sort of disclosure capability exists it may be abused without you ever knowing about it.
* *Forking isn't really an option*. A fork was tried, but Moxie got annoyed when it still used his server. At the same time the level of interest in federating the server is not detectable with our best intrumentation, and is suspected to be negative. That's a catch 22 which effectively means that independent implementations of Signal will always leave some users unable to communicate with each other.
To give credit where it's due Signal is good, but it could be a lot better. The real solution for private chat is to run your own XMPP server, as you can with Freedombone, or to have someone within your community do that. /There is no substitute for a decentralised solution which is within the control of your community/.
* What is the most secure chat app to use on mobile?
@ -116,6 +175,12 @@ ssh username@mydomainname -p 2222
#+end_src
Select /Administrator controls/ then /Manage Users/ and then /Delete a user/. Note that this will delete all of that user's files and email.
* Why is logging for web sites turned off by default?
If you're making profits out of the logs by running large server warehouses and then data mining what users click on - as is the business model of well known internet companies - then logging everything makes total sense. However, if you're running a home server then logging really only makes sense if you're trying to diagnose some specific problem with the system, and outside of that context logging everything becomes more of a liability than an asset.
Logs can potentially become quite large and frequent logging isn't a great idea if you're running on a flash disk since it just increases the wear rate and thus shortens its usable lifetime. Also from a security perspective if a compromise occurs then the attacker gets considerably less social information if there are no logs containing timestamped IP addresses.
On the Freedombone system web logs containing IP addresses are turned off by default. They're not deleted, they're just never created in the first place. If you need to turn logging on in order to fix a problem then go to the *Administrator control panel* and enable logging. If you don't manually turn it off again then it will turn itself off automatically at the next system update, which is typically a few days away.
* How do I reset the tripwire?
The tripwire will be automatically reset once per week. If you want to reset it earlier then do the following:
@ -160,49 +225,6 @@ And see some error related to checking for changes in the IP address then you ca
https://check.torproject.org/
https://www.whatsmydns.net/whats-my-ip-address.html
https://www.privateinternetaccess.com/pages/whats-my-ip/
http://checkip.two-dns.de
http://ip.dnsexit.com
http://ifconfig.me/ip
http://ipecho.net/plain
http://checkip.dyndns.org/plain
http://ipogre.com/linux.php
http://whatismyipaddress.com/
http://ip.my-proxy.com/
http://websiteipaddress.com/WhatIsMyIp
http://getmyipaddress.org/
http://www.my-ip-address.net/
http://myexternalip.com/raw
http://www.canyouseeme.org/
http://www.trackip.net/
http://icanhazip.com/
http://www.iplocation.net/
http://www.howtofindmyipaddress.com/
http://www.ipchicken.com/
http://whatsmyip.net/
http://www.ip-adress.com/
http://checkmyip.com/
http://www.tracemyip.org/
http://checkmyip.net/
http://www.lawrencegoetz.com/programs/ipinfo/
http://www.findmyip.co/
http://ip-lookup.net/
http://www.dslreports.com/whois
http://www.mon-ip.com/en/my-ip/
http://www.myip.ru
http://ipgoat.com/
http://www.myipnumber.com/my-ip-address.asp
http://www.whatsmyipaddress.net/
http://formyip.com/
http://www.displaymyip.com/
http://www.bobborst.com/tools/whatsmyip/
http://www.geoiptool.com/
http://checkip.dyndns.com/
http://myexternalip.com/
http://www.ip-adress.eu/
http://www.infosniper.net/
http://wtfismyip.com/
http://ipinfo.io/
http://httpbin.org/ip
#+end_src
* How do I change my encryption settings?
@ -282,15 +304,12 @@ ssh username@mydomainname -p 2222
Select /Administrator controls/ then *Security settings* then *Create a new Let's Encrypt certificate*.
* Why use self-signed certificates?
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up /scary-scary looking/ browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/.
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up /scary-scary looking/ browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/. They probably will protect the content of your communications from passive bulk interception - such as the tapping of under-sea cables.
The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can actually be trusted. Yes, /Let's Encrypt/ is awesome and very convenient but it's really a small sticking plaster over a much bigger problem. If you don't believe me then do some independent research on the history of certificate authorities and the scandals associated with them, then consider how many of those within your browser (usually under advanced settings) are "trusted". Some of those "trusted" certs are for companies with /incredibly sketchy reputations/, or governments such as that of China. Consider whether you judge the Chinese government to always be truthful about which certificate belongs to which domain, and that it will never abuse such a capability for censorship or political/commercial advantage. Then you'll begin to get an idea of the ramshackle nature of what currently exists.
The current strategy on this system is to typically create self-signed certificates during the initial installation but also to have the ability to easily convert those to LetsEncrypt certificates via the security settings on the administrator control panel.
So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded.
You might say, /"but surely LetsEncrypt is a single point of failure!"/, and you'd be right. Maybe at some point in future LetsEncrypt is no longer a thing, or no longer considered sufficiently secure. That's why building in total dependence upon one organisation is a bad idea, and it's still possible to have self-signed certs as a fallback option.
Despite the hype, security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but /good enough to fool most of the people most of the time/ kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving.
For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
* Why not use the services of $company instead? They took the Seppuku pledge
[[https://cryptostorm.org/viewtopic.php?f=63&t=2954&sid=7de2d1e699cfde2f574e6a7f6ea5a173][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
* Why does my email keep getting rejected as spam by Gmail/etc?

154
doc/EN/homeserver.org Normal file

@ -0,0 +1,154 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+begin_export html
<center><h1>Home Server</h1></center>
#+end_export
The quickest way to get started is as follows. You will need to be running a Debian based system (version 8 or later), have an old but still working laptop or netbook which you can use as a server, and 8GB or larger USB thumb drive and an ethernet cable to connect the laptop to your internet router.
First install freedombone onto your local system (not the target hardware that you want to run Freedombone on). On a debian based distro:
#+begin_src bash
sudo apt-get install git
git clone https://github.com/bashrc/freedombone
cd freedombone
git checkout stockholm
sudo make install
freedombone-image --setup debian
freedombone-image -t i386 --onion yes
#+end_src
Or on Arch/Parabola:
#+begin_src bash
sudo pacman -S git
git clone https://github.com/bashrc/freedombone
cd freedombone
git checkout stockholm
sudo make install
freedombone-image --setup parabola
freedombone-image -t i386 --onion yes
#+end_src
Now prepare your local system to talk to the freedombone by running the following command. This will set up avahi and create ssh keys if necessary.
#+begin_src bash
freedombone-client
#+end_src
#+BEGIN_CENTER
[[file:images/tor_onion.jpg]]
#+END_CENTER
The version in which sites are available only via onion addresses is the easiest to get started with, since you can evaluate the system without committing to buying an ICANN domain name or needing to get involved with SSL/TLS certificates at all. However, if you do want your sites to be available typically as subdomains of a domain name which you own then remove the *--onion yes* option from the last command shown above.
If you want to create images for microSD cards used within various single board computers then replace the *i386* with *beaglebone* / *cubieboard2* / *cubietruck* / *a20-olinuxino-lime* / *a20-olinuxino-lime2* / *a20-olinuxino-micro* or *apu*.
#+BEGIN_CENTER
[[file:images/beaglebone_black9.jpg]]
#+END_CENTER
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
List what drives are on your system with:
#+begin_src bash
ls /dev/sd*
#+end_src
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
#+begin_src bash
dd bs=1M if=myimagefile.img of=/dev/sdX conv=fdatasync
#+end_src
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use as a server, power on and set the BIOS to boot from the USB stick.
As the system boots for the first time the login is:
#+begin_src bash
username: fbone
password: freedombone
#+end_src
If you're installing from a microSD card on a single board computer without a screen and keyboard attached then you can ssh into it with:
#+begin_src bash
ssh fbone@freedombone.local -p 2222
#+end_src
Using the initial password "/freedombone/".
You will then be shown a new randomly generated password. It's *very important* that you write this down somewhere before going further, because you'll need this to log in later.
You'll be asked to set a username and a "real" name (or nickname), then the rest of the installation will be automatic. Again, it takes a while, so go and do something less boring instead. At the end of the base install you can also choose to install specific apps, but if you want to do that later then just press Enter.
When it's installed on your local system open a terminal and verify the ssh server key hash with:
#+begin_src bash
freedombone-client --verify
#+end_src
This will show the hash code for the public ssh key of the Freedombone system.
#+BEGIN_CENTER
[[file:images/ssh_key_verify.jpg]]
#+END_CENTER
Open another terminal window then run:
#+begin_src bash
freedombone-client
ssh myusername@freedombone.local -p 2222
#+end_src
Use the password you wrote down earlier to log in. Select the *administrator control panel* with up and down cursor keys, space bar and enter key. You should see something like this, and you might need to re-enter your password.
#+BEGIN_CENTER
[[file:images/controlpanel/control_panel.jpg]]
#+END_CENTER
Then select *About*. You'll see a list of sites and their onion addresses.
#+BEGIN_CENTER
[[file:images/controlpanel/control_panel_about.jpg]]
#+END_CENTER
The About screen contains the ssh server public key hashes and you can compare the relevant one with the previous terminal window to verify that they're the same. If they're not then you might have a /machine-in-the-middle/ snooping on you.
You have now confirmed a secure connection. Probably. If you're still sceptical then you can power off the system, remove the microSD card and manually check the public keys within the /etc/ssh directory on the drive.
Press any key to exit from the About screen. You can then select *Add/Remove apps* and add whatever applications you wish to run. Note that some apps will only run on x86 systems, but most will install and run on ARM single board computers. More details on particular apps can be [[./apps.html][found here]].
#+BEGIN_CENTER
[[file:images/controlpanel/control_panel_apps.jpg]]
#+END_CENTER
Once your apps have installed you can go back to the About screen, pick an onion address and try it within a Tor compatible browser. You'll need to know the login passwords and those can be found within the /Passwords/ section of the administrator control panel. An axiom of the Freedombone system is that /if given the choice users will usually use insecure passwords/, so on this system passwords are generated randomly. If you need to then you can transfer the passwords into your favourite password manager and remove them from the server by going to the *Security Settings* section of the administrator control panel and choosing *Password storage*.
*Congratulations! You have now become a citizen of the free internet.*
*Use your new powers wisely.*
Of course, this is just one way in which you can install the Freedombone system. If you have a single board computer (SBC) such as a [[./beaglebone.html][BeagleBone Black]] or OLinuxino you can make disk images for those too. You can even create clearnet sites if you have your own domain name. ARM boards with closed proprietary boot blobs are not supported. For more details run:
#+begin_src bash
man freedombone-image
#+end_src
#+BEGIN_CENTER
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
#+END_CENTER


@ -1,80 +1,39 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<table style="width:50%; border:0">
<tr>
<td><center><a href="variants.html">Variants</a></center></td>
<td><center><a href="installation.html">Install</a></center></td>
<td><center><a href="usage.html">Use</a></center></td>
<td><center><a href="backups.html">Backups</a></center></td>
<td><center><a href="mirrors.html">Mirrors</a></center></td>
</tr>
<tr>
<td><center><a href="code.html">Code</a></center></td>
<td><center><a href="controlpanel.html">Control Panel</a></center></td>
<td><center><a href="related.html">Related</a></center></td>
<td><center><a href="faq.html">F.A.Q.</a></center></td>
<td><center><a href="support.html">Contact/Support</a></center></td>
</tr>
</table>
</center>
#+END_EXPORT
#+begin_quote
"/With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we dont control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment./"
With the right technology the internet can be a space for free expression, exploration, cooperation, learning and fun. A place to connect with others are share experiences. It doesn't have to be a gloomy surveillance prison owned and run by a diabolical synthesis of money-grabbing megacorporations and prurient government spooks brandishing "bulk/general warrants". Freedombone is designed to help you surmount the contemporary digital privacy conundrums and to increase your online autonomy. It's a self-hosted home server configuration which can be installed onto any computer capable of running [[https://www.debian.org/][Debian]], so if you have an old laptop or netbook which you can leave turned on then you can use Freedombone to provide your own internet services, such as blogging, wiki, email, chat and social networking and have independence from the well known internet companies.
-- Lucas Nussbaum
#+end_quote
#+BEGIN_EXPORT html
<center>
<b>Four Scenarios</b>
<table style="width:95%; border:0">
<tr>
<td><center><h6>Home server</h6>Plugged into your home wifi router. Add a few friends and family as users</center></td>
<td><center><h6>Home server + Hotspot</h6>Also provides a wifi hotspot to extend your home network</center></td>
<td><center><h6>Server in your pocket</h6>Roaming wireless server with services accessible via onion addresses</center></td>
<td><center><h6>Mesh node</h6>Dynamic networks which don't depend on the conventional internet. Distributed, scalable and fully encrypted</center></td>
</tr>
<tr>
</tr>
</table>
</center>
#+END_EXPORT
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, backups. Freedombone enables you to do all of that in a self-hosted way, where you keep control of your data and it resides in your own home.
This is personal or family scale computing, which can then federate to global proportions. We need [[http://www.alainet.org/en/articulo/168669][community controlled]] information systems and to achieve that they must be inexpensive and simple to install and maintain. This is the opposite of the current dominant paradigm of [[https://www.youtube.com/watch?v=XZmGGAbHqa0][titanic server warehouses]] owned by a tiny number of individuals and it's what is sometimes refered to as [[http://mediagoblin.org/news/userops.html]["userops"]] - i.e. a user being able to do what traditionally only a professional systems administrator would be able to.
[[./homeserver.html][Here's how]].
With a system installed in your home you also have greater legal protection against unwarranted or "bulk warrant" searches. In general as soon as you put your information onto systems which you don't own then you no longer have the same property rights over it, together with "/no reasonable expectation of privacy/" otherwise known as the third party doctrine. We all know that's a nonsense, and so maybe we should do something about it.
And here's how [[./beaglebone.html][on a Beaglebone Black]].
#+BEGIN_QUOTE
"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we dont control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment." -- Lucas Nussbaum
#+END_QUOTE
Want to make a community mesh network which doesn't depend upon the internet?
Today everyone is concerned about privacy on the internet. Wanting privacy doesn't necessarily mean you have "something to hide". It just means having the ability to choose /what information to share, with whom and under what conditions/ and therefore being able to shape your own life story. The loss of ability to choose via the "involuntary sharing" which many people experience when using communications systems built by the well known internet companies, means that you're no longer really running your own affairs and that others may begin to exert an improper amount of influence over you. Mass surveillance is perhaps the ultimate in involuntary sharing and it's only through the use of freedom respecting software together with a solid determination to overcome state and corporate abuses of technology that we can hope to get to the kind of internet in which respect for human dignity is built in as a core feature.
[[./mesh.html][You can do that too]].
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
* [[./apps.html][Apps available on the system]]
* [[./usage.html][General usage]]
* [[./faq.html][Frequently Asked Questions]]
If you find bugs, or want to add a new app to this system see the [[./devguide.html][Developers Guide]].
#+BEGIN_CENTER
[[file:images/nocloud.png]]
#+END_CENTER
Another problem is the precariousness of the terms of service. Except in rare cases such terms are not easy to read, so many people end up clicking through terms which if explained more clearly they would never agree to. Over the past decade many internet users have had the unpleasant experience of having their blogs, videos or other web content inexplicably removed, typically due to some ill-defined terms of service violation or a false accusation of copyright infringement. There have been valiant attempts to improve the readability of terms of service documents, using icons or clearer language, and to generate a sort of marketplace in which people would choose what web systems they use based on the terms documents - to make the privacy/autonomy bargaining more explicit. These efforts were well-intentioned, but have conclusively failed. Even in the best case, that approach doesn't take into account the coercive network effects or large web systems.
You can bypass all of these dilemmas and take back ownership of your internet content with Freedombone. Originally based upon the Beaglebone Black, Freedombone is a small and cheap home server which enables you to use email, have your own web site and do social networking without any built-in spying and without having to agree to any legal terms of service other than those of your ISP. It provides independence and security in an era where those things are in short supply.
#+BEGIN_QUOTE
"The deepest problem is that the system architecture that has evolved in recent years holds masses of information on many people with no intelligence value, but with vast potential for political abuse." -- Ross Anderson
#+END_QUOTE
Freedombone is an example of the internet as it was supposed to be: a network of peers, rather than a small number of gigantic server farms with everyone connecting to them. Even if they're well run, centralised server farms become a conspicuous target for /all kinds of nefariousness/ and in any future wars they're bound to be amongst the first facilities to receive the "/shock and awe/" treatment. Also consider just what is being "farmed". If a robust information society is desirable then excessive centralisation of control over information should be avoided.
An emphasis of the Freedombone project is the protection of private communications from indiscriminate mass surveillance, otherwise known as "/bulk intercept/" or "/warrantless wiretapping/". With only a few exceptions data entering and leaving the system is encrypted using settings recommended by [[https://bettercrypto.org][bettercrypto.org]]. Stored emails are encrypted such that only someone knowing your GPG password can read them and a GPG key is created automatically if you don't already have one. The system is firewalled with only the necessary ports being opened. Exclusively [[http://en.wikipedia.org/wiki/Free_software][free software]] is used so that all of it can potentially be security audited and proprietary repositories are disabled by default. There are still numerous security problems with the internet in general and software always contains bugs, but a best attempt has been made to ensure that the Freedombone is at least more secure than average.
#+BEGIN_CENTER
This site can also be accessed via a Tor browser at [[http://4fvfozz6g3zmvf76.onion][http://4fvfozz6g3zmvf76.onion]]
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
#+END_CENTER


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -41,9 +41,13 @@ sudo make install
Then install packages needed for building images:
#+BEGIN_SRC bash
sudo apt-get -y install python-docutils mktorrent vmdebootstrap xz-utils
sudo apt-get -y install dosfstools btrfs-tools extlinux python-distro-info mbr
sudo apt-get -y install qemu-user-static binfmt-support u-boot-tools qemu
freedombone-image --setup debian
#+END_SRC
or on an Arch/Parabola system:
#+BEGIN_SRC bash
freedombone-image --setup parabola
#+END_SRC
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
@ -58,12 +62,6 @@ If you prefer an advanced installation with all of the options available then us
freedombone-image -t beaglebone -s 8G --minimal no
#+END_SRC
To build a 64bit Virtualbox image:
#+BEGIN_SRC bash
freedombone-image -t virtualbox-amd64 -s 8G
#+END_SRC
To build a 64bit Qemu image:
#+BEGIN_SRC bash
@ -105,8 +103,8 @@ freedombone menuconfig
** On a single board computer (SBC)
Currently the following boards are supported:
* [[http://beagleboard.org/BLACK][Beaglebone Black]]
* [[http://linux-sunxi.org/Cubietech_Cubieboard2][Cubieboard 2]]
* [[https://beagleboard.org/BLACK][Beaglebone Black]]
* [[https://linux-sunxi.org/Cubietech_Cubieboard2][Cubieboard 2]]
* [[https://linux-sunxi.org/Cubietruck][Cubietruck (Cubieboard 3)]]
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME/open-source-hardware][olinuxino Lime]]
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME2/open-source-hardware][olinuxino Lime2]]
@ -154,14 +152,12 @@ Using the password 'freedombone'. Take a note of the new login password and then
** As a Virtual Machine
Virtualbox and Qemu are supported. You can run a 64 bit Qemu image with:
Qemu is currently supported, since it's s fully free software system. You can run a 64 bit Qemu image with:
#+BEGIN_SRC bash
qemu-system-x86_64 -m 1G filename.img
#+END_SRC
If you are using Virtualbox then add a new VM and select the Freedombone *vdi* image.
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password and then you can proceed through the rest of the installation.
* Social Key Management - the 'Unforgettable Key'
@ -174,7 +170,7 @@ If you previously made some USB drives containing key fragments then retrieve th
** You can specify some ssh login details for friends servers containing key fragments
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
* Final Setup
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
Any manual post-installation setup instructions or passwords can be found in /home/username/README.
On your internet router, typically under firewall settings, open the following ports and forward them to your server.


@ -1,202 +1,245 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>Mesh Network</h1>
</center>
#+END_EXPORT
#+begin_export html
<center><h1>Mesh Network</h1></center>
#+end_export
| [[What is a mesh network?]] |
| [[The Freedombone Mesh]] |
| [[Installation]] |
| [[Wifi adaptors]] |
| [[Using the mesh]] |
| [[Further reading]] |
#+BEGIN_CENTER
[[file:images/mesh_screenshot.jpg]]
#+END_CENTER
* What is a mesh network?
The internet as it currently exists is mostly organised according to a client/server model. Servers run the web services and store the data and clients are the laptops, desktops and other devices accessing the servers. In a mesh network there isn't any clear division between clients and servers. The computers on a mesh network are known as "peers" and they can perform the functions of both clients and servers. Commonly this is also known as a "peer to peer" network.
|------------------------+---+-------------+---+----------------------+---+---------------|
| [[What the system can do]] | - | [[Disk Images]] | - | [[Building Disk Images]] | - | [[How to use it]] |
|------------------------+---+-------------+---+----------------------+---+---------------|
The client/server and mesh network models have advantages and disadvantages. If the server in a client/server system fails then you can have catastrophic service outages which affect many users. If a peer in a mesh network fails then the other peers may be mostly unaffected and communications can continue. The disadvantage of mesh networks is that each peer relays data for other peers and so the bandwidth usage by each peer may be higher than for a client in a client/server system. However, with modern hardware that's not much of an issue.
Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small business internal office communications, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies. The down side is that you can't access any internet content. The upside is that you can securely communicate with anyone on the local mesh. No ISPs. No payments or subscriptions beyond the cost of obtaining the hardware. Systems need to be within wifi range of each other for the mesh to be created. It can be an ultra-convenient way to do purely local communications.
Mesh networks are useful for building local and highly resillient communications infrastructure which can be put together rapidly, in situations where the ordinary internet is either unavailable or untrustworthy.
* What the system can do
Example use cases would be:
- Discovery of other users on the network
- Text based chat, one-to-one and in groups
- Voice chat (VoIP)
- Private and public sharing of files
- Blogging
- No network administration required
- No servers, internet connection or cabling is needed.
- Works from bootable USB drives or microSD drives.
- Data is mesh routed between systems
- Private communications is end-to-end secured and forward secret.
- Publicly shared data is /content addressable/.
* Conferences / Exhibitions
* Local community networks, not run by telcos or ISPs
* Emergency services / Disaster relief
* Camp sites
* War zones
* Scientific expeditions to remote areas
* Onboard smaller ships without satellite internet, captain/crew communications
* Underground (mines or caves)
* Protests / Occupations of buildings
* Eventually in space for manned missions to other planets, moons or asteroids
This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
* The Freedombone Mesh
The Freedombone mesh is offline - in the sense of not being part of the larger internet - and consists of a set of computers with the software installed communicating wirelessly using ordinary wifi. Peers can enter or leave the network and it will adjust automatically. All communications between peers is end-to-end encrypted, so although it's easy to join the network it's not easy to passively evesdrop.
* Installation
** Two types of system
Installation is split into two categories, /routers/ and /user devices/.
* Disk Images
** Client images
A router is a computer which is dedicated to moving network traffic and building out the mesh infrastructure. It's not primarily intended to have a user interface. Hardware such as the Beaglebone Black is ideal for this, because it's small, inexpensive and doesn't consume much electrical power and so can be fitted in any location where an electricity supply is available.
#+BEGIN_CENTER
[[file:images/mesh_netbook.jpg]]
#+END_CENTER
Small computers acting as mesh routers can also be battery operated or solar powered so that the network need not be statically sited. They could be included in a backpack for camping, fitted within moving vehicles, strapped to protest placards or attached to [[https://www.youtube.com/watch?v=Wwsy9MThwns][large tethered helium balloons]] (like weather balloons) to help provide a local and transient communications system.
"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 8GB in size.
/User devices/ are the computers with which you would typically access the internet - laptops, desktop machines, netbooks or any other device which can run a Debian-based distro (eg. Ubuntu) with a working wifi connection.
** Installing on routers
Whatever system you're going to use as a mesh router should have a new Debian Jessie install on it. It's advisable that this be a new install so that there is no existing software on the system which could confuse the mesh install process.
#+begin_src bash
sudo apt-get install xz-utils wget
wget https://freedombone.net/downloads/mesh-client-i386-20160913.img.xz
wget https://freedombone.net/downloads/mesh-client-i386-20160913.img.xz.sig
gpg --verify mesh-client-i386-20160913.img.xz.sig
sha256sum mesh-client-i386-20160913.img.xz
2111eeeba713d7ea0109845a295cc44550c66679045fd4bdafc04a883635bea9
unxz mesh-client-i386-20160913.img.xz
sudo dd bs=1M if=mesh-client-i386-20160913.img of=/dev/sdX conv=fdatasync
#+end_src
Some recommended hardware:
To get a number of systems onto the mesh repeat the /dd/ command to create however many bootable USB drives you need.
* Beaglebone Black
* 5V power supply
* Ethernet cable (for installation of the software)
* 8GB microSD card, or larger
* Wireless N USB Adapter TPE-N150USB
If you're in an emergency and don't have Atheros wifi dongles then there is also an "insecure" image which contains some proprietary wifi drivers which may work with a wider range of laptops. Proprietary drivers *are not recommended* because they're unsupportable and may be exploitable or contain malicious antifeatures which fundamentally compromise the security of the network. However, the trade-off between security/maintainability and simply having the ability to communicate at all may be a valid one in some situations.
If you are using the Beaglebone Black then you'll need to install the Debian image to the microSD card. You can find details of how to do that [[./installation.html][here]].
#+begin_src bash
sudo apt-get install xz-utils wget
wget https://freedombone.net/downloads/mesh-client-insecure-i386-20160913.img.xz
wget https://freedombone.net/downloads/mesh-client-insecure-i386-20160913.img.xz.sig
gpg --verify mesh-client-insecure-i386-20160913.img.xz.sig
sha256sum mesh-client-insecure-i386-20160913.img.xz
cd03596d115030469ff57ef519a2a8baba1e71b541e3014032c01f507c7988c1
unxz mesh-client-insecure-i386-20160913.img.xz
sudo dd bs=1M if=mesh-client-insecure-i386-20160913.img of=/dev/sdX conv=fdatasync
#+end_src
Connect your system to your internet router with an ethernet cable, then ssh into it and type:
** Router images
Routers are intended to build network coverage for an area using small and low cost hardware. You can bolt them to walls or leave them on window ledges. They don't have any user interface and their only job is to haul network traffic across the mesh and to enable peers to find each other via running bootstrap nodes for Tox and IPFS. Copy the image to a microSD card and insert it into the router, plug in an Atheros wifi dongle and power on. That should be all you need to do.
*** Beaglebone Black
#+BEGIN_CENTER
[[file:images/mesh_router.jpg]]
#+END_CENTER
#+BEGIN_SRC bash
su
apt-get update
apt-get install git build-essential dialog
git clone https://github.com/bashrc/freedombone
cd freedombone
make install
#+END_SRC
At this point if you are using a system or dongle with an Atheros AR9271 wifi chipset then you may want to install some pre-compiled firmware (you can compile it from source, but it takes a long time - especially on the Beaglebone Black). If you need to do that then see the wifi adaptor notes below.
Then to begin the install:
#+BEGIN_SRC bash
freedombone menuconfig
#+END_SRC
Select the "/mesh (router)/" install variant, give an ESSID or just hit enter for the default. If discression is important then use an ESSID similar to those already in the area. The ESSID must be the same on every mesh peer. Assign this mesh peer a name. In order to avoid confusions it's important that the name should be unique on the network and contain no spaces. So maybe a word followed by some numbers, or the name of the place where the router will be installed.
If you're installing on a Beaglebone Black then after a while the system will reboot and you will need to ssh in again and run:
#+BEGIN_SRC bash
cd freedombone
freedombone -c freedombone.cfg
#+END_SRC
The reboot is needed in order to enable zram and the hardware random number generator.
** Installing on user devices
Typically on a laptop with a Debian-based distro installed, open a terminal and type:
#+BEGIN_SRC bash
sudo apt-get update
sudo apt-get install git build-essential dialog
git clone https://github.com/bashrc/freedombone
The above picture shows a Beaglebone Black with the image copied onto a microSD card (there's no need to do anything with the internal EMMC). A USB Atheros wifi adaptor with a large antenna is attached and in this case power is from the mains, although it could be from a battery or solar power system capable of supplying 5 volts and maybe 1A (depending upon how active the router is).
#+begin_src bash
sudo apt-get install xz-utils wget
wget https://freedombone.net/downloads/mesh-router-beaglebone-black-20160913.img.xz
wget https://freedombone.net/downloads/mesh-router-beaglebone-black-20160913.img.xz.sig
gpg --verify mesh-router-beaglebone-black-20160913.img.xz.sig
sha256sum mesh-router-beaglebone-black-20160913.img.xz
74470b6491951a9744fdd3dab27e8ca74d5b60499fcf6e1a5313e6854c9db894
unxz mesh-router-beaglebone-black-20160913.img.xz
sudo dd bs=1M if=mesh-router-beaglebone-black-20160913.img of=/dev/sdX conv=fdatasync
#+end_src
If you have a few Beaglebone Blacks to use as routers then repeat the /dd/ command to create however many microSD cards you need.
There is still a software freedom issue with the Beaglebone Black, but it doesn't prevent you from running a fully free system on the board. The TI AM335X SOC has a PowerVR SGX530 GPU which will only run with a proprietary blob, but this would only be an issue for systems with a monitor or LCD screen attached running a desktop environment which also needs GPU acceleration. For "headless" systems such as servers or mesh routers this isn't a problem.
* Building Disk Images
It's better not to trust images downloaded from random places on the interwebs. Chances are that unless you are in the web of trust of the above GPG signatures then they don't mean very much to you. If you actually want something trustworthy then build the images from scratch. It will take some time. Here's how to do it.
First you will need to create an image. On a Debian based system (tested on Debian Jessie and Trisquel 7):
#+begin_src bash
sudo apt-get -y install build-essential libc6-dev-i386 wget \
gcc-multilib g++-multilib git python-docutils mktorrent \
vmdebootstrap xz-utils dosfstools btrfs-tools extlinux \
python-distro-info mbr qemu-user-static binfmt-support \
u-boot-tools qemu
wget https://freedombone.net/downloads/freedombone-mesh-13-09-2016.tar.gz
wget https://freedombone.net/downloads/freedombone-mesh-13-09-2016.tar.gz.sig
gpg --verify freedombone-mesh-13-09-2016.tar.gz.sig
sha256sum freedombone-mesh-13-09-2016.tar.gz
3e279f8ed762afb682bec6bd463830087354dd2f24020f3b0de51143585ab0ed
tar -xzvf freedombone-mesh-13-09-2016.tar.gz
cd freedombone
git checkout stockholm
sudo make install
freedombone menuconfig
#+END_SRC
freedombone-image -t i386 -v meshclient
#+end_src
Select the "/mesh (user device)/" variant and set the same ESSID as you did for the routers, or just hit enter for the default.
If you don't have Atheros or free software compatible wifi adapter then you can include proprietary wifi drivers which will work with most laptops. This is *NOT RECOMMENDED* because proprietary drivers are unsupportable and may contain either malware or be exploitable in a way which can't be fixed. However, if you're in an emergency and don't have any Atheros or free software wifi USB dongles then you can use the following command to make the image:
An important point is that on older Debian-based systems, such as Ubuntu 14.04 or Trisquel 7, you may need to install a more recent version of /batctl/. An example is as follows.
#+begin_src bash
freedombone-image -t i386 -v meshclient --insecure yes
#+end_src
#+BEGIN_SRC bash
sudo apt-get remove --purge batctl
wget http://mirrors.kernel.org/ubuntu/pool/universe/b/batctl/batctl_2014.1.0-2_amd64.deb
sudo dpkg -i batctl_2014.1.0-2_amd64.deb
#+END_SRC
* Wifi adaptors
There are a small number of wifi adaptors which are compatible with a fully free software stack.
** Atheros AR9271
To install the firmware for this:
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
#+BEGIN_SRC bash
cd freedombone/drivers
sha256sum ath9k_htc_driver_bbb.tar.gz
7eb9324681f03c7630ed01e490ea447dfbd96c9b5389e45b64e4646d1be16ff1
tar -xvzf ath9k_htc_driver_bbb.tar.gz
mv *.fw /lib/firmware
cd ..
#+END_SRC
* Using the mesh
The following sections only apply to /client devices/. Mesh /routers/ are only for routing network traffic and operating [[https://en.wikipedia.org/wiki/BitTorrent_tracker][trackers]] and [[https://en.wikipedia.org/wiki/Distributed_hash_table][distributed hash tables]] for bootstrapping purposes.
List what drives are on your system with:
** Switching from internet to mesh mode
To join the mesh network open a terminal and type:
#+begin_src bash
ls /dev/sd*
#+end_src
#+BEGIN_SRC bash
meshweb
#+END_SRC
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
If you want to have your system as a permanent mesh peer then you could add that command to your startup applications so that it activates whenever the computer starts up.
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
A web page should appear in your browser, which then allows you to access communication services on the mesh. These pages should update automatically, so that if peers enter or leave the network the lists will change accordingly.
#+begin_src bash
sudo dd bs=1M if=myimagefile.img of=/dev/sdX conv=fdatasync
#+end_src
If for any reason things don't seem to be updating you can force an update by issuing the command:
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use on the mesh, power on and set the BIOS to boot from the USB stick.
#+BEGIN_SRC bash
zeronetavahi
#+END_SRC
** Chat
If you have a Tox client installed on your system then you can use that to communicate with other mesh peers. A limitation is that if peers change you may need to quit the application and restart it in order to receive the updated list of DHTnodes. The [[https://github.com/Tox/toxic][Toxic]] client is installed by default, but you may also want to install [[https://github.com/tux3/qTox][qTox]] or [[http://utox.org][uTox]] for a more conventional-looking user experience.
On first boot you'll be asked to set a username, and then you can open the chat client and select the *users* icon to show the Tox IDs for other users on the mesh. When folks join they will be announced.
You can obtain Tox IDs for users on the network via the initial web page.
Rinse, repeat, for any number of laptops that you want to get onto the mesh or to build out coverage within an area. There are no servers. Just peer-to-peer communications routed through the network which are end-to-end secure after a friend request is accepted. By default the chat client doesn't log anything.
To launch the [[https://github.com/Tox/toxic][Toxic client]] in a terminal type:
You can also use single board computers (SBCs) such as the BeagleBone Black to make mesh routers which can be bolted to walls or the sides of buildings and consume minimal electrical power, so could be solar or battery powered for short term events such as festivals. To do that use the following command to make the image:
#+BEGIN_SRC bash
toxic
#+END_SRC
#+begin_src bash
freedombone-image -t beaglebone -v mesh
#+end_src
The first time you will be asked whether you wish to encrypt the data file used for your settings. Select "no" for this, otherwise the system will not be able to obtain your public key and broadcast it to other peers in the network. Even if you select "yes" the system will still be usable, but it will not be so easy for other peers on the network to find you unless you have previously exchanged your Tox ID via some out-of-band method.
The resulting image can be copied to a microSD card, inserted into a Beaglebone Black and booted. Don't forget to plug in an Atheros USB wifi dongle.
Then to add a new friend:
* Customisation
If you want to make your own specially branded version, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
#+BEGIN_SRC bash
/nick mynickname
/add <friend Tox ID>
#+END_SRC
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
* How to use it
When you first boot from the USB drive the system will create some encryption keys, assign a unique network address to the system and then reboot itself. When that's done you should see a prompt asking for a username. This username just makes it easy for others to initially find you on the mesh and will appear in the list of users.
Your friend will need to approve the request, and then you can chat via text or voice using /CTRL-o/ and /CTRL-p/ to switch between screens and cursor keys plus Enter to select users.
After a minute or two if you are within wifi range and there is at least one other user on the network then you should see additional icons appear on the desktop, such as /Other Users/ and /Chat/.
Another thing worth knowing is that if you were already using a Tox client before running the /meshweb/ command then it's a good idea to close and reopen it, so that the list of bootstrap nodes is updated. The same also applies when exiting the mesh and returning to the internet.
** Set the Date
On the ordinary internet the date and time of your system would be set automatically via NTP. But this is not the internet and so you will need to manually ensure that your date and time settings are correct. You might need to periodically do this if your clock drifts. It's not essential that the time on your system be highly accurate, but if it drifts too far or goes back to epoch then things could become a little confusing in regard to the order of blog posts.
*Right click on the date* in the top right corner of the screen. Select *preferences*, then click the *Time Settings* button. You can then select the date from the calendar and set the time, then click the *Set System Time* button. Enter the default password, which is /freedombone/.
** Check network status
Unlike with ordinary wifi, on the mesh you don't get a signal strength icon and so it's not simple to see if you have a good connection.
Select the wifi icon on the desktop and enter the password '/freedombone/'. The network configuration will go into a monitoring mode and in the bottom right side of the window you will be able to see signal strength and other parameters. This can help you to locate systems or adjust antennas to get the best wifi performance.
#+BEGIN_CENTER
[[file:images/mesh_signal.jpg]]
#+END_CENTER
When you are finished close the window and then select the /Network Restart/ desktop icon, which will restart the B.A.T.M.A.N. network. You can also use the restart icon if you are within range of the mesh network but the /Chat/ and /Other Users/ icons do not automatically appear after a few minutes.
** Chat System
Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the /Chat/ and /Other Users/ icons appear. Select the users icon and you should see a list of users on the mesh. Select the /Chat/ icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then copy and paste in a Tox ID from the users list.
#+BEGIN_CENTER
[[file:images/mesh_paste_tox_id.jpg]]
#+END_CENTER
The other user can then accept or decline your friend request.
#+BEGIN_CENTER
[[file:images/mesh_friend_request.jpg]]
#+END_CENTER
You can also select an avatar by selecting the grey head and shoulders image.
#+BEGIN_CENTER
[[file:images/mesh_choose_avatar.jpg]]
#+END_CENTER
And by selecting the user from the list on the left hand side the chat can begin.
#+BEGIN_CENTER
[[file:images/mesh_text_chat.jpg]]
#+END_CENTER
One important point is that by default the microphone is turned off. When doing voice chat you can select the microphone volume with the drop down slider in the top right corner of the screen.
At present video doesn't work reliably, but text and voice chat do work well.
** Sharing Files
You can make files publicly available on the network simply by dragging and dropping them into the /Public/ folder on the desktop. To view the files belonging to another user select the desktop icon called /Visit a site/ and enter the username or Tox ID of the other user.
#+BEGIN_CENTER
[[file:images/mesh_share_files.jpg]]
#+END_CENTER
A note for the security-conscious is that broadcasting Tox IDs via the network (using Avahi) is convenient but not highly secure. An adversary could maybe join the network and create decoy peers to try to disrupt the communications and have messages going to the wrong places. For the best security exchange Tox IDs in advance by some method other than looking them up from the initial mesh web page.
** Blogging
The Freedombone mesh uses a fully decentralized blogging system called [[https://github.com/HelloZeroNet/ZeroBlog][ZeroBlog]]. It behaves rather like other peer-to-peer file sharing systems in that if you are reading the blog of another user you are also simultaneously seeding it to other peers (acting as both a client and a server). This allows the system to scale well, while also being robust to any peer failing or leaving the network.
To create a blog post select the /Blog/ icon on the desktop and then use the up and down cursor keys, space bar and enter key to add a new entry. Edit the title of the entry and add your text. You can also include photos if you wish - just copy them to the *CreateBlog/content/images* directory and then link to them as shown.
All blogs on the mesh are public, so any user joining the mesh can read any other blog. Network traffic is encrypted between peers, so passive snooping will be hard, and also the integrity of data is checked via certificates so that you can be reasonably confident that nefarious content has not been added or removed from the data stream while in transit through the network.
#+BEGIN_CENTER
[[file:images/mesh_new_blog.jpg]]
#+END_CENTER
This type of content creation and delivery provides a good template for what the conventional internet should ultimately be like if it is to be robust, trustworthy and resistant to censorship or damage.
To finish your blog entry just select /Save/ and then close the editor. On older hardware it may take a while to publish the results, and this depends upon the amount of computation needed by IPFS to create file hashes. If you make no changes to the default text then the new blog entry will not be saved.
To add a new blog entry click the /new post/ button, edit the title and content (clicking /save/ at the bottom of the screen after each). Then when you are done click on the /publish/ button at the bottom of the screen. And that's all there is to it.
** Other services
It is hoped that a decentralized forum will be added, but this is not yet complete. In the mean time a substitute is to use the Tox group chat feature.
** Turning off the mesh
If you wish to return to the internet then open a terminal and type:
#+BEGIN_CENTER
[[file:images/mesh_new_blog2.jpg]]
#+END_CENTER
#+BEGIN_SRC bash
sudo batman stop
#+END_SRC
#+BEGIN_CENTER
[[file:images/mesh_view_blog.jpg]]
#+END_CENTER
After a few seconds your usual internet wifi connection should be re-established.
* Further reading
For much more extensive details about deploying wireless networks there is an excellent book called [[http://wndw.net][Wireless Networking in the Developing World]] which is worth reading. It's not necessarily exclusively about mesh networks, but may be useful in terms of advice about antennas, reflections, extending wifi range and so on.
You can also visit other blogs, edit or delete your previous entry and also change your blog theme.
#+BEGIN_EXPORT html
<center>
Return to the <a href="index.html">home page</a>
</center>
#+END_EXPORT
#+BEGIN_CENTER
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
#+END_CENTER


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Mirroring git repositories
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -18,15 +18,15 @@
* Contact details
This site can also be accessed via a Tor browser at *4fvfozz6g3zmvf76.onion*
This site can also be accessed via a Tor browser at *http://2tp3f6vtvhkqpuc6.onion*
*Email:* bob@robotics.uk.to
*Email:* bob@freedombone.net
*PGP/GPG Key ID:* EA982E38
*PGP/GPG Fingerprint:* D538 1159 CD7A 2F80 2F06 ABA0 0452 CC7C EA98 2E38
*XMPP:* bob@robotics.uk.to with OTR
*XMPP:* bob@freedombone.net with OMEMO or OTR
*Tox:* 82DD53788AB400843BC75EA96B62DD6C76D2B13E476B995B13C49920A3C8FD32E5365A82FA83
@ -43,7 +43,7 @@ If you find this project useful then you may wish to consider donating to [[./re
Testing of the install on different hardware. Also pentesting on test installations to find vulnerabilities.
** Web design and artwork
A better design for this website would be nice to have. Photos, icons or other artwork are all welcome. I've always liked the cartoon artwork of the [[http://www.mediagoblin.org/][Mediagoblin]] project, and attractive graphics can help to get people initially interested.
A better design for this website would be nice to have. Photos, icons or other artwork are all welcome. I've always liked the cartoon artwork of the [[https://www.mediagoblin.org/][Mediagoblin]] project, and attractive graphics can help to get people initially interested.
** More education and promotion
#+BEGIN_CENTER


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -21,56 +21,43 @@
| [[Administrating the system via an onion address (Tor)]] |
| [[./mobile.html][Mobile advice]] |
| [[./usage_email.html][Using Email]] |
| [[Syncing to the Cloud]] |
| [[Play Music]] |
| [[Microblogging (GNU Social)]] |
| [[Sharing things]] |
| [[Social Network]] |
| [[Chat Services]] |
| [[RSS Reader]] |
| [[Git Projects]] |
| [[./app_syncthing.html][Syncing to the Cloud]] |
| [[./app_dlna.html][Play Music]] |
| [[./app_gnusocial.html][Microblogging (GNU Social)]] |
| [[./app_postactiv.html][Microblogging (PostActiv)]] |
| [[./app_ghost.html][Blogging with Ghost]] |
| [[./app_htmly.html][Blogging with HTMLy]] |
| [[./app_hubzilla.html][Social Network]] |
| [[./app_lychee.html][Photo albums]] |
| [[./app_dokuwiki.html][Wiki]] |
| [[./app_etherpad.html][Collaborative document editing]] |
| [[./app_irc.html][Multi-user chat with IRC]] |
| [[./app_xmpp.html][XMPP/Jabber]] |
| [[./app_tox.html][Tox]] |
| [[./app_mumble.html][Mumble]] |
| [[./app_mailpile.jtml][Mailpile]] |
| [[./app_rss.html][RSS Reader]] |
| [[./app_radicale.html][CalDAV calendar server]] |
| [[./app_gogs.html][Git Projects]] |
| [[Adding or removing users]] |
| [[./app_pihole.html][Blocking Ads]] |
* Readme
After the system has installed a README file will be generated which contains passwords and some brief advice on using the installed systems. You can read this with the following commands:
* Improving security
It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
emacs ~/README
#+END_SRC
#+begin_src bash
freedombone-client
#+end_src
You should transfer any passwords to a password manager such as [[http://www.keepassx.org/][KeepassX]] and then delete them from the README file. To save the file after removing passwords use *CTRL-x CTRL-s*.
On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:
To exit you can either just close the terminal or use *CTRL-x CTRL-c* followed by the *exit* command.
* Improving ssh security
To improve ssh security you can generate an ssh key pair on your system and then upload the public key to the Freedombone.
#+begin_src
ssh myusername@freedombone.local -p 2222
#+end_src
On your local machine:
#+BEGIN_SRC bash
ssh-keygen
#+END_SRC
For extra security you may also want to add a passphrase to the ssh private key. You can show the generated public key with:
#+BEGIN_SRC bash
cat ~/.ssh/id_rsa.pub
#+END_SRC
Log into your system and open the control panel.
#+BEGIN_SRC bash
ssh username@domain -p 2222
#+END_SRC
Select /Administrator controls/ then /Manage Users/ then /Change user ssh public key/. Copy and paste the public key here, then exit.
It's a good idea to also copy the contents of *~/.ssh/id_rsa* and *~/.ssh/id_rsa.pub* to you password manager, together with the private key password if you created one.
There are advantages and disadvantages to using ssh keys for logins. The advantage is that this is much more secure than a memorised password, but the disadvantage is that you need to carry your ssh keys around and be able to install them on any computer of mobile device that you use. In high security or hostile infosec environments it may not be possible to carry or use USB thumb drives containing your keys and so memorised passwords may be the only available choice.
If you wish to only use ssh keys then log in to the Freedombone, become the root user and open the control panel with the 'control' command. Select /Security Settings/ then keep hitting enter until you reach the question about allowing password logins. Select "no" for that, then apply the settings. Any subsequent attempts to log in via a password will then be denied.
Select *Administrator controls* and re-enter your password, then *Manage Users* and *Change user ssh public key*. Copy and paste the ssh public keys which appeared after the *freedombone-client* command was run. Then go to *Security settings* and select *Allow ssh login with passwords* followed by *no*.
You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.
* Administrating the system via an onion address (Tor)
You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
@ -84,602 +71,13 @@ Select /Administrator controls/ then select "About this system" and look for the
freedombone-client
#+END_SRC
This will set up your ssh environment to be able to handle onion addresses. In addition if you use monkeysphere then you can do:
#+BEGIN_SRC bash
freedombone-client --ms yes
#+END_SRC
Then you can test ssh with:
This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:
#+BEGIN_SRC bash
ssh username@address.onion -p 2222
#+END_SRC
Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
* Syncing to the Cloud
[[https://syncthing.net][Syncthing]] provides a similar capability to proprietary systems such as [[http://www.drop-dropbox.com/][Dropbox]], and also is well suited for use with low power single board computers. You can have one or more directories which are synchronized across your various laptops/desktops/devices, and this makes it hard for you to ever lose important files. The manner in which the synchronization is done is pretty secure, such that it would be difficult for passive adversaries (mass surveillance, "/men in the middle/", etc) to know what files you're sharing. Of course, you don't necessarily need to be running a server in order to use Syncthing, but if you do have a server which is always running then there's always at least one place to synchronize your files to or from.
Freedombone provides Syncthing shared directories for each user on the system, plus a single shared directory for all users. The expected most common scenario here is that of a family in which members may not want to share /all of their files/ with each other, but might want to share some in a common pool (eg. birthday photos). You can also easily share between different servers.
** On a laptop
Install syncthing:
#+BEGIN_SRC bash
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
echo "deb http://apt.syncthing.net/ syncthing release" | sudo tee /etc/apt/sources.list.d/syncthing.list
sudo apt-get update
sudo apt-get install syncthing
#+END_SRC
Add syncthing to your startup applications, so that it begins running when your system starts. Then either restart your system or run the command "syncthing" from a terminal.
In another terminal log into Freedombone:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
#+END_SRC
Then select *File Synchronization*.
[[file:images/controlpanel/control_panel_file_sync.jpg]]
Select *Show device ID* and copy the long string of letters and numbers shown, using the shift key then select the text followed by right click then select copy.
Open a non-Tor browser and enter *http://127.0.0.1:8384* as the URL. You should now see the minimalistic user interface. Under *Remote Devices* select *Add Remote Device*. In the *Device ID* field paste the string you just copied (CTRL+v). The Device name can be anything. Under *Share Folders with Device* check *default* (or whatever folder you created on your local machine), then save.
From the top menu select *Actions* and then *Show ID*, then copy the ID string (usually select then CTRL+c). Go back to the terminal control panel menu and select *Add an ID* then paste what you just copied (CTRL+v). Optionally you can also provide a description so that you later can know what that string corresponds to.
Now wait for a few minutes. Eventually you will see two messages appear within the browser asking if you want to add two new folders from the Freedombone server. Say yes to both, and specify *~/Sync* as the directory with your username and *~/SyncShared* as the shared directory. You can now copy files into your *~/Sync* directory and they will automatically be synced to the server. Those will be files which only you can access. If you copy files into *~/SyncShared* then they will also be available to any other users on the system.
** On Android
Install Syncthing and Connectbot from F-droid.
Set up Connectbot to log into Freedombone.
Select *File Synchronization*.
Select *Show device ID* and copy the long string of letters by pressing anywhere on the screen, selecting the *menu* then *copy* and then selecting the ID string. This is very tricky on a small screen, so expect to fail multiple times before you succeed in copying the text.
Open Syncthing and select the devices tab. Press on *+* and then paste the device ID with a long press followed by *Paste*. You may need to remove any stray characters which were copied during the previous haphazard selection process. Add a name, which can be anything.
Now select the menu (top left or menu button) and then press on *Device ID*. It will be copied to the clipboard. Go back to Connectbot and from the control panel select *File Synchronization* followed by *Add an ID*. You can then paste in the ID with a long press, and optionally add a description for the device. When that's done you can disconnect from Connectbot.
Now wait for a few minutes or more. Eventually you should receive two notifications (swipe down from the top to see them) which will allow you to confirm the connection to the server. Say yes to both, and specify appropriate directories for your files and the shared files. To reduce battery and data usage via the settings you can also set Syncthing to only sync while it's charging and only while it's connected to wifi.
* Play Music
** With the DLNA service
An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on a USB thumb drive and then insert it into from socket on the Beaglebone.
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Then mount the USB drive with:
#+BEGIN_SRC bash
su
attach-music
#+END_SRC
The system will scan the Music directory, which could take a while if there are thousands of files, but you don't need to do anything further with the Beaglebone other than perhaps to log out by typing *exit* a couple of times.
If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are no access controls on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network.
* Microblogging (GNU Social)
** Initial setup
To log into your GNU Social site first obtain your username and password from the "microblogging" section of the readme file.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
cat README
exit
#+END_SRC
Navigate to your site and log in. You may then want to select *Admin* and check or change the details. You may also wish to change the license for the site to be either Creative Commons or private.
GNU Social has a clutter-free mobile user interface which can be accessed via a Tor compatible browser (make sure to add a NoScript exception). Unlike similar proprietary sites there are no bribed posts.
[[file:images/gnusocial_mobile.jpg]]
** Direct Messages (DMs) and privacy
One important point about GNU Social is that although direct messages (DMs) are treated as being private their security is quite poor. If you want real communications privacy then use other systems such as XMPP+OMEMO/OTR, Tox or email with GPG. GNU Social is primarily about /fully public communications/.
** Using with Emacs
If you are an Emacs user it's also possible to set up GNU Social mode as follows:
#+begin_src bash :tangle no
mkdir ~/elisp
git clone git://git.savannah.nongnu.org/gnu-social-mode ~/elisp/gnu-social-mode
sed -i 's|"http"|"https"|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
sed -i 's|http:|https:|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
sed -i 's|http?|https?|g' ~/elisp/gnu-social-mode/gnu-social-mode.el
echo "(add-to-list 'load-path \"~/elisp/gnu-social-mode\")" >> ~/.emacs
echo "(require 'gnu-social-mode)" >> ~/.emacs
echo "(setq gnu-social-server-textlimit 2000" >> ~/.emacs
echo " gnu-social-server \"yourgnusocialdomain\"" >> ~/.emacs
echo " gnu-social-username \"yourusername\"" >> ~/.emacs
echo " gnu-social-password \"gnusocialpassword\")" >> ~/.emacs
#+end_src
And as a quick reference the main keys are:
| Key | Function |
|---------------+--------------------|
| i | Show icons |
| CTRL-c CTRL-s | Post status update |
| r | Repeat |
| F | Favourite |
| R | Reply to user |
| CTRL-c CTRL-h | Highlight |
| CTRL-c CTRL-r | Show replies |
| CTRL-c CTRL-f | Friends timeline |
* Sharing things
If you have the GNU Social microblogging system installed then it's also possible to share things or services between groups or with particular users. This can be useful for sharing items within a family, club or in a local sharing economy. Sharing things freely, without money, reveals the social basis at the root of all economics which money normally conceals or obscures.
Click on "/share/" or "/my catalog/" and this will switch to a screen which allows you to enter details for things to be shared or wanted.
[[file:images/sharings3.jpg]]
The "/catalog/" button then allows you to search for shared things within the federated network.
[[file:images/sharings4.jpg]]
* Social Network
** Domains
Both Hubzilla and GNU Social try to obtain certificates automatically at the time of installation via Let's Encrypt. This will likely mean that in order for this to work you'll need to have obtained at least one "official" domain via a domain selling service, since Let's Encrypt mostly doesn't seem to work with free subdomains from sites such as freeDNS.
** Initial install
On first visiting your Hubzilla site you'll see the login screen. The first thing you need to do is *register* a new user. The first user on the system then becomes its administrator.
[[file:images/hubzilla_mobile.jpg]]
* Chat Services
** IRC
IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
*** Irssi
The easiest way to use irssi is to connect to your system, like this:
#+BEGIN_SRC bash
ssh myusername@mydomain -p 2222
#+END_SRC
Then select *IRC* from the menu. However, other than via this method using ssh, irssi isn't a very good IRC client because it doesn't have the capability to onion route messages, and therefore leaks metadata. For the best security when using your IRC server, use HexChat, Emacs ERC or another client which supports socks5 proxying.
*** HexChat
HexChat (formerly XChat) is compatible with proxying via Tor and so provides the best security when connecting to your IRC server. It will allow you to connect to your IRC server's onion address.
First install HexChat and set up its configuration file.
#+BEGIN_SRC bash
sudo apt-get install tor hexchat
mkdir -p ~/.config/hexchat
echo "# By default, HexChat based IRC software, when started-up, or run for first time,
# it starts to use local network, to connect to the internet. To prevent that,
# and to force it, to use Tor proxy (a Socks5 server):
#
# /set net_proxy_host 127.0.0.1
# /set net_proxy_port 9050
# /set net_proxy_type 3
# /set net_proxy_use 0
net_proxy_host = 127.0.0.1
net_proxy_port = 9050
# Technical note: 3 = socks5
net_proxy_type = 3
# Technical note: Do not worry. 0 is not equal to "off". 0 stands for "All".
# Check yourself https://toxin.jottit.com/xchat_set_variables
net_proxy_use = 0
# HexChat should not use the same circuit/exit server as other Tor applications.
# Otherwise activity in different applications could be correlated to the same
# pseudonym. There is a way to prevent that.
# It is called stream isolation. We use IsolateSOCKSAuth,
# see https://www.torproject.org/docs/tor-manual-dev.html.en
# The password is actually not required, but it does not hurt either.
# Will probable not hurt on Tor 0.2.2 and below.
# Works with Tor 0.2.3 and above.
#
# /set net_proxy_auth 1
# /set net_proxy_pass = HexChat
# /set net_proxy_user = HexChat
#
net_proxy_auth = 1
net_proxy_pass = HexChat
net_proxy_user = HexChat
# Get rid of protocol leaks:
# a DCC session can reveal IP address, etc. identd flag can reveal your
# username which you use to login in your OS(Windows/Linux/Unix/MacOS) profile.
# To prevent those:
#
# /set dcc_auto_chat 0
# /set dcc_auto_resume OFF
# /set dcc_auto_send 0
# /set irc_hide_version ON
# /set identd OFF <-- NOT working on all HexChat-based IRC software.
# But still highly suggested to include & use it.
# Probable not needed on UNIX, source: http://xchat.org/faq/#q21
dcc_auto_chat = 0
dcc_auto_resume = 0
dcc_auto_send = 0
irc_hide_version = 1
identd = 0
# If you use your own comment instead of default values, then these data are
# posted on each channel when you do these events: JOIN, PART, QUIT, AWAY.
# So they can reveal who you actually are, when you are using same HexChat
# software for multiple different nicknames.
#
# Delete everything under Settings -> Preferences -> Default Messages:
# -> Quit: <Deleted everything!>
# -> Leave channel: <Deleted everything!>
# -> Away: <Deleted everything!>
away_reason =
irc_part_reason =
irc_quit_reason =
# By default, HexChat based IRC software uses your platform OS(Operating System)s
# login user name as your nickname, user name, real name. To prevent leaking
# that, and, to use your own choice of nickname, realname, username:
#
# ***Pseudonymous vs. anonymous IRC use.***
# Actually IRC is pseudonymous. Your nickname might also reveal something about
# your origin, interests, etc. You can make IRC more anonymous by choosing a more
# meaningless nickname. Use the following defaults if you want to be more anonymous.
# If user, user_ and user___ are already taken, add more _ or start using user1,
# user2, user3, etc. Or if the irc network auto assigns your a nickname, i.e.
# guest532, stick with that nickname.
#
# Of course, you are free to continue using IRC in a pseudonymous manner.
# In that case, instant of user, choose your nickname.
#
# /set irc_real_name user
# /set irc_user_name user
# /set irc_nick1 user
# /set irc_nick2 user_
# /set irc_nick3 user__
irc_real_name = user
irc_user_name = user
irc_nick1 = user
irc_nick2 = user_
irc_nick3 = user__
# Use a more common nick completion suffix:
# When you write the first few characters of a nickname followed by tab,
# it will, by HexChat default, complete the nickname and ", " behind the
# nickname. The behavior is HexChat specific. The " :" is more more common
# for more common clients such as mIRC.
#
# HexChat -> Settings -> Preferences -> input box -> completion_suffix set to :
#
completion_suffix = :
# Not starting the server windows at the beginning so you can check and set
# settings before connecting to any IRC networks.
gui_slist_skip = 1
" > ~/.config/hexchat/hexchat.conf
#+END_SRC
Now look up the onion address for your IRC server
#+BEGIN_SRC bash
ssh username@mydomainname -p 2222
#+END_SRC
Select Administrator options, then *About this system* and make a note of the onion address for IRC. Also select the *IRC Menu* and take a note of the login password.
[[file:images/hexchat_setup.jpg]]
Run HexChat.
Within the network list click, *Add* and enter your domain name then click *Edit*.
Select the entry within the servers box, then enter *ircaddress.onion/6697* and press *Enter*.
Uncheck *use global user information*.
Enter first and second nicknames and check *connect to this network on startup*.
Make sure that *use SSL* is unchecked. Encryption will be handled via the onion address itself.
Within the *Password* field enter the password which can be found from the IRC menu of the *control panel*.
Select the *Autojoin channels* tab, click *Add* and enter *#freedombone* as the channel name.
Click *close* and then *connect*.
*** Emacs
If you are an Emacs user then you can also connect to your IRC server via Emacs.
Ensure that tor is installed onto your local system:
#+BEGIN_SRC bash
sudo apt-get install tor
#+END_SRC
Add the following to your Emacs configuration file:
#+BEGIN_SRC elisp
(setq socks-noproxy '("localhost"))
(require 'socks)
(require 'tls)
(setq socks-server (list "Tor socks" "localhost" 9050 5))
(setq erc-server-connect-function 'socks-open-network-stream)
(setq erc-autojoin-channels-alist
'(("myircaddress.onion" "#freedombone")))
(erc :server "myircaddress.onion" :port 6697 :nick "yourusername" :password "your IRC password")
#+END_SRC
*** Changing or removing the IRC password
By default the IRC server is set up to require a password for users to log in. The password is the same for all users. If you want to change or remove the password:
#+BEGIN_SRC bash
ssh myusername@mydomain -p 2222
#+END_SRC
Select /Administrator controls/ then *IRC Menu* and then change the password. An empty password will allow anyone to log in, so you can have a globally accessible IRC system if you wish, although you might want to carefully consider whether that's wise.
** XMPP/Jabber
*** About XMPP
A well written article on the state of XMPP and how it compares to other chat protocols [[https://gultsch.de/xmpp_2016.html][can be found here]].
*** Using with Gajim
In mid 2016 [[https://gajim.org/][Gajim]] became the first desktop XMPP client to support the [[https://en.wikipedia.org/wiki/OMEMO][OMEMO end-to-end security standard]], which is superior to the more traditional [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:
#+begin_src bash :tangle no
su -c 'echo "deb ftp://ftp.gajim.org/debian unstable main" > /etc/apt/sources.list.d/gajim.list'
sudo apt-get update
sudo apt-get -y install gajim-dev-keyring
sudo apt-get -y install git tor python-dev python-pip gajim-nightly
mkdir ~/.local/share/gajim/plugins -p
cd ~/.local/share/gajim/plugins
git clone https://github.com/omemo/gajim-omemo
sudo pip install protobuf==2.6.1, python-axolotl==0.1.35
#+end_src
Open Gajim and enter your XMPP address and password.
Go to *Edit/Preferences* and select the *Advanced* tab. Under *Global Proxy* select *Tor* and the *Close* button. Then select *Edit/Plugins* and make sure that OMEMO is active (ticked), then select the *Close* button.
When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.
If you wish to make backups of the OMEMO keys then they can be found within:
#+begin_src bash :tangle no
~/.local/share/gajim
#+end_src
If you wish to use OpenPGP to encrypt your messages then go to *Edit/Accounts*, select your account and then the *Personal Information* tab. You can then choose your GPG key. When initiating a chat you can select the *Advanced* button and then select *Toggle OpenPGP Encryption*. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.
*** Using with Profanity
The [[http://profanity.im][Profanity]] shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compomised then there are no locally stored OTR keys to be found.
#+BEGIN_SRC bash
ssh username@domain -p 2222
#+END_SRC
Then select XMPP. Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
#+BEGIN_SRC bash
/otr gen
#+END_SRC
Then to start a conversation using OTR:
#+BEGIN_SRC bash
/otr start otherusername@otheruserdomain
#+END_SRC
or if you're already in an insecure chat with someone just use:
#+BEGIN_SRC bash
/otr start
#+END_SRC
Set a security question and answer:
#+BEGIN_SRC bash
/otr question "What is the name of your best friends rabbit?" fiffi
#+END_SRC
On the other side the user can enter:
#+BEGIN_SRC bash
/otr answer fiffi
#+END_SRC
For the most paranoid you can also obtain your fingerprint:
#+BEGIN_SRC bash
/otr myfp
#+END_SRC
and quote that. If they quote theirs back you can check it with:
#+BEGIN_SRC bash
/otr theirfp
#+END_SRC
If the fingerprints match then you can be pretty confident that unless you have been socially engineered via the question and answer you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[http://www.profanity.im/otr.html][this guide]].
When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
*** Using with Jitsi
Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
Jitsi can be downloaded from https://jitsi.org
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
*** Using with Ubuntu
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
Enter your username (username@domainname) and password.
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
*** Using Tor Messenger
Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from [[https://torproject.org][torproject.org]] and the setup is pretty simple.
*** Using with Android/Conversations
Install [[https://f-droid.org/][F-Droid]]
Search for and install *Orbot* and *Conversations*.
Add an account and enter your Jabber/XMPP ID and password.
From the menu select *Settings* then *Expert Settings*. Select *Connect via Tor* and depending on your situation you might also want to select *Don't save encrypted messages*. Also within expert settings select *Keep in foreground*. This will enable you to still receive notifications when your device is in standby mode with the screen turned off.
From the menu select *Manage accounts* and add a new account.
#+BEGIN_SRC bash
Jabber ID: myusername@mydomain
Password: your XMPP password
Hostname: mydomain
Port: 5222
#+END_SRC
Then select *Next*. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.
** Tox
Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within the README within your home directory. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
*** Using the Toxic client
Log into your system with:
#+BEGIN_SRC bash
ssh myusername@mydomain -p 2222
#+END_SRC
Then from the menu select *Tox Chat*. Tox is encrypted by default and also routed through Tor, so it should be reasonably secure both in terms of message content and metadata.
[[file:images/toxic.jpg]]
** VoIP (Voice and text chat)
*** Text chat
In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.
*** Using with Ubuntu
Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard.
Click on "add new" to add a new server and enter the default domain name for the Freedombone, your username (which can be anything) and the VoIP server password which can be found in the README file on the Freedombone. Accept the self-signed SSL certificate. You are now ready to chat.
*** Using with Android
Install [[https://f-droid.org/][F-Droid]]
If you don't have Orbot installed then enable The Guardian Project repository from the drop down menu and install it.
Search for and install Plumble.
Press the plus button to add a Mumble server.
Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone, your username (which can also be anything) and the VoIP server password which can be found in the README file on the Freedombone.
Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who.
Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users.
/Note: if you don't know the default domain name and you did a full installation then it will be the same as the wiki domain name./
** SIP phones
Freedombone also supports SIP phones The username and domain is the same as for your email address, and the SIP password and extension number will appear within the README file in your home directory. Various SIP client options are available, such as CSipSimple on Android and Jitsi on desktop or laptop machines. Ideally use clients which support ZRTP, which will provide the best level of security.
*** About ZRTP
[[https://jitsi.org/Documentation/ZrtpFAQ][ZRTP]] appears to be the current best standard to end-to-end encrypted voice calls, combining good security with simplicity of use. When the initial cryptographic negotiation between phones is done at the start of a call a short authentication string (SAS) is calculated and displayed at both ends. To check that there isn't anyone intercepting the call and acting as a /man in the middle/ - as [[https://en.wikipedia.org/wiki/Stingray_phone_tracker][stingray type devices]] try to do - the short authentication string can be read out and verbally confirmed between the callers. If it's the same then you can be pretty confident that the call is secure.
*** Using with CSIPSimple
Add an account. Under *General Wizards* choose *Expert* and enter the following details:
| Account name | Your username |
| Account ID | sip:username@yourdomain |
| Registration URI | sip:yourdefaultdomain |
| Realm | * |
| Username | Your username |
| Data (Password) | Your SIP password |
| ZRTP Mode | Create ZRTP |
If everything is working the account should appear in green with a status of *Registered*.
*** Using with Ring
From the menu select *Manage accounts*.
Add an account with the following details:
| Alias | Your full name or nickname |
| Protocol | SIP |
| Hostname | yourdefaultdomain |
| Username | Your username |
| Password | Your SIP password |
Select the *Security* tab. Under *SRTP Key Exchange* select *ZRTP*. Unde *SRTP Preferences* select *Not supported warning* and *Display SAS Once*.
* RSS Reader
The way that RSS reading is set up on Freedombone gives you strong reading privacy. Not only is there onion routing between you and the server but also between the server and the source of the RSS feed. The only down side is that many RSS feeds are still http only, and so could be vulnerable to injection attacks, but it's expected that more of this will go to https in the foreseeable future due to a combination of growing recognition of security issues and systems like Let's Encrypt which make obtaining certificates much easier.
[[file:images/rss_reader_mobile.jpg]]
** Finding the onion address
See the control panel for the RSS reader onion address.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
#+END_SRC
Select /Administrator controls/ then select the *About* screen.
The RSS reader is accessible only via an onion address. This provides a reasonable degree of reading privacy, making it difficult for passive adversaries such as governments, corporations or criminals to create lists of sites which you are subscribed to.
To set up the system open http://rss_reader_onion_address/ and log in with username *admin* and the password obtained either at the beginning of the install or from the README file in your home directory. You can then select the *Actions* menu and begin adding your feeds.
** On mobile
To access the RSS reader from a mobile device you can install a Tor compatible browser such as OrFox. It will try to automatically change to the mobile version of the user interface. Remember to add the site to the NoScript whitelist, and you may also need to turn HTTPS Everywhere off.
#+BEGIN_QUOTE
A note for the paranoid is that on mobile devices you get redirected to a different onion address which is specially set up for the mobile interface, so don't be alarmed that it looks like your connection is being hijacked.
#+END_QUOTE
** With Emacs
If you are an Emacs user then you can also read your RSS feeds via the [[https://github.com/dk87/avandu][Avandu]] mode.
Add the following to your configuration, changing the address and password as appropriate.
#+begin_src emacs-lisp :tangle no
(setq avandu-tt-rss-api-url "http://rss_reader_onion_address/api/"
avandu-user "admin"
avandu-password "mypassword")
#+end_src
If you don't already have Emacs set up to route through Tor then also add the following:
#+begin_src emacs-lisp :tangle no
(setq socks-noproxy '("localhost"))
(require 'socks)
(require 'tls)
(setq socks-server (list "Tor socks" "localhost" 9050 5))
#+end_src
And ensure that the Tor daemon is installed:
#+begin_src bash :tangle no
sudo apt-get install tor
#+end_src
* Git Projects
Github is ok, but it's proprietary and funded by venture capital. If you been around on the internet for long enough then you know how this story eventually works itself out - i.e. badly for the users. It's really only a question of time. If you're a software developer or do things which involve the Git version control system then it's a good idea to become accustomed to hosting your own repositories, before the inevitable Github shitstorm happens.
A Git hosting system called [[https://gogs.io][Gogs]] can optionally be installed. This is very similar to Github in appearance and use. It's lightweight and so well suited for use on low power ARM servers.
Navigate to your git site and click the *Register* button. The first user registered on the system becomes the administrator. Once you've done that then it's a good idea to disable further registrations. Currently that's a little complicated, but you can do it as follows:
#+begin_src bash :tangle no
sudo username@domainname -p 2222
#+end_src
Select *Exit to the comand line*.
#+begin_src bash :tangle no
sudo su
export GO_VERSION=1.5
sed -i "s|DISABLE_REGISTRATION =.*|DISABLE_REGISTRATION = true|g" /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf/app.ini
systemctl restart gogs
exit; exit
#+end_src
This will stop any spam accounts being created by random strangers or bots. You might want to mirror existing repos, and at any time a mirror can be converted into the main repo.
* Adding or removing users
Log into the system with:
@ -695,9 +93,3 @@ control
#+END_SRC
[[file:images/controlpanel/control_panel_manage_users.jpg]]
#+BEGIN_EXPORT html
<center>
Return to the <a href="index.html">home page</a>
</center>
#+END_EXPORT


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
@ -37,7 +37,7 @@ So if you want to use your own email address hosted on your own system you do ne
* A technical note about email transport security
Port 465 is used for SMTP and this is supposedly deprecated for secure email. However, using TLS from the start of the communications seems far more secure than starting off with insecure communications and then trying to upgrade it with a command to begin TLS, as happens with STARTTLS. There are [[https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks][possible attacks against STARTTLS]] in which the command to begin secure communications is removed or overwritten which could then result in email being transferred in plain text over the internet and be readable by third parties.
From http://motherboard.vice.com/read/email-encryption-is-broken:
From https://motherboard.vice.com/read/email-encryption-is-broken:
#+BEGIN_QUOTE
The researchers also uncovered mass scale attacks of STARTTLS sessions being stripped of their encryption. That attack itself isn't new: internet service providers sometimes do it to monitor users; organizations may use it to keep an eye on employees; or it may come from a malicious actor
@ -54,7 +54,7 @@ quit
exit
#+END_SRC
Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[http://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]].
Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[https://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]].
* Publishing your GPG public key
If you havn't already then you should publish your GPG public key so that others can find it.
@ -103,6 +103,7 @@ Some useful keys to know are:
| [ | Expand of collapse the current thread |
| CTRL-k | Import a PGP/GPG public key |
| v | View current email in different formats, such as HTML |
| CTRL-u | View long URLs |
| q | Quit |
To use the address book system open an email by pressing the enter key on it and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
@ -111,6 +112,8 @@ One of the most common things which you might wish to do is to send an email. T
When reading emails you will initially need to enter your GPG password. It will be retained in RAM for a while afterwards.
There is one irksome thing about email within mutt, and that's if you get sent a confirmation with a very long URL. It's usually not possible to view URLs which span over multiple lines, and trying to copy/paste them is annoying. A solution is to use /CTRL-u/ then select the url and press Enter. You can then navigate to it via the lynx browser.
* Thunderbird/Icedove
Another common way in which you may want to access email is via Thunderbird (also known as Icedove on Debian). This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook.


@ -1,10 +1,10 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="solarized-light.css" />
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]


@ -0,0 +1,211 @@
mirror_style release
download_style apt
finddebs_style from-indices
variants - buildd fakechroot minbase scratchbox
keyring /usr/share/keyrings/debian-archive-keyring.gpg
if doing_variant fakechroot; then
test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
fi
case $ARCH in
alpha|ia64) LIBC="libc6.1" ;;
kfreebsd-*) LIBC="libc0.1" ;;
hurd-*) LIBC="libc0.3" ;;
*) LIBC="libc6" ;;
esac
work_out_debs () {
required="$(get_debs Priority: required)"
if doing_variant - || doing_variant fakechroot; then
#required="$required $(get_debs Priority: important)"
# ^^ should be getting debconf here somehow maybe
base="$(get_debs Priority: important)"
elif doing_variant buildd || doing_variant scratchbox; then
base="apt build-essential"
elif doing_variant minbase; then
base="apt"
fi
if doing_variant fakechroot; then
# ldd.fake needs binutils
required="$required binutils"
fi
case $MIRRORS in
https://*)
base="$base apt-transport-https ca-certificates"
;;
esac
}
first_stage_install () {
case "$CODENAME" in
etch|etch-m68k|jessie|lenny|squeeze|wheezy) ;;
*) setup_merged_usr ;;
esac
extract $required
mkdir -p "$TARGET/var/lib/dpkg"
: >"$TARGET/var/lib/dpkg/status"
: >"$TARGET/var/lib/dpkg/available"
setup_etc
if [ ! -e "$TARGET/etc/fstab" ]; then
echo '# UNCONFIGURED FSTAB FOR BASE SYSTEM' > "$TARGET/etc/fstab"
chown 0:0 "$TARGET/etc/fstab"; chmod 644 "$TARGET/etc/fstab"
fi
setup_devices
}
second_stage_install () {
setup_dynamic_devices
x_feign_install () {
local pkg="$1"
local deb="$(debfor $pkg)"
local ver="$(in_target dpkg-deb -f "$deb" Version)"
mkdir -p "$TARGET/var/lib/dpkg/info"
echo \
"Package: $pkg
Version: $ver
Maintainer: unknown
Status: install ok installed" >> "$TARGET/var/lib/dpkg/status"
touch "$TARGET/var/lib/dpkg/info/${pkg}.list"
}
x_feign_install dpkg
x_core_install () {
smallyes '' | in_target dpkg --force-depends --install $(debfor "$@")
}
p () {
baseprog="$(($baseprog + ${1:-1}))"
}
if doing_variant fakechroot; then
setup_proc_fakechroot
elif doing_variant scratchbox; then
true
else
setup_proc
in_target /sbin/ldconfig
fi
DEBIAN_FRONTEND=noninteractive
DEBCONF_NONINTERACTIVE_SEEN=true
export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN
baseprog=0
bases=7
p; progress $baseprog $bases INSTCORE "Installing core packages" #1
info INSTCORE "Installing core packages..."
p; progress $baseprog $bases INSTCORE "Installing core packages" #2
ln -sf mawk "$TARGET/usr/bin/awk"
x_core_install base-passwd
x_core_install base-files
p; progress $baseprog $bases INSTCORE "Installing core packages" #3
x_core_install dpkg
if [ ! -e "$TARGET/etc/localtime" ]; then
ln -sf /usr/share/zoneinfo/UTC "$TARGET/etc/localtime"
fi
if doing_variant fakechroot; then
install_fakechroot_tools
fi
p; progress $baseprog $bases INSTCORE "Installing core packages" #4
x_core_install $LIBC
p; progress $baseprog $bases INSTCORE "Installing core packages" #5
x_core_install perl-base
p; progress $baseprog $bases INSTCORE "Installing core packages" #6
rm "$TARGET/usr/bin/awk"
x_core_install mawk
p; progress $baseprog $bases INSTCORE "Installing core packages" #7
if doing_variant -; then
x_core_install debconf
fi
baseprog=0
bases=$(set -- $required; echo $#)
info UNPACKREQ "Unpacking required packages..."
exec 7>&1
smallyes '' |
(repeatn 5 in_target_failmsg UNPACK_REQ_FAIL_FIVE "Failure while unpacking required packages. This will be attempted up to five times." "" \
dpkg --status-fd 8 --force-depends --unpack $(debfor $required) 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases UNPACKREQ "Unpacking required packages" UNPACKING
info CONFREQ "Configuring required packages..."
echo \
"#!/bin/sh
exit 101" > "$TARGET/usr/sbin/policy-rc.d"
chmod 755 "$TARGET/usr/sbin/policy-rc.d"
mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL"
echo \
"#!/bin/sh
echo
echo \"Warning: Fake start-stop-daemon called, doing nothing\"" > "$TARGET/sbin/start-stop-daemon"
chmod 755 "$TARGET/sbin/start-stop-daemon"
setup_dselect_method apt
smallyes '' |
(in_target_failmsg CONF_REQ_FAIL "Failure while configuring required packages." "" \
dpkg --status-fd 8 --configure --pending --force-configure-any --force-depends 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases CONFREQ "Configuring required packages" CONFIGURING
baseprog=0
bases="$(set -- $base; echo $#)"
info UNPACKBASE "Unpacking the base system..."
setup_available $required $base
done_predeps=
while predep=$(get_next_predep); do
# We have to resolve dependencies of pre-dependencies manually because
# dpkg --predep-package doesn't handle this.
predep=$(without "$(without "$(resolve_deps $predep)" "$required")" "$done_predeps")
# XXX: progress is tricky due to how dpkg_progress works
# -- cjwatson 2009-07-29
p; smallyes '' |
in_target dpkg --force-overwrite --force-confold --skip-same-version --install $(debfor $predep)
base=$(without "$base" "$predep")
done_predeps="$done_predeps $predep"
done
smallyes '' |
(repeatn 5 in_target_failmsg INST_BASE_FAIL_FIVE "Failure while installing base packages. This will be re-attempted up to five times." "" \
dpkg --status-fd 8 --force-overwrite --force-confold --skip-same-version --unpack $(debfor $base) 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases UNPACKBASE "Unpacking base system" UNPACKING
info CONFBASE "Configuring the base system..."
smallyes '' |
(repeatn 5 in_target_failmsg CONF_BASE_FAIL_FIVE "Failure while configuring base packages. This will be re-attempted up to five times." "" \
dpkg --status-fd 8 --force-confold --skip-same-version --configure -a 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases CONFBASE "Configuring base system" CONFIGURING
mv "$TARGET/sbin/start-stop-daemon.REAL" "$TARGET/sbin/start-stop-daemon"
rm -f "$TARGET/usr/sbin/policy-rc.d"
progress $bases $bases CONFBASE "Configuring base system"
info BASESUCCESS "Base system installed successfully."
}
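Review bot: The `policy-rc.d` stub and the fake `start-stop-daemon` that second_stage_install writes before "Configuring required packages" are only undone by the final `mv`/`rm -f` pair at the end of the function, so a run that stops between those points leaves a target tree whose service control is still stubbed out. Nothing in the file says such a tree must be discarded rather than reused; a comment above the `policy-rc.d` write, for example `# stubs are removed at the end of this function; a tree left by an aborted run still has them and must be rebuilt, not booted`, would record that. The file added in the next section is the same text line for line, so the same comment applies there, and keeping one copy (or noting which debootstrap release both were taken from, if they are copies of its suite scripts, which the page does not state) would make later upstream fixes easier to carry over.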


@ -0,0 +1,211 @@
mirror_style release
download_style apt
finddebs_style from-indices
variants - buildd fakechroot minbase scratchbox
keyring /usr/share/keyrings/debian-archive-keyring.gpg
if doing_variant fakechroot; then
test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
fi
case $ARCH in
alpha|ia64) LIBC="libc6.1" ;;
kfreebsd-*) LIBC="libc0.1" ;;
hurd-*) LIBC="libc0.3" ;;
*) LIBC="libc6" ;;
esac
work_out_debs () {
required="$(get_debs Priority: required)"
if doing_variant - || doing_variant fakechroot; then
#required="$required $(get_debs Priority: important)"
# ^^ should be getting debconf here somehow maybe
base="$(get_debs Priority: important)"
elif doing_variant buildd || doing_variant scratchbox; then
base="apt build-essential"
elif doing_variant minbase; then
base="apt"
fi
if doing_variant fakechroot; then
# ldd.fake needs binutils
required="$required binutils"
fi
case $MIRRORS in
https://*)
base="$base apt-transport-https ca-certificates"
;;
esac
}
first_stage_install () {
case "$CODENAME" in
etch|etch-m68k|jessie|lenny|squeeze|wheezy) ;;
*) setup_merged_usr ;;
esac
extract $required
mkdir -p "$TARGET/var/lib/dpkg"
: >"$TARGET/var/lib/dpkg/status"
: >"$TARGET/var/lib/dpkg/available"
setup_etc
if [ ! -e "$TARGET/etc/fstab" ]; then
echo '# UNCONFIGURED FSTAB FOR BASE SYSTEM' > "$TARGET/etc/fstab"
chown 0:0 "$TARGET/etc/fstab"; chmod 644 "$TARGET/etc/fstab"
fi
setup_devices
}
second_stage_install () {
setup_dynamic_devices
x_feign_install () {
local pkg="$1"
local deb="$(debfor $pkg)"
local ver="$(in_target dpkg-deb -f "$deb" Version)"
mkdir -p "$TARGET/var/lib/dpkg/info"
echo \
"Package: $pkg
Version: $ver
Maintainer: unknown
Status: install ok installed" >> "$TARGET/var/lib/dpkg/status"
touch "$TARGET/var/lib/dpkg/info/${pkg}.list"
}
x_feign_install dpkg
x_core_install () {
smallyes '' | in_target dpkg --force-depends --install $(debfor "$@")
}
p () {
baseprog="$(($baseprog + ${1:-1}))"
}
if doing_variant fakechroot; then
setup_proc_fakechroot
elif doing_variant scratchbox; then
true
else
setup_proc
in_target /sbin/ldconfig
fi
DEBIAN_FRONTEND=noninteractive
DEBCONF_NONINTERACTIVE_SEEN=true
export DEBIAN_FRONTEND DEBCONF_NONINTERACTIVE_SEEN
baseprog=0
bases=7
p; progress $baseprog $bases INSTCORE "Installing core packages" #1
info INSTCORE "Installing core packages..."
p; progress $baseprog $bases INSTCORE "Installing core packages" #2
ln -sf mawk "$TARGET/usr/bin/awk"
x_core_install base-passwd
x_core_install base-files
p; progress $baseprog $bases INSTCORE "Installing core packages" #3
x_core_install dpkg
if [ ! -e "$TARGET/etc/localtime" ]; then
ln -sf /usr/share/zoneinfo/UTC "$TARGET/etc/localtime"
fi
if doing_variant fakechroot; then
install_fakechroot_tools
fi
p; progress $baseprog $bases INSTCORE "Installing core packages" #4
x_core_install $LIBC
p; progress $baseprog $bases INSTCORE "Installing core packages" #5
x_core_install perl-base
p; progress $baseprog $bases INSTCORE "Installing core packages" #6
rm "$TARGET/usr/bin/awk"
x_core_install mawk
p; progress $baseprog $bases INSTCORE "Installing core packages" #7
if doing_variant -; then
x_core_install debconf
fi
baseprog=0
bases=$(set -- $required; echo $#)
info UNPACKREQ "Unpacking required packages..."
exec 7>&1
smallyes '' |
(repeatn 5 in_target_failmsg UNPACK_REQ_FAIL_FIVE "Failure while unpacking required packages. This will be attempted up to five times." "" \
dpkg --status-fd 8 --force-depends --unpack $(debfor $required) 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases UNPACKREQ "Unpacking required packages" UNPACKING
info CONFREQ "Configuring required packages..."
echo \
"#!/bin/sh
exit 101" > "$TARGET/usr/sbin/policy-rc.d"
chmod 755 "$TARGET/usr/sbin/policy-rc.d"
mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL"
echo \
"#!/bin/sh
echo
echo \"Warning: Fake start-stop-daemon called, doing nothing\"" > "$TARGET/sbin/start-stop-daemon"
chmod 755 "$TARGET/sbin/start-stop-daemon"
setup_dselect_method apt
smallyes '' |
(in_target_failmsg CONF_REQ_FAIL "Failure while configuring required packages." "" \
dpkg --status-fd 8 --configure --pending --force-configure-any --force-depends 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases CONFREQ "Configuring required packages" CONFIGURING
baseprog=0
bases="$(set -- $base; echo $#)"
info UNPACKBASE "Unpacking the base system..."
setup_available $required $base
done_predeps=
while predep=$(get_next_predep); do
# We have to resolve dependencies of pre-dependencies manually because
# dpkg --predep-package doesn't handle this.
predep=$(without "$(without "$(resolve_deps $predep)" "$required")" "$done_predeps")
# XXX: progress is tricky due to how dpkg_progress works
# -- cjwatson 2009-07-29
p; smallyes '' |
in_target dpkg --force-overwrite --force-confold --skip-same-version --install $(debfor $predep)
base=$(without "$base" "$predep")
done_predeps="$done_predeps $predep"
done
smallyes '' |
(repeatn 5 in_target_failmsg INST_BASE_FAIL_FIVE "Failure while installing base packages. This will be re-attempted up to five times." "" \
dpkg --status-fd 8 --force-overwrite --force-confold --skip-same-version --unpack $(debfor $base) 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases UNPACKBASE "Unpacking base system" UNPACKING
info CONFBASE "Configuring the base system..."
smallyes '' |
(repeatn 5 in_target_failmsg CONF_BASE_FAIL_FIVE "Failure while configuring base packages. This will be re-attempted up to five times." "" \
dpkg --status-fd 8 --force-confold --skip-same-version --configure -a 8>&1 1>&7 || echo EXITCODE $?) |
dpkg_progress $baseprog $bases CONFBASE "Configuring base system" CONFIGURING
mv "$TARGET/sbin/start-stop-daemon.REAL" "$TARGET/sbin/start-stop-daemon"
rm -f "$TARGET/usr/sbin/policy-rc.d"
progress $bases $bases CONFBASE "Configuring base system"
info BASESUCCESS "Base system installed successfully."
}


@ -0,0 +1,18 @@
version,codename,series,created,release,eol
1.1,Buzz,buzz,1993-08-16,1996-06-17,1997-06-05
1.2,Rex,rex,1996-06-17,1996-12-12,1998-06-05
1.3,Bo,bo,1996-12-12,1997-06-05,1999-03-09
2.0,Hamm,hamm,1997-06-05,1998-07-24,2000-03-09
2.1,Slink,slink,1998-07-24,1999-03-09,2000-10-30
2.2,Potato,potato,1999-03-09,2000-08-15,2003-07-30
3.0,Woody,woody,2000-08-15,2002-07-19,2006-06-30
3.1,Sarge,sarge,2002-07-19,2005-06-06,2008-03-30
4.0,Etch,etch,2005-06-06,2007-04-08,2010-02-15
5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06
6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31
7,Wheezy,wheezy,2011-02-06,2013-05-04
8,Jessie,jessie,2013-05-04,2015-04-25
9,Stretch,stretch,2015-04-25
10,Buster,buster,2018-07-01
,Sid,sid,1993-08-16
,Experimental,experimental,1993-08-16

37
img/avatars/README Normal file

@ -0,0 +1,37 @@
All images in this directory are under a CC0 license, originally from pixabay.com
http://creativecommons.org/publicdomain/zero/1.0
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
moral rights retained by the original author(s) and/or performer(s);
publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
rights protecting the extraction, dissemination, use and reuse of data in a Work;
database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
4. Limitations and Disclaimers.
No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

BIN
img/avatars/anon001.jpg Normal file


BIN
img/avatars/anon002.jpg Normal file


BIN
img/avatars/anon003.jpg Normal file


BIN
img/avatars/anon004.jpg Normal file


BIN
img/avatars/anon005.jpg Normal file


BIN
img/avatars/anon006.jpg Normal file


BIN
img/avatars/blog.png Normal file


BIN
img/avatars/budgie001.jpg Normal file


BIN
img/avatars/budgie002.jpg Normal file


BIN
img/avatars/buffalo001.jpg Normal file



BIN
img/avatars/cat001.jpg Normal file


BIN
img/avatars/cat002.jpg Normal file


BIN
img/avatars/cat003.jpg Normal file


BIN
img/avatars/cat004.jpg Normal file


BIN
img/avatars/cat005.jpg Normal file


BIN
img/avatars/cat006.jpg Normal file


BIN
img/avatars/cat007.jpg Normal file


BIN
img/avatars/cat008.jpg Normal file


BIN
img/avatars/cat009.jpg Normal file


BIN
img/avatars/cat010.jpg Normal file


BIN
img/avatars/cat011.jpg Normal file


BIN
img/avatars/cat12.jpg Normal file


BIN
img/avatars/chat.png Normal file


BIN
img/avatars/chicken001.jpg Normal file


BIN
img/avatars/crow001.jpg Normal file


BIN
img/avatars/deer001.jpg Normal file


BIN
img/avatars/dog001.jpg Normal file


BIN
img/avatars/dog002.jpg Normal file


BIN
img/avatars/dog003.jpg Normal file


BIN
img/avatars/dog004.jpg Normal file


BIN
img/avatars/dog005.jpg Normal file


BIN
img/avatars/dog006.jpg Normal file


BIN
img/avatars/dog007.jpg Normal file


BIN
img/avatars/dog008.jpg Normal file


BIN
img/avatars/dog009.jpg Normal file


BIN
img/avatars/dove001.jpg Normal file


BIN
img/avatars/duck001.jpg Normal file


BIN
img/avatars/duck002.jpg Normal file


BIN
img/avatars/eagle001.jpg Normal file


BIN
img/avatars/eagle002.jpg Normal file


BIN
img/avatars/eagle003.jpg Normal file


BIN
img/avatars/eagle004.jpg Normal file


BIN
img/avatars/flower001.jpg Normal file


BIN
img/avatars/fox001.jpg Normal file


BIN
img/avatars/gnu001.jpg Normal file


BIN
img/avatars/gnu002.jpg Normal file



BIN
img/avatars/help.png Normal file


BIN
img/avatars/horse001.jpg Normal file


BIN
img/avatars/horse002.jpg Normal file


BIN
img/avatars/horse003.jpg Normal file


BIN
img/avatars/horse004.jpg Normal file

