freedombone/doc/EN/homeserver.org

148 lines
7.6 KiB
Org Mode

#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, home server
#+DESCRIPTION: Freedombone home server setup
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+attr_html: :width 80% :height 10% :align center
[[file:images/logo.png]]
* Home Server
The quickest way to get started is as follows. You will need to be running a Debian based system (version 8 or later), have an old but still working laptop or netbook which you can use as a server, and 8GB or larger USB thumb drive and an ethernet cable to connect the laptop to your internet router.
First install freedombone onto your local system (not the target hardware that you want to run Freedombone on). On a debian based distro:
#+begin_src bash
sudo apt-get install git dialog build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
git checkout stretch
sudo make install
freedombone-image --setup debian
freedombone-image -t i386 --onion-addresses-only yes
#+end_src
Or on Arch/Parabola:
#+begin_src bash
sudo pacman -S git dialog
git clone https://github.com/bashrc/freedombone
cd freedombone
git checkout stretch
sudo make install
freedombone-image --setup parabola
freedombone-image -t i386 --onion-addresses-only yes
#+end_src
Now prepare your local system to talk to the freedombone by running the following command. This will set up avahi and create ssh keys if necessary.
#+begin_src bash
freedombone-client
#+end_src
#+attr_html: :width 80% :align center
[[file:images/tor_onion.jpg]]
The version in which sites are available only via onion addresses is the easiest to get started with, since you can evaluate the system without committing to buying an ICANN domain name or needing to get involved with SSL/TLS certificates at all. However, if you do want your sites to be available typically as subdomains of a domain name which you own then remove the *--onion-addresses-only yes* option from the last command shown above. Also see the [[./domains.html][guide on setting up an ICANN domain name]].
The *onion-addresses-only* option *does not* mean that everything gets routed through Tor. It's intended to provide accessible web apps with minimum fuss and without needing to buy a clearnet domain name or mess with forwarding ports. Using apps via their onion addresses may provide some degree of anonymity but it may not be perfect and anonymity isn't the aim of this system (if you want that then use [[https://tails.boum.org/][TAILS]]).
If you want to create images for microSD cards used within various single board computers then replace the *i386* with *beaglebone* / *cubieboard2* / *cubietruck* / *a20-olinuxino-lime* / *a20-olinuxino-lime2* / *a20-olinuxino-micro* or *apu*.
#+attr_html: :width 80% :align center
[[file:images/beaglebone_black9.jpg]]
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
List what drives are on your system with:
#+begin_src bash
ls /dev/sd*
#+end_src
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
#+begin_src bash
dd if=/dev/zero of=/dev/sdX bs=32M count=8
dd bs=32M if=myimagefile.img of=/dev/sdX conv=fdatasync,sync,noerror
#+end_src
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use as a server, power on and set the BIOS to boot from the USB stick.
As the system boots for the first time the login is:
#+begin_src bash
username: fbone
password: freedombone
#+end_src
If you're installing from a microSD card on a single board computer without a screen and keyboard attached then you can ssh into it with:
#+begin_src bash
ssh fbone@freedombone.local -p 2222
#+end_src
Using the initial password "/freedombone/".
You will then be shown a new randomly generated password. It's *very important* that you write this down somewhere before going further, because you'll need this to log in later.
You'll be asked to set a username and a "real" name (or nickname), then the rest of the installation will be automatic. Again, it takes a while, so go and do something less boring instead. At the end of the base install you can also choose to install specific apps, but if you want to do that later then just press Enter.
When it's installed on your local system open a terminal and verify the ssh server key hash with:
#+begin_src bash
freedombone-client --verify
#+end_src
This will show the hash code for the public ssh key of the Freedombone system.
#+attr_html: :width 80% :align center
[[file:images/ssh_key_verify.jpg]]
Open another terminal window then run:
#+begin_src bash
freedombone-client
ssh myusername@freedombone.local -p 2222
#+end_src
Use the password you wrote down earlier to log in. Select the *administrator control panel* with up and down cursor keys, space bar and enter key. You should see something like this, and you might need to re-enter your password.
#+attr_html: :width 80% :align center
[[file:images/controlpanel/control_panel.jpg]]
Then select *About*. You'll see a list of sites and their onion addresses.
#+attr_html: :width 100% :align center
[[file:images/controlpanel/control_panel_about.jpg]]
The About screen contains the ssh server public key hashes and you can compare the relevant one with the previous terminal window to verify that they're the same. If they're not then you might have a /machine-in-the-middle/ snooping on you.
You have now confirmed a secure connection. Probably. If you're still sceptical then you can power off the system, remove the microSD card and manually check the public keys within the /etc/ssh directory on the drive.
Press any key to exit from the About screen. You can then select *Add/Remove apps* and add whatever applications you wish to run. Note that some apps will only run on x86 systems, but most will install and run on ARM single board computers. More details on particular apps can be [[./apps.html][found here]].
#+attr_html: :width 80% :align center
[[file:images/controlpanel/control_panel_apps.jpg]]
Once your apps have installed you can go back to the About screen, pick an onion address and try it within a Tor compatible browser. You'll need to know the login passwords and those can be found within the /Passwords/ section of the administrator control panel. An axiom of the Freedombone system is that /if given the choice users will usually use insecure passwords/, so on this system passwords are generated randomly. If you need to then you can transfer the passwords into your favourite password manager and remove them from the server by going to the *Security Settings* section of the administrator control panel and choosing *Export passwords* and *Password storage*.
*Congratulations! You have now become a citizen of the free internet.*
*Use your new powers wisely.*
Of course, this is just one way in which you can install the Freedombone system. If you have a single board computer (SBC) such as a [[./beaglebone.html][BeagleBone Black]] or OLinuxino you can make disk images for those too. You can even create clearnet sites if you have your own domain name. ARM boards with closed proprietary boot blobs are not supported. For more details run:
#+begin_src bash
man freedombone-image
#+end_src
#+attr_html: :width 10% :height 2% :align center
[[file:fdl-1.3.txt][file:images/gfdl.png]]