freedombonee/doc/EN/installation.org

244 lines
12 KiB
Org Mode

#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
#+BEGIN_EXPORT html
<center>
<h1>Installation</h1>
</center>
#+END_EXPORT
| [[Building an image for a Single Board Computer or Virtual Machine]] |
| [[Checklist]] |
| [[./mesh.html][Mesh network]] |
| [[Installation]] |
| [[Social Key Management - the 'Unforgettable Key']] |
| [[Final Setup]] |
| [[Keydrives]] |
| [[On Client Machines]] |
| [[Administering the system]] |
* Building an image for a Single Board Computer or Virtual Machine
You don't have to trust images downloaded from random internet locations signed with untrusted keys. You can build one from scratch yourself, and this is the recommended procedure for maximum security. For guidance on how to build images see the manpage for the *freedombone-image* command.
Install the freedombone commands onto your laptop/desktop:
#+BEGIN_SRC bash
sudo apt-get install git build-essential dialog
git clone https://github.com/bashrc/freedombone
cd freedombone
sudo make install
#+END_SRC
Then install packages needed for building images:
#+BEGIN_SRC bash
freedombone-image --setup debian
#+END_SRC
or on an Arch/Parabola system:
#+BEGIN_SRC bash
freedombone-image --setup parabola
#+END_SRC
A typical use case to build an 8GB image for a Beaglebone Black is as follows. You can change the size depending upon the capacity of your microSD card.
#+BEGIN_SRC bash
freedombone-image -t beaglebone -s 8G
#+END_SRC
If you prefer an advanced installation with all of the options available then use:
#+BEGIN_SRC bash
freedombone-image -t beaglebone -s 8G --minimal no
#+END_SRC
To build a 64bit Qemu image:
#+BEGIN_SRC bash
freedombone-image -t qemu-x86_64 -s 8G
#+END_SRC
Other supported boards are cubieboard2, cubietruck, olinuxino-lime, olinuxino-lime2 and olinuxino-micro.
If the image build fails with an error such as "/Error reading from server. Remote end closed connection/" then you can specify a debian package mirror repository manually with:
#+BEGIN_SRC bash
freedombone-image -t beaglebone -s 8G -m http://ftp.de.debian.org/debian
#+END_SRC
* Checklist
Before installing Freedombone you will need a few things.
* Have some domains, or subdomains, registered with a dynamic DNS service. For the full install you may need two "official" purchased domains or be using a subdomain provider which is supported by Let's Encrypt.
* System with a new installation of Debian Jessie or a downloaded/prepared disk image
* Ethernet connection between the system and your internet router
* That it is possible to forward ports from the internet router to the system, typically via firewall settings
* Have ssh access to the system, typically via fbone@freedombone.local on port 2222
* Installation
There are three install options: Laptop/Desktop/Netbook, SBC and Virtual Machine.
** On a Laptop, Netbook or Desktop machine
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Jessie onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian enter the following commands:
#+BEGIN_SRC bash
su
apt-get update
apt-get -y install git dialog build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
make install
freedombone menuconfig
#+END_SRC
** On a single board computer (SBC)
Currently the following boards are supported:
* [[https://beagleboard.org/BLACK][Beaglebone Black]]
* [[https://linux-sunxi.org/Cubietech_Cubieboard2][Cubieboard 2]]
* [[https://linux-sunxi.org/Cubietruck][Cubietruck (Cubieboard 3)]]
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME/open-source-hardware][olinuxino Lime]]
* [[https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXIno-LIME2/open-source-hardware][olinuxino Lime2]]
* [[https://www.olimex.com/Products/OlinuXino/A20/A20-OlinuXino-MICRO/open-source-hardware][olinuxino Micro]]
If there is no existing image available then you can build one from scratch. See the section above on how to do that. If an existing image is available then you can download it and check the signature with:
#+BEGIN_SRC bash
gpg --verify filename.img.asc
#+END_SRC
And the hash with:
#+BEGIN_SRC bash
sha256sum filename.img
#+END_SRC
If the image is compressed then decompress it with:
#+BEGIN_SRC bash
unxz filename.img.xz
#+END_SRC
Then copy it to a microSD card. Depending on your system you may need an adaptor to be able to do that.
#+BEGIN_SRC bash
sudo dd bs=1M if=filename.img of=/dev/sdX conv=fdatasync
#+END_SRC
Where *sdX* is the microSD drive. You can check which drive is the microSD drive using:
#+BEGIN_SRC bash
ls /dev/sd*
#+END_SRC
With the drive removed and inserted. Copying to the microSD will take a while, so go and do something less boring instead. When it's complete remove it from your system and insert it into the SBC. Connect an ethernet cable between the SBC and your internet router, then connect the power cable. On the Beaglebone Black you will see some flashing LEDs, but on other SBCs there may not be any visual indication that anything is booting.
With the board connected and running you can ssh into the system with:
#+BEGIN_SRC bash
ssh fbone@freedombone.local -p 2222
#+END_SRC
Using the password 'freedombone'. Take a note of the new login password and then you can proceed through the rest of the installation.
** As a Virtual Machine
Qemu is currently supported, since it's s fully free software system. You can run a 64 bit Qemu image with:
#+BEGIN_SRC bash
qemu-system-x86_64 -m 1G filename.img
#+END_SRC
The default login will be username 'fbone' and password 'freedombone'. Take a note of the new login password and then you can proceed through the rest of the installation.
* Social Key Management - the 'Unforgettable Key'
During the install procedure you will be asked if you wish to import GPG keys. If you don't already possess GPG keys then just select "Ok" and they will be generated during the install. If you do already have GPG keys then there are a few possibilities
** You have the gnupg keyring on an encrypted USB drive
If you previously made a master keydrive containing the full keyring (the .gnupg directory). This is the most straightforward case, but not as secure as splitting the key into fragments.
** You have a number of key fragments on USB drives retrieved from friends
If you previously made some USB drives containing key fragments then retrieve them from your friends and plug them in one after the other. After the last drive has been read then remove it and just select "Ok". The system will then try to reconstruct the key. For this to work you will need to have previously made three or more [[Keydrives]].
** You can specify some ssh login details for friends servers containing key fragments
Enter three or more sets of login details and the installer will try to retrieve key fragments and then assemble them into the full key. This only works if you previously were using remote backups and had social key management enabled.
* Final Setup
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
| Service | Ports |
|-----------+------------|
| HTTP | 80 |
| HTTPS | 443 |
| SSH | 2222 |
| DLNA | 1900 |
| DLNA | 8200 |
| XMPP | 5222..5223 |
| XMPP | 5269 |
| XMPP | 5280..5281 |
| IRC | 6697 |
| Git | 9418 |
| Email | 25 |
| Email | 587 |
| Email | 465 |
| Email | 993 |
| VoIP | 64738 |
| VoIP | 5060 |
| Tox | 33445 |
| Syncthing | 22000 |
* Keydrives
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
** Master Keydrive
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][done from the /Disk Utility/ application]]. Then plug it into the Freedombone system, then from your local machine run:
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select /Administrator controls/ then /Backup and Restore/ then /Backup GPG key to USB (master keydrive)/.
** Fragment keydrives
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][can be done from the /Disk Utility/ application]]. Plug it into the Freedombone system then from your local machine run the following commands:
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select /Administrator controls/ then /Backup and Restore/ then /Backup GPG key to USB (fragment keydrive)/.
Fragments are randomly assigned and so you will need at least three or four keydrives to have enough fragments to reconstruct your original key in a worst case scenario. You can store fragments for different Freedombone systems on the same encrypted USB drive, so you can help to ensure that your friends can also recover their systems. This might be called "/the web of backups/" or "/the web of encryption/". Since you can only write a single key fragment from your Freedombone system to a given USB drive each friend doesn't have enough information to decrypt your backups or steal your identity, even if they turn evil. This is based on the assumption that it may be difficult to get three or more friends to conspire against you all at once.
* On Client Machines
You can configure laptops or desktop machines which connect to the Freedombone server in the following way. This alters encryption settings to improve overall security.
#+BEGIN_SRC bash
sudo apt-get update
sudo apt-get install git dialog haveged build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
sudo make install
freedombone-client
#+END_SRC
* Administering the system
To administer the system after installation log in via ssh, become the root user and then launch the control panel.
#+BEGIN_SRC bash
ssh myusername@freedombone.local -p 2222
#+END_SRC
Select /Administrator controls/ then from there you will be able to perform various tasks, such as backups, adding and removing users and so on. You can also do this via commands, which are typically installed as /usr/local/bin/freedombone* and the corresponding manpages.
#+BEGIN_EXPORT html
<center>
Return to the <a href="index.html">home page</a>
</center>
#+END_EXPORT