free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move docs

This commit is contained in:
Bob Mottram 2015-01-26 10:36:00 +00:00
parent 5eb71e0d38
commit 2eae676c3a
20 changed files with 9544 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
doc/backups.org → doc/gb/backups.org
View File

0
doc/beaglebone.txt → doc/gb/beaglebone.txt
View File

0
doc/code.org → doc/gb/code.org
View File

0
doc/faq.org → doc/gb/faq.org
View File

0
doc/index.org → doc/gb/index.org
View File

0
doc/installation.org → doc/gb/installation.org
View File

0
doc/related.org → doc/gb/related.org
View File

0
doc/support.org → doc/gb/support.org
View File

0
doc/usage.org → doc/gb/usage.org
View File

0
doc/variants.org → doc/gb/variants.org
View File

120
doc/us/backups.org Normal file
View File

@ -0,0 +1,120 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
#+BEGIN_CENTER
#+ATTR_HTML: :border -1
| [[file:index.html][Home]] |
| [[Backup to USB]] |
| [[Restore from USB]] |
| [[Distributed backups]] |
| [[Restore from a friend]] |
#+END_CENTER
* Backup to USB
Insert a USB thumb drive into the front socket of the Beaglebone Black.
Log into the system and become the root user, then run the /backup/ command.
#+BEGIN_SRC bash
su username@domainname -p 2222
su
backup
#+END_SRC
If this is the first time that you've made a backup then you will be prompted for your GPG key password.
When the backup ends remove the USB drive and keep it somewhere safe. Even if it gets lost or falls into the wrong hands the content is encrypted and so is unlikely to become a source of leaks.
* Restore from USB
Insert the USB thumb drive containing your backup into the front socket of the Beaglebone Black.
Log into the system and become the root user, then run the /restore/ command.
#+BEGIN_SRC bash
su username@domainname -p 2222
su
restore
#+END_SRC
You will be prompted to enter your GPG key password, then when the restore is complete you can remove the USB drive.
* Distributed backups
Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised.
Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the *adduser <username>* command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks will fail. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you.
To add friends servers create a file called /backup.list/ in the following way.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
emacs ~/backup.list
#+END_SRC
Add entries like this. The numbers are the ssh port number to log in on.
#+BEGIN_SRC bash
username1@frienddomain1:2222//home/username1 ssh_password1
username2@frienddomain2:2222//home/username2 ssh_password2
...
#+END_SRC
Save and exit with *CTRL-x CTRL-s* then *CTRL-x CTRL-c*, then type *exit*.
The system will try to backup to these remote locations once per day.
* Restore from a friend
** With a completely new Freedombone installation
This is the ultimate disaster recovery scenario in which you are beginning completely from scratch with new hardware and a new Freedombone installation. It is assumed that the old hardware was destroyed, but that you have the passwords stored within a password manager on a USB thumb drive.
First log in and create a new friends list:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
emacs ~/backup.list
#+END_SRC
Add entries like this. The numbers are the ssh port number to log in on.
#+BEGIN_SRC bash
username1@frienddomain1:2222//home/username1 ssh_password1
username2@frienddomain2:2222//home/username2 ssh_password2
...
#+END_SRC
Save and exit with *CTRL-x CTRL-s* then *CTRL-x CTRL-c*.
Now log in as root and edit the restore script.
#+BEGIN_SRC bash
su
emacs /usr/bin/restorefromfriend
#+END_SRC
Recover your backup password from your password manager and set the PASSPHRASE variable accordingly.
Save and exit with *CTRL-x CTRL-s* and *CTRL-x CTRL-c*.
Then use the command:
#+BEGIN_SRC bash
restorefromfriend <friends server domain name>
#+END_SRC
** On an existing Freedombone installation
This is for more common situations in which maybe some data became corrupted and you want to restore it.
Log in as root:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
su
#+END_SRC
Then use the command:
#+BEGIN_SRC bash
restorefromfriend <friends server domain name>
#+END_SRC

8386
doc/us/beaglebone.txt Normal file
View File

File diff suppressed because it is too large Load Diff

17
doc/us/code.org Normal file
View File

@ -0,0 +1,17 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
| [[file:index.html][Home]] |
Freedombone is really just a couple of [[http://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/gpl-3.0-standalone.html][GNU General Public License version 3]].
You can find the source code for this project [[https://github.com/bashrc/freedombone][on Github]].
Bugs or feature requests should be [[https://github.com/bashrc/freedombone/issues][entered here]].

246
doc/us/faq.org Normal file
View File

@ -0,0 +1,246 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
#+BEGIN_CENTER
#+ATTR_HTML: :border -1
| [[file:index.html][Home]] |
| [[Why not supply a disk image download?]] |
| [[Is metadata protected?]] |
| [[Why isn't dynamic DNS working?]] |
| [[How do I get a domain name?]] |
| [[How do I get a "real" SSL certificate?]] |
| [[Why use self-signed certificates?]] |
| [[Why not use the services of $company instead? They took the Seppuku pledge]] |
#+END_CENTER
* Why not supply a disk image download?
Shipping a Freedombone disk image ready to install on a flash disk would be easy, but disk images are relatively opaque. It would be quite easy to hide something nasty within a disk image and the user might never know. To guard against that possibility installing via the *freedombone* command is a lot more transparent, since it's really just a bash script. You can check the script code to see exactly what it's doing, and the packages are all downloaded from standard Debian repos (you can even choose which one you trust) or git repos. Doing it this way the system is fully auditable, whereas when shipping a disk image it's harder to be confident that no nefarious extras have been added.
* Is metadata protected?
Even when using Freedombone metadata analysis by third parties is still possible. They might have a much harder time knowing what the content is, but they can potentially construct extensive dossiers based upon who communicated with your server when. Metadata leakage is a general problem with most current web systems and it is hoped that more secure technology will become available in future. But for now if metadata protection is your main concern using Freedombone won't help.
* Why isn't dynamic DNS working?
If you run the command:
#+BEGIN_SRC bash
service inadyn status
#+END_SRC
And see some error related to checking for changes in the IP address then you can try other external IP services. Edit */etc/inadyn.conf* and change the domain for the *checkip-url* parameter. Possible sites are:
#+BEGIN_SRC bash
https://check.torproject.org/
https://www.whatsmydns.net/whats-my-ip-address.html
https://www.privateinternetaccess.com/pages/whats-my-ip/
http://checkip.two-dns.de
http://ip.dnsexit.com
http://ifconfig.me/ip
http://ipecho.net/plain
http://checkip.dyndns.org/plain
http://ipogre.com/linux.php
http://whatismyipaddress.com/
http://ip.my-proxy.com/
http://websiteipaddress.com/WhatIsMyIp
http://getmyipaddress.org/
http://www.my-ip-address.net/
http://myexternalip.com/raw
http://www.canyouseeme.org/
http://www.trackip.net/
http://icanhazip.com/
http://www.iplocation.net/
http://www.howtofindmyipaddress.com/
http://www.ipchicken.com/
http://whatsmyip.net/
http://www.ip-adress.com/
http://checkmyip.com/
http://www.tracemyip.org/
http://checkmyip.net/
http://www.lawrencegoetz.com/programs/ipinfo/
http://www.findmyip.co/
http://ip-lookup.net/
http://www.dslreports.com/whois
http://www.mon-ip.com/en/my-ip/
http://www.myip.ru
http://ipgoat.com/
http://www.myipnumber.com/my-ip-address.asp
http://www.whatsmyipaddress.net/
http://formyip.com/
http://www.displaymyip.com/
http://www.bobborst.com/tools/whatsmyip/
http://www.geoiptool.com/
http://checkip.dyndns.com/
http://myexternalip.com/
http://www.ip-adress.eu/
http://www.infosniper.net/
http://wtfismyip.com/
http://ipinfo.io/
http://httpbin.org/ip
#+END_SRC
* How do I get a domain name?
Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead.
Remove any existing nameservers for your domain (or select "custom" nameservers), then add:
#+BEGIN_SRC bash
NS1.AFRAID.ORG
NS2.AFRAID.ORG
NS3.AFRAID.ORG
NS4.AFRAID.ORG
#+END_SRC
It might take a few minutes for the above change to take effect. Within freedns click on "Domains" and add your domains (this might only be available to paid members). Make sure that they're marked as "private".
Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*.
To route email to one of your freedns domains:
#+BEGIN_SRC bash
editor /etc/mailname
#+END_SRC
Add any extra domains which you own, then save and exit.
#+BEGIN_SRC bash
editor /etc/exim4/update-exim4.conf.conf
#+END_SRC
Within dc_other_hostnames add your extra domain names, separated by a colon ':' character.
Save and exit, then restart exim.
#+BEGIN_SRC bash
update-exim4.conf.template -r
update-exim4.conf
service exim4 restart
#+END_SRC
You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox.
* How do I get a "real" SSL certificate?
You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that. You should also have tested that you can send email to the domain and receive it on the Freedombone (via Mutt or any other email client).
When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the Freedombone /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
Firstly you should have a web server site configuration ready to go. See [[Setting up a web site]] for details.
Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code.
Now we can generate the certificate request as follows.
#+BEGIN_SRC bash
export HOSTNAME=mydomainname.com
openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048
chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key
chmod 440 /etc/ssl/private/$HOSTNAME.key
mkdir /etc/ssl/requests
#+END_SRC
Now make a certificate request as follows. You should copy and paste the whole of this, not just line by line.
#+BEGIN_SRC bash
openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOSTNAME.csr
#+END_SRC
For the email address it's a good idea to use postmaster@mydomainname.
Use a random 20 character password, and keep a note of it. We'll remove this later.
View the request with:
#+BEGIN_SRC bash
cat /etc/ssl/requests/$HOSTNAME.csr
#+END_SRC
You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours.
Log into your StartSSL account and select *Retrieve Certificate* from the *Tool Box* tab. Copy the text.
#+BEGIN_SRC bash
editor /etc/ssl/certs/$HOSTNAME.crt
#+END_SRC
Paste the public key, then save and exit. Then on the Freedombone.
#+BEGIN_SRC bash
mkdir /etc/ssl/roots
mkdir /etc/ssl/chains
wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca"
wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem"
wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem"
ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca"
ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca"
cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root"
#+END_SRC
To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups.
#+BEGIN_SRC bash
mkdir /etc/ssl/backups
mkdir /etc/ssl/backups/certs
mkdir /etc/ssl/backups/private
cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/
cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/
chmod -R 400 /etc/ssl/backups/certs/*
chmod -R 400 /etc/ssl/backups/private/*
#+END_SRC
Remove the certificate password, so if the server is rebooted then it won't wait indefinitely for a non-existant keyboard user to type in a password.
#+BEGIN_SRC bash
openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key
cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key
shred -zu /etc/ssl/private/$HOSTNAME.new.key
#+END_SRC
Create a bundled certificate which joins the certificate and chain file together.
#+BEGIN_SRC bash
cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt
#+END_SRC
And also add it to the overall bundle of certificates for the Freedombone. This will allow you to easily install the certificates onto other systems.
#+BEGIN_SRC bash
mkdir /etc/ssl/mycerts
cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts
cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt
tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt
#+END_SRC
Edit your configuration file.
#+BEGIN_SRC bash
editor /etc/nginx/sites-available/$HOSTNAME
#+END_SRC
Add the following to the section which starts with *listen 443*
#+BEGIN_SRC bash
ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
#+END_SRC
Save and exit, then restart the web server.
#+BEGIN_SRC bash
service nginx restart
#+END_SRC
Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]].
* Why use self-signed certificates?
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up scary looking browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/. The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can be trusted. There have been various scandals involving such organisations, and it does not seem plausible to assume that they are somehow immune to the sort of treatment which [[http://en.wikipedia.org/wiki/Lavabit][Lavabit]] received. So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded.
Security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but /good enough to fool most of the people most of the time/ kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving.
For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok.
* Why not use the services of $company instead? They took the Seppuku pledge
[[http://seppuku.cryptostorm.org][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.

32
doc/us/index.org Normal file
View File

@ -0,0 +1,32 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
#+BEGIN_CENTER
#+ATTR_HTML: :border -1
| [[./variants.html][Variants]] | [[./installation.html][Installation]] | [[./usage.html][How to use it]] | [[file:backups.html][Backups]] | [[./code.html][Code]] | [[./related.html][Related Projects]] | [[file:faq.html][FAQ]] | [[file:support.html][Support]] | [[https://www.gnu.org/licenses/gpl-3.0-standalone.html][License]] |
#+END_CENTER
Freedombone is a self-hosted home server configuration which can be installed onto any computer capable of running Debian Jessie. If you have an old laptop or netbook which you can leave turned on then you can use Freedombone to provide your own internet services, such as blogging, wiki, email, chat and social networking and have independence from the well known internet companies.
#+BEGIN_QUOTE
"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we dont control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment." -- Lucas Nussbaum
#+END_QUOTE
Today everyone is concerned about privacy on the internet. At the same time there's a problem with the companies who have traditionally provided most of the web services. The people running those companies may be well-intentioned - as in the famous motto "/don't be evil/" - but the advertising based business model which currently dominates, combined with an increasing level of political pressure to insert backdoors means that it is usually impossible for companies operating within both their own business models and the framework of national laws to provide you with services which don't intentionally leak your private communications to advertisers, insurers or governments.
Another problem is the precariousness of the terms of service. Except in rare cases such terms are not easy to read, so many people end up clicking through terms which if explained more clearly they would never agree to. Over the past decade many internet users have had the unpleasant experience of having their blogs, videos or other web content inexplicably removed, typically due to some ill-defined terms of service violation or a false accusation of copyright infringement.
You can bypass all of these dilemmas and take back ownership of your internet content with Freedombone. Originally based upon the Beaglebone Black, Freedombone is a small and cheap home server which enables you to use email, have your own web site and do social networking without any built-in spying and without having to agree to any legal terms of service other than those of your ISP. It provides independence and security in an era where those things are in short supply.
#+BEGIN_CENTER
[[file:images/surveillance.png]]
#+END_CENTER
An emphasis of the Freedombone project is the protection of private communications from indiscriminate mass surveillance, otherwise known as "/bulk intercept/" or "/warrantless wiretapping/". With only a few exceptions data entering and leaving the system is encrypted using settings recommended by [[https://bettercrypto.org][bettercrypto.org]]. Stored emails are encrypted such that only someone knowing your GPG password can read them and a GPG key is created automatically if you don't already have one. The system is firewalled with only the necessary ports being opened. Exclusively [[http://en.wikipedia.org/wiki/Free_software][free software]] is used so that all of it can potentially be security audited and proprietary repositaries are disabled by default. There are still numerous security problems with the internet in general and software always contains bugs, but a best attempt has been made to ensure that the Freedombone is at least more secure than average. A limitation is that this system will not protect you from metadata analysis, although it is hoped that new types of email system may be able to do that in future.

184
doc/us/installation.org Normal file
View File

@ -0,0 +1,184 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
| [[file:index.html][Home]] | [[Preparation for the Beaglebone Black]] | [[Checklist]] | [[GPG Keys]] | [[Interactive Setup]] | [[Non-Interactive Setup]] | [[Post-Setup]] | [[On Client Machines]] |
* Preparation for the Beaglebone Black
This section is specific to the Beaglebone Black hardware. If you're not using that hardware then just skip to the next section.
To get started you will need:
- A Beaglebone Black
- A MicroSD card
- Ethernet cable
- Optionally a 5V 2A power supply for the Beaglebone Black
- Access to the internet via a router with ethernet sockets
- USB thumb drive (for backups or storing media)
- One or more domains available via a dynamic DNS provider, such as https://freedns.afraid.org
- A purchased domain name and SSL certificate (only needed for Red Matrix)
- A laptop or desktop machine with the ability to write to a microSD card (might need an adaptor)
You will also need to know, or find out, the IP address of your internet router and have a suitable static IP address for the Beaglebone on your local network. The router should allow you to forward ports to the Beaglebone (often this is under firewall or "advanced" settings).
You can either install from a debian package or manually as follows:
#+BEGIN_SRC bash
sudo apt-get update
sudo apt-get install git dialog build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
sudo make install
#+END_SRC
Plug the microSD card into your laptop/desktop and then run the *freedombone-prep* command. For example:
#+BEGIN_SRC bash
freedombone-prep -d /dev/sdX --ip freedombone_IP_address --iprouter router_IP_address
#+END_SRC
where /dev/sdX is the device name for the microSD card. Often it's /dev/sdb or /dev/sdc, depending upon how many drives there are on your system. The script will download the Debian installer and update the microSD card. It can take a while, so be patient.
When the initial setup is done follow the instructions on screen to run the main freedombone command.
* Checklist
Before running the freedombone command you will need a few things.
* Have some domains, or subdomains, registered with a dynamic DNS service
* System with a new installation of Debian Jessie
* Ethernet connection to an internet router
* It is possible to forward ports from the internet router to the system
* If you want to set up a social network or microblog then you will need SSL certificates corresponding to those domains
* Have ssh access to the system
* GPG Keys
If you have existing GPG keys then copy the .gnupg directory onto the system.
#+BEGIN_SRC bash
scp -r ~/.gnupg username@freedombone_IP_address:/home/username
#+END_SRC
* Interactive Setup
The interactive server configuration setup is recommended for most users. On the system where freedombone is to be installed create a configuration file.
#+BEGIN_SRC bash
ssh username@freedombone_IP_address
su
sudo apt-get update
apt-get install git dialog build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
make install
#+END_SRC
Now the easiest way to install the system is via the interactive setup.
#+BEGIN_SRC bash
freedombone menuconfig
#+END_SRC
You can select which variant you wish to install and then enter the details as requested. A video of the install sequence can be [[./installer.ogv][seen here]].
* Non-Interactive Setup
If you don't want to install interactively then it's possible to manually create a configuration file as follows:
On the system where freedombone is to be installed create a configuration file.
#+BEGIN_SRC bash
ssh username@freedombone_IP_address
su
sudo apt-get update
apt-get install git build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
make install
nano /home/username/freedombone/freedombone.cfg
#+END_SRC
Add the following, and set the values as needed.
#+BEGIN_SRC bash
MY_EMAIL_ADDRESS=
MY_NAME=
MY_BLOG_TITLE=
MY_BLOG_SUBTITLE=
FULLBLOG_DOMAIN_NAME=
MICROBLOG_DOMAIN_NAME=
REDMATRIX_DOMAIN_NAME=
OWNCLOUD_DOMAIN_NAME=
WIKI_DOMAIN_NAME=
WIKI_TITLE=
ENABLE_CJDNS=no
LOCAL_NETWORK_STATIC_IP_ADDRESS=
ROUTER_IP_ADDRESS=
#+END_SRC
Both of the IP addresses are local IP addresses, typically of the form 192.168.x.x, with one being for the system and the other being for the internet router.
Save the configuration file and exit from your editor.
Now you can begin the installation. If you are doing this on a Beaglebone Black:
#+BEGIN_SRC bash
freedombone --bbb -d [default domain name] -u [username] --ddns [dynamic DNS provider domain] --ddnsuser [dynamic DNS username] --ddnspass [dynamic DNS password]
#+END_SRC
Or on any other system don't include the *--bbb* option.
#+BEGIN_SRC bash
freedombone -d [default domain name] -u [username] --ddns [dynamic DNS provider domain] --ddnsuser [dynamic DNS username] --ddnspass [dynamic DNS password]
#+END_SRC
The above command should be run in the same directory in which your configuration file exists. You can use any of your domains as the default one, but typically the default domain is the same as the one for your wiki.
Also see the manpage for additional options which can be used instead of a configuration file. If you don't specify a variant type with the final option then everything will be installed. If you have a *freedombone.cfg* file then it should be in the same directory from which the *freedombone* command is run.
* Post-Setup
Setup of the server and installation of all the relevant packages is not quick, and depends upon which variant you choose and your internet bandwidth. Allow about three hours for a full installation on the Beaglebone Black. On the Beaglebone installation is in two parts, since a reboot is needed to enable the hardware random number generator and zram.
When done you can ssh into the Freedombone with:
#+BEGIN_SRC bash
ssh username@domain -p 2222
#+END_SRC
Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX.
On your internet router, typically under firewall settings, open the following ports and forward them to your server.
| Service | Ports |
|---------+------------|
| HTTP | 80 |
| HTTPS | 443 |
| SSH | 2222 |
| DLNA | 1900 |
| DLNA | 8200 |
| XMPP | 5222..5223 |
| XMPP | 5269 |
| XMPP | 5280..5281 |
| IRC | 6697 |
| IRC | 9999 |
| Git | 9418 |
| Email | 25 |
| Email | 587 |
| Email | 465 |
| Email | 993 |
| VoIP | 64738 |
* On Client Machines
You can configure laptops or desktop machines which connect to the Freedombone server in the following way. This alters encryption settings to improve overall security.
#+BEGIN_SRC bash
sudo apt-get update
sudo apt-get install git dialog haveged build-essential
git clone https://github.com/bashrc/freedombone
cd freedombone
sudo make install
freedombone-client
#+END_SRC

36
doc/us/related.org Normal file
View File

@ -0,0 +1,36 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
| [[file:index.html][Home]] |
#+BEGIN_CENTER
The following projects made Freedombone possible.
#+END_CENTER
#+BEGIN_CENTER
[[http://wiki.nginx.org][file:images/nginx.png]]
[[https://www.openssl.org][file:images/openssl.png]]
#+END_CENTER
#+BEGIN_CENTER
[[https://www.gnupg.org][file:images/gnupg.png]]
[[https://www.debian.org/][file:images/debian.png]]
[[http://freedomboxfoundation.org/][file:images/freedombox.png]]
[[http://beagleboard.org/products/beaglebone+black][file:images/beagleboard.png]]
[[https://www.dokuwiki.org/dokuwiki][file:images/dokuwiki.png]]
#+END_CENTER
#+BEGIN_CENTER
[[http://gnu.io][file:images/gnusocial.png]]
[[https://redmatrix.me/][file:images/redmatrix.png]]
#+END_CENTER
#+BEGIN_CENTER
[[https://prosody.im][file:images/prosody.png]]
[[http://owncloud.org][file:images/owncloud.png]]
[[https://bettercrypto.org/][file:images/bettercrypto.png]]
#+END_CENTER

39
doc/us/support.org Normal file
View File

@ -0,0 +1,39 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
You can support the Freedombone project with the following banner ads. Download an image and add it to your site or blog with a link to [[http://freedombone.uk.to][http://freedombone.uk.to]]. If you're using [[https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/][AdBlock]] then you may need to disable it on this page to see the images below.
#+BEGIN_CENTER
[[./ads/freedombone_ad7.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad1.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad2.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad3.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad4.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad5.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[./ads/freedombone_ad6.jpg]]
#+END_CENTER

463
doc/us/usage.org Normal file
View File

@ -0,0 +1,463 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
| [[file:index.html][Home]] | [[Readme]] | [[Using Email]] | [[Mailing List]] | [[Syncing to the Cloud]] | [[Play Music]] | [[Microblogging]] | [[Social Network]] | [[Chat Services]] |
* Readme
After the system has installed a README file will be generated which contains passwords and some brief advice on using the installed systems. You can read this with the following commands:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
emacs ~/README
#+END_SRC
You should transfer any passwords to a password manager such as [[http://www.keepassx.org/][KeepassX]] and then delete them from the README file. To save the file after removing passwords use *CTRL-x CTRL-s*.
To exit you can either just close the terminal or use *CTRL-x CTRL-c* followed by the *exit* command.
* Improving ssh security
To improve ssh security you can generate an ssh key pair on your system and then upload the public key to the Freedombone.
On your local machine:
#+BEGIN_SRC bash
ssh-keygen
#+END_SRC
For extra security you may also want to add a passphrase to the ssh private key. You can show the generated public key with:
#+BEGIN_SRC bash
cat ~/.ssh/id_rsa.pub
#+END_SRC
Copy the contents of *~/.ssh/id_rsa* and *~/.ssh/id_rsa.pub* to you password manager, together with the private key password if you created one.
ssh to the Freedombone and edit the authorized keys:
#+BEGIN_SRC bash
ssh username@domain -p 2222
emacs ~/.ssh/authorized_keys
#+END_SRC
Now copy and paste the contents of *id_rsa.pub* into the authorized_keys file. Save the file and exit. Open another terminal window and try logging in again and you should notice that you are no longer asked for a password, because the ssh key is used instead.
There are advantages and disadvantages to using ssh keys for logins. The advantage is that this is much more secure than a memorised password, but the disadvantage is that you need to carry your ssh keys around and be able to install them on any computer of mobile device that you use. In high security or hostile infosec environments it may not be possible to carry or use USB thumb drives containing your keys and so memorised passwords may be the only available choice.
If you wish to only use ssh keys then log in to the Freedombone and edit */etc/ssh/sshd_config*, then change *PasswordAuthentication* to "no", save and run *service ssh restart*. Any subsequent attempts to log in via a password will then be denied.
* Using Email
** A technical note about email transport security
Port 465 is used for SMTP and this is supposedly deprecated for secure email. However, using TLS from the start of the communications seems far more secure than starting off with insecure communications and then trying to upgrade it with a command to begin TLS, as happens with STARTTLS. There are [[https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks][possible attacks against STARTTLS]] in which the command to begin secure communications is removed or overwritten which could then result in email being transferred in plain text over the internet and be readable by third parties.
** Add a password to your GPG key
If you didn't use existing GPG keys during the Freedombone installation then you'll need to add a password to your newly generated private key. This is highly recommended. Go through the following sequence of commands to ssh into the Freedombone and then change your GPG password.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
gpg --edit-key username@domain
passwd
save
quit
exit
#+END_SRC
Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[http://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]].
** Publishing your GPG public key
If you havn't already then you should publish your GPG public key so that others can find it.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
gpg --send-keys username@domainname
exit
#+END_SRC
** Mutt email client
Mutt is a terminal based email client which comes already installed onto the Freedombone. To access it you'll need to access it via ssh with:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
#+END_SRC
If you're using Windows there is an ssh client called putty, on Linux just open a terminal and enter the above command with your username and domain name. On Android you can use the ConnectBot app with the hostname *username@domain:2222*
Once you have logged in via ssh then just type *mutt*. Like most terminal programs mutt is quite easy once you've learned the main keys.
Some useful keys to know are:
| "/" | Search for text within headers |
| * | Move to the last message |
| TAB | Move to the next unread message |
| d | Delete a message |
| u | Undelete a mail which is pending deletion |
| $ | Delete all messages selected and check for new messages |
| a | Add to the address book |
| m | Send a new mail |
| ESC-m | Mark all messages as having been read |
| S | Mark a message as spam |
| H | Mark a message as ham |
| CTRL-b | Toggle side bar on/off |
| CTRL-n | Next mailbox (on side bar) |
| CTRL-p | Previous mailbox (on side bar) |
| CTRL-o | Open mailbox (on side bar) |
| ] | Expand or collapse all threads |
| [ | Expand of collapse the current thread |
| CTRL-k | Import a PGP/GPG public key |
| q | Quit |
To use the address book system open an email by pressing the enter key on it and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
One of the most common things which you might wish to do is to send an email. To do this first press /m/ to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press /CTRL-x CTRL-s/ to save it and /CTRL-x CTRL-c/ to exit. You will then see a summary of the email to be sent out. Press /y/ to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else.
When reading emails you will initially need to enter your GPG password. It will be retained in RAM for a while afterwards.
** Thunderbird
Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook.
The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself.
*** Initial setup
Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store".
Open Thinderbird
Select "*Skip this and use existing email*"
Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]).
You'll get a message saying "/Thunderbird failed to find the settings/"
The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]].
* Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password
* Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password
* Username: myusername
Click *Done*.
Click *Get Certificate* and make sure "*permanently store this exception*" is selected", then click *Store Security Exception*.
From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar.
Select "*Yes, I want to sign all of my email*"
Select "*No, I will create per-recipient rules*"
Select "*yes*" to change default settings.
*** Import your GPG keys
On the Freedombone export your GPG public and private keys.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
gpg --list-keys username@domainname
gpg --output ~/public_key.gpg --armor --export KEY_ID
gpg --output ~/private_key.gpg --armor --export-secret-key KEY_ID
#+END_SRC
On your laptop or desktop you can import the keys with:
#+BEGIN_SRC bash
scp -P 2222 username@domain:/home/username/*.gpg ~/
#+END_SRC
Select "*I have existing public and private keys*".
Select your public and private GPG exported key files.
Select the account which you want to use and click *Next*, *Next* and *Finish*.
Remove your exported key files, both on your laptop/desktop and also on the Freedombone.
#+BEGIN_SRC bash
shred -zu ~/public_key.gpg
shred -zu ~/private_key.gpg
#+END_SRC
*** Using for the first time
Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side.
Hover over *preferences* and then *Account settings*.
Select *OpenPGP Security* and make sure that *use PGP/MIME by default* is ticked. This will enable you to sign/encrypt attachments, HTML bodies and UTF-8 without any problems.
Select *Synchronization & Storage*.
Make sure that *Keep messages for this account on this computer* is unticked, then click *Ok*.
Click on *Inbox*. Depending upon how much email you have it may take a while to import the subject lines.
Note that when sending an email for the first time you will also need to accept the SSL certificate.
Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not.
*** Making folders visible
By default you won't be able to see any folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible select:
*Menu*, hover over *Preferences*, select *Account Settings*, select *Server Settings* then click on the *Advanced* button.
Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear.
** K9 Android client
*NOTE*: Currently the K9 email client will not work with the Freedombone since it doesn't support PGP/MIME encoding. However, there is development work taking place on that feature and it is hoped that K9 may be usable in the near future.
*** Incoming server settings
* Select settings/account settings
* Select Fetching mail/incoming server
* Enter your username and password
* IMAP server should be your domain name
* Security: SSL/TLS (always)
* Authentication: Plain
* Port: 993
*** Outgoing (SMTP) server settings
* Select settings/account settings
* Select Sending mail/outgoing server
* Set SMTP server to your domain name
* Set Security to SSL/TLS (always)
* Set port to 465
* Set authentication to PLAIN
* Enter your username and password
* Accept the SSL certificate
*** Folders
To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*.
If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*.
** Subscribing to mailing lists
To subscribe to a mailing list so that it appears within Mutt or Thunderbird.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
addmailinglist <username> <mailinglistname> <subjecttag>
exit
#+END_SRC
The subject tag should be the word or phrase which appears within the brackets in the subject line of emails from the mailing list. The mailing list name should be something short so that it is readable within the left side column of the mutt email client.
** Adding email addresses to a group/folder
Similar to adding mailing list folders you can also add specified email addresses into a folder.
#+BEGIN_SRC bash
ssh username@domainname -p 2222
addemailtofolder <username> <emailaddress> <mailinglistname>
exit
#+END_SRC
The mailing list name should be something short so that it is readable within the left side column of the mutt email client.
* Mailing List
If you want to set up a public mailing list then when installing the system remember to set the *PUBLIC_MAILING_LIST* variable within *freedombone.cfg* to the name of your list. The name should have no spaces in it. Public mailing lists are unencrypted so anyone will be able to read the contents, including non subscribers.
To subscribe to your list send a cleartext email to:
#+BEGIN_SRC bash
mymailinglistname+subscribe@domainname
#+END_SRC
Tip: When using the Mutt email client if you want to send an email in cleartext then press *p* (for PGP) on the sending screen and select *clear*. Unsecure email is treated as being the exception rather than the default.
* Syncing to the Cloud
** Initial install
Within a browser go to your owncloud domain, then create an administrator account. The username and password can be anything, and ideally should be generated from a password manager.
You will also need to enter database details:
| Owncloud database user | owncloudadmin |
| Owncloud database password | See the [[Readme]] file |
| Owncloud database name | owncloud |
After creating an administrator account then create a user account via the Users dropdown menu entry on the right hand side and log the details in a password manager. Give the user a quota suitable for the size of your microSD card or other storage.
Log out from the administrator account and then log back in as the user you just created.
** On Android
Within F-droid search for *owncloud* and install the client. Also install *CalDAV Sync Adapter*.
Open the owncloud app and enter your owncloud domain name (including the https prefix) and login details for the user you created.
Open the calendar app and under *settings* add a CalDav account with the url:
#+BEGIN_SRC bash
https://myownclouddomain/remote.php/caldav/principals/myowncloudusername
#+END_SRC
You will also be prompted to enter login details. Your Android and Owncloud calendars should now be synchronised.
** On Linux
Open your software center and search for "owncloud client". Enter your owncloud domain name (with the https prefix) and login details.
You can now drag files into the *~/owncloud* directory and they will automatically sync to your server. It's that easy.
* Play Music
** With the DLNA service
An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on a USB thumb drive and then insert it into from socket on the Beaglebone.
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Then mount the USB drive with:
#+BEGIN_SRC bash
su
attach-music
#+END_SRC
The system will scan the Music directory, which could take a while if there are thousands of files, but you don't need to do anything further with the Beaglebone other than perhaps to log out by typing *exit* a couple of times.
If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are no access controls on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network. If you need to restrict access to certain files then it may be better to use the music player within Owncloud.
** With Owncloud
The main advantage of playing music via Owncloud is that you can do that from anywhere - not only within your home network.
By default a music player is installed into Owncloud, so all you need to do is to visit your Owncloud web site, select the *music* directory and then upload some music files. Afterwards you can select the *music icon* from the top left drop down menu and albums will then appear which can be played. If you want to share music with other users then you can select the *share* option from within the files view to make the tracks available.
* Microblogging
** Initial configuration
To set up your microblog go to:
#+BEGIN_SRC bash
https://yourmicroblogdomainname/install.php
#+END_SRC
and enter the following settings:
| Server SSL | enable |
| Hostname | localhost |
| Type | MySql/MariaDB |
| Name | gnusocial |
| DB username | root |
| DB Password | See the MariaDB password in the [[Readme]] file |
| Administrator nickname | Your username |
| Administrator password | See the [[Readme]] file |
| Subscribe to announcements | ticked |
| Site profile | Community |
When the install is complete you will see a lot of warnings but just ignore those and navigate to your microblog domain and you can then complete the configuration via the *Admin* section on the header bar. Some recommended admin settings are:
| Site settings | Text limit 140, Dupe Limit 60000 |
| User settings | Bio limit 1000 |
| Access settings | /Invite only/ ticked |
* Social Network
** Certificates
You will need to have a non self-signed SSL certificate in order to use Red Matrix. Put the public certificate in */etc/ssl/certs/yourredmatrixdomainname.crt* and the private certificate in */etc/ssl/private/yourredmatrixdomainname.key*. If there is an intermediate certificate needed (such as with StartSSL) then this will need to be concatenated onto the end of the crt file, like this:
#+BEGIN_SRC bash
cat /etc/ssl/certs/yourredmatrixdomainname.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem >
/etc/ssl/certs/yourredmatrixdomainname.bundle.crt
#+END_SRC
Then change ssl_certificate to */etc/ssl/certs/yourredmatrixdomainname.bundle.crt* within */etc/nginx/sites-available/yourredmatrixdomainname*
** Initial install
Visit the URL of your Red Matrix site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running.
When installation is complete you can register a new user.
* Chat Services
** IRC
IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
*** Irssi
If you are using the [[http://www.irssi.org][irssi]] IRC client then you can use the following commands to connect to your IRC server.
#+BEGIN_SRC bash
/server add -auto -ssl yourdomainname 6697
/connect yourdomainname
/join freedombone
#+END_SRC
*** XChat
If you are using the XChat client:
Within the network list click, *Add* and enter your domain name then click *Edit*.
Select the entry within the servers box, then enter *mydomainname/6697* and press *Enter*.
Uncheck *use global user information*.
Enter first and second nicknames and check *auto connect to this network on startup*.
Check *use SSL* and *accept invalid SSL certificate*.
Enter *#freedombone* as the channel name.
Click *close* and then *connect*.
** XMPP/Jabber
*** Managing users
To add a user:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
su
prosodyctl adduser newusername@newdomainname
exit
exit
#+END_SRC
To change a user password:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
su
prosodyctl passwd username@domainname
exit
exit
#+END_SRC
To remove a user:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
su
prosodyctl deluser username@domainname.com
exit
exit
#+END_SRC
Report the status of the XMPP server:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
su
prosodyctl status
exit
exit
#+END_SRC
*** Using with Jitsi
Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
Jitsi can be downloaded from https://jitsi.org
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
*** Using with Ubuntu
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
Enter your username (username@domainname) and password.
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
*** Using with Android
Install [[https://f-droid.org/][F-Droid]]
Search for and install Xabber.
Add an account and enter your Jabber/XMPP ID and password.
From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*.
Make sure that *Check server certificate* is not checked.
Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with.

21
doc/us/variants.org Normal file
View File

@ -0,0 +1,21 @@
#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+BEGIN_CENTER
[[./images/logo.png]]
#+END_CENTER
| [[file:index.html][Home]] |
Freedombone may be installed either in its entirety or as different variants with a more specialised purpose. So for example if you just want to run a blog but don't care about any other services then you can do that. The following variants are available:
| *Mailbox* | An email server with GPG encryption and mailing list |
| *Cloud* | Share files, maintain a calendar and collaborate on document editing |
| *Social* | Social networking with Red Matrix and GNU Social |
| *Media* | Runs media services such as DLNA to play music or videos on your devices |
| *Writer* | Host your blog and wiki |
| *Chat* | Encrypted IRC and XMPP services for one-to-one and many-to-many chat |
| *Nonmailbox* | Installs eveything except for the email server |