Installing Freedombox on Armbian on the Olimex Pioneer

Published: 29-01-2020 | Author: Remy van Elst


FreedomBox is a private server for non-experts: it lets you install and configure server applications with only a few clicks. It runs on cheap hardware of your choice, uses your internet connection and power, and is under your control.

Freedombox is a project that has been running for over 10 years, and last year the Pioneer became available, officially supported and sanctioned by the Freedombox Foundation. This is a home server you can buy from Olimex; it comes in a nice metal case with a proper power supply, network cable, battery and SD card preloaded with Freedombox. Plug in and go. Perfect for users that don't want to tinker but do want their freedom and control. With the Pioneer, both the hardware and software are fully open source.

The Pioneer case is metal and feels very high quality. The logo on it is beautiful. Under the hood there is a Lime 2 board (A20). Here's a picture:

[Image: freedombox]

This guide covers the installation of Freedombox and Debian for the Olimex A20 Lime2 Pioneer with Armbian including reinstalling, Apache SSL certificate and LDAP issues.

I'm not sponsored by Olimex, I bought two Freedomboxes myself. There is also no referral link.

I really love Olimex, have been using their hardware since 2014, made Linux images before Armbian was a thing and even have a commit in the Linux kernel for the A10 board enabling USB OTG. I whole-heartedly recommend their hardware.

Default Freedombox Pioneer Distribution

The Pioneer comes with the operating system on SD card, but that is a customized version of Debian with a few things I dislike. Do note, there is nothing wrong with that system if you want to run Freedombox as provided.

I, however, do like a bit more control and tinkering. For example, the battery works, but you can't get the charge level or status. The filesystem is BTRFS and has a lot of logging enabled, causing way more writes than I like to the SD card. The haveged package is not installed, so installing OpenVPN takes hours due to limited entropy during key generation.

As the Freedombox project is available as a "Debian Pure Blend", you can install it on any system that runs plain Debian. Even if you have an IBM S/390 mainframe, you can install Freedombox because everything is available in the default Debian repository.

You can install another Debian version on the Pioneer and install Freedombox on top of that, allowing for our own setup and customization.

Armbian

Armbian is a project that provides Debian and Ubuntu images for a variety of Arm boards, including the Pioneer A20 Lime2. Their Debian version is compiled for the specific Arm board and has specific tweaks for performance and storage (reducing writes). It also includes a modern mainline kernel which supports the battery.

Follow the instructions on the Armbian site for their Debian version (not Ubuntu). It's as simple as downloading the image and writing it to an SD card (either with dd or, if you're on Windows, Balena Etcher). Boot up your Pioneer, log in via SSH and set up the root password and a new user account. Armbian will ask you interactively.

Do note that if you want to use the same username for Freedombox, you need to remove this user you've created:

userdel USERNAME
rm -rf /home/USERNAME

I assume you will delete the user and use the root user for the rest of the setup of Freedombox. The installation of Freedombox changes the authentication and login of the machine, so it's best not to set up users before installing Freedombox.

Installation of Freedombox

The installation of Freedombox on Armbian is not as simple as just installing the freedombox package. You need another package, otherwise the webserver won't start, and you need to tell the package manager that you don't want to be asked questions. If you don't do that, your LDAP configuration will not work.

Use the below command to install Freedombox:

DEBIAN_FRONTEND=noninteractive apt-get install ssl-cert freedombox 

If you forget the ssl-cert package, the webserver won't start and will log the following error:

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file '/etc/ssl/certs/ssl-cert-snakeoil.pem' does not exist or is empty

Proceed to the Reinstall section of this article, since the setup has not been done correctly. You need to start over.

Setup of Freedombox

When the installation is completed, you will need to wait about 10 minutes or so for Freedombox to complete its initialization. You can follow what the setup is doing a bit by looking at the system log:

journalctl -f

Fire up your web browser, navigate to the IP of your Freedombox and it will tell you when it is ready. If the initialization is not yet done, the page will tell you so and it will auto refresh.

You will be asked for a setup secret, which you can get with the following command:

cat /var/lib/plinth/firstboot-wizard-secret

Enter it on the webpage and continue. If you get an error with the user creation, related to LDAP, you also have a problem and need to reinstall. If you don't, most things will sort of work, except for single sign on and authentication.

An LDAP error looks like this:

[Image: ldap error]

If there are no errors, your setup is complete and you can start using your Freedombox.

LDAP issues

If you do have LDAP issues, see log messages like the ones below repeating in the log, have a setup page which never completes, or see the LDAP server restarting, you need to reinstall. Proceed to the Reinstall section of this article.

Jan 29 08:51:19 freedombox nslcd[27778]: [8b4567] <group/member="root"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [8b4567] <group/member="root"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [3c9869] <group="fbx"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox sudo[27939]:   plinth : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/share/plinth/actions/users first-setup

If you manually execute the first-setup command a more descriptive error message is given:

Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.47+dfsg-3+deb10u1... done.
Moving old database directory to /var/backups:
Backup path /var/backups/unknown-2.4.47+dfsg-3+deb10u1.ldapdb exists. Giving up...
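A small triage helper for the failure signatures quoted in this article (the missing snakeoil certificate, the repeating nslcd errors and the slapd backup path message). This is an added example, not part of the original article; the function names and the threshold of three nslcd errors are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: match the failure signatures
# quoted above against log text on stdin. Names and threshold are assumptions.

triage_freedombox_log() {
    # $1: how many nslcd failures count as "repeating" (assumed default: 3)
    awk -v min_repeats="${1:-3}" '
        # Apache cannot start: the snakeoil certificate from ssl-cert is missing.
        /ssl-cert-snakeoil\.pem.*does not exist or is empty/ { cert = 1 }
        # nslcd lookups against the LDAP directory fail.
        /nslcd\[[0-9]+\]: .*ldap_result\(\) failed: No such object/ { nslcd++ }
        # first-setup gives up because the slapd backup path already exists.
        /Backup path .*\.ldapdb exists\. Giving up/ { slapd = 1 }
        END {
            if (cert)  print "ssl-cert-missing"
            if (slapd) print "slapd-backup-conflict"
            if (nslcd >= min_repeats) print "ldap-lookup-failing"
            if (!cert && !slapd && nslcd < min_repeats) print "no-known-signature"
        }'
}

# Constructed sample, assembled from the log lines quoted in this article.
sample_log() {
    cat <<'EOF'
Jan 29 08:51:19 freedombox nslcd[27778]: [8b4567] <group/member="root"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox nslcd[27778]: [3c9869] <group="fbx"> ldap_result() failed: No such object
Jan 29 08:51:19 freedombox sudo[27939]:   plinth : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/share/plinth/actions/users first-setup
Backup path /var/backups/unknown-2.4.47+dfsg-3+deb10u1.ldapdb exists. Giving up...
EOF
}

# On the box itself: journalctl -b --no-pager | triage_freedombox_log
sample_log | triage_freedombox_log
```

Any of the three signatures means the Reinstall section of this article applies.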

Fail2ban warning

Your log might contain the following message from fail2ban, and it might repeat often:

/lib/systemd/system/fail2ban.service:12: PIDFile= references path below legacy directory /var/run/, updating /var/run/fail2ban/fail2ban.pid -> /run/fail2ban/fail2ban.pid; please update the unit file accordingly.

It's related to this issue and a fix is available here. I don't like logs that are contaminated with messages like this, and an easy fix is available.

This is a one line fix that applies the patch:

sed -i 's:/var/run:/run:g' /lib/systemd/system/fail2ban.service

Restart fail2ban:

systemctl daemon-reload
systemctl restart fail2ban

Reinstall

If you've messed up the setup or have issues afterwards, you can reinstall Freedombox. You do need to remove a few things manually, otherwise the reinstall will fail.

Do note that you will lose all data and applications configured with Freedombox.

Even local backups that you make via the backup module are lost. Create a remote (ssh) backup if you want an easy way to restore, or download a backup to your machine first.

Here are the commands to remove everything and reboot afterwards:

apt-get purge freedombox
rm -rf /var/lib/dpkg/info/slapd.* 
dpkg --remove --force-remove-reinstreq slapd
dpkg --purge slapd
apt-get autoremove --purge
# (Confirm the removal of ldap from nsswitch.conf)
rm -rf /etc/ldap* 
rm -rf /var/lib/ldap*
rm -rf /var/backups/*
rm -rf /etc/apache2
rm -rf /etc/php
rm -rf /var/run/avahi-daemon
rm -rf /etc/firewalld/zones
reboot

After rebooting, you can (re)install Freedombox.

Reinstalling an application

If you want to reinstall an application inside Freedombox, you must first remove it manually via the command line. An example for OpenVPN:

apt-get purge openvpn

Then tell Freedombox that it is removed:

echo "delete from plinth_module where name='openvpn';" | sqlite3 /var/lib/plinth/plinth.sqlite3

There is no way to do this via the web interface.

Update freedombox from backports

Armbian includes the Debian backports repository, so if you want a newer version of Freedombox than is available in Debian stable, you can install it from backports without needing to upgrade your entire system to Debian testing or unstable.

Security updates for backports are not provided by the Debian security team. If security updates are provided, it's on a best-effort basis.

To install or upgrade Freedombox from backports use the following command:

DEBIAN_FRONTEND=noninteractive apt-get -t buster-backports install ssl-cert freedombox

A warning is given in the Freedombox UI if you use the backports version:

[Image: backports]

If you need to install an application from backports, there are instructions here, mirrored below.

Edit the sources list:

apt edit-sources 

Replace stable in the file with unstable. Comment out the lines containing testing-updates or stable-backports.

Update the sources list:

apt update 

Install the application from FreedomBox web interface. Afterwards edit the sources again:

apt edit-sources 

Replace unstable with stable. Don't forget to uncomment the updates or backports lines that were commented earlier.

Update the sources list again:

apt update

Always change the sources list file back; otherwise, the automatic updates that run each night will update your entire Freedombox to Debian unstable.
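One way to verify that the sources list really was switched back is to list every active entry whose suite is still unstable. This is an added example, not part of the original article; the function names are assumptions and only one-line `deb ...` entries are parsed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: list active APT entries that
# still point at Debian unstable. Function names are assumptions; only
# one-line "deb ..." entries are parsed, not deb822 ".sources" files.

active_unstable_sources() {
    # Prints "file:line: entry" per hit; exit status 0 if any were found.
    awk '
        /^[ \t]*#/ { next }                       # commented-out entry
        $1 != "deb" && $1 != "deb-src" { next }   # blank or unrelated line
        {
            i = 2
            # Skip an optional [opt=val ...] block, which can span fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)                      # $i is the URI, then the suite
            if (suite == "unstable" || suite == "sid") {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# Constructed sample: the state in the middle of the procedure above.
sample_sources() {
    cat <<'EOF'
# deb http://deb.debian.org/debian unstable main
deb http://security.debian.org/ buster/updates main
deb [arch=armhf] http://deb.debian.org/debian unstable main
# deb http://deb.debian.org/debian buster-backports main
EOF
}

demo=$(mktemp)
sample_sources > "$demo"
if active_unstable_sources "$demo"; then
    echo "unstable is still enabled: switch back and run apt update"
fi
rm -f "$demo"
```

On a real system, pass /etc/apt/sources.list and the files under /etc/apt/sources.list.d/ as arguments.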
