Installing Freedombox on Armbian on the Olimex Pioneer
Published: 29-01-2020 | Author: Remy van Elst | Text only version of this article
Table of Contents
FreedomBox is a private server for non-experts: it lets you install and configure server applications with only a few clicks. It runs on cheap hardware of your choice, uses your internet connection and power, and is under your control.
Freedombox is a project that has been running for over 10 years and last year the Pioneer became available, officially supported and sanctioned by the Freedombox Foundation. This is a home server you can buy from Olimex, comes in a nice metal case with a proper power supply, network cable, battery and SD card preloaded with Freedombox. Plug in and go. Perfect for users that don't want to tinker but do want their freedom and control. With the Pioneer, both the hardware and software are fully open source.
The Pioneer case is metal and feels very high quality. The logo on it is beautiful. Under the hood there is a Lime 2 board (A20). Here's a picture:
This guide covers the installation of Freedombox and Debian for the Olimex A20 Lime2 Pioneer with Armbian including reinstalling, Apache SSL certificate and LDAP issues.
I'm not sponsored by Olimex, I bought two Freedomboxes myself. There is also no referral link.
I really love Olimex, have been using their hardware since 2014, made linux images before Armbian was a thing and even have a commit in the linux kernel for the A10 board enabling USB OTG. I whole-heartedly recommend their hardware.
Default Freedombox Pioneer Distribution
The Pioneer comes with the operating system on SD card, but that is a customized version of Debian with a few things I dislike. Do note, there is nothing wrong with that system if you want to run Freedombox as provided.
I however, do like a bit more control and tinkering. For example, the battery
works, but you can't get the charge level or status. The filesystem is BTRFS and
has a lot of logging enabled, causing way more writes than I like to the SD
haveged package is not installed, installing OpenVPN takes
hours due to limited entropy during key generation
As the Freedombox project is available as a "Debian Pure Blend", you can install it on any system that runs plain Debian. Even if you have a IBM S/390 mainframe, you can install Freedombox because everything is available in the default Debian repository.
You can install another Debian version on the Pioneer and install Freedombox on top of that, allowing for our own setup and customization.
Armbian is a project that provides Debian and Ubuntu images for a variety of Arm boards, including the Pioneer A20 Lime2. Their Debian version is compiled for the specific arm board and has specific tweaks for performance and storage (reducing writes). It also includes a modern mainline kernel wich supports the battery.
Follow the instructions on the Armbian site for their Debian version (not
ubuntu). It's as simple as downloading the image and writing it to an SD card
dd or if you're on Windows, Balena Etcher). Boot up your Pioneer,
login via SSH and setup the root password and a new user account. Armbian will
ask you interactively.
Do note that if you want to use the same username for Freedombox, you need to remove this user you've created:
userdel USERNAME rm -rf /home/USERNAME
I assume you will delete the user and use the root user for the rest of the setup of Freedombox. The installation of freedombox changes the authentication and login of the machine, so it's best not to setup users before installing freedombox.
Installation of Freedombox
The installation of Freedombox on Armbian is not as simple as just installing
freedombox. You need another package otherwise the webserver won't
start and you need to tell the package manager that you don't want to be asked
questions. If you don't do that, your LDAP configuration will not work.
Use the below command to install Freedombox:
DEBIAN_FRONTEND=noninteractive apt-get install ssl-cert freedombox
If you forget the
ssl-cert package, the webserver won't start, it will log the
AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile: file '/etc/ssl/certs/ssl-cert-snakeoil.pem' does not exist or is empty
Proceed to the
Reinstall section of this article, since the setup has not been
done correctly. You need to start over.
Setup of Freedombox
When the installation is completed, you will need to wait about 10 minutes or so for Freedombox to complete its initialization. You can follow what the setup is doing a bit by looking at the system log:
Fire up your web browser, navigate to the IP of your Freedombox and it will tell you when it is ready. If the initialization is not yet done, the page will tell you so and it will auto refresh.
You will be asked for a setup secret, which you can get with the following command:
Enter it on the webpage and continue. If you get an error with the user creation, related to LDAP, you also have a problem and need to reinstall. If you don't, most things will sort of work, except for single sign on and authentication.
An LDAP error looks like this:
If there are no errors, your setup is complete and you can start using your Freedombox.
If you do have LDAP issues, or log messages like below, or a setup page which
never completes and the below lines repeating in the log, and the ldap server
restarting, you need to reinstall. Proceed to the
Reinstall section of this
Jan 29 08:51:19 freedombox nslcd: [8b4567] <group/member="root"> ldap_result() failed: No such object Jan 29 08:51:19 freedombox nslcd: [8b4567] <group/member="root"> ldap_result() failed: No such object Jan 29 08:51:19 freedombox nslcd: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object Jan 29 08:51:19 freedombox nslcd: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object Jan 29 08:51:19 freedombox nslcd: [3c9869] <group="fbx"> ldap_result() failed: No such object Jan 29 08:51:19 freedombox sudo: plinth : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/share/plinth/actions/users first-setup
If you manually execute the
first-setup command a more descriptive error
message is given:
Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.47+dfsg-3+deb10u1... done. Moving old database directory to /var/backups: Backup path /var/backups/unknown-2.4.47+dfsg-3+deb10u1.ldapdb exists. Giving up...
Your log might contain the following message from fail2ban, and it might repeat often:
/lib/systemd/system/fail2ban.service:12: PIDFile= references path below legacy directory /var/run/, updating /var/run/fail2ban/fail2ban.pid -> /run/fail2ban/fail2ban.pid; please update the unit file accordingly.
This is a one line fix that applies the patch:
sed -i 's:/var/run:/run:g' /lib/systemd/system/fail2ban.service
systemctl daemon-reload systemctl restart fail2ban
If you've messed up the setup or have issues afterwards, you can reinstall Freedombox. You do need to remove a few things manually, otherwise the reinstall will fail.
Do note that you will loose all data and applications configured with Freedombox.
Even local backups that you make via the backup module are lost. Create a remote (ssh) backup if you want an easy way to restore, or download a backup to your machine first.
Here are the commands to remove everything and reboot afterwards:
apt-get purge freedombox rm -rf /var/lib/dpkg/info/slapd.* dpkg --remove --force-remove-reinstreq slapd dpkg --purge slapd apt-get autoremove --purge # (Confirm the removal of ldap from nsswitch.conf) rm -rf /etc/ldap* rm -rf /var/lib/ldap* rm -rf /var/backups/* rm -rf /etc/apache2 rm -rf /etc/php rm -rf /var/run/avahi-daemon rm -rf /etc/firewalld/zones reboot
After rebooting, you can (re) install freedombox.
Reinstalling an application
If you want to reinstall an application inside Freedombox, you must first remove it manually via the commandline. An example for OpenVPN:
apt-get purge openvpn
Then tell Freedombox that it is removed:
echo "delete from plinth_module where name='openvpn';" | sqlite3 /var/lib/plinth/plinth.sqlite3
There is no way to do this via the webinterface.
Update freedombox from backports
Armbian includes the debian backports repository, so if you want a newer version of Freedombox than is available in debian stable, you can install it from backports without needing to upgrade your entire system to debian testing or unstable.
Security updates are not provided by the debian security team for backports. If security updates are provided, it's on a best effort base.
To install or upgrade Freedombox from backports use the following command:
DEBIAN_FRONTEND=noninteractive apt-get -t buster-backports install ssl-cert freedombox
A warning is given in the Freedombox UI if you use the backports version:
If you need to install an application from backports, there are instructions here, mirrored below.
Edit the sources list:
stable in the file with
unstable. Comment out the lines containing
Update the sources list:
Install the application from FreedomBox web interface. Afterwards edit the sources again:
stable. Don't forget to uncomment the
backports lines that were commented earlier.
Update the sources list again:
Always change back the sources list file, otherwise, the automatic updates that run each night will update your entire freedombox to debian unstable.Tags: allwinner , arm , debian , freedombox , linux , olimex , olinuxino , privacy , security , server , tutorials