This is a text-only version of the following page on https://raymii.org:
---
Title       : 	Installing Freedombox on Armbian on the Olimex Pioneer
Author      : 	Remy van Elst
Date        : 	29-01-2020
URL         : 	https://raymii.org/s/tutorials/Installing_Freedombox_On_Armbian_On_The_Olimex_A20_Pioneer.html
Format      : 	Markdown/HTML
---



> [FreedomBox][1] is a private server for non-experts: it lets you install and
configure server applications with only a few clicks. It runs on cheap hardware
of your choice, uses your internet connection and power, and is under your
control. 

Freedombox is a project that has been running for over 10 years and [last year
the Pioneer][2] became available, officially supported and sanctioned by the
Freedombox Foundation. This is a home server you can [buy from Olimex][7], comes
in a nice metal case with a proper power supply, network cable, battery and SD
card preloaded with Freedombox. Plug in and go. Perfect for users that don't
want to tinker but do want their freedom and control. With the Pioneer, both the
hardware and software are fully open source.  

The Pioneer case is metal and feels very high quality. The logo on it is
beautiful. Under the hood there is a Lime 2 board (A20). Here's a picture:

![freedombox][11]

This guide covers the installation of Freedombox and Debian for the Olimex A20
Lime2 Pioneer with Armbian including reinstalling, Apache SSL certificate and
LDAP issues.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


I'm not sponsored by Olimex, I bought two Freedomboxes myself. There is also no
referral link. 

I really love [Olimex][8], have been using their hardware since 2014, [made
linux images][9] before Armbian was a thing and even have a [commit in the linux
kernel][10] for the A10 board enabling USB OTG. I whole-heartedly recommend
their hardware.

### Default Freedombox Pioneer Distribution

The Pioneer comes with the operating system on SD card, but that is a customized
version of Debian with a few things I dislike. **Do note, there is nothing wrong
with that system if you want to run Freedombox as provided.** 

I however, do like a bit more control and tinkering. For example, the battery
works, but you can't get the charge level or status. The filesystem is BTRFS and
has a lot of logging enabled, causing way more writes than I like to the SD
card. The `haveged` package is not installed, installing OpenVPN takes
hours due to limited entropy during key generation

As the Freedombox project is available as a "Debian Pure Blend", you can install
it on any system that runs plain Debian. Even if you have a [IBM S/390
mainframe][3], you can install Freedombox because everything is available in the
default Debian repository. 

You can install another Debian version on the Pioneer and install Freedombox
on top of that, allowing for our own setup and customization.

### Armbian

Armbian is a project that provides Debian and Ubuntu images for a variety of Arm
boards, including the [Pioneer A20 Lime2][4]. Their Debian version is compiled
for the specific arm board and has specific [tweaks][5] for performance and
storage (reducing writes). It also includes a modern mainline kernel wich
supports the battery.

![armbian][6]

Follow the instructions on the Armbian site for their Debian version (not
ubuntu). It's as simple as downloading the image and writing it to an SD card
(either with `dd` or if you're on Windows, Balena Etcher). Boot up your Pioneer,
login via SSH and setup the root password and a new user account. Armbian will
ask you interactively. 

Do note that if you want to use the same username for Freedombox, you need to
remove this user you've created:

    userdel USERNAME
    rm -rf /home/USERNAME

I assume you will delete the user and use the root user for the rest of the
setup of Freedombox. The  installation of freedombox changes the authentication
and login of the machine,  so it's best not to setup users before installing
freedombox.

### Installation of Freedombox

The installation of Freedombox on Armbian is not as simple as just installing 
the package `freedombox`. You need another package otherwise the webserver won't
start and you need to tell the package manager that you don't want to be asked
questions. If you don't do that, your LDAP configuration will not work.

Use the below command to install Freedombox:

    DEBIAN_FRONTEND=noninteractive apt-get install ssl-cert freedombox 

If you forget the `ssl-cert` package, the webserver won't start, it will log the
following error:

    AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
    SSLCertificateFile: file '/etc/ssl/certs/ssl-cert-snakeoil.pem' does not exist or is empty

Proceed to the `Reinstall` section of this article, since the setup has not been
done correctly. You need to start over. 

### Setup of Freedombox

When the installation is completed, you will need to wait about 10 minutes or so
for Freedombox to complete its initialization. You can follow what the setup is
doing a bit by looking at the system log:

    journalctl -f

Fire up your web browser, navigate to the IP of your Freedombox and it will tell
you when it is ready. If the initialization is not yet done, the page will tell
you so and it will auto refresh. 

You will be asked for a setup secret, which you can get with the following command:

    cat /var/lib/plinth/firstboot-wizard-secret

Enter it on the webpage and continue. If you get an error with the user
creation, related to LDAP, you also have a problem and need to reinstall. If you
don't,  most things will sort of work, except for single sign on and
authentication.

An LDAP error looks like this:

![ldap error][12]

If there are no errors, your setup is complete and you can start using your 
Freedombox. 

### LDAP issues

If you do have LDAP issues, or log messages like below, or a setup page which
never completes and the below lines repeating in the log, and the ldap server
restarting, you need to reinstall. Proceed to the `Reinstall` section of this
article.

    Jan 29 08:51:19 freedombox nslcd[27778]: [8b4567] <group/member="root"> ldap_result() failed: No such object
    Jan 29 08:51:19 freedombox nslcd[27778]: [8b4567] <group/member="root"> ldap_result() failed: No such object
    Jan 29 08:51:19 freedombox nslcd[27778]: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object
    Jan 29 08:51:19 freedombox nslcd[27778]: [7b23c6] <group/member="plinth"> ldap_result() failed: No such object
    Jan 29 08:51:19 freedombox nslcd[27778]: [3c9869] <group="fbx"> ldap_result() failed: No such object
    Jan 29 08:51:19 freedombox sudo[27939]:   plinth : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/share/plinth/actions/users first-setup

If you manually execute the `first-setup` command a more descriptive error
message is given:

    Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.47+dfsg-3+deb10u1... done.
    Moving old database directory to /var/backups:
    Backup path /var/backups/unknown-2.4.47+dfsg-3+deb10u1.ldapdb exists. Giving up...

### Fail2ban warning

Your log might contain the following message from fail2ban, and it might repeat
often:

    /lib/systemd/system/fail2ban.service:12: PIDFile= references path below legacy directory /var/run/, updating /var/run/fail2ban/fail2ban.pid -> /run/fail2ban/fail2ban.pid; please update the unit file accordingly.

It's related to [this issue][13] and a fix is available [here][14]. I don't like
 log that are contaminated with messages like this and an easy fix is available.

This is a one line fix that applies the patch:

    sed -i 's:/var/run:/run:g' /lib/systemd/system/fail2ban.service

Restart fail2ban:

    systemctl daemon-reload
    systemctl restart fail2ban

### Reinstall

If you've messed up the setup or have issues afterwards, you can reinstall
Freedombox.  You do need to remove a few things manually, otherwise the
reinstall will fail.

**Do note that you will loose all data and applications configured with
Freedombox**.

Even local backups that you make via the backup module are lost. Create a remote
 (ssh) backup if you want an easy way to restore, or download a backup to your 
machine first.

Here are the commands to remove everything and reboot afterwards:

    apt-get purge freedombox
    rm -rf /var/lib/dpkg/info/slapd.* 
    dpkg --remove --force-remove-reinstreq slapd
    dpkg --purge slapd
    apt-get autoremove --purge
    # (Confirm the removal of ldap from nsswitch.conf)
    rm -rf /etc/ldap* 
    rm -rf /var/lib/ldap*
    rm -rf /var/backups/*
    rm -rf /etc/apache2
    rm -rf /etc/php
    rm -rf /var/run/avahi-daemon
    rm -rf /etc/firewalld/zones
    reboot

After rebooting, you can (re) install freedombox.

### Reinstalling an application

If you want to reinstall an application inside Freedombox, you must first remove 
it manually via the commandline. An example for OpenVPN:

    apt-get purge openvpn

Then tell Freedombox that it is removed:

    echo "delete from plinth_module where name='openvpn';" | sqlite3 /var/lib/plinth/plinth.sqlite3

There is no way to do this via the webinterface.

### Update freedombox from backports

Armbian includes the debian backports repository, so if you want a newer version
of Freedombox than is available in debian stable, you can install it from
backports without needing to upgrade your entire system to debian testing or
unstable.

__Security updates are not provided by the debian security team for 
backports. If security updates are provided, it's on a best effort base.__

To install or upgrade Freedombox from backports use the following command:

    DEBIAN_FRONTEND=noninteractive apt-get -t buster-backports install ssl-cert freedombox

A warning is given in the Freedombox UI if you use the backports version:

![backports][15]

If you need to install an application from backports, there are [instructions
here][16], mirrored below.

Edit the sources list:

    apt edit-sources 

Replace `stable` in the file with `unstable`. Comment out the lines containing
`testing-updates` or `stable-backports`.

Update the sources list:

    apt update 

Install the application from FreedomBox web interface. Afterwards edit the
sources again:

    apt edit-sources 

Replace `unstable` with `stable`. Don't forget to uncomment the `updates` or
`backports` lines that were commented earlier.

Update the sources list again:
    
    apt update

**Always change back the sources list file, otherwise, the automatic updates that 
run each night will update your entire freedombox to debian unstable**.


[1]: https://freedombox.org/
[2]: https://freedomboxfoundation.org/news/launching_sales/
[3]: https://www.debian.org/ports/s390/
[4]: https://www.armbian.com/olimex-lime-2/
[5]: https://docs.armbian.com/#what-is-armbian
[6]: /s/inc/img/armbian.png
[7]: https://www.olimex.com/Products/OLinuXino/Home-Server/Pioneer-FreedomBox-HSK/open-source-hardware
[8]: /s/tags/olimex.html
[9]: https://olimex.wordpress.com/2015/02/20/building-debian-linux-image-for-a20-olinuxino-lime2-with-mainline-kernel-3-19-new-tutorial-by-remy-van-elst/
[10]: https://github.com/torvalds/linux/commit/b7b1d645bb7a3dab4be9d4114cbe319b67a45c01
[11]: /s/inc/img/pioneer-edition.png
[12]: /s/inc/img/ldap-error.png
[13]: https://github.com/fail2ban/fail2ban/issues/2474
[14]: https://github.com/fail2ban/fail2ban/commit/d5a5efcd5af272372153e86436d7c8cde2ddf66d
[15]: /s/inc/img/backports.png
[16]: https://wiki.debian.org/FreedomBox/QuestionsAndAnswers#A_FreedomBox_application_has_been_removed_from_testing.2Fstable._How_do_I_manually_install_it.3F

---

License:
All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.