A => copypaste.txt +409 -0
@@ 1,409 @@
+# By Felix Freeman <libsys@hacktivista.org> 2021
+# License: CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/
+
+# Instrucciones descarga e instalación FreedomBox en español
+- https://wiki.debian.org/es/FreedomBox/Download
+
+# Manual de usuario FreedomBox en español
+- https://wiki.debian.org/es/FreedomBox/Manual
+
+# SSL certificate
+
+# Prepare environment
+mkdir ~/ca/
+cd ~/ca/
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+echo 1000 > crlnumber
+
+wget https://git.hacktivista.org/leechbox/blob/master/openssl.cnf
+
+# Change SSL directory on config file
+dir="$HOME/ca"
+sed -i -Ee "s#^(dir += ).+#\1$dir#" openssl.cnf
+
+# Create root key
+openssl genrsa -aes256 -out private/ca.key 4096
+chmod 400 private/ca.key
+# Root certificate
+openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -subj "/O=Network/CN=Network Root CA" -out certs/ca.crt
+chmod 444 certs/ca.crt
+# Verify certificate
+openssl x509 -noout -text -in certs/ca.crt
+
+# Create server key
+openssl genrsa -out private/freedombox.key 2048
+chmod 400 private/freedombox.key
+# Create server CSR
+openssl req -config openssl.cnf -key private/freedombox.key -new -sha256 -subj "/C=XB/CN=*.freedombox.local" -addext "subjectAltName = DNS:*.freedombox.local, DNS:freedombox.local, DNS:*.youtube.com, DNS:youtube.com, DNS: *.youtube-nocookie.com, DNS: youtube-nocookie.com, DNS:youtu.be, DNS:*.google.cl, DNS:google.cl, DNS:*.twitter.com, DNS:twitter.com, DNS:*.instagram.com, DNS:instagram.com, DNS:instagr.am" -out csr/freedombox.csr
+# Sign server certificate
+openssl ca -config openssl.cnf -extensions server_cert -days 365 -notext -md sha256 -in csr/freedombox.csr -out certs/freedombox.crt
+chmod 444 certs/freedombox.crt
+
+# Install the root certificate (NOT THE KEY) on your network computers
+sudo trust anchor --store certs/ca.crt
+# For other distros check https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate
+
+# Copy freedombox cert to your freedombox
+scp certs/freedombox.crt private/freedombox.key me@freedombox.local:
+
+# Now go back to the server
+sudo sh -c 'chown root:root freedombox.* && mv freedombox.key /etc/ssl/private/freedombox.local.key && mv freedombox.crt /etc/ssl/certs/freedombox.local.crt'
+sudo -i
+
+# Apply SSL certs to local network cert
+sed -i -e "s/ssl-cert-snakeoil\.pem/freedombox.local.crt/" -e "s/ssl-cert-snakeoil\.key/freedombox.local.key/" /etc/apache2/sites-available/default-ssl.conf
+
+# Move Apache ssl conf to 000-*
+mv /etc/apache2/sites-enabled/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
+
+# Configure DNS
+apt install dnsmasq
+https://freedombox.local/_cockpit/network/firewall # enable port 53
+myip=$(ip address show dev eth0 | sed -nE '/inet /{ s/.*inet (([0-9]{1,3}\.?)+).*/\1/p }')
+cat << EOF | tee -a /etc/dnsmasq.conf
+no-resolv
+
+server=9.9.9.9
+server=1.1.1.1
+
+address=/freedombox.local/youtube.com/instagram.com/twitter.com/$myip
+addn-hosts=/etc/dnsmasq.hosts
+EOF
+echo "$myip youtu.be. instagr.am. www.google.cl. google.cl." | tee /etc/dnsmasq.hosts
+echo 'DNSMASQ_EXCEPT=lo' | tee -a /etc/default/dnsmasq
+systemctl restart dnsmasq
+
+# Configure DNS pointing to Freedombox on Arch
+cat << EOF | sudo tee -a /etc/systemd/resolved.conf
+DNS=192.168.10.2
+Domains=~.
+EOF
+sudo systemctl enable --now systemd-resolved.service
+# or: sudo systemctl restart systemd-resolved.service
+
+
+# CloudTube
+
+https://git.sr.ht/~cadence/tube-docs/tree/main/item/docs
+
+apt install python3-pip npm git
+usermod -s /bin/bash cloudtube
+sudo -iu cloudtube
+
+git clone https://git.sr.ht/~cadence/NewLeaf
+cd NewLeaf
+pip3 install --user -r requirements.txt
+bash -l
+cat << EOF > configuration.py
+website_origin = "http://127.0.0.1:3000"
+bind_host = "127.0.0.1"
+bind_port = 3001
+EOF
+exit
+cat << EOF > /etc/systemd/system/newleaf.service
+[Unit]
+Description=NewLeaf
+
+[Service]
+User=cloudtube
+Group=cloudtube
+Type=simple
+ExecStart=/usr/bin/python3 /home/cloudtube/NewLeaf/index.py
+WorkingDirectory=/home/cloudtube/NewLeaf
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+# Disable logs
+StandardOutput=null
+StandardError=null
+SyslogIdentifier=newleaf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now newleaf
+
+sudo -iu cloudtube
+git clone https://git.sr.ht/~cadence/cloudtube
+cd cloudtube
+npm install
+cat << EOF > config/config.js
+module.exports = {
+ user_settings: {
+ instance: {
+ default: "http://localhost:3001"
+ }
+ }
+}
+EOF
+exit
+cat << EOF > /etc/systemd/system/cloudtube.service
+[Unit]
+Description=cloudtube website
+
+[Service]
+User=cloudtube
+Group=cloudtube
+Type=simple
+ExecStart=/usr/bin/node /home/cloudtube/cloudtube/server.js
+WorkingDirectory=/home/cloudtube/cloudtube
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+SyslogIdentifier=cloudtube
+
+[Install]
+WantedBy=default.target
+EOF
+systemctl enable --now cloudtube
+cat << EOF > /etc/apache2/sites-available/cloudtube.conf
+<VirtualHost *:80>
+ ServerName cloudtube.freedombox.local
+ ServerAlias www.youtube.com m.youtube.com youtube.com youtu.be youtube-nocookie.com www.youtube-nocookie.com
+
+ Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<IfModule mod_ssl.c>
+ <VirtualHost *:443>
+ ServerName youtu.be
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/freedombox.local.crt
+ SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+ RedirectMatch /(.*) https://www.youtube.com/watch?v=$1
+ </VirtualHost>
+
+ <VirtualHost *:443>
+ ServerName cloudtube.freedombox.local
+ ServerAlias www.youtube.com m.youtube.com youtube.com youtube-nocookie.com www.youtube-nocookie.com
+
+ ServerAdmin sir@hacktivista.com
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/freedombox.local.crt
+ SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+ <Location "/embed/">
+ RedirectMatch /embed/(.*) /watch?v=$1
+ </Location>
+
+ ProxyPass / http://127.0.0.1:10412/
+ </VirtualHost>
+</IfModule>
+EOF
+ln -s /etc/apache2/sites-available/cloudtube.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Bibliogram
+apt update && apt install fish net-tools graphicsmagick -y
+useradd bibliogram -m -r -g nogroup -s /usr/sbin/nologin -k /dev/null -d /opt/bibliogram
+cd /opt/bibliogram
+alias subg='sudo -u bibliogram'
+subg git clone https://git.sr.ht/~cadence/bibliogram-updater .
+subg ./run.fish # y https://bibliogram.freedombox.local 10407 y n no
+bind 'set disable-completion on'
+cat << EOF > /etc/systemd/system/bibliogram.service
+[Unit]
+Description=bibliogram
+
+[Service]
+User=bibliogram
+Group=nogroup
+Type=simple
+ExecStart=/usr/bin/fish run.fish
+WorkingDirectory=/opt/bibliogram
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+SyslogIdentifier=bibliogram
+
+[Install]
+WantedBy=default.target
+EOF
+systemctl daemon-reload
+systemctl enable --now bibliogram
+
+cat << EOF > /etc/apache2/sites-available/bibliogram.conf
+<VirtualHost *:80>
+ ServerName bibliogram.freedombox.local
+ ServerAlias www.instagram.com instagram.com instagr.am
+
+ Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName bibliogram.freedombox.local
+ ServerAlias www.instagram.com instagram.com instagr.am
+
+ ServerAdmin sir@hacktivista.com
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/freedombox.local.crt
+ SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+ ProxyPass / http://127.0.0.1:10407/
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/bibliogram.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Nitter
+apt install pwgen
+sudo -iu fbx
+mkdir src
+cd src
+wget https://nim-lang.org/download/nim-1.4.6.tar.xz
+tar xf nim-1.4.6.tar.xz
+rm nim-1.4.6.tar.xz
+cd nim-1.4.6
+sh build.sh
+bin/nim c koch
+./koch boot -d:release
+./koch tools
+exit
+echo 'PATH="/home/fbx/src/nim-1.4.6/bin:$PATH"' | tee /etc/profile.d/nim.sh
+sed -n '/secure_path/{ s#"$#:/home/fbx/src/nim-1.4.6/bin"#p }' /etc/sudoers | tee /etc/sudoers.d/nim
+bash -l
+useradd nitter -m -r -s /usr/sbin/nologin -k /dev/null -d /opt/nitter
+apt install libsass-dev redis-server
+cd /opt/nitter
+alias sunt='sudo -u nitter'
+sunt git clone https://github.com/zedeus/nitter .
+sunt nimble build -d:release
+sunt nimble scss
+vim nitter.conf # address 127.0.0.1, port 17732, https true, hostname nitter.freedombox.local, hmacKey :.!pwgen -s 32 1
+cat << EOF > /etc/systemd/system/nitter.service
+[Unit]
+Description=Nitter (An alternative Twitter front-end)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+
+# set user and group
+User=nitter
+Group=nitter
+
+# configure location
+WorkingDirectory=/opt/nitter
+ExecStart=/opt/nitter/nitter
+
+Restart=always
+RestartSec=15
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now redis-server
+systemctl enable --now nitter
+bind 'set disable-completion on'
+cat << EOF > /etc/apache2/sites-available/nitter.conf
+<VirtualHost *:80>
+ ServerName nitter.freedombox.local
+ ServerAlias www.twitter.com twitter.com
+
+ Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName nitter.freedombox.local
+ ServerAlias www.twitter.com twitter.com
+
+ ServerAdmin sir@hacktivista.com
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/freedombox.local.crt
+ SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+ ProxyPreserveHost On
+ ProxyPass / http://127.0.0.1:17732/ nocanon
+ ProxyPassReverse / http://127.0.0.1:17732/
+ AllowEncodedSlashes On
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/nitter.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
+
+# Whoogle
+
+apt-get install -y libcurl4-openssl-dev libssl-dev libffi-dev
+useradd whoogle -g nogroup -m -r -s /usr/sbin/nologin -k /dev/null -d /opt/whoogle
+cd /opt/whoogle
+alias user='sudo -u whoogle'
+user git clone https://github.com/benbusby/whoogle-search.git src
+user pip3 install --user -r src/requirements.txt
+cat << EOF > /etc/systemd/system/whoogle.service
+[Unit]
+Description=Whoogle
+
+[Service]
+Environment=WHOOGLE_CONFIG_ALTS=0
+Environment=WHOOGLE_CONFIG_LANGUAGE=lang_es
+Environment=WHOOGLE_CONFIG_GET_ONLY=0
+Environment=WHOOGLE_CONFIG_URL=https://whoogle.freedombox.local
+
+Type=simple
+
+User=whoogle
+
+WorkingDirectory=/opt/whoogle/src
+ExecStart=/usr/bin/python3 -um app --host 127.0.0.1 --port 5000
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=always
+RestartSec=3
+
+SyslogIdentifier=whoogle
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --now whoogle
+
+bind 'set disable-completion on'
+cat << EOF > /etc/apache2/sites-available/whoogle.conf
+<VirtualHost *:80>
+ ServerName whoogle.freedombox.local
+ ServerAlias www.google.cl google.cl
+
+ Redirect / https://%{SERVER_NAME}/
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName whoogle.freedombox.local
+ ServerAlias www.google.cl google.cl
+
+ ServerAdmin sir@hacktivista.com
+
+ ErrorLog \${APACHE_LOG_DIR}/error.log
+ CustomLog \${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/freedombox.local.crt
+ SSLCertificateKeyFile /etc/ssl/private/freedombox.local.key
+
+ ProxyPass / http://127.0.0.1:5000/
+</VirtualHost>
+EOF
+bind 'set disable-completion off'
+ln -s /etc/apache2/sites-available/whoogle.conf /etc/apache2/sites-enabled/
+sudo systemctl reload apache2
A => openssl.cnf +124 -0
@@ 1,124 @@
+# OpenSSL CA configuration file.
+#
+# License: CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0/
+# Copyright (c) 2021, Felix Freeman <libsys@hacktivista.org>
+# Copyright (c) 2013-2015, Jamie Nguyen <j@jamielinux.com>
+#
+# Has been modified, find originals on:
+# https://jamielinux.com/docs/openssl-certificate-authority/
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = CHANGEME
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key
+certificate = $dir/certs/ca.crt
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = copy
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning