Best Practices for Setting Up FreedomBox for a Small Home Network

Hi everyone… :wave:

I am new to FreedomBox and excited about the potential it offers for managing a private home server. I’m planning to use it for a small home network with basic services like file sharing, a local chat server and possibly hosting a family wiki.

I have successfully installed FreedomBox on a Raspberry Pi 4, but I want to ensure I am setting it up in the most secure and efficient way. Could anyone share best practices or tips for:

  1. Configuring user access securely?
  2. Enabling and managing backups for critical data?
  3. Choosing the right apps for basic home use?

I also checked this: https://discuss.freedombox.org/t/freedombox-newbie-seeking-guidance-secure-home-network-setudevopsonlinetraining But I have not found any solution. Could anyone guide me about this? Any advice, resources or personal experiences would be greatly appreciated!

Thanks in advance for your help!

Respected community member! :blush:

Hi,

User access is pretty straightforward and then you have to configure users for the apps you install and follow their own guides/Wiki.

What do you want to back up? Syncthing is a good choice, if you are connecting with multiple devices and want a shared folder, an extra HDD would be good to add some storage for items.

Install that on your companion device and you share everything or you just access the FB, by its IP address on your local LAN and then you can download what you want. I can’t help with the other apps; I don’t use them. You can also access it away from home, if your router &/switch is configured properly.

I would install Samba, Syncthing and your favourite WIKI, I don’t know about the chat software.

If you are looking for advanced configuration, it really depends upon what your home hardware can support & what you are doing. It’s Linux, you can really do what you want with it. (In your router, I would assign it a fixed/static IP address, based upon MAC ID).

I don’t think you’ll get a guide as it’s European Christmas and most are offline for the holidays.

Hope this helps!

1 Like

Hi @yirele3827

If you’re using SSH to connect to your FBX, I suggest you enable SSH keys.

Cheers.

1 Like

Samba for file sharing (read/write) on your local network.
Sharing for read-only access from anywhere (select directories within a Samba share, so that you can put files from Samba).

Nextcloud is an alternative but is experimental. Also, Samba and sharing have been in every GNU/Linux machine for decades, so it is extremely stable and perhaps a million times less likely to have a security bug as compared with Nextcloud.

I have an excellent experience with ejabberd. It is not only local. You can use it on PCs (gajim or dino), Android (Conversations/Monocles/Quicksy), iOS (Monal/Quicksy). JSXC also can provide a web interface for it.

You have several apps, I have used mediawiki but I stopped after having some problems, perhaps they are fixed now.

1 Like

As of the upcoming version of FreedomBox, the experimental status for the Nextcloud app is removed.

I would actually argue the opposite. Nextcloud has a better track record of historical high/critical vulnerabilities. And unlike Samba it offers fine-grained access control and second factor authentication.

I did not know this, I don’t have the upcoming version yet.

I am not competent on security, but I have a guess that more complexity comes with more bugs, and probably more vulnerabilities, and Nextcloud does a lot more than the Sharing app. Also, remember that Samba is local only.

On the fine-grained permissions, I actually tried on some Nextcloud instance, it looks nice at first but with time, I realize that I forgot how I set them and I can’t find easily how to have an overview of what I did. So I am not sure that is really more secure in the end.

However, I am also worried about two other aspects:

  • I don’t know who is the “nextcloud community” and how I should trust that they only take free software and from where it comes. Debian has clear procedures, a community that is enforcing them, while here I don’t know.
  • if I use tools that do one thing (like samba, apache, radicale, etc) and stick to super standard things, I can be confident that it will continue to work for a really long time (like 10 years maybe) while with nextcloud, things seem to change really fast, perhaps I will pick for my work flow an option that gets deprecated after 1 year.

These aspects make me not want to depend on nextcloud now.

The official Nextcloud container image contains an all-in-one configuration which includes settings that wouldn’t necessarily fit into the current FreedomBox ecosystem. Also, we use Podman instead of Docker for its systemd capability and Podman is officially not supported for this image. See: Can I run this with Podman instead of Docker?.
What makes the image official is that it is maintained by Nextcloud GmbH, the company behind Nextcloud.

The community image is a much simplified setup that isn’t maintained by Nextcloud GmbH. They however take the official upstream Nextcloud code into the container image so you are really getting the same thing. The source code can be examined at GitHub - nextcloud/docker: ⛴ Docker image of Nextcloud and you can build your own container from there too.

Thanks for the additional insights.

Is docker/30/apache/Dockerfile at master · nextcloud/docker · GitHub the build recipe that is used for the container that plinth may install? In that file, besides the Debian package manager (apt), I see that things called docker-php-ext-install and pecl are used.

I see that pecl is a third party repository. On the related website, I could not find any commitment to only include free software in that repository, and not to fetch anything from any other third party repository when what is there is installed, so I looked at the licenses and tarballs of the components that are installed from there, they all have the PHP license that is a free software license. As files in the tarballs are source .c files, it is necessary to compile them at some point but I could not see any command in the Dockerfile for this, so perhaps this is done by pecl or perhaps pecl is fetching pre-made binaries? I’d like to understand this to make sure nothing else is fetched in order to do this and that the binaries are made using free software only.

With respect to docker-php-install, I could not find where this is taking its software from.

With respect to Nextcloud source files in the archive, was there some checking that these files all have proper licenses and that there is nothing like a binary disguised as a source file (which is something that exists in the upstream Linux kernel and that Debian takes care to remove)? I understand that checking this thoroughly is a tedious task, but I think it is really important. For packages in Debian, I assume this checking was done by people who made the packages.

Is docker/30/apache/Dockerfile at master · nextcloud/docker · GitHub the build recipe that is used for the container that plinth may install?

No, it is docker/30/fpm/Dockerfile at master · nextcloud/docker · GitHub, which you can see here in the FreedomBox source code.

As files in the tarballs are source .c files, it is necessary to compile them at some point but I could not see any command in the Dockerfile for this, so perhaps this is done by pecl or perhaps pecl is fetching pre-made binaries? I’d like to understand this to make sure nothing else is fetched in order to do this and that the binaries are made using free software only.

If you read the PHP Manual, you can see:

$ pecl install extname
This will download the source for extname, compile, and install extname.so into the extension_dir. extname.so may then be loaded via php.ini.

With respect to docker-php-install, I could not find where this is taking its software from.

It also compiles PHP extensions from source. See docs/php at master · docker-library/docs · GitHub.

With respect to Nextcloud source files in the archive, was there some checking that these files all have proper licenses and that there is nothing like a binary disguised as a source file (which is something that exists in the upstream Linux kernel and that Debian takes care to remove)?

To the best of my knowledge none of us checked the files one by one for proper licensing and hidden binaries.
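
A first pass at the "binary disguised as a source file" check raised in this thread can be automated over an unpacked source archive. The script below is an added example, not FreedomBox, Nextcloud or Debian tooling: it flags files with source-like extensions that start with a compiled-format magic number, contain NUL bytes, or hold a long hex-literal array. The extension list and the 256-literal threshold are assumptions, and it does not check licenses.

```python
import os
import re

# Extensions an auditor would expect to hold human-readable source (assumed list).
SOURCE_EXTS = {".c", ".h", ".php", ".js", ".py", ".sh", ".m4", ".inc"}
# Leading magic bytes of common compiled or packed formats.
MAGIC = {
    b"\x7fELF": "ELF object",
    b"MZ": "PE executable",
    b"\x00asm": "WebAssembly module",
    b"\x1f\x8b": "gzip stream",
    b"PK\x03\x04": "zip archive",
}
# A long run of hex byte literals suggests a blob embedded as a C array
# (the 256-literal threshold is an assumption; tune it per code base).
HEX_RUN = re.compile(rb"(?:0x[0-9a-fA-F]{2}\s*,\s*){256,}")


def classify(data):
    """Return a reason string if the bytes do not look like plain source, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return "starts with " + name + " magic"
    if b"\x00" in data:
        return "contains NUL bytes"
    if HEX_RUN.search(data):
        return "long hex-literal array (possible embedded blob)"
    return None


def audit_tree(root):
    """Walk root and return sorted (relative_path, reason) for suspicious source files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = classify(fh.read())
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, why in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel + ": " + why)
```

Every hit needs manual review: UTF-16 text and legitimate lookup tables will also be flagged, and a clean result says nothing about licensing.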