Automatic provisioning of Librem 5

Hi! This year I had to change a lot of hardware (notebooks and phones), and this wasted a lot of my time installing software and logging in to the different software and apps.
As Librem 5 is Linux, there must be a more elegant way to set up the phone when one needs a fresh install.
What would be your approach? Would you use Ansible?
Does someone already have some experience, a guide, and maybe some example scripts/Ansible playbooks that one could copy and adjust for one's own needs?

I was going to say something maybe with a bit of humor. Then the bottom half of the screen rolled down and someone by the name of “S” was replying (with an ellipsis). So I wonder what “S” is going to say.

My restore procedure (which I have used a total of three times on the Librem 5 thus far) is:

  1. Reimage the Librem 5 via the flashing tools Purism provides (it nicely works with Fedora from my laptop).
  2. I have a shell script available via web access on my backup server that I download that sets up passwordless ssh on the Linux device from my backup server only.
  3. I then run a restore script against the device from the backup server which prevents backups from running against said device and runs:
    a. Updates the system to get the latest patches
    b. Ansible for configuration and package installs
    c. Rsyncs over the latest backup to the device (I just back up /home on my Librem 5)

Overall it works pretty well and is nice, as once I get to run the restore script I can largely ignore it until it’s finished. I use this process on all the computers in my house (obviously with a USB drive install instead of the flash for the non-Librem 5 systems). It does require that you re-test it every once in a while, as with upgrades to new OS versions packages change names, and sometimes config files change enough to break the Ansible. This is all on my LAN so no internet

There also are a few differences between distros that can give you problems with initial setup (such as different paths to config files or package names). Overall it works pretty well for me. Maintaining it generally requires a couple of hours a year of my time to test the ansible runs smoothly still.

I did attempt to see if I could port this approach to a degoogled Android, and can say it’s too hard/way too much maintenance to keep working.


Could you share some anonymized scripts so that one could use them as an example? It is much easier to edit a script than to write it from scratch.

My host setup script:
#!/bin/bash
# Run as root on the freshly flashed device.

### Package Manager

# Detect the package manager (apt-get wins if both are present, as before)
if command -v dnf >/dev/null 2>&1; then
	PACKAGE_MANAGER=dnf
fi
if command -v apt-get >/dev/null 2>&1; then
	PACKAGE_MANAGER=apt-get
fi

if [[ -z "$PACKAGE_MANAGER" ]]; then
	echo "Error! Cannot detect package manager"
	exit 1
fi

### Install needed software
$PACKAGE_MANAGER install openssh-server
$PACKAGE_MANAGER install ansible


## Setup ssh keys
mkdir -p /root/.ssh
chmod 700 /root/.ssh
echo '<public key goes here>' > /root/.ssh/authorized_keys
# A key file needs no execute bit: 600, not 700
chmod 600 /root/.ssh/authorized_keys

## Setup ssh
# Allow root logins by key only, whether the directive was commented out or already set
# ("without-password" is the older spelling of "prohibit-password")
sed -i 's/^#PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config
sed -i 's/^PermitRootLogin .*/PermitRootLogin without-password/' /etc/ssh/sshd_config
systemctl enable sshd
systemctl start sshd
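The restore procedure earlier in the thread describes passwordless ssh "from my backup server only"; one way to enforce that on the device is the `from=` option in authorized_keys. This is an added example, not part of the posted script, and the address and key passed to it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): write an authorized_keys entry
# that sshd accepts only when the connection comes from one source address.

NL='
'

# Print an authorized_keys line limited to source_ip, with forwarding disabled.
restricted_key_line() {
	source_ip=$1 pubkey=$2
	# Only a plain IPv4/IPv6 literal; a quote or comma could smuggle in options
	case $source_ip in
		''|*[!0-9A-Fa-f:.]*) echo "invalid source address" >&2; return 1 ;;
	esac
	# A second line would become a second, unrestricted key
	case $pubkey in
		*"$NL"*) echo "key must be a single line" >&2; return 1 ;;
	esac
	key_type=${pubkey%% *}
	rest=${pubkey#* }
	key_blob=${rest%% *}
	case $key_type in
		ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
		*) echo "unsupported key type" >&2; return 1 ;;
	esac
	case $key_blob in
		''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
	esac
	printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
		"$source_ip" "$pubkey"
}

# Write the entry into ssh_dir (for example /root/.ssh) with strict modes.
install_restricted_key() {
	ssh_dir=$1
	line=$(restricted_key_line "$2" "$3") || return 1
	mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
	# umask 077 so the file is never readable by others, even briefly
	( umask 077 && printf '%s\n' "$line" > "$ssh_dir/authorized_keys" ) || return 1
	chmod 600 "$ssh_dir/authorized_keys"
}

# Usage on the device, as root (placeholder values):
#   install_restricted_key /root/.ssh <backup server address> '<public key goes here>'
```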

The restore script I think you'd be better off writing your own, I have a lot of custom stuff in it for a variety of things.

More or less the pseudocode is (replace bold with the relevant data):

  1. Reset the known_hosts ssh key for the host (ssh-keygen -R host)
  2. Run ansible (ansible-playbook -l host playbook file)
  3. Restore the backed up paths (rsync -arv --progress backup path/ remote path/)
  4. Reboot the system (ssh host reboot)
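The four restore steps above as one script, added here as an example and not the poster's own restore script. The `root@` login, the `accept-new` host key step and the `DRY_RUN` switch are assumptions of this example; host, playbook and paths are arguments you supply.

```shell
#!/bin/sh
# Added example (not the poster's restore script): the four restore steps,
# run from the backup server. DRY_RUN=1 prints the commands instead of
# running them, so the plan can be reviewed first.

run() {
	if [ "${DRY_RUN:-0}" = 1 ]; then
		printf '%s\n' "$*"
	else
		"$@"
	fi
}

# restore_device HOST PLAYBOOK BACKUP_PATH REMOTE_PATH
restore_device() {
	host=$1 playbook=$2 backup=$3 remote=$4
	# A host starting with "-" would be read as an option by ssh and rsync
	case $host in
		''|-*|*[!A-Za-z0-9._-]*) echo "invalid host: $host" >&2; return 1 ;;
	esac
	if [ -z "$playbook" ] || [ -z "$backup" ] || [ -z "$remote" ]; then
		echo "usage: restore_device HOST PLAYBOOK BACKUP_PATH REMOTE_PATH" >&2
		return 1
	fi
	# 1. The reflashed phone has new host keys: drop the stale entry
	run ssh-keygen -R "$host" || return 1
	# Record the new key on first contact (trust on first use on the LAN);
	# accept-new still refuses a key that changes afterwards
	run ssh -o StrictHostKeyChecking=accept-new "root@$host" true || return 1
	# 2. Configuration and package installs, limited to this host
	run ansible-playbook -l "$host" "$playbook" || return 1
	# 3. Restore the backup; trailing slashes copy the directory contents
	run rsync -a --progress "${backup%/}/" "root@$host:${remote%/}/" || return 1
	# 4. Reboot into the restored system
	run ssh "root@$host" reboot
}

# Usage (hypothetical names):
#   DRY_RUN=1 restore_device librem5.lan site.yml /backup/librem5/home /home
```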

dd

Flash the phone, set it up the way you like it, then use Jumpdrive to make the eMMC drive available to your host computer, then dd to make a disk image.

Then you can do a fresh install by using Jumpdrive and dd to restore the disk image.

That’s going to be badness if you are doing more than one phone because they will end up with the same underlying LUKS encryption key and the same LUKS passphrase. But this is OK to do a fresh install of an existing, single phone.


I’m using NixOS on the laptops of my kids and myself, and on my servers, and plan to use it on the Librem 5.

In NixOS one declares what needs to be installed and configured in a file. There is no need to edit any OS files, and the filesystem is actually mounted read-only. Nix is more powerful than Ansible and Puppet: configuration can be rolled back and forward, one can install multiple versions of the same software, and it is also possible to just try out software in a shell. It is quite complex to use though.

If my laptop breaks down I fetch /etc/nixos/configuration.nix from backup, apply that on a new laptop, and restore /home/ from backup. Last weekend I moved my router from a Raspberry Pi to an Intel-based server by simply merging the relevant configuration.

Example package management (available software: https://search.nixos.org/packages)

Services:

Users:

Programs:

Systemd:

All options: https://nixos.org/manual/nixos/unstable/options.html


Interesting, but I did not want to go to a different OS for now. And learning some Ansible is a useful skill as well, so I wanted to go the PureOS + Ansible path.