Why? I already have such a setup, and have Google Pinyin installed for Chinese input. Shortly after configuring Google Pinyin as my main keyboard, I got a popup reporting that Google Pinyin tried to access my address book. Why? Or how about this: Google breaks networking for anyone in an iffy network environment (that would include all of China) just so Android can have a tantrum because it cannot callback to Google's servers. Why is that necessary? Sadly, even with minimal Google malware, the latter issue means that in China, the newest version of CyanogenMod (CM) I can run is CM11.
Down to business: the following is an outline of the necessary steps, if anyone needs more detail let me know and I will try to fill in the gaps.
First get yourself a CM-compatible phone from , and follow the installation instructions MINUS the bit about installing Google Play and friends. You do not need Google play, and you REALLY do not want it because of all the other Google crap it drags along. You just need to flash the bare CM image. Note that if you use a recent version of Debian or Ubuntu, all the necessary tools for flashing CM are already in the repos.
The first thing you want to install on your newly-flashed CM phone is FDroid. (You can install FDroid with adb, one of the tools you just used to flash the CM image.) FDroid only contains open source software, so install as much of the software as you want / need first from the FDroid reposities. (This is also not blocked within China.) For the stuff you cannot find in FDroid, we will next get by a backdoor method that avoids running Google Play on your phone (which *is* blocked in China, anyway.)
On your (recent Debian/Ubuntu) machine install fdroidserver, apache, and pip. Also install gplaycli as follows:
pip install gplaycli
(Note that gplaycli is often installable by other methods, but in my experience it is extremely sensitive to dependency versions, and probably will not work. Use pip.)
Setup your FDroid repository. (I run this on one of my desktop Linux machines.)
mkdir -p /srv/fdroid/repo
ln -s /srv/fdroid
FDroid apps look automatically for a repository at /fdroid/repo/ for any configured server. The above directory structure and symlink in /var/www/ provides exactly that.
I have a script that updates the repository as follows:
#!/bin/sh echo "Update custom FDroid Google Play mirror:" chown -R user: /srv/fdroid chmod -R 755 /srv/fdroid chmod 600 /srv/fdroid/config.py proxychains /usr/local/bin/gplaycli -u /srv/fdroid/repo --progress --verbose cd /srv/fdroid/ fdroid update --create-metadata
gplaycli updates all Android apps (apk's) in the repo from Google Play. (Note: I use proxychains to proxy this action to a server outside China, where Google Play is blocked.) Then fdroid needs to update the repo metadata for any changes.
Applications in the repo can get there initially by either copying an existing apk file in your possession into the repo, or searching / downloading the apk with gplaycli.
Now on your Android, add the FDroid server you just created as a repository. For this machine on my local network, for example, I just added an IP address like this:
After that, if port 80 is open on your server machine and all permissions are correct, when you next update the repositories in your Android FDroid app, they should make available the apk's in your new repository.
Something really worth noting about CM: if you look in settings under "Privacy", have a look at "Privacy Guard". Any app selected in there (which should be most of them, certainly from among the non-Open Source apps) is blocked from accessing the address book or call logs. That is how I know Google Pinyin tried to access my Address Book, CM told me.
Last I checked reading about LetsEncrypt can make one a bit dizzy, but if you follow these steps it is really very straight forward:
letsencrypt certonly --webroot -d sub.domain.net --webroot-path=/var/www/html/
letsencrypt renew --webroot --webroot-path=/var/www/html/ | mail -s 'renew LetsEncrypt SSL' firstname.lastname@example.org"
On the subject of renewals, as I recall every issued certificate expires after three months, and becomes eligible for renewal after two months. A two week period seems just about right.