=====Repo Mirror Using Rocky Linux 8=====

https://help.ubuntu.com/community/Rsyncmirror \\
https://computingforgeeks.com/create-local-centos-7-centos-6-mirrors/

Plan is to create a slimmed down mirror of CentOS 7, Rocky Linux 8, ELRepo, Remi PHP Repo, Zimbra Repo and others for internal systems (not as a public mirror or as an archive). Starting with a 500GB disk.

====Base Install====
  * Download and install Rocky Linux 8 minimal, setup FQDN and set static IP, enable NTP and set timezone, set root password, use LVM for partitioning, select minimal software.
==Install Misc Tools, Create Sudo User and Reboot==
<code>
dnf install unzip wget vim tar rsync
dnf update
useradd example_user && passwd example_user
usermod -aG wheel example_user
shutdown -r now
</code>

==Disallow root login over SSH==
  * Login using sudo user
<code>
sudo vim /etc/ssh/sshd_config
</code>
then set
<code>
PermitRootLogin no
</code>

  * Restart sshd
<code>
sudo systemctl restart sshd
</code>

====Setup/Sync Repos CentOS/Rocky====
  * Create Repo Dirs
<code>
sudo mkdir -p /var/mirror/pub/centos/7
sudo mkdir -p /var/mirror/pub/rocky/8
sudo mkdir -p /var/mirror/pub/epel/7
sudo mkdir -p /var/mirror/pub/epel/8
sudo mkdir -p /var/mirror/pub/remi/enterprise/7/php74
sudo mkdir -p /var/mirror/pub/remi/enterprise/8
sudo mkdir -p /var/mirror/pub/debian
</code>

==Repo Mirror Script for CentOS==
https://gist.github.com/didip/4506837
  * Create file centos.sh and chmod +x it

Note: there are excludes so that only the packages I want are synced, modify to your needs
<code bash>
#!/bin/bash

# Number of arguments should be at least 1
if [ $# -lt 1 ]; then
  echo "Usage: $0 centos-version-number"
  exit 1
fi

VERSION=$1

# Change these variables as appropriate
LOCK_FILE=/tmp/centos_mirror_rsync_updates
DOWNLOAD_LOCATION=rsync://mirrors.kernel.org/centos
TARGET_DIR=/var/mirror/pub/centos
RSYNC_RETVAL=1

if [ -f $LOCK_FILE ]; then
  echo "CentOS updates via rsync already running."
  exit 0
fi

echo "Starting rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION..."
mkdir -p $TARGET_DIR/$VERSION

touch $LOCK_FILE

# add --exclude as necessary
rsync  -avSHP --delete --delete-excluded --copy-links --exclude "atomic" --exclude "cloud" --exclude "configmanagement" --exclude "cr" --exclude "dotnet" --exclude "fasttrack" --exclude "infra" --exclude "messaging" --exclude "nfv" --exclude "opstools" --exclude "paas" --exclude "rt" --exclude "sclo"  --exclude "storage"  --exclude "virt" $DOWNLOAD_LOCATION/$VERSION $TARGET_DIR/
RSYNC_RETVAL=$?

rsync -avSHP $DOWNLOAD_LOCATION/RPM-GPG-KEY-CentOS-$VERSION  $TARGET_DIR/RPM-GPG-KEY-CentOS-$VERSION 

/bin/rm -f $LOCK_FILE

if [ $RSYNC_RETVAL -eq 0 ]; then
  echo "Finished rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION."
fi

exit 0
</code>

  * Run the script for CentOS 7:
<code>
sudo ./centos.sh 7
</code>

==Repo Mirror Script for Rocky Linux==
https://gist.github.com/didip/4506837
  * Create file rocky.sh and chmod +x it

Note: there are excludes so that only the packages I want are synced, modify to your needs
<code bash>
#!/bin/bash

# Number of arguments should be at least 1
if [ $# -lt 1 ]; then
  echo "Usage: $0 rocky-version-number"
  exit 1
fi

VERSION=$1

# Change these variables as appropriate
LOCK_FILE=/tmp/rocky_mirror_rsync_update
DOWNLOAD_LOCATION=rsync://mirrors.vcea.wsu.edu/rocky
TARGET_DIR=/var/mirror/pub/rocky
RSYNC_RETVAL=1

if [ -f $LOCK_FILE ]; then
  echo "Rocky updates via rsync already running."
  exit 0
fi

echo "Starting rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION..."
mkdir -p $TARGET_DIR/$VERSION

touch $LOCK_FILE

# add --exclude as necessary
rsync  -avSHP --delete --delete-excluded --copy-links --exclude "AppStream/aarch64" --exclude "AppStream/source" --exclude "AppStream/x86_64/debug" --exclude "AppStream/x86_64/kickstart" --exclude "BaseOS/aarch64" --exclude "BaseOS/source" --exclude "BaseOS/x86_64/iso" --exclude "BaseOS/x86_64/debug" --exclude "BaseOS/x86_64/kickstart" --exclude "Devel" --exclude "HighAvailability" --exclude "isos/aarch64" --exclude "isos/x86_64" --exclude "live/x86_64" --exclude "Live" --exclude "Minimal" --exclude "PowerTools" --exclude "RT" --exclude "ResilientStorage" --exclude "extras/aarch64" --exclude "extras/source" --exclude "extras/x86_64/debug" --exclude "plus/aarch64" --exclude "plus/source" --exclude "plus/x86_64/debug" --exclude "images"  --exclude "nfv"  --exclude "rockypi" $DOWNLOAD_LOCATION/$VERSION $TARGET_DIR/
RSYNC_RETVAL=$?

rsync -avSHP $DOWNLOAD_LOCATION/RPM-GPG-KEY-rockyofficial  $TARGET_DIR/RPM-GPG-KEY-rockyofficial

/bin/rm -f $LOCK_FILE

if [ $RSYNC_RETVAL -eq 0 ]; then
  echo "Finished rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION."
fi

exit 0
</code>
  * Run the script for Rocky Linux 8:
<code>
sudo ./rocky.sh 8
</code>

==EPEL==
Same as Rocky but modified for EPEL. Pick an appropriate mirror closer to you and modify the exclusions as necessary
<code bash>
#!/bin/bash

# Number of arguments should be at least 1
if [ $# -lt 1 ]; then
  echo "Usage: $0 epel-version-number"
  exit 1
fi

VERSION=$1

# Change these variables as appropriate
LOCK_FILE=/tmp/epel_mirror_rsync_update
DOWNLOAD_LOCATION=rsync://dfw.mirror.rackspace.com/epel
TARGET_DIR=/var/mirror/pub/epel
RSYNC_RETVAL=1

if [ -f $LOCK_FILE ]; then
  echo "epel updates via rsync already running."
  exit 0
fi

echo "Starting rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION..."
mkdir -p $TARGET_DIR/$VERSION

touch $LOCK_FILE

# add --exclude as necessary
rsync  -avSHP --delete --delete-excluded --copy-links --exclude "Everything/SRPMS/" --exclude "Everything/aarch64/" --exclude "Everything/ppc64le" --exclude "Everything/s390x/" --exclude "Everything/source/" --exclude "Everything/x86_64/debug/" --exclude "Modular/SRPMS/" --exclude "Modular/aarch64/" --exclude "Modular/ppc64le" --exclude "Modular/s390x/" --exclude "Modular/source/" --exclude "Modular/x86_64/debug/" $DOWNLOAD_LOCATION/$VERSION $TARGET_DIR/
RSYNC_RETVAL=$?

rsync -avSHP $DOWNLOAD_LOCATION/RPM-GPG-KEY-EPEL-$VERSION  $TARGET_DIR/RPM-GPG-KEY-EPEL-$VERSION

/bin/rm -f $LOCK_FILE

if [ $RSYNC_RETVAL -eq 0 ]; then
  echo "Finished rsync from $DOWNLOAD_LOCATION/$VERSION to $TARGET_DIR/$VERSION."
fi

exit 0
</code>

====Setup/Sync Repos Debian====
We're going to use debmirror to create a private mirror: https://linux.die.net/man/1/debmirror

Install EPEL release and debmirror: 
<code>
sudo dnf install epel-release
sudo dnf install debmirror
</code>

Edit the config file:
<code>
sudo vim /etc/debmirror.conf
</code>

Set the variables as such:
<code bash>
# Location of the local mirror (use with care)
$mirrordir="/var/mirror/debian";

# Output options
$verbose=1;
$progress=1;
$debug=0;

# Download options
$host="ftp.us.debian.org";
$user="anonymous";
$passwd="anonymous@";
$remoteroot="debian";
$download_method="rsync";
@dists="bullseye";
@sections="main,main/debian-installer,contrib,non-free";
@arches="amd64";
</code>

==debian-archive-keyring.gpg==
I couldn't find a simple way to get this file on a non-debian system so I ended up grabbing it from another Debian Bullseye/11 install.

Create dir for gpg file:
<code>
sudo mkdir -p /usr/share/keyring
</code>

Copy the debian-archive-keyring.gpg file to /usr/share/keyring

Import the key:
<code>
gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export | gpg --no-default-keyring --keyring trustedkeys.gpg --import
</code>

Run the mirror sync
<code>
sudo ./debmirror
</code> 

====Install Apache====
==Configure hosts==
<code>
sudo vim /etc/hosts
</code>
  *Add a line for your FQDN
<code>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30  mirror.domainname.com mirror
</code>

==Install Apache and Configure Firewall==
<code>
sudo dnf install httpd httpd-tools
sudo systemctl enable httpd
sudo systemctl start httpd
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
</code>


====Create Virtual Hosts====

==Setup virtual host config files==
<code>
sudo vim /etc/httpd/conf.d/mirror.example.conf
</code>
Add the following content. Make sure the website directory path, server name, and PHP version match your setup:

<code>
<Directory /var/mirror>
        Require all granted
        Options +Indexes
</Directory>
<VirtualHost *:80>
     ServerAdmin webmaster@example.com
     ServerName mirror.example.com
     DocumentRoot /var/mirror
     ErrorLog /var/log/httpd/mirror.example.com_error.log
     CustomLog /var/log/httpd/mirror.example.com_access.log combined
</VirtualHost>
<IfModule mod_autoindex.c>
  IndexOptions NameWidth=*
</ifModule>
</code>
Save and close the file when you are finished. Then check the Apache configuration file for any syntax errors:
<code>
sudo httpd -t
</code>
You’ll see the following output:
<code>
Output
Syntax OK
</code>
==Disable Exposing Apache Server Info==
https://www.if-not-true-then-false.com/2009/howto-hide-and-modify-apache-server-information-serversignature-and-servertokens-and-hide-php-version-x-powered-by/ \\
This will help to prevent being the target of a an attack if you're running an out of date or vunerable release
<code>
sudo vim /etc/httpd/conf/httpd.conf
</code>
Add the following:
<code>
ServerSignature Off
ServerTokens Prod
</code>

delete the welconf.conf to disable the default apache welcome page.
<code>
sudo rm /etc/httpd/conf.d/welcome.conf
</code>

==Remove Default Access from httpd.conf==
This is important as it would allow access to the /var/www/html path via HTTP.
<code>
sudo vim /etc/httpd/conf/httpd.conf
</code>
Modify the following statements to mirror the examples below:
<code>
DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all denied
    Options None
</Directory>

<Directory "/var/www/html">
    AllowOverride None
    Require all denied
    Options None
</Directory>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Require all denied
    Options None
</Directory>
</code>

==Set Owner and File Permissons==
<code>
sudo chown -R apache:apache /var/mirror
sudo chmod -R 755 /var/mirror
</code>

==Set SElinux Permissions==
https://www.redhat.com/sysadmin/apache-yum-dnf-repo
<code>
sudo chcon -Rt httpd_sys_content_t /var/mirror/
</code>

Finally, restart the Apache service to implement your changes:
<code>
sudo systemctl restart httpd
</code>

====Automatic Updates for Rocky Linux====

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
<code>
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
</code>

Set:
<code>
upgrade_type = security
download_updates = yes
apply_updates = yes
system_name = (your system name)
emit_via = motd
</code>

Enable the auto-update timer
<code>
sudo systemctl enable --now dnf-automatic.timer
</code>

====fail2ban====

https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
<code>
sudo dnf install epel-release
sudo dnf install fail2ban
</code>

==Create a Jail for SSHd==
<code>sudo vim /etc/fail2ban/jail.d/sshd.local</code>
Add the following:
<code>
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s
</code>

==Create a Jail for Apache==
<code>sudo vim /etc/fail2ban/jail.d/apache.local</code>
Add the following:
<code>
[apache-auth]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-badbots]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-overflows]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-nohome]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-botsearch]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-fakegooglebot]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-shellshock]
enabled = true
port    = http,https
logpath = %(apache_error_log)s
maxretry = 1
</code>

<code>
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd
</code>
====Configure Client Repos====
==CentOS 7==
  * Edit the Repo Config
<code>
sudo vim /etc/yum.repos.d/CentOS-Base.repo
</code>
Comment out any line like
<code>
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
</code>
Uncomment the baseurl lines and change the FQDN to your FQDN or IP of the repo server
<code>
baseurl=http://10.222.0.21/centos/$releasever/os/$basearch/
</code>
Now you should be able to do a yum update.

Rocky 8
<code>
sudo vim /etc/yum.repos.d/Rocky-AppStream.repo
</code>

Modify as such, commenting out mirror and uncommenting baseurl then modifying the url:
<code>
# Rocky-AppStream.repo
#
# The mirrorlist system uses the connecting IP address of the client and the
# update status of each mirror to pick current mirrors that are geographically
# close to the client.  You should use this for Rocky updates unless you are
# manually picking other mirrors.
#
# If the mirrorlist does not work for you, you can try the commented out
# baseurl line instead.

[appstream]
name=Rocky Linux $releasever - AppStream
#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
baseurl=http://10.222.0.21/$contentdir/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
</code>

Repeat for /etc/yum.repos.d/Rocky-BaseOS.repo and any other branches you've included and will use from your local mirror.