====Sync Server for Unison on CentOS 8====

This will setups a basic SSH server with the intent of using it as a hub for syncing various devices via Unison over SSH.

Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.

After install is finished reboot -> login -> perform a "dnf update".

====Base Configuration====
==Create limited user account and add to wheel group for sudo==
<code>
useradd example_user && passwd example_user
usermod -aG wheel example_user
</code>

==Install Important Stuff==
<code>
dnf install vim tar wget
</code>

Logout of root and login using sudo user

==Disallow root login over SSH==
<code>
sudo vim /etc/ssh/sshd_config
</code>
then set
<code>
PermitRootLogin no
</code>

==Generate SSH key for sudo user on client computer (not the webserver)==
To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host. \\
https://www.ssh.com/ssh/keygen/

<code>
ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519
</code>

Record the private and public keys in a secure document for the webserver. \\
Copy the public key to the remote webserver. \\

<code>
ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname
</code>

<code>
sudo vim /etc/ssh/sshd_config
</code>
then set
<code>
PasswordAuthentication no
</code>

Restart sshd
<code>
sudo systemctl restart sshd
</code>

Login using SSH key
<code>
ssh -i deployment_key.txt demo@192.237.248.66
</code>

==Configure hosts==
<code>
sudo vim /etc/hosts
</code>
Add a line for your FQDN
<code>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30  sync01.domainname.com sync01
</code>

===Performance Settings===

Set the proper performance profile via tuned-adm:
<code>
tuned-adm profile virtual-guest
</code>
then check to make sure:
<code>
tuned-adm list
</code>
This should adjust the swappiness, change to the scheduler and other things.

==Manually Specify Swappiness==
By default swappiness is set to 10 with the virtual-host profile, if you really want to try to avoid using RAM set it to 10, though make sure you have enough RAM for all of your guests. You might want to set your virtual guests that run linux the same so they avoid swapping if posssible.
<code>
sudo vim /etc/systemctl.conf
</code>
Add the following:
<code>
vm.swappiness = 1
</code>

====Install Unison====
https://geekdudes.wordpress.com/2020/05/05/installing-unison-on-centos-8/

==Enable Power Toys Repo==
<code>
sudo vim /etc/yum.repos.d/CentOS-PowerTools.repo
</code>
Set the Enabled variable to:
<code>
enabled=1
</code>

==Install Packages==
There is no package in EPEL or other for Unison so we'll need to compile it.
<code>
sudo dnf install make ocaml ocaml-camlp4-devel ctags ctags-etags
</code>

==Download Unison==
<code>
wget http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.48.4.tar.gz
</code>
Unpack:
<code>
tar xvfz unison-2.48.4.tar.gz
</code>
==Edit Source File==
<code>
vim unison-2.48.4/src/Makefile.OCaml
</code>
Replace:
<code>
CAMLFLAGS+=-g
</code>
With:
<code>
CAMLFLAGS+=-g -unsafe-string
</code>
==Compile and Install==
<code>
cd unison-2.48.4/src
sudo make
sudo cp unison /usr/bin/
</code>

====Automatic Updates for CentOS====

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
<code>
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
</code>

Set:
<code>
upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd
</code>

Enable the auto-update timer
<code>
sudo systemctl enable --now dnf-automatic.timer
</code>

====fail2ban====

https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
<code>
sudo dnf install fail2ban
</code>

==Create a Jail for SSHd==
<code>sudo vim /etc/fail2ban/jail.d/sshd.local</code>
Add the following:
<code>
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s
</code>

====Add Sync Users====
Here were are going to add local users that will have access only to their home directories by won't be able to login to the console.

==Create Group for Sync Only Users==
https://serverfault.com/questions/242391/can-i-disable-interactive-shell-access-while-tunneling-web-traffic-through-ssh \\
We will use this group to restrict SSH access
<code>
sudo groupadd unison_client
</code>

<code>
sudo useradd sync_user && sudo passwd sync_user
sudo usermod -aG unison_client sync_user
mkdir /home/sync_user/unison
sudo chown -R sync_user:sync_user /home/sync_user
</code>

==Add Options/Restrictions to SSHD for Sync Only Users==
<code>
sudo vim /etc/ssh/sshd_config
</code>
Add the following at the bottom of the file:
<code>
Match group unison_client
   X11Forwarding no
   AllowTcpForwarding no
   PasswordAuthentication yes
</code>

Restart SSHD
<code>
sudo systemctl restart sshd
</code>

Now you can install the unison client on your favorite distro (ok, the one that's most convenient to use) and setup your sync pairs from there.