This sets up a basic SSH server with the intent of using it as a hub for syncing various devices via Unison over SSH.
Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.
After install is finished reboot → login → perform a “dnf update”.
useradd example_user && passwd example_user
usermod -aG wheel example_user
dnf install vim tar wget
Log out of root and log in as the sudo user.
sudo vim /etc/ssh/sshd_config
then set
PermitRootLogin no
To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host.
https://www.ssh.com/ssh/keygen/
ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519
Record the private and public keys in a secure document for the webserver.
Copy the public key to the remote webserver.
ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname
sudo vim /etc/ssh/sshd_config
then set
PasswordAuthentication no
Restart sshd
sudo systemctl restart sshd
Login using SSH key
ssh -i deployment_key.txt demo@192.237.248.66
sudo vim /etc/hosts
Add a line for your FQDN
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30 sync01.domainname.com sync01
Set the proper performance profile via tuned-adm:
tuned-adm profile virtual-guest
then check to make sure:
tuned-adm list
This should adjust the swappiness, change the scheduler and other things.
By default swappiness is set to 10 with the virtual-host profile; if you really want to try to avoid swapping, set it to 10, though make sure you have enough RAM for all of your guests. You might want to set your virtual guests that run Linux the same so they avoid swapping if possible.
sudo vim /etc/sysctl.conf
Add the following:
vm.swappiness = 1
sudo vim /etc/yum.repos.d/CentOS-PowerTools.repo
Set the Enabled variable to:
enabled=1
There is no Unison package in EPEL or any other repo, so we'll need to compile it.
sudo dnf install make ocaml ocaml-camlp4-devel ctags ctags-etags
wget http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.48.4.tar.gz
Unpack:
tar xvfz unison-2.48.4.tar.gz
vim unison-2.48.4/src/Makefile.OCaml
Replace:
CAMLFLAGS+=-g
With:
CAMLFLAGS+=-g -unsafe-string
cd unison-2.48.4/src
sudo make
sudo cp unison /usr/bin/
https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
Set:
upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd
Enable the auto-update timer
sudo systemctl enable --now dnf-automatic.timer
https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo dnf install fail2ban
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
Here we are going to add local users that have access only to their home directories but won't be able to log in to the console.
https://serverfault.com/questions/242391/can-i-disable-interactive-shell-access-while-tunneling-web-traffic-through-ssh
We will use this group to restrict SSH access:
sudo groupadd unison_client
sudo useradd sync_user && sudo passwd sync_user
sudo usermod -aG unison_client sync_user
sudo mkdir /home/sync_user/unison
sudo chown -R sync_user:sync_user /home/sync_user
sudo vim /etc/ssh/sshd_config
Add the following at the bottom of the file:
Match group unison_client
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
Restart SSHD
sudo systemctl restart sshd
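The sshd_config edits above (PermitRootLogin and PasswordAuthentication set to no globally, plus the restricted Match block for the unison_client group) are easy to get subtly wrong: sshd uses the first value it reads for a keyword, so a leftover "PermitRootLogin yes" higher in the file silently wins over the "no" you added at the bottom. The script below is an added audit helper, not part of this guide or of OpenSSH; it reads a config file with awk, takes the first value the way sshd does, and checks the settings this page applies. The two config files it inspects are constructed samples written to temporary files, and the function and variable names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original guide): check an sshd_config for the
# hardening applied on this page. Assumes the plain "Keyword value" syntax used
# here; the "Keyword=value" form and quoted values are not handled.

# Effective global value of a keyword: sshd keeps the FIRST occurrence it reads,
# so we stop at the first match and also stop at the first Match block.
sshd_global_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Value of a keyword inside "Match group <name>" (first occurrence in that block).
sshd_match_group_value() {
    awk -v grp="$2" -v key="$3" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Returns 0 when the file matches the hardened state, 1 otherwise, printing
# one FAIL line per problem so the operator sees what to fix.
audit_sshd_config() {
    cfg="$1"; rc=0
    [ "$(sshd_global_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_global_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no' globally"; rc=1; }
    for kw in X11Forwarding AllowTcpForwarding; do
        [ "$(sshd_match_group_value "$cfg" unison_client "$kw")" = "no" ] \
            || { echo "FAIL: $kw is not disabled for group unison_client"; rc=1; }
    done
    return $rc
}

# Constructed sample configs (not copied from a real host).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: the state this guide ends up with
Port 22
PermitRootLogin no
PasswordAuthentication no
Match group unison_client
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
EOF

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a stale "yes" left above the new "no", and X11 not disabled
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
Match group unison_client
    AllowTcpForwarding no
EOF

audit_sshd_config "$HARDENED_CFG" && echo "hardened sample: OK"
audit_sshd_config "$WEAK_CFG" || echo "weak sample: rejected as expected"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after the edits and again after `systemctl restart sshd`; on a real host `sudo sshd -T` prints the values sshd actually resolved and is the authoritative cross-check for this script.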
Now you can install the Unison client on your favorite distro (ok, the one that's most convenient to use) and set up your sync pairs from there.