Sync Server for Unison on CentOS 8
This sets up a basic SSH server with the intent of using it as a hub for syncing various devices via Unison over SSH.
Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.
After install is finished reboot → login → perform a “dnf update”.
Base Configuration
Create limited user account and add to wheel group for sudo
useradd example_user && passwd example_user
usermod -aG wheel example_user
Install Important Stuff
dnf install vim tar wget
Log out of root and log in as the sudo user
Disallow root login over SSH
sudo vim /etc/ssh/sshd_config
then set
PermitRootLogin no
Generate SSH key for sudo user on client computer (not the webserver)
To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host.
https://www.ssh.com/ssh/keygen/
ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519
Record the private and public keys in a secure document for the webserver.
Copy the public key to the remote webserver.
ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname
sudo vim /etc/ssh/sshd_config
then set
PasswordAuthentication no
Restart sshd
sudo systemctl restart sshd
Login using SSH key
ssh -i deployment_key.txt demo@192.237.248.66
Configure hosts
sudo vim /etc/hosts
Add a line for your FQDN
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30 sync01.domainname.com sync01
Performance Settings
Set the proper performance profile via tuned-adm:
tuned-adm profile virtual-guest
then check to make sure:
tuned-adm list
This adjusts the swappiness, the I/O scheduler and other settings.
Manually Specify Swappiness
By default swappiness is set to 10 with the virtual-host profile; if you really want to avoid swapping, set it to 1 as below, though make sure you have enough RAM for all of your guests. You might want to set your virtual guests that run Linux the same so they avoid swapping if possible.
sudo vim /etc/sysctl.conf
Add the following:
vm.swappiness = 1
Install Unison
Enable PowerTools Repo
sudo vim /etc/yum.repos.d/CentOS-PowerTools.repo
Set the Enabled variable to:
enabled=1
Install Packages
There is no Unison package in EPEL or elsewhere, so we'll need to compile it.
sudo dnf install make ocaml ocaml-camlp4-devel ctags ctags-etags
Download Unison
wget http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.48.4.tar.gz
Unpack:
tar xvfz unison-2.48.4.tar.gz
Edit Source File
vim unison-2.48.4/src/Makefile.OCaml
Replace:
CAMLFLAGS+=-g
With:
CAMLFLAGS+=-g -unsafe-string
Compile and Install
cd unison-2.48.4/src
sudo make
sudo cp unison /usr/bin/
Automatic Updates for CentOS
https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/
sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf
Set:
upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd
Enable the auto-update timer
sudo systemctl enable --now dnf-automatic.timer
fail2ban
https://idroot.us/install-fail2ban-centos-8/
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo dnf install fail2ban
Create a Jail for SSHd
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
Add Sync Users
Here we are going to add local users that will have access only to their home directories but won't be able to log in to the console.
Create Group for Sync Only Users
https://serverfault.com/questions/242391/can-i-disable-interactive-shell-access-while-tunneling-web-traffic-through-ssh
We will use this group to restrict SSH access
sudo groupadd unison_client
sudo useradd sync_user && sudo passwd sync_user
sudo usermod -aG unison_client sync_user
sudo mkdir /home/sync_user/unison
sudo chown -R sync_user:sync_user /home/sync_user
Add Options/Restrictions to SSHD for Sync Only Users
sudo vim /etc/ssh/sshd_config
Add the following at the bottom of the file:
Match group unison_client
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
Restart SSHD
sudo systemctl restart sshd
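To confirm that the Match block really restricts the sync-only group without leaking into the sudo user's sessions, here is a small checker (an added example, not part of the original guide) that resolves an sshd_config the way sshd does: the first global occurrence of a keyword wins, and a matching "Match group" block overrides it. SAMPLE_SSHD_CONFIG is a constructed copy of the settings this guide builds up; the function and variable names are my own.

```shell
#!/usr/bin/env bash
# Constructed sample of the sshd_config this guide ends up with (not copied from any real server).
SAMPLE_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
# sync-only users: no forwarding, password login allowed
Match group unison_client
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes'

# effective_setting CONFIG_TEXT DIRECTIVE [GROUP]
# Prints the value that applies to a member of GROUP (or to everyone when GROUP is empty).
# Mirrors how sshd resolves a keyword: the first global occurrence wins, and a value set in
# a "Match group GROUP" block overrides it. Prints "unset" when the keyword is absent.
effective_setting() {
  local cfg=$1 directive=$2 group=${3:-}
  printf '%s\n' "$cfg" | awk -v d="$directive" -v g="$group" '
    BEGIN { section = "global" }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # skip comments and blank lines
    tolower($1) == "match" {                               # a Match line ends the global section
      section = "other"
      for (i = 2; i < NF; i += 2)
        if (tolower($i) == "group" && g != "" && $(i + 1) == g) section = "group"
      next
    }
    tolower($1) == tolower(d) {
      if (section == "global" && !("global" in v)) v["global"] = $2
      if (section == "group"  && !("group"  in v)) v["group"]  = $2
    }
    END {
      if ("group" in v) print v["group"]
      else if ("global" in v) print v["global"]
      else print "unset"
    }'
}

# verify_sync_group CONFIG_TEXT GROUP
# Succeeds only when members of GROUP get the restrictions this guide sets for sync-only users.
verify_sync_group() {
  local cfg=$1 group=$2
  [ "$(effective_setting "$cfg" X11Forwarding "$group")" = no ] &&
  [ "$(effective_setting "$cfg" AllowTcpForwarding "$group")" = no ] &&
  [ "$(effective_setting "$cfg" PermitRootLogin "$group")" = no ]
}

# Example run: report the sync group's settings next to the global ones.
for k in PasswordAuthentication X11Forwarding AllowTcpForwarding; do
  printf '%-22s global=%-5s unison_client=%s\n' "$k" \
    "$(effective_setting "$SAMPLE_SSHD_CONFIG" "$k")" \
    "$(effective_setting "$SAMPLE_SSHD_CONFIG" "$k" unison_client)"
done
```

On the server itself, sudo sshd -T -C user=sync_user,host=sync01.domainname.com,addr=192.168.10.30 prints the settings sshd would actually apply to that connection and is the authoritative check.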
Now you can install the Unison client on your favorite distro (ok, the one that's most convenient to use) and set up your sync pairs from there.