Syncthing as backup

télécharger syncthing : https://syncthing.net/ copier l’exe dans /usr/local/bin

créer deux utilisateur : 1 qui écoute le dossier à backuper et partage ce dossier par syncthing (syncthing), l’autre qui écoute le partage (syncthing_backup).

Créer un service dans system pour chacun avec deux port différents:


[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target
[Service]
User=syncthing
#ExecStart=/usr/local/bin/syncthing_backup -gui-address="http://10.8.0.3:8385"
ExecStart=/usr/local/bin/syncthing -gui-address="http://10.8.0.3:8384"
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
# Hardening
ProtectSystem=full
PrivateTmp=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target

Gérer les permissions pour que les user accèdent au dossier partagé visé (chmod g+w), ignorer les permissions dans la webUI de celui qui écoute le dossier (sinon : restauration pas possible)

Openvpn and Co

openvpn to create a vpn or to connect

yum install openvpn easy-rsa

http://damiengustave.fr/mise-en-place-dun-vpn-avec-openvpn-2-3-et-easy-rsa-3/

for server :

cd /etc/openvpn/

Choose TCP (mobile connection issue with udp)

copy easy_rsa scripts

cp -Rp /usr/share/easy-rsa/3/ easy-rsa

generate pki and CA:

./easyrsa init-pki

./easyrsa build-ca

generate tsl key for connection :
openvpn --genkey --secret ta.key

generate server key :

./easyrsa gen-req server nopass

generate sign server key :

./easyrsa sign-req server server

for clients :

./easyrsa gen-req client1 nopass

./easyrsa sign-req client client

./easyrsa gen-crl

for another key :

openssl dhparam -out /etc/openvpn/ssl/dh.pem 2048

Once all set up, mount cifs partition to linux :

mount -t cifs //10.8.0.1/public /mnt/cifs -o username=bmartin,password=XXX

Create user just for samba :

adduser –disabled-login –ingroup impacte acdremont

Give it a samba password :

smbpasswd -a acdremont

create a group impacte, add users to it, chown main:impacte /home/impacte

give group write permision

chmod -R g+w /home/impacte/

add this to smb.conf :


[impacte]
comment = Imp'Acte
path = /home/impacte
valid users = bmartin acdremont jpereira
writable = yes
printable = no
group = impacte

if bad named files, use this command at root of share :

find . -exec rename -v ‘s/[^\x00-\x7F]//g’ « {} » \;

find . -name « *’* » -exec rename « s/\’/_/ » {} \;

 

server config file :
~#cat /etc/openvpn/server.conf | egrep -v "(^#.*|^;.*|^$)"
port 1196
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 1
remote-cert-eku "TLS Web Client Authentication"
persist-key
persist-tun
ca ca.crt
cert server.crt
comp-lzo adaptive
dev tun
ifconfig-pool-persist server-ipp.txt 0
keepalive 10 120
key server.key
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
port 1194
proto udp
verb 3
crl-verify crl.pem

client config file :


~# cat /etc/openvpn/client/client.conf
client
dev tun
proto udp
port 1194
remote openvpn.brunocsmartin.fr 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

ca ca.crt
cert vps_rpi32.crt
key vps_rpi32.key
tls-auth ta.key 1
key-direction 1

pull-filter ignore redirect-gateway