
I have a failover setup with two servers and would like to sync /etc/letsencrypt and /etc/nginx between primary and replica.

I am planning on using Match Address on the replica to only set PermitRootLogin yes for a single IP.

Is it a bad idea? If so, how can I sync these files securely?

sunknudsen
  • Why `yes`? That would allow password login, and a setup like this needs to use keys. – Michael Hampton Oct 27 '20 at 21:19
  • @MichaelHampton The servers are configured using `PasswordAuthentication no`. – sunknudsen Oct 27 '20 at 21:27
  • Sure it does today, but can you predict the future? Maybe it'll get changed later, by accident or intentionally. Better to use `PermitRootLogin prohibit-password` or better yet `forced-commands-only` with the command specified. – Michael Hampton Oct 27 '20 at 21:35
  • @MichaelHampton `PermitRootLogin prohibit-password` is a great suggestion, thanks! Still trying to figure out what the safest way to move these files is. – sunknudsen Oct 27 '20 at 22:40

1 Answer


To avoid using root, you could create a dedicated rsync user, say rsync, on both hosts, and add file ACLs to give it read/write permissions:

# Primary: make source files readable
setfacl -R -m u:rsync:rX,d:u:rsync:rX   /etc/letsencrypt /etc/nginx

# Replica: make target files writable
setfacl -R -m u:rsync:rwX,d:u:rsync:rwX /etc/letsencrypt /etc/nginx

This is better in principle than using root, since the rsync user can only do what you grant it permission to do, while root can do anything unless you effectively restrict it.

You might have to keep reapplying the ACLs now and then, though. The default (d:) part of the ACLs ought to make them apply to new files that get created, but in my experience that tends to break over time. If the rsync job fails, you'll know.

Andrew Schulman
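The following script is an added example, not code from the question or the answer above. It combines the answer's dedicated rsync user and ACLs with the comment thread's advice to avoid `PermitRootLogin yes`: the replica's sshd config keeps root login off, the sync key is pinned to the primary's address and forced into rrsync (rsync's own restricted wrapper), and a small check parses `getfacl` output so that a silently broken ACL is caught before the sync job fails. The user name `rsync`, the address 203.0.113.10, the key file name `sync-key`, and the assumption that `rrsync` is on the replica's PATH (its install location varies by distribution) are all constructed for the example.

```shell
#!/bin/sh
# Added example: replica-side hardening for a non-root rsync sync user.
# Assumptions (not from the original post): the sync user is "rsync",
# the primary's address is 203.0.113.10, and rrsync is on the replica's PATH.
set -eu

SYNC_USER="rsync"
PRIMARY_IP="203.0.113.10"              # constructed example address
SYNC_PATHS="/etc/letsencrypt /etc/nginx"

# sshd_config fragment for the replica: root login stays off globally, and the
# Match block scopes the extra restrictions to the sync user coming from the
# primary only. No Match Address exception for root is needed at all.
render_sshd_match() {
    # $1 = source address, $2 = sync user
    printf 'PermitRootLogin no\nMatch Address %s User %s\n' "$1" "$2"
    printf '    PasswordAuthentication no\n    PubkeyAuthentication yes\n'
    printf '    AllowTcpForwarding no\n    X11Forwarding no\n'
}

# authorized_keys line for the sync user on the replica: the key only works
# from the primary's address, "restrict" disables pty/forwarding/agent, and the
# forced command confines rsync to a tree rooted at /etc (rrsync rejects paths
# that escape that root). Write access within /etc is then bounded by the ACLs.
render_authorized_key() {
    # $1 = source address, $2 = key type, $3 = base64 key material
    printf 'from="%s",restrict,command="rrsync /etc" %s %s sync-key\n' "$1" "$2" "$3"
}

# Push command for the primary's cron job, run as the rsync user (which holds
# the read ACLs from the answer). Paths are relative to rrsync's /etc root.
render_push_command() {
    # $1 = replica host, $2 = tree name under /etc (e.g. letsencrypt)
    printf 'rsync -a --delete -e "ssh -i ~/.ssh/sync-key" /etc/%s/ %s@%s:/%s/\n' \
        "$2" "$SYNC_USER" "$1" "$2"
}

# Read `getfacl` output on stdin and print "ok" if user $1 holds exactly the
# permission string $2 (e.g. "r-x" or "rwx"). When the ACL mask reduces the
# entry, getfacl appends "#effective:..." and that value is what is compared,
# so a mask-clobbered ACL shows up as "missing" rather than passing.
acl_grants() {
    # $1 = user, $2 = expected perms, stdin = getfacl output
    awk -v u="$1" -v want="$2" '
        $0 ~ ("^user:" u ":") {
            n = split($0, f, ":")
            perms = (n >= 4) ? f[4] : f[3]   # effective perms win over nominal
            gsub(/[ \t]/, "", perms)
            if (perms == want) found = 1
        }
        END { print (found ? "ok" : "missing") }'
}

# Replica side: create the user if needed, apply the ACLs from the answer, and
# verify each top-level directory actually grants rwx afterwards.
apply_replica() {
    id "$SYNC_USER" >/dev/null 2>&1 || useradd -r -m -s /bin/sh "$SYNC_USER"
    # shellcheck disable=SC2086  # SYNC_PATHS is intentionally word-split
    setfacl -R -m "u:$SYNC_USER:rwX,d:u:$SYNC_USER:rwX" $SYNC_PATHS
    for p in $SYNC_PATHS; do
        if [ "$(getfacl --absolute-names "$p" 2>/dev/null | acl_grants "$SYNC_USER" rwx)" != "ok" ]; then
            echo "ACL for $SYNC_USER missing or masked on $p" >&2
            exit 1
        fi
    done
}

# Only the "apply" argument touches the system; "show" prints the fragments.
case "${1:-}" in
    apply) apply_replica ;;
    show)
        render_sshd_match "$PRIMARY_IP" "$SYNC_USER"
        render_authorized_key "$PRIMARY_IP" ssh-ed25519 "AAAA...replace-with-real-key"
        render_push_command replica.example.internal letsencrypt
        ;;
esac
```

Run `sh sync-setup.sh show` to print the sshd_config fragment, the authorized_keys line and the cron command, then `sh sync-setup.sh apply` as root on the replica. The `acl_grants` check is worth scheduling alongside the sync job: it is the cheap way to notice the ACL decay the answer mentions before the sync starts failing.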