Self-Hostable Linux Home Sync

A secure, self-hostable solution for synchronizing your Linux home directory to remote storage with encryption.

Overview

This project provides a set of scripts and systemd services to:

1. Securely encrypt your home directory files
2. Sync the encrypted files to a remote storage location
3. Download and decrypt files from the remote storage
4. Run automatically at configurable intervals

The service supports multiple remote backends including Nextcloud, Rclone, and Rsync.

Prerequisites

• Linux system with systemd
• Bash shell
• OpenSSL for encryption/decryption
• gzip/gunzip for compression
• crudini for config file parsing
• One of the following sync tools depending on your chosen backend:
  • rsync (for Nextcloud and Rsync backends)
  • rclone (for Rclone backend)

Installation

For distribution-specific instructions, see docs/install-guides.md.

Quick install using the provided installer (recommended):

# Clone the repository
git clone https://gitea.desoter.eu/desoter-org/self-hostable-linux-home-sync.git
cd self-hostable-linux-home-sync

# Prepare ~/.sync_service and install systemd units (for current user)
sudo ./install.sh --enable-now

This will:

• Create ~/.sync_service with required directories
• Copy scripts and default config.ini (if missing)
• Install systemd units as templates
• Enable and start the sync timer for your username

Manual installation (alternative):

1. Clone this repository:

   git clone https://gitea.desoter.eu/desoter-org/self-hostable-linux-home-sync.git
   cd self-hostable-linux-home-sync
   

2. Create the necessary directory structure:

   mkdir -p ~/.sync_service/{encrypted,temp,logs,keys}
   chmod 700 ~/.sync_service/keys
   

3. Copy the scripts to your .sync_service directory:

   cp scripts/encrypt.sh scripts/decrypt.sh scripts/sync.sh ~/.sync_service/
   chmod +x ~/.sync_service/*.sh
   

4. Copy and customize the config file:

   cp config.ini ~/.sync_service/
   

5. Generate an encryption key (see Key Management section below)

6. Install the systemd service and timer:

   # Copy service files to systemd directory as templates
   sudo cp services/sync-service.service /etc/systemd/system/sync-service@.service
   sudo cp services/sync-service.timer   /etc/systemd/system/sync-service@.timer
   sudo systemctl daemon-reload
   
   # Enable timer for your user
   sudo systemctl enable --now sync-service@$(whoami).timer
   

Configuration

Edit the ~/.sync_service/config.ini file to customize your sync settings:

[settings]
sync_interval = 300  # seconds
source_directory = $HOME
encrypted_directory = $HOME/.sync_service/encrypted
temp_directory = $HOME/.sync_service/temp
remote_backend = nextcloud  # or rclone, rsync
nextcloud_remote = user@nextcloud.example.com:/path/to/storage
rclone_remote = nextcloud:path/to/storage
rsync_remote = user@server:/path/to/storage

Configuration options:

• sync_interval: How often the sync occurs (in seconds)
• source_directory: The directory to be synced (default is your home directory)
• encrypted_directory: Where encrypted files are stored
• temp_directory: Temporary processing directory
• remote_backend: Which sync technology to use (nextcloud, rclone, or rsync)
• Remote connection strings for different backends:
  • nextcloud_remote: For Nextcloud backend (uses rsync)
  • rclone_remote: For Rclone backend
  • rsync_remote: For Rsync backend

Additional configuration sections:

[logging]
log_directory = $HOME/.sync_service/logs
max_log_size = 10485760  # 10MB in bytes
max_log_files = 5        # Number of log files to keep

[notifications]
enable_email = false               # true to enable email notifications
email_to = user@example.com        # recipient address
email_from = sync-service@example.com
smtp_server = smtp.example.com
smtp_port = 587
smtp_user = user@example.com
smtp_password = password
enable_desktop = false             # true to enable desktop notifications
notify_level = ERROR               # Minimum level: ERROR, WARNING, INFO

• logging.log_directory: Directory where logs are stored
• logging.max_log_size: Maximum size of a single log file in bytes before rotation
• logging.max_log_files: Number of rotated log files to keep
• notifications.enable_email: Enable/disable email notifications for critical events
• notifications.email_* and SMTP fields: SMTP configuration for sending emails
• notifications.enable_desktop: Enable desktop notifications on the local machine
• notifications.notify_level: Minimum log level that triggers notifications

Key Management

Generate a strong encryption key:

openssl rand -hex 32 > ~/.sync_service/keys/encryption_key
chmod 600 ~/.sync_service/keys/encryption_key

For better security, consider using a key derivation function:

# Create a password file
echo "your_strong_password" > ~/.sync_service/keys/encryption_passphrase
chmod 600 ~/.sync_service/keys/encryption_passphrase

# Derive key from passphrase
openssl enc -aes-256-cbc -pass pass:$(cat ~/.sync_service/keys/encryption_passphrase) -P -md sha512 2>/dev/null | grep "key=" | cut -d"=" -f2 > ~/.sync_service/keys/encryption_key

Service Setup and Execution

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable sync-service.timer
sudo systemctl start sync-service.timer

Check service status:

sudo systemctl status sync-service.timer
sudo systemctl status sync-service.service

View logs:

tail -f ~/.sync_service/logs/sync.log
tail -f ~/.sync_service/logs/error.log

Manual Script Usage

You can also run the scripts manually:

Run a full sync:

~/.sync_service/sync.sh

Encrypt files only:

~/.sync_service/encrypt.sh $HOME

Decrypt files only:

~/.sync_service/decrypt.sh ~/.sync_service/encrypted

Benchmarking Performance

You can run local performance benchmarks (no network required) to evaluate end-to-end performance (encrypt -> upload via local rsync -> download -> decrypt):

• Quick run (fast verification):

  ./benchmark_performance.sh --quick
  

• Custom sizes (comma-separated from: small, medium, large):

  ./benchmark_performance.sh --sizes small,medium
  

Results are written to benchmark_results.csv in the repository root and also printed to the console.

Troubleshooting

Common Issues

1. Permission denied errors:

   • Ensure all scripts have execute permissions: chmod +x ~/.sync_service/*.sh
   • Check that your user has access to the source and destination directories

2. Encryption/decryption failures:

   • Verify the encryption key exists and has correct permissions: ls -la ~/.sync_service/keys/
   • Check for OpenSSL errors in the log file: grep "OpenSSL" ~/.sync_service/logs/error.log

3. Sync failures:

   • Verify your remote backend configuration in config.ini
   • Check network connectivity to your remote storage
   • Ensure you have the correct tools installed for your chosen backend

Logs

Check the log files for detailed error information:

cat ~/.sync_service/logs/sync.log
cat ~/.sync_service/logs/error.log

Security Considerations

• The encryption key is stored on your local system. If your system is compromised, your data could be at risk.
• Consider using a key derivation function with a strong passphrase for better security.
• Regularly backup your encryption key. If you lose it, you won't be able to decrypt your files.
• The service does not encrypt filenames, only file contents.

License

See the LICENSE file for details.