== Docker ==

This is only needed for OnlyOffice.

{{bc|
yay -Syu docker
sudo systemctl enable --now docker
}}
== Nginx Web Server and Reverse Proxy ==

These packages are typically used when setting up web applications like MediaWiki or WordPress.

{{bc|yay -Syu --needed apache-tools ca-certificates certbot-nginx nginx php-<nowiki>{apcu,fpm,gd,imagick,intl,redis,sodium}</nowiki> postgresql}}
= Redis =

Redis is used by several programs, including rspamd (e-mail), NextCloud, OnlyOffice, and WordPress (optional).

By default, {{ic|redis}} is already configured to bind to 127.0.0.1:6379, but the Unix socket is not enabled.

{{hc|/etc/redis.conf|2=
...
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /run/redis/redis.sock
# 770 rather than 700, so that members of the redis group (added below) can connect
unixsocketperm 770
...
}}

You will also need to add users to the {{ic|redis}} group so their processes can access {{ic|redis}}. Use {{ic|-aG}} (append) so each user's existing supplementary groups are kept:

{{bc|for username in http rspamd; do sudo usermod -aG redis ${username}; done}}
= PHP-FPM =

Look for and edit the following lines in {{ic|/etc/php/php.ini}}:

{{hc|/etc/php/php.ini|2=
[PHP]
; /srv/phptmp/ is the session.save_path used below; open_basedir must include it
open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/srv/phptmp/:/dev/urandom:/proc/meminfo
include_path = ".:/php/includes:/usr/share/pear"
upload_max_filesize = 8M

extension=apcu
extension=dba
extension=exif
extension=gd
extension=gettext
extension=iconv
extension=imagick
extension=imap
extension=intl
extension=sodium
extension=ldap
extension=mysqli
zend_extension=opcache
extension=pdo_mysql
extension=soap

[Date]
date.timezone = <timezone>

[Pdo_mysql]
pdo_mysql.cache_size = 2000

[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
}}
== tmpfs for PHP Sessions ==

{{hc|/etc/php/php.ini|2=
[Session]
session.save_path = "/srv/phptmp"
}}

Find the uid and gid of the user that will own the session directory (the {{ic|mysql}} user is used here; note that on Arch {{ic|php-fpm}} itself runs as {{ic|http}}, and whichever user you pick must be able to write to this directory):

{{hc|$ id mysql|2=
uid=27(mysql) gid=27(mysql) groups=27(mysql)
}}

{{hc|/etc/fstab|2=
# Static information about the filesystems.
# See fstab(5) for details.

# <file system> <dir> <type> <options> <dump> <pass>
...
# uid/gid must belong to the user php-fpm runs as, or sessions cannot be written
tmpfs /srv/phptmp tmpfs rw,noatime,gid=27,uid=27,size=100M,mode=0750 0 0
...
}}

Then make sure the {{ic|php-fpm}} service is enabled and running:

{{bc|sudo systemctl enable --now php-fpm}}
= Let's Encrypt =

{{bc|sudo certbot certonly --nginx --agree-tos}}

The {{ic|nginx}} plugin will guide you and help automate the process.

Take note that the {{ic|nginx}} configuration in this guide takes into account the settings suggested by {{ic|certbot}}.

== Automatic Renewal ==

These will automatically renew your certificates every 2 months on the first Sunday of the month at 4am.

=== Systemd ===

{{hc|/etc/systemd/system/certbot.service|2=
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --agree-tos --no-redirect
}}

{{hc|/etc/systemd/system/certbot.timer|2=
[Unit]
Description=Bi-monthly renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
}}

=== Crontab ===

In cron, when both the day-of-month and the day-of-week fields are restricted, the job runs when either one matches, so {{ic|0 4 1-7 2-12/2 0}} would fire on every Sunday of those months as well as on days 1 to 7. Leave the day-of-week field unrestricted and test for Sunday in the command instead (the {{ic|%}} must be escaped in a crontab):

{{bc|1=0 4 1-7 2-12/2 * [ "$(date +\%u)" = 7 ] && /usr/bin/certbot renew --agree-tos --no-redirect}}
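As an added illustration (not code from the page), a Python model of the two renewal schedules above, showing why cron's day-of-month/day-of-week rule differs from systemd's OnCalendar and how the shell test restores the intended "first Sunday" behaviour. The year 2023 is used only as a constructed sample.

```python
from datetime import date, timedelta


def cron_matches(dom, months, dow, d):
    """Model of cron(5) day matching for the date `d`. `dom`, `months` and
    `dow` are sets of allowed values, or None for '*'. cron numbers Sunday
    as 0; Python's weekday() numbers Monday as 0. The 04:00 time fields are
    identical in both schedules and are not modelled."""
    if d.month not in months:
        return False
    cron_dow = (d.weekday() + 1) % 7
    dom_ok = dom is None or d.day in dom
    dow_ok = dow is None or cron_dow in dow
    if dom is not None and dow is not None:
        return dom_ok or dow_ok  # cron(5): both fields restricted -> either may match
    return dom_ok and dow_ok


def page_cron(d):
    """The line '0 4 1-7 2-12/2 0 ...': DOM 1-7 and DOW Sunday both restricted."""
    return cron_matches(set(range(1, 8)), {2, 4, 6, 8, 10, 12}, {0}, d)


def fixed_cron(d):
    """'0 4 1-7 2-12/2 * [ "$(date +\\%u)" = 7 ] && ...': DOW left as '*',
    Sunday enforced by the shell test in the command."""
    return cron_matches(set(range(1, 8)), {2, 4, 6, 8, 10, 12}, None, d) and d.weekday() == 6


def timer_matches(d):
    """'OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00': every component must match."""
    return d.weekday() == 6 and d.month in {1, 3, 5, 7, 9, 11} and 1 <= d.day <= 7


def firing_days(pred, year):
    """All dates in `year` on which the schedule `pred` fires."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        if pred(d):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    for name, pred in [("page cron", page_cron), ("fixed cron", fixed_cron), ("systemd timer", timer_matches)]:
        print(f"{name}: {len(firing_days(pred, 2023))} runs in 2023")
```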
= OnlyOffice Document Server =

On Arch, OnlyOffice can be installed via an [https://aur.archlinux.org/packages/onlyoffice-documentserver AUR package], with [https://helpcenter.onlyoffice.com/server/docker/document/docker-installation.aspx Docker], or with [https://snapcraft.io/onlyoffice-ds Snap].

== AUR Package ==

The [https://aur.archlinux.org/packages/onlyoffice-documentserver/ AUR package] was broken at the time of this writing.

== Snap ==

Snap did not work for me. However, this might have been due to the Snap's Redis service conflicting with that of the host's.

== Docker ==

The Docker version requires PostgreSQL, RabbitMQ, and Redis to be set up. Be sure to install and configure those first.

Once that is complete, set up the database and database user. Replace the placeholder password {{ic|'onlyoffice'}} with a strong one before running these.

{{bc|
sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"
}}

Create the following directories.

{{bc|sudo mkdir /var/{lib,log}/onlyoffice}}

Issue one command to download and start the Docker instance.
{{bc|<nowiki>
sudo docker run -i -t -d -p [port]:80 --restart=always \
    -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
    -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
    -v /app/onlyoffice/DocumentServer/db:/srv/psql onlyoffice/documentserver
</nowiki>}}
Configure {{ic|nginx}} to act as a proxy:

{{hc|/etc/nginx/sites-available/<domain>|2=<nowiki>
# the container listens on port 80; alternatively use 127.0.0.1:[port], the host port published above
upstream docservice {
    server <docker-ip>:80;
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen 80;
    listen [::]:80;
    server_name <domain>;
    server_tokens off;
    rewrite ^ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <domain>;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;

    add_header Strict-Transport-Security max-age=31536000;
    # add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # the "main" log_format and the "gulag" limit_req_zone must be defined in the http context of nginx.conf
    access_log /var/log/nginx/access.log main buffer=32k;
    error_log /var/log/nginx/error.log error;
    limit_req zone=gulag burst=200 nodelay;

    # ACME challenge
    location ^~ /.well-known {
        allow all;
        alias /var/lib/letsencrypt/$host/.well-known;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_pass http://docservice;
        proxy_http_version 1.1;
    }
}
</nowiki>}}

After [[Arch_Post-Installation_Checklist#Finalization|finalizing]], you should now be able to navigate to {{ic|<nowiki>https://<domain></nowiki>}} and see the OnlyOffice Document Server welcome page with a green checkmark indicating everything is running properly.
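As an added illustration (not code from the page or from OnlyOffice), a Python model of what the four {{ic|map}} blocks in the proxy configuration above compute for a request. The maps pass a client-supplied X-Forwarded-Proto or X-Forwarded-Host through unchanged and only fall back to $scheme/$host when the header is absent; since this nginx terminates TLS itself with nothing in front of it, edge_maps (a hypothetical hardened variant) derives both from the connection instead. The sample requests are constructed.

```python
def page_maps(headers, host, scheme):
    """Model of the four 'map' blocks in the proxy config. `headers` holds the
    client's request headers with lower-case names; `host` and `scheme` stand
    for nginx's $host and $scheme of the connection."""
    http_host = headers.get("host", "")
    this_host = host if http_host == "" else http_host            # map $http_host $this_host
    xf_proto = headers.get("x-forwarded-proto", "")
    the_scheme = scheme if xf_proto == "" else xf_proto           # map $http_x_forwarded_proto $the_scheme
    xf_host = headers.get("x-forwarded-host", "")
    the_host = this_host if xf_host == "" else xf_host            # map $http_x_forwarded_host $the_host
    upgrade = headers.get("upgrade", "")
    connection = "close" if upgrade == "" else "upgrade"          # map $http_upgrade $proxy_connection
    # the proxy_set_header lines then send these values to the document server
    return {"X-Forwarded-Host": the_host, "X-Forwarded-Proto": the_scheme, "Connection": connection}


def edge_maps(headers, host, scheme):
    """Hypothetical hardened variant for an nginx that terminates TLS itself:
    X-Forwarded-Host/Proto come from the connection, never from the client."""
    connection = "close" if headers.get("upgrade", "") == "" else "upgrade"
    return {"X-Forwarded-Host": host, "X-Forwarded-Proto": scheme, "Connection": connection}


# Constructed sample requests (not captured traffic)
PLAIN = {"host": "docs.example.org"}
WITH_CLIENT_HEADERS = {"host": "docs.example.org", "x-forwarded-proto": "http",
                       "x-forwarded-host": "other.example", "upgrade": "websocket"}

if __name__ == "__main__":
    print("page config :", page_maps(WITH_CLIENT_HEADERS, "docs.example.org", "https"))
    print("edge variant:", edge_maps(WITH_CLIENT_HEADERS, "docs.example.org", "https"))
```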
= Passwords & User Creation =

Make sure {{ic|root}} has a password. Make sure you have a primary user set up.

{{bc|1=
sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
sudo passwd <user>
}}
= Time Zone =

{{bc|
sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
sudo hwclock --systohc
}}
= Localization =

Un-comment your desired locales in {{ic|/etc/locale.gen}}, then run:

{{bc|sudo locale-gen}}

If you don't have the default {{ic|/etc/locale.gen}} file:

{{bc|
sudo rm /etc/locale.gen
sudo pacman -Syu glibc
}}

Edit {{ic|/etc/locale.conf}} as you see fit:

{{hc|/etc/locale.conf|2=
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8
}}

Set up {{ic|/etc/vconsole.conf}} with a keymap and (optionally) a font:

{{hc|/etc/vconsole.conf|2=
KEYMAP=us
FONT=Lat2-Terminus16
}}
= Initramfs =

Look for and edit the following lines (bracketed entries are optional, depending on your hardware and setup; {{ic|keymap}}, {{ic|consolefont}} and {{ic|encrypt}} must come before {{ic|filesystems}}, and {{ic|zfs}} must come before {{ic|filesystems}} as well):

{{hc|/etc/mkinitcpio.conf|2=
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage])
HOOKS=(base udev autodetect modconf block keyboard keymap consolefont [encrypt] [zfs] filesystems fsck)
COMPRESSION=lz4
}}
= Networking =

== Host Name ==

Make sure a host name is set in {{ic|/etc/hostname}}. Then edit {{ic|/etc/hosts}}:

{{hc|/etc/hosts|2=
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 <hostname>.localdomain <hostname>
}}

== Static Addressing ==

Use {{ic|systemd-networkd}} when a machine will use a static address without consulting a DHCP server.

=== IPv4 Only ===

{{hc|/etc/systemd/network/network.network|2=
[Match]
MACAddress=<mac-address>

[Network]
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
LinkLocalAddressing=no
IPv6AcceptRA=no
}}

=== IPv4 & IPv6 ===

{{hc|/etc/systemd/network/network.network|2=
[Match]
MACAddress=<mac-address>

[Network]
Address=<ipv6-address>/<mask>
DNS=<ipv6-address>
Gateway=<ipv6-address>
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
}}

== Dynamic Addressing ==

It's preferable to use {{ic|connman}} or {{ic|NetworkManager}} for dynamic addresses as {{ic|systemd-networkd}} doesn't play well with interfaces coming and going. If you'd rather use {{ic|systemd-networkd}} for DHCP:

{{hc|/etc/systemd/network/network.network|2=
[Match]
MACAddress=<mac-address>

[Network]
DHCP=yes

[DHCP]
UseMTU=true
}}
= Packages =

== Mirror List ==

Install and use {{ic|reflector}} to automate the use and selection of mirrors.

{{bc|
sudo pacman -Syu reflector
sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
}}

== Yay ==

Make sure you have the {{ic|base-devel}} group installed.

{{bc|sudo pacman -Syu --needed base-devel git}}

Create a directory where AUR build files will go:

{{bc|1=
sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
mkdir /var/lib/pacman/aur/$(whoami)
}}

Build {{ic|yay}}:

{{bc|1=<nowiki>
cd /var/lib/pacman/aur/$(whoami)
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -Ccisr
</nowiki>}}

Then create the configuration file:

{{hc|~/.config/yay/config.json|2=<nowiki>
{
    "aururl": "https://aur.archlinux.org",
    "buildDir": "/var/lib/pacman/aur/$USER",
    "editor": "nano",
    "editorflags": "",
    "makepkgbin": "makepkg",
    "makepkgconf": "",
    "pacmanbin": "pacman",
    "pacmanconf": "/etc/pacman.conf",
    "tarbin": "bsdtar",
    "redownload": "no",
    "rebuild": "no",
    "answerclean": "none",
    "answerdiff": "all",
    "answeredit": "",
    "answerupgrade": "0",
    "gitbin": "git",
    "gpgbin": "gpg",
    "gpgflags": "",
    "mflags": "",
    "sortby": "votes",
    "gitflags": "",
    "removemake": "yes",
    "requestsplitn": 150,
    "sortmode": 0,
    "completionrefreshtime": 7,
    "sudoloop": false,
    "timeupdate": false,
    "devel": true,
    "cleanAfter": false,
    "gitclone": true,
    "provides": true,
    "pgpfetch": true,
    "upgrademenu": true,
    "cleanmenu": true,
    "diffmenu": true,
    "editmenu": true,
    "combinedupgrade": false,
    "useask": false
}
</nowiki>}}
== General Utilities ==

These packages supplement the base system.

{{bc|yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip}}

If you are not running inside a VM, you may also wish to add these packages:

{{bc|yay -Syu hddtemp lm_sensors memtest86+ smartmontools}}

The {{ic|haveged}} service can be enabled and started right away as no configuration is needed.

{{bc|sudo systemctl enable --now haveged}}

Your sensors need to be configured before starting the {{ic|lm_sensors}} service. Note: this package is useless inside a VM.

{{bc|
sudo sensors-detect
sudo systemctl enable --now lm_sensors
}}

Don't start {{ic|fail2ban}} or {{ic|sshd}} quite yet as they have configuration that needs to be done.