Arch Post-Installation Checklist: Difference between revisions

From The Brainwrecked Wiki
Jump to navigation Jump to search
← Older edit
mNo edit summary
m Yay: Fixed some code blocks
 
(148 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Passwords & User Creation =
= Passwords & User Creation =


Make sure <code>root</code> has a password.
Make sure {{ic|root}} has a password.


Make sure you have a primary user set up.
Make sure you have a primary user set up.


# useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
{{bc|
# passwd <user>
sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
sudo passwd <user>
}}
 
= /etc/fstab =
 
= Time Zone =
 
{{bc|
sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
sudo hwclock --systohc
}}
 
= Localization =
 
Un-comment your desired locales in {{ic|/etc/locale.conf}}, then run
 
{{bc|sudo locale-gen}}
 
If you don't have the default {{ic|/etc/locale.gen}} file:
 
{{bc|
sudo rm /etc/locale.gen
sudo pacman -Syu glibc
}}
 
Edit {{ic|/etc/locale.conf}} as you see fit
 
{{hc|/etc/locale.conf|2=
<nowiki>LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8</nowiki>
}}
 
Set up {{ic|/etc/vconsole.conf}} with a keymap and (optionally) a font:
 
{{hc|/etc/vconsole.conf|2=
KEYMAP=us
FONT=Lat2-Terminus16
}}
 
= Initramfs =
 
Look for and edit the following lines:
 
{{hc|/etc/mkinitcpio.conf|2=
<nowiki>MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage]>)
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4</nowiki>
}}


= Networking =
= Networking =


== systemd-networkd ==
== Host Name ==
 
Make sure a host name is set in {{ic|/etc/hostname}}
 
Then edit {{ic|/etc/hosts}}
 
{{hc|/etc/hosts|2=
127.0.0.1 localhost.localdomain locahost
::1 localhost.localdomain localhost
127.0.1.1 <hostname>.localdomain <hostname>
}}
 
== Static Addressing ==
 
Use {{ic|systemd-networkd}} when a machine will use a static address without consulting a DHCP server.
 
=== IPv4 Only ===
 
{{hc|/etc/systemd/network/network.network|2=
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
LinkLocalAddressing=no
IPv6AcceptRA=no
}}


=== Static Addressing ===
=== IPv4 & IPv6 ===


[Match]
{{hc|/etc/systemd/network/network.network|2=
MACAddress=<mac-address>
[Match]
MACAddress=<mac-address>
[Address]
[Network]
Address=<ip-address>/<mask>
Address=<ipv6-address>/<mask>
DNS=<ipv6-address>
[Network]
Gateway=<ipv6-address>
DNS=<ip-address>
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
[Route]
Gateway=<ipv4-address>
Gateway=<ip-address>
}}


=== Dynamic Addressing ===
=== Dynamic Addressing ===


[Match]
It's preferable to use {{ic|connman}} or {{ic|Network Manager}} for dynamic addresses as {{ic|systemd-networkd}} doesn't play well with interfaces coming and going.
MACAddress=<mac-address>
[Network]
DHCP=yes
[DHCP]
UseMTU=true


== IPTables Firewall ==
If you'd rather use {{ic|systemd-networkd}} for DHCP:


# SIMPLE STATEFUL FIREWALL
{{hc|/etc/systemd/network/network.network|2=
*filter
[Match]
:INPUT DROP [0:0]
MACAddress=<mac-address>
:FORWARD DROP [0:0]
[Network]
:OUTPUT ACCEPT [100308:88697975]
DHCP=yes
:TCP - [0:0]
[DHCP]
:UDP - [0:0]
UseMTU=true
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}}
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# OPEN NECESSARY PORTS HERE
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtp secure"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT  -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imap secure"
-A TCP -p tcp -m tcp --dport 3000 -j ACCEPT -m comment --comment "cryptpad http"
-A TCP -p tcp -m tcp --dport 3001 -j ACCEPT -m comment --comment "cryptpad safe http"
-A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp"
-A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp"
COMMIT


= SSH Setup =
= Packages =


Look for and edit the following lines:
== Mirror List ==


Port <port>
Install and use {{ic|reflector}} to automate the use and selection of mirrors.
AddressFamily <any|inet|inet6>
ListenAddress <ip4-address>
ListenAddress <ip6-address>
LogLevel VERBOSE
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers <space-separated-list-of-users>
AllowAgentForwarding no
AllowTcpForwarding no


= Mirror Selection =
{{bc|
sudo pacman -Syu reflector
sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
}}


# pacman -Syu reflector
== Yay ==
# reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist


= /etc/fstab =
Make sure you have the {{ic|base-devel}} group installed.


= Time Zone =
{{bc|sudo pacman -Syu --needed base-devel git}}


# ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
Create a directory where AUR build files will go
# hwclock --systohc


= Localization =
{{bc|1=
sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
mkdir /var/lib/pacman/aur/$(whoami)
}}


Un-comment your desired locales in <code>/etc/locale.conf</code>, then run
Build {{ic|yay}}.


# locale-gen
{{bc|1=<nowiki>
cd /var/lib/pacman/aur/$(whoami)
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -Ccisr
</nowiki>}}


If you don't have the default <code>/etc/locale.gen</code> file:
The create the configuration file.


# rm /etc/locale.gen
{{hc|~/.config/yay/config.json|2=
# pacman -Syu glibc
{
"aururl": "https://aur.archlinux.org",
"buildDir": "/var/lib/pacman/aur/$USER",
"editor": "nano",
"editorflags": "",
"makepkgbin": "makepkg",
"makepkgconf": "",
"pacmanbin": "pacman",
"pacmanconf": "/etc/pacman.conf",
"tarbin": "bsdtar",
"redownload": "no",
"rebuild": "no",
"answerclean": "none",
"answerdiff": "all",
"answeredit": "",
"answerupgrade": "0",
"gitbin": "git",
"gpgbin": "gpg",
"gpgflags": "",
"mflags": "",
"sortby": "votes",
"gitflags": "",
"removemake": "yes",
"requestsplitn": 150,
"sortmode": 0,
"completionrefreshtime": 7,
"sudoloop": false,
"timeupdate": false,
"devel": true,
"cleanAfter": false,
"gitclone": true,
"provides": true,
"pgpfetch": true,
"upgrademenu": true,
"cleanmenu": true,
"diffmenu": true,
"editmenu": true,
"combinedupgrade": false,
"useask": false
}
}}


Edit <code>/etc/locale.conf</code> as you see fit
== General Utilities ==


LANG=en_US.UTF-8
These packages supplement the base system.
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8


Set up <code>/etc/vconsole.conf</code> with a keymap and (optionally) a font:
{{bc|yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip}}


KEYMAP=us
If you are not running inside a VM, you may also wish to add these packages:
FONT=Lat2-Terminus16


= Network =
{{bc|yay -Syu hddtemp lm_sensors memtest86+ smartmontools}}


Put a host name in <code>/etc/hostname</code>
The {{ic|havaged}} service can be enabled and started right away as no configuration is needed.


The edit <code>/etc/hosts</code>
{{bc|sudo systemctl enable --now haveged}}


127.0.0.1 localhost.localdomain locahost
Your sensors need to be configured before starting the {{ic|lm_sensors}} service.
::1 localhost.localdomain localhost
127.0.1.1 <hostname>.localdomain <hostname>


= Initramfs =
{{note|This package is useless inside a VM.}}


Look for and edit the following lines:
{{bc|
sudo sensors-detect
sudo systemctl enable --now lm_sensors
}}


MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage]>)
Don't start {{ic|fail2ban}} or {{ic|sshd}} quite yet as they have configuration that needs to be done.
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4

Latest revision as of 03:39, 28 December 2019

Passwords & User Creation

Make sure root has a password.

Make sure you have a primary user set up. 

sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
sudo passwd <user>

/etc/fstab

Time Zone

sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
sudo hwclock --systohc

Localization

Un-comment your desired locales in /etc/locale.conf, then run 

sudo locale-gen

If you don't have the default /etc/locale.gen file: 

sudo rm /etc/locale.gen
sudo pacman -Syu glibc

Edit /etc/locale.conf as you see fit 

/etc/locale.conf
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8

Set up /etc/vconsole.conf with a keymap and (optionally) a font: 

/etc/vconsole.conf
KEYMAP=us
FONT=Lat2-Terminus16

Initramfs

Look for and edit the following lines: 

/etc/mkinitcpio.conf
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage]>)
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4

Networking

Host Name

Make sure a host name is set in /etc/hostname

Then edit /etc/hosts 

/etc/hosts
127.0.0.1	localhost.localdomain	locahost
::1		localhost.localdomain	localhost
127.0.1.1	<hostname>.localdomain	<hostname>

Static Addressing

Use systemd-networkd when a machine will use a static address without consulting a DHCP server.

IPv4 Only

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
LinkLocalAddressing=no
IPv6AcceptRA=no

IPv4 & IPv6

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv6-address>/<mask>
DNS=<ipv6-address>
Gateway=<ipv6-address>
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>

Dynamic Addressing

It's preferable to use connman or Network Manager for dynamic addresses as systemd-networkd doesn't play well with interfaces coming and going.

If you'd rather use systemd-networkd for DHCP: 

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
DHCP=yes
[DHCP]
UseMTU=true

Packages

Mirror List

Install and use reflector to automate the use and selection of mirrors. 

sudo pacman -Syu reflector
sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist

Yay

Make sure you have the base-devel group installed. 

sudo pacman -Syu --needed base-devel git

Create a directory where AUR build files will go 

sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
mkdir /var/lib/pacman/aur/$(whoami)

Build yay. 

cd /var/lib/pacman/aur/$(whoami)
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -Ccisr

The create the configuration file. 

~/.config/yay/config.json
{
	"aururl": "https://aur.archlinux.org",
	"buildDir": "/var/lib/pacman/aur/$USER",
	"editor": "nano",
	"editorflags": "",
	"makepkgbin": "makepkg",
	"makepkgconf": "",
	"pacmanbin": "pacman",
	"pacmanconf": "/etc/pacman.conf",
	"tarbin": "bsdtar",
	"redownload": "no",
	"rebuild": "no",
	"answerclean": "none",
	"answerdiff": "all",
	"answeredit": "",
	"answerupgrade": "0",
	"gitbin": "git",
	"gpgbin": "gpg",
	"gpgflags": "",
	"mflags": "",
	"sortby": "votes",
	"gitflags": "",
	"removemake": "yes",
	"requestsplitn": 150,
	"sortmode": 0,
	"completionrefreshtime": 7,
	"sudoloop": false,
	"timeupdate": false,
	"devel": true,
	"cleanAfter": false,
	"gitclone": true,
	"provides": true,
	"pgpfetch": true,
	"upgrademenu": true,
	"cleanmenu": true,
	"diffmenu": true,
	"editmenu": true,
	"combinedupgrade": false,
	"useask": false
}

General Utilities

These packages supplement the base system. 

yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip

If you are not running inside a VM, you may also wish to add these packages: 

yay -Syu hddtemp lm_sensors memtest86+ smartmontools

The havaged service can be enabled and started right away as no configuration is needed. 

sudo systemctl enable --now haveged

Your sensors need to be configured before starting the lm_sensors service.

Note: This package is useless inside a VM.
sudo sensors-detect
sudo systemctl enable --now lm_sensors

Don't start fail2ban or sshd quite yet as they have configuration that needs to be done.

Retrieved from "https://wiki.bwt.com.de/index.php?title=Arch_Post-Installation_Checklist&oldid=392"