|
|
| (135 intermediate revisions by the same user not shown) |
| Line 5: |
Line 5: |
| Make sure you have a primary user set up. | | Make sure you have a primary user set up. |
|
| |
|
| {{bc|1= | | {{bc| |
| # useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
| | sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user> |
| # passwd <user>
| | sudo passwd <user> |
| }} | | }} |
|
| |
|
| Line 14: |
Line 14: |
| = Time Zone = | | = Time Zone = |
|
| |
|
| {{bc|1= | | {{bc| |
| # ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
| | sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime |
| # hwclock --systohc
| | sudo hwclock --systohc |
| }} | | }} |
|
| |
|
| Line 23: |
Line 23: |
| Un-comment your desired locales in {{ic|/etc/locale.conf}}, then run | | Un-comment your desired locales in {{ic|/etc/locale.conf}}, then run |
|
| |
|
| {{bc|locale-gen}} | | {{bc|sudo locale-gen}} |
|
| |
|
| If you don't have the default {{ic|/etc/locale.gen}} file: | | If you don't have the default {{ic|/etc/locale.gen}} file: |
|
| |
|
| {{bc|1= | | {{bc| |
| # rm /etc/locale.gen
| | sudo rm /etc/locale.gen |
| # pacman -Syu glibc
| | sudo pacman -Syu glibc |
| }} | | }} |
|
| |
|
| Line 128: |
Line 128: |
| }} | | }} |
|
| |
|
| == IPTables Firewall == | | = Packages = |
| | |
| {{hc|/etc/iptables/iptables.rules|2=
| |
| # SIMPLE STATEFUL FIREWALL
| |
| *filter
| |
| :INPUT DROP [0:0]
| |
| :FORWARD DROP [0:0]
| |
| :OUTPUT ACCEPT [100308:88697975]
| |
| :TCP - [0:0]
| |
| :UDP - [0:0]
| |
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| |
| -A INPUT -i lo -j ACCEPT
| |
| -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
| |
| -A INPUT -m conntrack --ctstate INVALID -j DROP
| |
| -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
| |
| -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
| |
| -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
| |
| -A INPUT -p tcp -j REJECT --reject-with tcp-reset
| |
| -A INPUT -j REJECT --reject-with icmp-proto-unreachable
| |
| | |
| # OPEN NECESSARY PORTS HERE
| |
| -A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
| |
| -A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
| |
| -A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
| |
| -A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtp secure"
| |
| -A TCP -p tcp -m tcp --dport 873 -j ACCEPT -m comment --comment "rsync"
| |
| -A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imap secure"
| |
| -A TCP -p tcp -m tcp --dport 3000 -j ACCEPT -m comment --comment "cryptpad http"
| |
| -A TCP -p tcp -m tcp --dport 3001 -j ACCEPT -m comment --comment "cryptpad safe http"
| |
| -A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp"
| |
| -A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp"
| |
| COMMIT
| |
| }}
| |
| | |
| = Pacman =
| |
|
| |
|
| == Mirror List == | | == Mirror List == |
| Line 168: |
Line 134: |
| Install and use {{ic|reflector}} to automate the use and selection of mirrors. | | Install and use {{ic|reflector}} to automate the use and selection of mirrors. |
|
| |
|
| {{bc|1= | | {{bc| |
| # pacman -Syu reflector
| | sudo pacman -Syu reflector |
| # reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
| | sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist |
| }} | | }} |
| == General Utilities ==
| |
|
| |
|
| {{bc|# pacman -Syu --needed git rsync openssh}}
| | == Yay == |
|
| |
|
| == E-mail ==
| | Make sure you have the {{ic|base-devel}} group installed. |
|
| |
|
| {{bc|# pacman -Syu --needed dovecot postfix rspamd swaks}} | | {{bc|sudo pacman -Syu --needed base-devel git}} |
|
| |
|
| == Nginx Web Server and Reverse Proxy ==
| | Create a directory where AUR build files will go |
|
| |
|
| {{bc|# pacman -Syu --needed ca-certificates certbot-nginx mariadb nginx php-fpm}} | | {{bc|1= |
| | | sudo mkdir /var/lib/pacman/aur |
| == Roundcube Web Mail ==
| | sudo chmod 1777 /var/lib/pacman/aur |
| | | mkdir /var/lib/pacman/aur/$(whoami) |
| {{bc|# pacman -Syu --needed pigeonhole roundcube}}
| |
| | |
| = SSH Setup =
| |
| | |
| Look for and edit the following lines in {{ic|/etc/ssh/sshd_config}}:
| |
| | |
| {{hc|/etc/ssh/ssd_config|2=
| |
| <nowiki>Port <port>
| |
| AddressFamily <any|inet|inet6>
| |
| ListenAddress <ip4-address>
| |
| ListenAddress <ip6-address>
| |
| | |
| LogLevel VERBOSE
| |
| | |
| PermitRootLogin prohibit-password
| |
| | |
| PubkeyAuthentication yes
| |
| | |
| PasswordAuthentication no
| |
| PermitEmptyPasswords no
| |
| | |
| ChallengeResponseAuthentication no
| |
| | |
| UsePAM yes
| |
| AllowUsers <space-separated-list-of-users>
| |
| | |
| AllowAgentForwarding no
| |
| AllowTcpForwarding no</nowiki>
| |
| }} | | }} |
|
| |
|
| Then make sure the {{ic|sshd}} service is enabled and running:
| | Build {{ic|yay}}. |
| | |
| {{bc|# systemctl enable --now sshd}}
| |
| | |
| = PHP-FPM =
| |
| | |
| Look for and edit the following lines in {{ic|/etc/php/php.ini}}:
| |
|
| |
|
| {{hc|/etc/php/php.ini|2= | | {{bc|1=<nowiki> |
| [PHP]
| | cd /var/lib/pacman/aur/$(whoami) |
| open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/dev/urandom:/proc/meminfo
| | git clone https://aur.archlinux.org/yay.git |
| include_path = ".:/php/includes:/usr/share/pear"
| | cd yay |
| upload_max_filesize = 8M
| | makepkg -Ccisr |
| | </nowiki>}} |
|
| |
|
| extension=apcu
| | The create the configuration file. |
| extension=dba
| |
| extension=exif
| |
| extension=gd
| |
| extension=gettext
| |
| extension=iconv
| |
| extension=intl
| |
| extension=sodium
| |
| extension=ldap
| |
| extension=mysqli
| |
| zend_extension=opcache
| |
| extension=pdo_mysql
| |
| extension=soap
| |
|
| |
|
| [Pdo_mysql]
| | {{hc|~/.config/yay/config.json|2= |
| pdo_mysql.cache_size = 2000
| | { |
| | | "aururl": "https://aur.archlinux.org", |
| [Session]
| | "buildDir": "/var/lib/pacman/aur/$USER", |
| session.save_path = "/tmp/php/sessions"
| | "editor": "nano", |
| | | "editorflags": "", |
| [opcache]
| | "makepkgbin": "makepkg", |
| opcache.enable=1
| | "makepkgconf": "", |
| opcache.enable_cli=1
| | "pacmanbin": "pacman", |
| opcache.memory_consumption=128
| | "pacmanconf": "/etc/pacman.conf", |
| opcache.interned_strings_buffer=8
| | "tarbin": "bsdtar", |
| opcache.max_accelerated_files=10000
| | "redownload": "no", |
| opcache.revalidate_freq=1
| | "rebuild": "no", |
| opcache.save_comments=1
| | "answerclean": "none", |
| }}
| | "answerdiff": "all", |
| | | "answeredit": "", |
| Then make sure the {{ic|php-fpm}} service is enabled and running:
| | "answerupgrade": "0", |
| | | "gitbin": "git", |
| {{bc|# systemctl enable --now php-fpm}}
| | "gpgbin": "gpg", |
| | | "gpgflags": "", |
| = Nginx =
| | "mflags": "", |
| | | "sortby": "votes", |
| First, edit {{ic|/etc/nginx/nginx.conf}}:
| | "gitflags": "", |
| | | "removemake": "yes", |
| {{hc|/etc/nginx/nginx.conf|2=
| | "requestsplitn": 150, |
| <nowiki>user http;
| | "sortmode": 0, |
| worker_processes 1; # one(1) worker or equal the number of _real_ cpu cores. 4=4 core cpu
| | "completionrefreshtime": 7, |
| worker_priority 15; # renice workers to reduce priority compared to system processes for machine health. Worst case nginx will get ~25% system resources at nice=15
| | "sudoloop": false, |
| worker_rlimit_nofile 1024; # maximum number of open files
| | "timeupdate": false, |
| worker_cpu_affinity auto;
| | "devel": true, |
| | | "cleanAfter": false, |
| events {
| | "gitclone": true, |
| multi_accept on; | | "provides": true, |
| accept_mutex on; # serially accept() connections and pass to workers, efficient if workers gt 1 | | "pgpfetch": true, |
| accept_mutex_delay 500ms; # worker process will accept mutex after this delay if not assigned. (default 500ms) | | "upgrademenu": true, |
| worker_connections 1024; # number of parallel or concurrent connections per worker_processes | | "cleanmenu": true, |
| | "diffmenu": true, |
| | "editmenu": true, |
| | "combinedupgrade": false, |
| | "useask": false |
| } | | } |
|
| |
| http {
| |
| charset utf-8;
| |
| aio on; # asynchronous file I/O, fast with ZFS, make sure sendfile=off
| |
| sendfile off; # on for decent direct disk IO, off for VMs
| |
| tcp_nopush off; # turning on requires sendfile=on
| |
| tcp_nodelay on; # Nagle buffering algorithm, used for keepalive only
| |
| server_tokens off; # version number in error pages
| |
| log_not_found off;
| |
| types_hash_max_size 4096;
| |
|
| |
| # MIME
| |
| include mime.types;
| |
| default_type application/octet-stream;
| |
|
| |
| # logging
| |
| access_log /var/log/nginx/access.log;
| |
| error_log /var/log/nginx/error.log warn;
| |
|
| |
| # SSL
| |
| ssl_session_timeout 1440m;
| |
| ssl_session_cache shared:le_nginx_SSL:10m;
| |
| ssl_session_tickets off;
| |
| ssl_prefer_server_ciphers off;
| |
|
| |
| # Diffie-Hellman parameter for DHE ciphersuites
| |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
| |
|
| |
| # Mozilla Intermediate configuration
| |
| ssl_protocols TLSv1.2 TLSv1.3;
| |
| ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
| |
|
| |
| # OCSP Stapling
| |
| ssl_stapling on;
| |
| ssl_stapling_verify on;
| |
| resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
| |
| resolver_timeout 2s;
| |
|
| |
| # Size Limits
| |
| #client_body_buffer_size 8k;
| |
| #client_header_buffer_size 1k;
| |
| client_max_body_size 16M;
| |
| #large_client_header_buffers 4 4k/8k;
| |
|
| |
| ## From StackOverflow: for "upstream sent too big header while reading response header from upstream"
| |
| fastcgi_buffers 8 16k;
| |
| fastcgi_buffer_size 32k;
| |
|
| |
| # Timeouts, do not keep connections open longer then necessary to reduce
| |
| # resource usage and deny Slowloris type attacks.
| |
| client_body_timeout 5s; # maximum time between packets the client can pause when sending nginx any data
| |
| client_header_timeout 5s; # maximum time the client has to send the entire header to nginx
| |
| keepalive_timeout 75s; # timeout which a single keep-alive client connection will stay open
| |
| send_timeout 15s; # maximum time between packets nginx is allowed to pause when sending the client data
| |
|
| |
| ## General Options
| |
|
| |
| gzip off; # disable on the fly gzip compression due to higher latency, only use gzip_static
| |
| #gzip_http_version 1.0; # serve gzipped content to all clients including HTTP/1.0
| |
| gzip_static on; # precompress content (gzip -9) with an external script
| |
| #gzip_vary on; # send response header "Vary: Accept-Encoding"
| |
| gzip_proxied any; # allows compressed responses for any request even from proxies
| |
| ignore_invalid_headers on;
| |
| keepalive_requests 50; # number of requests per connection, does not affect SPDY
| |
| keepalive_disable none; # allow all browsers to use keepalive connections
| |
| max_ranges 1; # allow a single range header for resumed downloads and to stop large range header DoS attacks
| |
| msie_padding off;
| |
| open_file_cache max=1000 inactive=2h;
| |
| open_file_cache_errors on;
| |
| open_file_cache_min_uses 1;
| |
| open_file_cache_valid 1h;
| |
| output_buffers 1 512;
| |
| postpone_output 1440; # postpone sends to match our machine's MSS
| |
| read_ahead 512K; # kernel read head set to the output_buffers
| |
| recursive_error_pages on;
| |
| reset_timedout_connection on; # reset timed out connections freeing ram
| |
| server_name_in_redirect off; # if off, nginx will use the requested Host header
| |
| source_charset utf-8; # same value as "charset"
| |
|
| |
| ## Request limits
| |
| limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;
| |
|
| |
| ## Log Format
| |
| log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
| |
|
| |
| # load configs
| |
| include /etc/nginx/conf.d/*.conf;
| |
| include /etc/nginx/sites-enabled/*.conf;
| |
|
| |
| }</nowiki>
| |
| }} | | }} |
|
| |
|
| Make the {{ic|sites-available}} and {{ic|sites-enabled}} directories.
| | == General Utilities == |
| | |
| {{bc|# mkdir /etc/nginx/sites-<nowiki>{available,enabled}</nowiki>}}
| |
| | |
| Then make a site available by creating {{ic|/etc/nginx/sites-available/<domain>.conf}}:<br/>
| |
| (Remove the {{ic|#}} after setting up Let's Encrypt.)
| |
| | |
| {{hc|/etc/nginx/sites-available/<donmain>.conf|2=
| |
| <nowiki>server {
| |
| listen 80;
| |
| listen [::]:80;
| |
| server_name <domain>;
| |
| root /srv/http/$host;
| |
| index index.html index.php;
| |
| | |
| # if ($host = <domain>) {
| |
| # return 301 https://$host$request_uri;
| |
| # }
| |
| #
| |
| # return 404;
| |
| #
| |
| #}
| |
| #
| |
| #server {
| |
| #
| |
| # listen 443 ssl http2;
| |
| # listen [::]:443 ssl http2;
| |
| # server_name <domain>;
| |
| # root /srv/http/$host;
| |
| # index index.html index.php;
| |
| #
| |
| # ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
| |
| # ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
| |
| # ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;
| |
| #
| |
| # fastcgi_param HTTPS on;
| |
| #
| |
| # add_header Strict-Transport-Security max-age=15768000;
| |
| add_header Cache-Control "public";
| |
| add_header X-Frame-Options "DENY";
| |
| | |
| access_log /var/log/nginx/access.log main buffer=32k;
| |
| error_log /var/log/nginx/error.log error;
| |
| limit_req zone=gulag burst=200 nodelay;
| |
| | |
| | |
| # ACME challenge
| |
| location ^~ /.well-known {
| |
| allow all;
| |
| alias /var/lib/letsencrypt/$host/.well-known;
| |
| default_type "text/plain";
| |
| try_files $uri =404;
| |
| }
| |
| | |
| location ~ /(data|conf|bin|inc)/ {
| |
| deny all;
| |
| }
| |
| | |
| # static file 404's are strict access by hostname aren't logged and expires header is set to maximum age
| |
| location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
| |
| access_log off;
| |
| expires max;
| |
| }
| |
| | |
| location ~ \.php$ {
| |
| try_files $uri = 404;
| |
| fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
| |
| fastcgi_index index.php;
| |
| include fastcgi.conf;
| |
| }
| |
| | |
| location ~ \.php5$ {
| |
| try_files $uri = 404;
| |
| fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
| |
| fastcgi_index index.php5;
| |
| include fastcgi.conf;
| |
| }
| |
| | |
| location ~ /\.ht {
| |
| deny all;
| |
| }
| |
| | |
| }</nowiki>
| |
| }}
| |
|
| |
|
| Enable the site
| | These packages supplement the base system. |
|
| |
|
| {{bc|# ln -s ../sites-available/<domain>.conf /etc/nginx/sites-enabled/<domain>.conf}} | | {{bc|yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip}} |
|
| |
|
| Then create {{ic|index.php}} for your new site.
| | If you are not running inside a VM, you may also wish to add these packages: |
|
| |
|
| {{hc|/srv/http/<domain>/index.php|2= | | {{bc|yay -Syu hddtemp lm_sensors memtest86+ smartmontools}} |
| <nowiki><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
| |
| <html xmlns="http://www.w3.org/1999/xhtml">
| |
| <head>
| |
| <title>Server Configuration Confirmation</title>
| |
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
| |
| </head>
| |
|
| |
|
| <body style="font-family:sans-serif;">
| | The {{ic|havaged}} service can be enabled and started right away as no configuration is needed. |
|
| |
|
| <h1>Web server is properly configured!</h1>
| | {{bc|sudo systemctl enable --now haveged}} |
|
| |
|
| <?php echo "<h2>PHP is properly configured as well!</h2>" ?>
| | Your sensors need to be configured before starting the {{ic|lm_sensors}} service. |
|
| |
|
| <p>Time to add some content!</p>
| | {{note|This package is useless inside a VM.}} |
|
| |
|
| </body>
| | {{bc| |
| </html></nowiki>
| | sudo sensors-detect |
| | sudo systemctl enable --now lm_sensors |
| }} | | }} |
|
| |
|
| Finally, make sure the {{ic|nginx}} service is enabled and running:
| | Don't start {{ic|fail2ban}} or {{ic|sshd}} quite yet as they have configuration that needs to be done. |
| | |
| {{bc|# systemctl enable --now nginx}}
| |
| | |
| = Let's Encrypt =
| |
| | |
| {{bc|# certbot --nginx}}
| |
| | |
| The {{ic|nginx}} plugin will guide you and help automate the process.
| |
| | |
| Take note that the {{ic|nginx}} configuration in this guide takes into account the settings suggested by {{ic|certbot}}.
| |
| | |
| == Automatic Renewal ==
| |
| | |
| These will automatically renew your certificates every 2 months on the first Sunday of the month at 4am.
| |
| | |
| === Systemd ===
| |
| | |
| {{hc|/etc/systemd/system/certbot.service|2=
| |
| [Unit]
| |
| Description=Let's Encrypt renewal
| |
| | |
| [Service]
| |
| Type=oneshot
| |
| ExecStart=/usr/bin/certbot renew --quiet --agree-tos
| |
| }}
| |
| | |
| {{hc|/etc/systemd/system/certbot.timer|2=
| |
| [Unit]
| |
| Description=Bi-monthly renewal of Let's Encrypt's certificates
| |
| | |
| [Timer]
| |
| OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00
| |
| RandomizedDelaySec=1h
| |
| Persistent=true
| |
| | |
| [Install]
| |
| WantedBy=timers.target
| |
| }}
| |
| | |
| === Crontab ===
| |
| | |
| {{bc|0 4 1-7 2-12/2 0 /usr/bin/certbot renew}}
| |
| | |
| = E-mail =
| |
| | |
| = Roundcube =
| |
Passwords & User Creation
Make sure root has a password.
Make sure you have a primary user set up.
sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
sudo passwd <user>
/etc/fstab
Time Zone
sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
sudo hwclock --systohc
Localization
Un-comment your desired locales in /etc/locale.conf, then run
sudo locale-gen
If you don't have the default /etc/locale.gen file:
sudo rm /etc/locale.gen
sudo pacman -Syu glibc
Edit /etc/locale.conf as you see fit
/etc/locale.conf
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8
Set up /etc/vconsole.conf with a keymap and (optionally) a font:
/etc/vconsole.conf
KEYMAP=us
FONT=Lat2-Terminus16
Initramfs
Look for and edit the following lines:
/etc/mkinitcpio.conf
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage]>)
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4
Networking
Host Name
Make sure a host name is set in /etc/hostname
Then edit /etc/hosts
/etc/hosts
127.0.0.1 localhost.localdomain locahost
::1 localhost.localdomain localhost
127.0.1.1 <hostname>.localdomain <hostname>
Static Addressing
Use systemd-networkd when a machine will use a static address without consulting a DHCP server.
IPv4 Only
/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
LinkLocalAddressing=no
IPv6AcceptRA=no
IPv4 & IPv6
/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv6-address>/<mask>
DNS=<ipv6-address>
Gateway=<ipv6-address>
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
Dynamic Addressing
It's preferable to use connman or Network Manager for dynamic addresses as systemd-networkd doesn't play well with interfaces coming and going.
If you'd rather use systemd-networkd for DHCP:
/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
DHCP=yes
[DHCP]
UseMTU=true
Packages
Mirror List
Install and use reflector to automate the use and selection of mirrors.
sudo pacman -Syu reflector
sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
Yay
Make sure you have the base-devel group installed.
sudo pacman -Syu --needed base-devel git
Create a directory where AUR build files will go
sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
mkdir /var/lib/pacman/aur/$(whoami)
Build yay.
cd /var/lib/pacman/aur/$(whoami)
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -Ccisr
The create the configuration file.
~/.config/yay/config.json
{
"aururl": "https://aur.archlinux.org",
"buildDir": "/var/lib/pacman/aur/$USER",
"editor": "nano",
"editorflags": "",
"makepkgbin": "makepkg",
"makepkgconf": "",
"pacmanbin": "pacman",
"pacmanconf": "/etc/pacman.conf",
"tarbin": "bsdtar",
"redownload": "no",
"rebuild": "no",
"answerclean": "none",
"answerdiff": "all",
"answeredit": "",
"answerupgrade": "0",
"gitbin": "git",
"gpgbin": "gpg",
"gpgflags": "",
"mflags": "",
"sortby": "votes",
"gitflags": "",
"removemake": "yes",
"requestsplitn": 150,
"sortmode": 0,
"completionrefreshtime": 7,
"sudoloop": false,
"timeupdate": false,
"devel": true,
"cleanAfter": false,
"gitclone": true,
"provides": true,
"pgpfetch": true,
"upgrademenu": true,
"cleanmenu": true,
"diffmenu": true,
"editmenu": true,
"combinedupgrade": false,
"useask": false
}
General Utilities
These packages supplement the base system.
yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip
If you are not running inside a VM, you may also wish to add these packages:
yay -Syu hddtemp lm_sensors memtest86+ smartmontools
The havaged service can be enabled and started right away as no configuration is needed.
sudo systemctl enable --now haveged
Your sensors need to be configured before starting the lm_sensors service.
Note: This package is useless inside a VM.
sudo sensors-detect
sudo systemctl enable --now lm_sensors
Don't start fail2ban or sshd quite yet as they have configuration that needs to be done.
