Arch Post-Installation Checklist: Difference between revisions

From The Brainwrecked Wiki
PHP-FPM: Deleted section -- content moved to its own section
m Yay: Fixed some code blocks
 
(5 intermediate revisions by the same user not shown)
Line 147: Line 147:
Create a directory where AUR build files will go
Create a directory where AUR build files will go


{{bc|
{{bc|1=
sudo mkdir /var/lib/pacman/aur
sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
$ mkdir /var/lib/pacman/aur/$(whoami)
mkdir /var/lib/pacman/aur/$(whoami)
}}
}}


Build {{ic|yay}}.
Build {{ic|yay}}.


{{bc|
{{bc|1=<nowiki>
$ cd /var/lib/pacman/aur/$(whoami)
cd /var/lib/pacman/aur/$(whoami)
$ git clone https://aur.archlinux.org/yay.git
git clone https://aur.archlinux.org/yay.git
$ cd yay
cd yay
$ makepkg -Ccisr
makepkg -Ccisr
}}
</nowiki>}}


The create the configuration file.
The create the configuration file.
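Review bot: the switch to `{{bc|1=` and `<nowiki>` fixes the rendering, but the first block (`sudo mkdir /var/lib/pacman/aur`, `sudo chmod 1777 /var/lib/pacman/aur`, `mkdir /var/lib/pacman/aur/$(whoami)`) now shows three commands at one prompt although the first two run as root and the last must run as the unprivileged user, so that the per-user subdirectory is owned by that user; the 1777 sticky bit on the parent only stops other users from deleting that subdirectory, it does not set its ownership. A short sentence before the block saying that the last command runs without sudo would avoid a root-owned build directory that later makepkg runs cannot write to. Also, "The create the configuration file." carried unchanged at the end of the hunk should read "Then create the configuration file."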
Line 231: Line 231:


Don't start {{ic|fail2ban}} or {{ic|sshd}} quite yet as they have configuration that needs to be done.
Don't start {{ic|fail2ban}} or {{ic|sshd}} quite yet as they have configuration that needs to be done.
== Docker ==
This is only needed for OnlyOffice
{{bc|
yay -Syu docker
sudo systemctl enable --now docker
}}
== Nginx Web Server and Reverse Proxy ==
These packages are typically used when setting up web applications like MediaWiki or Wordpress.
{{bc|yay -Syu --needed apache-tools ca-certificates certbot-nginx nginx php-<nowiki>{acpu,fpm,gd,imagick,intl,redis,sodium}</nowiki> postgresql}}
= Redis =
Redis is used by several programs, including rspamd (e-mail), NextCloud, OnlyOffice, and Wordpress (optional).
By default, {{ic|redis}} is already configured to bind to 127.0.0.1:6379, but the Unix socket is not enabled.
{{hc|/etc/redis.conf|2=
...
# Unix socket.
#
# Specify the path for the Unix socket that will be used to listen for
# incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified.
#
unixsocket /run/redis/redis.sock
unixsocketperm 700
...
}}
You will also need to add users to the {{ic|redis}} group so processes can access {{ic|redis}}
{{bc|for username in http rspamd; do sudo usermod -G redis ${username}; done}}
= Let's Encrypt =
{{bc|sudo certbot certonly --nginx --agree-tos}}
The {{ic|nginx}} plugin will guide you and help automate the process.
Take note that the {{ic|nginx}} configuration in this guide takes into account the settings suggested by {{ic|certbot}}.
== Automatic Renewal ==
These will automatically renew your certificates every 2 months on the first Sunday of the month at 4am.
=== Systemd ===
{{hc|/etc/systemd/system/certbot.service|2=
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --agree-tos --no-redirect
}}
{{hc|/etc/systemd/system/certbot.timer|2=
[Unit]
Description=Bi-monthly renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
}}
=== Crontab ===
{{bc|0 4 1-7 2-12/2 0 /usr/bin/certbot renew --agree-tos --no-redirect}}
= OnlyOffice Document Server =
On Arch, OnlyOffice can be installed via an [https://aur.archlinux.org/packages/onlyoffice-documentserver AUR package], with [https://helpcenter.onlyoffice.com/server/docker/document/docker-installation.aspx Docker], or with [https://snapcraft.io/onlyoffice-ds Snap].
== AUR Package ==
The [https://aur.archlinux.org/packages/onlyoffice-documentserver/ AUR package] was broken at the time of this writing.
== Snap ==
Snap did not work for me.  However, this might have been due to the Snap's Redis service conflicting with that of the host's.
== Docker ==
The Docker version requires PostreSQL, RabbitMQ, and Redis to be set up.  Be sure to install and configure those first.
Once that is complete, set up the database and database user.
{{bc|
sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"
}}
Create the following directories.
{{bc|sudo mkdir /var/{lib,log}/onlyoffice}}
Issue one command to download and start the Docker instance.
{{bc|<nowiki>
sudo docker run -i -t -d -p [port]:80 --restart=always \
  -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
  -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
  -v /app/onlyoffice/DocumentServer/db:/srv/psql  onlyoffice/documentserver
</nowiki>}}
Configure nginx to act as a proxy
{{hc|/etc/nginx/sites-available/<domain>|2=<nowiki>
upstream docservice {
server <docker-ip>:8888;
}
map $http_host $this_host {
"" $host;
default $http_host;
}
map $http_x_forwarded_proto $the_scheme {
default $http_x_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_host $the_host {
default $http_x_forwarded_host;
"" $this_host;
}
map $http_upgrade $proxy_connection {
default upgrade;
"" close;
}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
server {
listen 80;
listen [::]:80;
server_name <domain>;
server_tokens off;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ods.bwt.com.de;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;
add_header Strict-Transport-Security max-age=31536000;
# add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
access_log /var/log/nginx/access.log main buffer=32k;
error_log /var/log/nginx/error.log error;
limit_req zone=gulag burst=200 nodelay;
# ACME challenge
location ^~ /.well-known {
allow all;
alias /var/lib/letsencrypt/$host/.well-known;
default_type "text/plain";
try_files $uri =404;
}
location / {
proxy_pass http://docservice;
proxy_http_version 1.1;
}
}
</nowiki>}}
After [[Arch_Post-Installation_Checklist#Finalization|finalizing]], you should now be able to navigate to {{ic|<nowiki>https://<domain></nowiki>}} and see the OnlyOffice Document Server welcome page with a green checkmark indicating everything is running properly.
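Review bot: `unixsocketperm 700` in the /etc/redis.conf fragment contradicts the step that follows it: with mode 700 only the redis user can open /run/redis/redis.sock, so adding http and rspamd to the redis group grants them nothing; `unixsocketperm 770` is what group access needs. In that same step, `sudo usermod -G redis ${username}` without `-a` replaces each user's existing supplementary groups with redis alone; use `sudo usermod -aG redis ${username}`. Further points, in page order: `php-{acpu,...}` in the nginx package line should read `php-{apcu,...}` (the package is php-apcu); the crontab line `0 4 1-7 2-12/2 0` does not match the timer, since cron ORs day-of-month with day-of-week when both are restricted, so it fires on days 1 to 7 and on every Sunday of even months, while `OnCalendar=Sun *-1,3,5,7,9,11-1..7 04:00:00` fires on the first Sunday of odd months; `CREATE USER onlyoffice WITH password 'onlyoffice';` ships a copy-pasteable password where every other secret on the page is a `<placeholder>`, so mark it as one; `sudo mkdir /var/{lib,log}/onlyoffice` creates directories the `docker run` never mounts (its `-v` lines use /app/onlyoffice/DocumentServer/...), so one of the two paths should change; `server_name ods.bwt.com.de;` in the TLS server block is a hard-coded host while the surrounding lines use `<domain>`; and `limit_req zone=gulag` references a zone that is declared nowhere in the fragment, so nginx will reject the configuration unless a matching `limit_req_zone` exists in the http block.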

Latest revision as of 03:39, 28 December 2019

Passwords & User Creation

Make sure root has a password.

Make sure you have a primary user set up.

sudo useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
sudo passwd <user>
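As an added example (not part of the wiki checklist), the script below audits the two points of this step: root has a usable password, and the primary user exists with UID >= 1000 and is in wheel. It assumes passwd-, shadow- and group-format files are passed as arguments, so it runs here against constructed sample files rather than the live system; point it at /etc/passwd, /etc/shadow and /etc/group (as root) to audit a real host. The user name alice and the hashes in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki: audit "root has a password" and
# "primary user exists with UID >= 1000 and is in wheel" against
# passwd/shadow/group-format files given as arguments (constructed samples below).

# root_has_password SHADOWFILE -> 0 if root's password field holds a real hash.
# "", "*", "!", "!!" or a "!"-prefixed hash all mean no usable password.
root_has_password() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in
        ""|"*"|"!"*) return 1 ;;
        *) return 0 ;;
    esac
}

# user_uid_ok USER PASSWDFILE -> 0 if USER exists and has UID >= 1000
user_uid_ok() {
    awk -F: -v u="$1" '
        $1 == u { found = 1; if ($3 + 0 >= 1000) ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }' "$2"
}

# user_in_group USER GROUP GROUPFILE -> 0 if USER is listed as a member of GROUP
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$3"
}

# audit_user USER DIR -> 0 only if every check passes; prints one line per finding.
# DIR must contain files named passwd, shadow and group.
audit_user() {
    rc=0
    if root_has_password "$2/shadow"; then echo "ok: root has a password"
    else echo "FAIL: root has no usable password"; rc=1; fi
    if user_uid_ok "$1" "$2/passwd"; then echo "ok: $1 exists with UID >= 1000"
    else echo "FAIL: $1 is missing or has a system UID"; rc=1; fi
    if user_in_group "$1" wheel "$2/group"; then echo "ok: $1 is in wheel"
    else echo "FAIL: $1 is not in wheel"; rc=1; fi
    return $rc
}

# Constructed sample files: root is locked ("!"), alice has a placeholder hash.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:!:18000:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
wheel:x:998:alice
users:x:100:
EOF

# The locked root account makes the sample audit fail, which is the point.
audit_user alice "$SAMPLE_DIR" || echo "audit found problems (see above)"
```

On a real system, `passwd -S root` gives the same "locked or not" answer in one call; the file-based functions are kept so the audit can be run against a mounted image or a backup copy of /etc as well.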

/etc/fstab

Time Zone

sudo ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
sudo hwclock --systohc

Localization

Un-comment your desired locales in /etc/locale.gen, then run

sudo locale-gen

If you don't have the default /etc/locale.gen file:

sudo rm /etc/locale.gen
sudo pacman -Syu glibc

Edit /etc/locale.conf as you see fit

/etc/locale.conf
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8

Set up /etc/vconsole.conf with a keymap and (optionally) a font:

/etc/vconsole.conf
KEYMAP=us
FONT=Lat2-Terminus16

Initramfs

Look for and edit the following lines:

/etc/mkinitcpio.conf
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage])
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4

Networking

Host Name

Make sure a host name is set in /etc/hostname

Then edit /etc/hosts

/etc/hosts
127.0.0.1	localhost.localdomain	localhost
::1		localhost.localdomain	localhost
127.0.1.1	<hostname>.localdomain	<hostname>

Static Addressing

Use systemd-networkd when a machine will use a static address without consulting a DHCP server.

IPv4 Only

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>
LinkLocalAddressing=no
IPv6AcceptRA=no

IPv4 & IPv6

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
Address=<ipv6-address>/<mask>
DNS=<ipv6-address>
Gateway=<ipv6-address>
Address=<ipv4-address>/<mask>
DNS=<ipv4-address>
Gateway=<ipv4-address>

Dynamic Addressing

It's preferable to use connman or NetworkManager for dynamic addresses, as systemd-networkd doesn't handle interfaces coming and going well.

If you'd rather use systemd-networkd for DHCP:

/etc/systemd/network/network.network
[Match]
MACAddress=<mac-address>
[Network]
DHCP=yes
[DHCP]
UseMTU=true

Packages

Mirror List

Install and use reflector to automate the selection and ranking of mirrors.

sudo pacman -Syu reflector
sudo reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist

Yay

Make sure you have the base-devel group installed.

sudo pacman -Syu --needed base-devel git

Create a directory where AUR build files will go

sudo mkdir /var/lib/pacman/aur
sudo chmod 1777 /var/lib/pacman/aur
mkdir /var/lib/pacman/aur/$(whoami)
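The three commands above build a specific layout: a shared parent with mode 1777 (world-writable plus the sticky bit, so one user cannot delete another user's build tree) and a per-user subdirectory owned by the user who created it without sudo. The script below is an added example, not part of the wiki, that verifies that layout. It assumes a GNU or busybox `stat` that accepts `-c`, and the demo runs on a constructed temporary tree with a made-up user directory named builder rather than on /var/lib/pacman/aur.

```shell
#!/bin/sh
# Added example, not from the wiki: verify the AUR build-directory layout.
# Assumes GNU/busybox `stat -c`; the demo below uses a constructed temp tree.

# aur_root_ok DIR -> 0 if DIR is a directory whose mode is exactly 1777
# (0777 without the sticky bit would let any user delete other users' trees)
aur_root_ok() {
    [ -d "$1" ] && [ "$(stat -c %a "$1")" = "1777" ]
}

# aur_user_dir_ok DIR UID -> 0 if DIR is owned by the numeric UID and is not
# group- or world-writable. Symbolic mode is d rwx rwx rwx; a 'w' in the
# 6th (group) or 9th (other) position means someone else can write there.
aur_user_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$2" ] || return 1
    case "$(stat -c %A "$1")" in
        d????w????|d???????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# check_aur_layout ROOT NAME UID -> 0 if ROOT is 1777 and ROOT/NAME belongs
# to UID and is private; prints one line per finding.
check_aur_layout() {
    if aur_root_ok "$1"; then echo "ok: $1 is 1777"
    else echo "FAIL: $1 is $(stat -c %a "$1" 2>/dev/null || echo missing), expected 1777"; return 1; fi
    if aur_user_dir_ok "$1/$2" "$3"; then echo "ok: $1/$2 is owned by uid $3 and not writable by others"
    else echo "FAIL: $1/$2 is missing, has the wrong owner, or is writable by others"; return 1; fi
}

# Demo on a constructed tree mirroring the checklist's commands.
SAMPLE_ROOT=$(mktemp -d)/aur
mkdir "$SAMPLE_ROOT"
chmod 1777 "$SAMPLE_ROOT"
mkdir "$SAMPLE_ROOT/builder"      # "builder" stands in for $(whoami)
chmod 755 "$SAMPLE_ROOT/builder"  # what a default umask of 022 produces
check_aur_layout "$SAMPLE_ROOT" builder "$(id -u)" || echo "layout check failed"
```

To check the real tree, call `check_aur_layout /var/lib/pacman/aur "$(whoami)" "$(id -u)"`; a FAIL on the second line usually means the per-user mkdir was run through sudo and the directory belongs to root.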

Build yay.

cd /var/lib/pacman/aur/$(whoami)
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -Ccisr

Then create the configuration file.

~/.config/yay/config.json
{
	"aururl": "https://aur.archlinux.org",
	"buildDir": "/var/lib/pacman/aur/$USER",
	"editor": "nano",
	"editorflags": "",
	"makepkgbin": "makepkg",
	"makepkgconf": "",
	"pacmanbin": "pacman",
	"pacmanconf": "/etc/pacman.conf",
	"tarbin": "bsdtar",
	"redownload": "no",
	"rebuild": "no",
	"answerclean": "none",
	"answerdiff": "all",
	"answeredit": "",
	"answerupgrade": "0",
	"gitbin": "git",
	"gpgbin": "gpg",
	"gpgflags": "",
	"mflags": "",
	"sortby": "votes",
	"gitflags": "",
	"removemake": "yes",
	"requestsplitn": 150,
	"sortmode": 0,
	"completionrefreshtime": 7,
	"sudoloop": false,
	"timeupdate": false,
	"devel": true,
	"cleanAfter": false,
	"gitclone": true,
	"provides": true,
	"pgpfetch": true,
	"upgrademenu": true,
	"cleanmenu": true,
	"diffmenu": true,
	"editmenu": true,
	"combinedupgrade": false,
	"useask": false
}

General Utilities

These packages supplement the base system.

yay -Syu --needed adduser archey3 arj bind-tools bzip2 dmidecode dnsutils fail2ban git haveged htop hwdetect inxi iotop lshw lzop nano ncdu openssh p7zip pacman-contrib perl-rename pkgfile polkit ranger rsync strace sudo tmux unrar unzip vim whois zip

If you are not running inside a VM, you may also wish to add these packages:

yay -Syu hddtemp lm_sensors memtest86+ smartmontools

The haveged service can be enabled and started right away, as no configuration is needed.

sudo systemctl enable --now haveged

Your sensors need to be configured before starting the lm_sensors service.

Note: This package is useless inside a VM.
sudo sensors-detect
sudo systemctl enable --now lm_sensors

Don't start fail2ban or sshd quite yet as they have configuration that needs to be done.