Arch Post-Installation Checklist: Difference between revisions
Revision as of 22:16, 4 November 2019
Passwords & User Creation
Make sure root has a password.
Make sure you have a primary user set up.
# useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user>
# passwd <user>
Networking
systemd-networkd
Static Addressing
[Match]
MACAddress=<mac-address>
[Address]
Address=<ip-address>/<mask>
[Network]
DNS=<ip-address>
[Route]
Gateway=<ip-address>
Dynamic Addressing
[Match]
MACAddress=<mac-address>
[Network]
DHCP=yes
[DHCP]
UseMTU=true
IPTables Firewall
# SIMPLE STATEFUL FIREWALL
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100308:88697975]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# OPEN NECESSARY PORTS HERE
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtp secure"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imap secure"
-A TCP -p tcp -m tcp --dport 3000 -j ACCEPT -m comment --comment "cryptpad http"
-A TCP -p tcp -m tcp --dport 3001 -j ACCEPT -m comment --comment "cryptpad safe http"
-A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp"
-A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp"
COMMIT
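A ruleset like the one above is easy to drift from over time (a port added "temporarily", a policy flipped while debugging). The script below is an added example, not part of the original checklist, that audits a saved ruleset offline: it confirms INPUT and FORWARD still default to DROP and lists every port the TCP and UDP chains accept, with the rule comments as labels. It assumes the checklist's layout (open ports live in user chains named TCP and UDP) and writes the ruleset above to a temporary file as its sample input, so it can run on any machine without touching a live firewall; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original checklist): offline audit of an
# iptables-save style ruleset. Assumes the checklist's layout, where INPUT
# dispatches new connections to user chains named TCP and UDP.

# Sample input: the checklist's "simple stateful firewall", written to a temp
# file so the example runs without a live firewall. Prints the file path.
fw_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [100308:88697975]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh"
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http"
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https"
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtp secure"
-A TCP -p tcp -m tcp --dport 873 -j ACCEPT -m comment --comment "rsync"
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imap secure"
-A TCP -p tcp -m tcp --dport 3000 -j ACCEPT -m comment --comment "cryptpad http"
-A TCP -p tcp -m tcp --dport 3001 -j ACCEPT -m comment --comment "cryptpad safe http"
-A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp"
-A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp"
COMMIT
EOF
    printf '%s\n' "$f"
}

# Default policy of chain $2 in ruleset file $1 (e.g. "DROP"); empty if absent.
# Policy lines look like ":INPUT DROP [0:0]", so field 1 is ":" + chain name.
fw_policy() {
    awk -v chain="$2" '$1 == ":" chain { print $2; exit }' "$1"
}

# Exit 0 when INPUT and FORWARD both default to DROP, 1 otherwise.
fw_check_policies() {
    [ "$(fw_policy "$1" INPUT)" = DROP ] && [ "$(fw_policy "$1" FORWARD)" = DROP ]
}

# Every port the TCP/UDP chains ACCEPT, printed as "proto/port comment".
fw_open_ports() {
    awk '
        $1 == "-A" && ($2 == "TCP" || $2 == "UDP") {
            proto = port = comment = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) != "ACCEPT") next
            }
            if (port == "") next
            # the comment sits inside quotes after --comment; strip the wrapper
            if (match($0, /--comment "[^"]*"/))
                comment = substr($0, RSTART + 11, RLENGTH - 12)
            printf "%s/%s %s\n", proto, port, comment
        }
    ' "$1"
}

# Count of accepted ports, for a one-line assertion in a provisioning check.
fw_open_port_count() {
    fw_open_ports "$1" | grep -c .
}

RULES=$(fw_sample_rules)
if fw_check_policies "$RULES"; then
    echo "INPUT/FORWARD default to DROP"
else
    echo "WARNING: INPUT or FORWARD is not DROP" >&2
fi
echo "Exposed services ($(fw_open_port_count "$RULES")):"
fw_open_ports "$RULES"
```

Point it at /etc/iptables/iptables.rules on the real host and diff the output against the list of services the machine is supposed to run; anything extra is a finding before the ruleset ever reaches iptables-restore.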
SSH Setup
Look for and edit the following lines:
Port <port>
AddressFamily <any|inet|inet6>
ListenAddress <ip4-address>
ListenAddress <ip6-address>
LogLevel VERBOSE
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers <space-separated-list-of-users>
AllowAgentForwarding no
AllowTcpForwarding no
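Because sshd takes the first uncommented occurrence of a directive and silently ignores the rest, a hardening line added at the bottom of a stock sshd_config may never take effect. The script below is an added example, not part of the original checklist, that reads a config the way sshd does (comments stripped, keys case-insensitive, first match wins) and reports every directive from the list above that is missing or set to a different value. It builds its two sample files inline (a constructed stock-style config and the hardened one from the checklist); the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original checklist): verify the hardening
# directives above are actually in effect in an sshd_config file.

# Directives the checklist wants and their expected values.
SSHD_EXPECTED='
LogLevel VERBOSE
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
'

# Effective value of directive $2 in file $1: comments are dropped, the key is
# compared case-insensitively and the FIRST match wins, as in sshd itself.
# Prints nothing when the directive is not set (the compiled-in default applies).
sshd_get() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per directive that is missing or differs from SSHD_EXPECTED.
# Exit 0 when the file is compliant, 1 when there is at least one finding.
sshd_check() {
    file=$1
    findings=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            findings=$((findings + 1))
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: a stock-style file where the insecure settings are still
# live and most hardening lines exist only as comments. Prints its path.
sshd_sample_weak() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real host's file
#PermitRootLogin prohibit-password
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the checklist's settings, written out verbatim.
sshd_sample_hardened() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SSHD_EXPECTED" | grep . > "$f"
    printf '%s\n' "$f"
}

for cfg in "$(sshd_sample_weak)" "$(sshd_sample_hardened)"; do
    echo "== $cfg"
    if sshd_check "$cfg"; then echo "compliant"; fi
done
```

A `<unset>` finding means sshd is running on its compiled-in default for that directive, which may or may not match what you want; the checklist asks for each value to be stated explicitly so the file documents the intent. Run it as `sshd_check /etc/ssh/sshd_config` after editing and again after any package upgrade that ships a new sshd_config.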
Mirror Selection
# pacman -Syu reflector
# reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
/etc/fstab
Time Zone
# ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
# hwclock --systohc
Localization
Un-comment your desired locales in /etc/locale.gen, then run
# locale-gen
If you don't have the default /etc/locale.gen file:
# rm /etc/locale.gen
# pacman -Syu glibc
Edit /etc/locale.conf as you see fit:
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_COLLATE=POSIX
LC_MESSAGES=C
LC_CTYPE=en_US.UTF-8
LC_NUMERIC=en_US.UTF-8
LC_TIME=en_US.UTF-8
LC_MONETARY=en_US.UTF-8
LC_PAPER=en_US.UTF-8
LC_NAME=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
LC_TELEPHONE=en_US.UTF-8
LC_MEASUREMENT=en_US.UTF-8
LC_IDENTIFICATION=en_US.UTF-8
Set up /etc/vconsole.conf with a keymap and (optionally) a font:
KEYMAP=us
FONT=Lat2-Terminus16
Network
Put a host name in /etc/hostname.
Then edit /etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 <hostname>.localdomain <hostname>
Initramfs
Look for and edit the following lines:
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage])
HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont)
COMPRESSION=lz4