Arch Post-Installation Checklist: Difference between revisions
Jump to navigation
Jump to search
m →systemd-networkd: Switched to shorthand |
m Combined two Networking sections |
||
| Line 10: | Line 10: | ||
= Networking = | = Networking = | ||
== | == Host Name == | ||
Make sure a host name is set in <code>/etc/hostname</code> | |||
==== IPv4 Only | Then edit <code>/etc/hosts</code> | ||
127.0.0.1 localhost.localdomain locahost | |||
::1 localhost.localdomain localhost | |||
127.0.1.1 <hostname>.localdomain <hostname> | |||
== Static Addressing == | |||
Use <code>systemd-networkd</code> when a machine will use a static address without consulting a DHCP server. | |||
=== IPv4 Only === | |||
[Match] | [Match] | ||
| Line 25: | Line 35: | ||
IPv6AcceptRA=no | IPv6AcceptRA=no | ||
=== IPv4 & IPv6 === | |||
[Match] | [Match] | ||
| Line 38: | Line 48: | ||
=== Dynamic Addressing === | === Dynamic Addressing === | ||
It's preferable to use <code>connman</code> or <code>Network Manager</code> for dynamic addresses as <code>systemd-networkd</code> doesn't play well with interfaces coming and going. | |||
If you'd rather use <code>systemd-networkd</code> for DHCP: | |||
[Match] | [Match] | ||
| Line 149: | Line 163: | ||
KEYMAP=us | KEYMAP=us | ||
FONT=Lat2-Terminus16 | FONT=Lat2-Terminus16 | ||
= Initramfs = | = Initramfs = | ||
Revision as of 23:45, 4 November 2019
Passwords & User Creation
Make sure root has a password.
Make sure you have a primary user set up.
# useradd -m -u <id -ge 1000> -g users -G wheel,games,video,audio,optical,storage,scanner,power <user> # passwd <user>
Networking
Host Name
Make sure a host name is set in /etc/hostname
Then edit /etc/hosts
127.0.0.1 localhost.localdomain locahost ::1 localhost.localdomain localhost 127.0.1.1 <hostname>.localdomain <hostname>
Static Addressing
Use systemd-networkd when a machine will use a static address without consulting a DHCP server.
IPv4 Only
[Match] MACAddress=<mac-address> [Network] Address=<ipv4-address>/<mask> DNS=<ipv4-address> Gateway=<ipv4-address> LinkLocalAddressing=no IPv6AcceptRA=no
IPv4 & IPv6
[Match] MACAddress=<mac-address> [Network] Address=<ipv6-address>/<mask> DNS=<ipv6-address> Gateway=<ipv6-address> Address=<ipv4-address>/<mask> DNS=<ipv4-address> Gateway=<ipv4-address>
Dynamic Addressing
It's preferable to use connman or Network Manager for dynamic addresses as systemd-networkd doesn't play well with interfaces coming and going.
If you'd rather use systemd-networkd for DHCP:
[Match] MACAddress=<mac-address> [Network] DHCP=yes [DHCP] UseMTU=true
IPTables Firewall
# SIMPLE STATEFUL FIREWALL *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [100308:88697975] :TCP - [0:0] :UDP - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p udp -m conntrack --ctstate NEW -j UDP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -j REJECT --reject-with tcp-reset -A INPUT -j REJECT --reject-with icmp-proto-unreachable # OPEN NECESSARY PORTS HERE -A TCP -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "ssh" -A TCP -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "http" -A TCP -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "https" -A TCP -p tcp -m tcp --dport 465 -j ACCEPT -m comment --comment "smtp secure" -A TCP -p tcp -m tcp --dport 873 -j ACCEPT -m comment --comment "rsync" -A TCP -p tcp -m tcp --dport 993 -j ACCEPT -m comment --comment "imap secure" -A TCP -p tcp -m tcp --dport 3000 -j ACCEPT -m comment --comment "cryptpad http" -A TCP -p tcp -m tcp --dport 3001 -j ACCEPT -m comment --comment "cryptpad safe http" -A TCP -p tcp -m tcp --dport 64738 -j ACCEPT -m comment --comment "mumble tcp" -A UDP -p udp -m udp --dport 64738 -j ACCEPT -m comment --comment "mumble udp" COMMIT
SSH Setup
Look for and edit the following lines:
Port <port> AddressFamily <any|inet|inet6> ListenAddress <ip4-address> ListenAddress <ip6-address> LogLevel VERBOSE PermitRootLogin prohibit-password PubkeyAuthentication yes PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no UsePAM yes AllowUsers <space-separated-list-of-users> AllowAgentForwarding no AllowTcpForwarding no
Mirror Selection
# pacman -Syu reflector # reflector -c <country> -p https -l 5 --sort rate --save /etc/pacman.d/mirrorlist
/etc/fstab
Time Zone
# ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime # hwclock --systohc
Localization
Un-comment your desired locales in /etc/locale.conf, then run
# locale-gen
If you don't have the default /etc/locale.gen file:
# rm /etc/locale.gen # pacman -Syu glibc
Edit /etc/locale.conf as you see fit
LANG=en_US.UTF-8 LANGUAGE=en_US LC_COLLATE=POSIX LC_MESSAGES=C LC_CTYPE=en_US.UTF-8 LC_NUMERIC=en_US.UTF-8 LC_TIME=en_US.UTF-8 LC_MONETARY=en_US.UTF-8 LC_PAPER=en_US.UTF-8 LC_NAME=en_US.UTF-8 LC_ADDRESS=en_US.UTF-8 LC_TELEPHONE=en_US.UTF-8 LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=en_US.UTF-8
Set up /etc/vconsole.conf with a keymap and (optionally) a font:
KEYMAP=us FONT=Lat2-Terminus16
Initramfs
Look for and edit the following lines:
MODULES=([amdgpu|bochs_drm|cirrus|i915|nouveau|(nvidia nvidia_modeset nvidia_uvm nvidia_drm)] [ehci_pci usb_storage]>) HOOKS=(base udev autodetect modconf block [zfs] filesystems keyboard fsck [encrypt] keymap consolefont) COMPRESSION=lz4
