Rip the .iso and boot. Make sure all the settings in BIOS force UEFI boot (hardware needs to be compatible as well). You might need a hardwired internet connection. Run:

pacman -S archinstall

And then run archinstall. This is the closest you will get to a guided OS installation with Arch.

Alternatively you can manually install with the official installation guide.

To update:

pacman -Syu

You can also check if you need to restart with:

checkservices

• cronie / fcron: Cron jobs, for automating stuff or running scripts every given time. To add/edit/remove jobs:
• crontabs -e
• micro: Basically the easiest text editor to use with a mouse. All commands are the same as in the OS. EG, ctrl + c is copy, ctrl + v is paste, ctrl + s is save, ctrl + q is quit, etc.
• nano: another simple text editor.
• docker: Container driver. Used in conjunction the orchestration tool, docker-compose. Docker Documentation.
• git: GIT cli client
• gnome: Desktop Environment. Also check gnome-extras, gnome-shell-extensions.
• nftables: Firewall rules. Good idea to replace iptables as they are slowly getting deprecated.
• vnstat: Network traffic monitor
• wireshark-cli: Packet sniffer. Use with termshark.
• lf: ‘list-files' … basically ranger.

edit .bashsrc and .bash_profile

add:

export EDITOR = [text_editor] #---this goes to bashrc
export VISUAL = [text_editor] #---this goes to bash_profile

If using different shell usually it’s the same files to the corresponding shell, eg, for zsh it’s .zshrc and .zprofile

List all available shells:

chsh -l

Change:

chsh -s /path/to/shell

Zsh is the superior shell, so use this instead of bash. All plugins and customizations for zsh happen in the .zshrc file in your home directory.

if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

Install zsh-autosuggestions and source to the .zshrc file.

Install zsh-syntax-highlighting and source to the .zshrc file.

Install bat and then replace cat with alias in the .zshrc file:

alias cat=batcat

In some distros it's simply bat, in some other distros it might be batcat. To change the default prompt look

add the following to .zshrc:

PROMPT="%F{red}%n%f %~ > "

You can customize the prompt to your liking. Here is one resource.

When using a device as e.g a server, suspending might not be needed or it could even be undesired. To configure system sleep states:

nano /etc/systemd/sleep.conf.d/disable-suspend.conf

And change the following:

[Sleep]
AllowSuspend=no
AllowHibernation=no
AllowSuspendThenHibernate=no
AllowHybridSleep=no

First you need the QEMU server, which is the backend for the VMs, the libvirt manager, and optionally the cockpit web interface.

pacman -S qemu-full libvirt virt-manager cockpit cockpit-machines

You need to also enable/start libvirtd.

For cockpit you might need dnsmasq for DCHP for the VMs

pacman -S dnsmasq

Enable/Start dnsmasq

For simpler VM frontend you can use Gnome Boxes which is included with the gnome-extra package.

pacman -S gnome-extra

Software for TPM emulator. Needed for Windows 11.

pacman -S swtpm

==== For Windows 11 ====

  Download Win11 iso.
  Open gnome boxes.
  Start a new VM from local files.
  Edit memory to at least 4GB.
  Edit storage to at least 100GB.
  Edit configuration file to enable TPM. Under add:

<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>

Save and start the VM.

In windows 11 installation, to skip internet, hit Shift + F10 to bring up the console and type OOBE\BYPASSNRO and restart. Remember to disconnect the host from the internet so no internet passes through to the guest OS.

You can swap between using a desktop environment or just CLI. To force CLI:

systemctl set-default multi-user.target

To force Desktop Environment:

systemctl set-default graphical.target

You can use the openssl command to generate key together with rand. Optionally, you can pass as flags the format you want and the number of digits.

For base64 and 60 digits key:

openssl rand -base64 60

For hexadecimal and 32 digits key:

openssl rand -hex 32

After 3 attempts of sudo the accounts is locked. Check first the failed attempts with faillock and make sure it's actually you. Then you can reset the account fails with:

faillock --user <user> --reset

Archivers are used to put multiple files into a single file. Compressors are used to reduce the size of a file. These two tools are used together usually when packaging applications or backing up. One combo is tar + gzip. Tar creates and extracts files from archives. Gzip compresses and decompresses the archive files.

Tar flags:

-c 	Create a new archive. 	We use this flag whenever we need to create a new archive.
-z 	Use gzip compression. 	When we specify this flag, it means that archive will be created using gzip compression.
-v 	Provide verbose output. 	Providing the -v flag shows details of the files compressed.
-f 	Archive file name. 	Archive file names are mapped using the -f flag.
-x 	Extract from a compressed file. 	We use this flag when files need to be extracted from an archive.

Creating an archive and compressing it:

tar -czf example_archive.tar.gz /path/to/files

Extracting an archive (remember the -z flag if it's compressed):

tar -xzf example_archive.tar.gz

One can use the -C to specific location of extraction:

tar -xzf example_archive.tar.gz -C /path/to/extraction

pass is a unix password manager. It stores the passwords in a gpg file and uses git to sync.

You need to generate a gpg key to initialize pass:

pass init <your_public_gpg_key>

You can then initialize git for pass store:

pass git init

You can use normal git commands to view history, push, pull and sync your passwords across devices.

To add an existing password:

pass insert github

Where github is any password you want to add. pass is using normal files to save your passwords so you can nest them in folders.

pass insert websites/github

You can see all the stored passwords by running pass.

To generate a new password:

pass generate github

To show a password:

pass show websites/github

If you want to add a url, an email, or any data to a password, you can add it as metadata on the password file:

pass edit websites/github
------------------------------------
random_password
email: [email protected]
URL: https://eelslap.com/

Generating a new gpg key:

gpg --gen-key

You can check the public id of your key by:

gpg -K

By default, gpg keys expire, but you change that by editing your key. Copy the id of your key and run:

gpg --edit-key <key_public_id>

and then, in the gpg prompt run: expire

Make sure you have openssh. Usually comes with most Linux distributions.

To use keys instead of passwords, you need first to generate the key pair on the machine that will connect to the server:

ssh-keygen

Then you need to copy the public key to the server, and add the private key to the machine identity list:

ssh-copy-id -i <path/to/publickey.pub> <user>@<host>
ssh-add <path/to/privatekey>

(ARCH-SPECIFIC) And finally on the server, you need to enable publickey authentication and disable password to avoid brute force attacks.

micro /etc/ssh/sshd_config.d/10-force_publickey.conf
----------------------------------------------
PasswordAuthentication no
AuthenticationMethods publickey

Restart the sshd daemon on the server and it should work.

SSH Tunnels are used to exposed ports to and from connected systems.

Forward Tunnels (or local port forwarding)are used to connect to a host and expose their ports that would othewise wouldn't be accessible creating access to webservers or services that are still not public. Forward tunnels are created with the -L flag. In this example, local will be the client and remote will be the server:

ssh -L local:localport:remote:remoteport user@serverip_or_domain_name * * * ssh -L localhost:888:11.22.33.44:80 [email protected]

Reverse tunnels (or remote port forwarding) let you access a computer inside a private network. To do this, you usually need three systems:

1. S1: The computer inside the private network (the one you want to access).
2. S2: A public system that both you and S1 can connect to.
3. S3: Your computer, trying to access S1.

S1 connects to S2 using SSH with the -R flag, creating a reverse tunnel. This forwards a port (like port 2222) on S2 back to S1’s port 22 (SSH). Now, S3 can connect to S2 on port 2222, which forwards the connection back to S1, letting you access it as if you were inside its network.

This setup helps you bypass S1’s firewall.

#FROM THE ENDPOINT SYSTEM
ssh -R S2:S2port:S1:S1port S2user@S2

#FROM THE CLIENT SYSTEM
ssh -p S2port S1user@S2

This should work with MacOS and any Linux distro:

scp <source path> <user>@<server>:<destination path>

add the -r flag if it’s a folder. To connect via SSH the format is user@host:/path/to/folder/ eg.:

scp -r /etc/systemd/destroyd [email protected]:/opt/something

You might need to add the SSH fingerprint.

systemd-networkd - the system daemon running the network configuration. Is needed for ipvlans for docker.

networkctl list - show interfaces

nmap [host] #to see if/what ports are open
ss -tlpn | grep [port] # OR
fuser [port]/tcp

Add flag -k to fuser to kill the task as well (needs root)

/etc/systemd/network/20-wired.network
----------------------------------------
[Match]
Name=enp1s0

[Network]
Address=10.1.10.9/24
Gateway=10.1.10.1
DNS=10.1.10.1

A .link file can be used to rename an interface. A useful example is to set a predictable interface name for a USB-to-Ethernet adapter based on its MAC address, as those adapters are usually given different names depending on which USB port they are plugged into.

/etc/systemd/network/10-ethusb0.link
--------------------------------------
[Match]
MACAddress=12:34:56:78:90:ab

[Link]
Description=USB to Ethernet Adapter
Name=ethusb0

Partitioning deletes everything on your disk!

lsblk Will show all the drives on the computer. Find the drive you want to partition and memorize the drive's path. I'll use sda for this example:

fdisk /dev/sda

Make sure the drive is unmounted.

umount <device>

Then fdisk starts and you will have a new prompt. For most cases:

  g make a new GPT partition table
  n create a new partition
  select the number assigned. Default picks the next available.
  select start of the sector. Default picks the first available byte.
  select the end of the sector. If you want one partition on the whole disk, then use default. Otherwise you need to define in which byte to end (you need to do some math to figure it out).
  t if you want to change the partition type. You might need this if you're setting up a RAID. Default is Linux Filesystem.
  w to write the partition and exit.

Formatting deletes everything on your disk!

lsblk Will show all the drives on the computer. Find the partition you want to format and memorize the path. I'll use /dev/sda1 for this example.

Make sure the drive is unmounted.

umount <device>

You need to figure out what file system you want. Usually btrfs or ext4 is best for Linux. I do ext4 for single disks and btrfs for RAID arrays.

mkfs.ext4 /dev/sda1

You might need to mount the drive.

You need to download mdadm.

pacman -S mdadm

Make sure you have partitioned the drives you want to use and the partition type is Linux RAID (it might work on empty space as well).

Also make sure the drives are unmounted.

umount <device1>
umount <device2>

Then you can build the array:

mdadm --create --verbose --level=0 --metadata=1.2 --raid-devices=2 /dev/md/myRAIDarray /dev/sda1 /dev/sdb1

1. -level determines the RAID type. level 0 is RAID0, level 1 is RAID1, level 5 is RAID5, level 10 is RAID10, etc.
2. -metadata default is 1.2 and should stay like that. If you are writing an OS on the RAID, then you probably need 1.0.
3. -raid-devices the number of partitions in the RAID array.

The path will be the path of your new RAID partition. The rest are the partitions to be used in the RAID.

Once the array is created, you double check it's ready with:

cat /proc/mdstat

and:

mdadm --detail --scan

You will then need to format the new array, and mount:

mkfs.<FILESYSTEM> -F /path/to/dev
mount /path/to/mount /path/to/dev

You can double check that the array is available with df.

We need to then save the array layout so it's available at boot. We do that by writing the details of the array to mdadm.conf in etc.

sudo mdadm --detail --scan | sudo tee -a /etc/mdadm/mdadm.conf

We can also update the initramfs so the array is available early in the boot process:

sudo update-initramfs -u

You can also add the array to fstab so it automatically mounts on startup.

mount /path/to/dev /path/to/mount

If you want to permanently mount a drive you have to add it to fstab

/etc/fstab
------------------------------------------------------------------------------
# <device>                                <dir> <type> <options> <dump> <fsck>
UUID=0a3407de-014b-458b-b5c1-848e92a327a3 /     ext4   defaults  0      1
UUID=f9fe0b69-a280-415d-a03a-a32752370dee none  swap   defaults  0      0
UUID=b411dc99-f0a0-4c87-9e05-184977be8539 /home ext4   defaults  0      2

To find your device UUID:

lsblk -f

• <device> describes the block special device or remote file system to be mounted.
• <dir> describes the mount directory.
• <type> the file system type.
• <options> the associated mount options.
• <dump> is checked by the dump(8) utility. This field is usually set to 0, which disables the check.
• <fsck> sets the order for file system checks at boot time. For the root device it should be 1. For other partitions it should be 2, or 0 to disable checking.

Once you are done editing the fstab, reload the system daemon and mount all drives:

systemctl daemon-reload
mount -a

If the partition is pretty big, you can automount with systemd. You need to add x-systemd.automount in the options field. eg:

# <device>                                <dir> <type> <options>                  <dump> <fsck>
UUID=0a3407de-014b-458b-b5c1-848e92a327a3 /     ext4   defaults,x-systemd.automount  0      1

I recommend ncdu to check disk usage.

pacman -S ncdu

and then to run it, just:

ncdu

You can also check free space with:

df -h

Firewall Back-end

nftables is on it's way to replace iptables. For that, I decided to replace iptables with nftables already. As of now, Archlinux comes with both installed but is using iptables. Usually just stop/disabling iptables and enable/starting nftables is good enough.

To move rules from iptables to nftables you need to translate them. Iptables comes with a tool thankfully that does that. FIrst you need to export to a file your iptables rules:

iptables-save > tables.txt

Then translate the rules and save them in another file:

iptables-restore-translate -f tables.txt > ruleset.nft

And then just import the rules to nft:

nft -f ruleset.nft

Nftables already comes with some basic rules. To clear the ruleset:

nft flush ruleset

Front-end

These are the firewalls that support nftables:

  ufw
  firewalld
  nft-blackhole