Installing/Updating
Rip the .iso and boot. Make sure all the settings in BIOS force UEFI boot (hardware needs to be compatible as well). You might need a hardwired internet connection. Run:
pacman -S archinstall
And then run archinstall. This is the closest you will get to a guided OS installation with Arch.
Alternatively you can manually install with the official installation guide.
To update:
pacman -Syu
You can also check if you need to restart with:
checkservices
General Arch (and linux)
Packages to get started (check arch-wiki too)
- cronie / fcron: Cron jobs, for automating stuff or running scripts every given time. To add/edit/remove jobs:
- crontab -e
- micro: Basically the easiest text editor to use with a mouse. All commands are the same as in the OS. EG, ctrl + c is copy, ctrl + v is paste, ctrl + s is save, ctrl + q is quit, etc.
- nano: another simple text editor.
- docker: Container driver. Used in conjunction with the orchestration tool, docker-compose. Docker Documentation.
- git: GIT cli client
- gnome: Desktop Environment. Also check gnome-extras, gnome-shell-extensions.
- nftables: Firewall rules. Good idea to replace iptables as they are slowly getting deprecated.
- vnstat: Network traffic monitor
- wireshark-cli: Packet sniffer. Use with termshark.
- lf: 'list-files' … basically ranger.
Default console text editor
Edit .bashrc and .bash_profile
add:
export EDITOR=[text_editor] #---this goes to bashrc
export VISUAL=[text_editor] #---this goes to bash_profile
If you use a different shell, it's usually the equivalent files for that shell, e.g. for zsh it's .zshrc and .zprofile
Change Default Shell
List all available shells:
chsh -l
Change:
chsh -s /path/to/shell
ZSH
Zsh is the superior shell, so use this instead of bash. All plugins and customizations for zsh happen in the .zshrc file in your home directory.
To highlight folders:
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'
    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi
For shell suggestions
Install zsh-autosuggestions and source it in the .zshrc file.
For syntax highlighting
Install zsh-syntax-highlighting and source it in the .zshrc file.
For amazing cat
Install bat and then replace cat with an alias in the .zshrc file:
alias cat=batcat
In some distros it's simply bat, in some other distros it might be batcat.
To change the default prompt look
Add the following to .zshrc:
PROMPT="%F{red}%n%f %~ > "
You can customize the prompt to your liking. Here is one resource.
Disabling system suspend
When using a device as e.g. a server, suspending might not be needed or it could even be undesired. To configure system sleep states:
nano /etc/systemd/sleep.conf.d/disable-suspend.conf
And change the following:
[Sleep]
AllowSuspend=no
AllowHibernation=no
AllowSuspendThenHibernate=no
AllowHybridSleep=no
VMs
First you need the QEMU server, which is the backend for the VMs, the libvirt manager, and optionally the cockpit web interface.
pacman -S qemu-full libvirt virt-manager cockpit cockpit-machines
You need to also enable/start libvirtd.
For cockpit you might need dnsmasq for DHCP for the VMs
pacman -S dnsmasq
Enable/Start dnsmasq
For simpler VM frontend you can use Gnome Boxes which is included with the gnome-extra package.
pacman -S gnome-extra
Software for TPM emulator. Needed for Windows 11.
pacman -S swtpm
For Windows 11
Download Win11 iso. Open gnome boxes. Start a new VM from local files. Edit memory to at least 4GB. Edit storage to at least 100GB. Edit configuration file to enable TPM. Under add:
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0"/>
</tpm>
Save and start the VM.
In windows 11 installation, to skip internet, hit Shift + F10 to bring up the console and type OOBE\BYPASSNRO and restart. Remember to disconnect the host from the internet so no internet passes through to the guest OS.
GUI / CLI Boot
You can swap between using a desktop environment or just CLI. To force CLI:
systemctl set-default multi-user.target
To force Desktop Environment:
systemctl set-default graphical.target
Generate Keys
You can use the openssl command together with rand to generate a key. Optionally, you can pass as flags the format you want and the number of digits.
For base64 and 60 digits key:
openssl rand -base64 60
For hexadecimal and 32 digits key:
openssl rand -hex 32
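The number passed to openssl rand counts random bytes before encoding, so the printed key is longer than that number, and base64 output is wrapped at 64 columns. The helper below is an added example, not part of the original notes (the function names are hypothetical); it returns a single-line key and checks its length against the encoding.

```shell
#!/bin/sh
# Added example: single-line keys from openssl rand, with a length check.
# Function names are hypothetical helpers, not part of openssl.

# gen_key ENCODING NBYTES -> prints one key on a single line (no newline).
gen_key() {
    enc=$1 nbytes=$2
    case $enc in
        base64|hex) ;;
        *) echo "unsupported encoding: $enc" >&2; return 2 ;;
    esac
    # openssl wraps base64 output at 64 columns; strip the newlines so the
    # key can be pasted into a one-line config value or environment file.
    openssl rand "-$enc" "$nbytes" | tr -d '\n'
}

# expected_len ENCODING NBYTES -> number of characters the key should have.
expected_len() {
    case $1 in
        hex)    echo $(( $2 * 2 )) ;;               # 2 hex digits per byte
        base64) echo $(( ( ($2 + 2) / 3 ) * 4 )) ;; # 4 chars per 3 bytes, padded
        *)      return 2 ;;
    esac
}

# key_len_ok ENCODING NBYTES -> succeeds if a fresh key has the expected length.
key_len_ok() {
    key=$(gen_key "$1" "$2") || return 1
    [ "${#key}" -eq "$(expected_len "$1" "$2")" ]
}

# Usage:
#   gen_key base64 60   # 60 random bytes (480 bits), printed as 80 characters
#   gen_key hex 32      # 32 random bytes (256 bits), printed as 64 hex digits
```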
Faillock
After 3 failed sudo attempts the account is locked. First check the failed attempts with faillock and make sure it was actually you. Then you can reset the account's failure count with:
faillock --user <user> --reset
Archiving and Compression
Archivers are used to put multiple files into a single file. Compressors are used to reduce the size of a file. These two tools are used together usually when packaging applications or backing up. One combo is tar + gzip. Tar creates and extracts files from archives. Gzip compresses and decompresses the archive files.
Tar flags:
-c Create a new archive. We use this flag whenever we need to create a new archive.
-z Use gzip compression. When we specify this flag, it means that archive will be created using gzip compression.
-v Provide verbose output. Providing the -v flag shows details of the files compressed.
-f Archive file name. Archive file names are mapped using the -f flag.
-x Extract from a compressed file. We use this flag when files need to be extracted from an archive.
Creating an archive and compressing it:
tar -czf example_archive.tar.gz /path/to/files
Extracting an archive (remember the -z flag if it's compressed):
tar -xzf example_archive.tar.gz
Use the -C flag to specify the extraction location:
tar -xzf example_archive.tar.gz -C /path/to/extraction
Password Store
pass is a unix password manager. It stores the passwords in a gpg file and uses git to sync.
You need to generate a gpg key to initialize pass:
pass init <your_public_gpg_key>
You can then initialize git for pass store:
pass git init
You can use normal git commands to view history, push, pull and sync your passwords across devices.
To add an existing password:
pass insert github
Where github is any password you want to add. pass is using normal files to save your passwords so you can nest them in folders.
pass insert websites/github
You can see all the stored passwords by running pass.
To generate a new password:
pass generate github
To show a password:
pass show websites/github
If you want to add a url, an email, or any data to a password, you can add it as metadata on the password file:
pass edit websites/github
------------------------------------
random_password
email: hello@world.com
URL: https://eelslap.com/
Cryptography
Generating a new gpg key:
gpg --gen-key
You can check the public id of your key by:
gpg -K
By default, gpg keys expire, but you can change that by editing your key. Copy the id of your key and run:
gpg --edit-key <key_public_id>
and then, in the gpg prompt run: expire
Networking
SSH Keys
Make sure you have openssh. Usually comes with most Linux distributions.
To use keys instead of passwords, you need first to generate the key pair on the machine that will connect to the server:
ssh-keygen
Then you need to copy the public key to the server, and add the private key to the machine identity list:
ssh-copy-id -i <path/to/publickey.pub> <user>@<host>
ssh-add <path/to/privatekey>
(ARCH-SPECIFIC) And finally on the server, you need to enable publickey authentication and disable password to avoid brute force attacks.
micro /etc/ssh/sshd_config.d/10-force_publickey.conf
----------------------------------------------
PasswordAuthentication no
AuthenticationMethods publickey
Restart the sshd daemon on the server and it should work.
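sshd uses the first value it reads for each keyword, so whether the drop-in above takes effect depends on what other files set and on the order they are read. The script below is an added example, not part of the original notes; it resolves a keyword across drop-in files in file-name order, and the temp directory, 50-other.conf and 05-early.conf are constructed.

```shell
#!/bin/sh
# Added example: resolve an sshd keyword the way sshd does (first value wins).
# Assumptions: drop-ins are read in file-name order; lines after a Match line
# in the same file are conditional and are ignored here (a simplification).

# effective_value KEYWORD FILE... -> prints the first global value found.
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        FNR == 1 { in_match = 0 }             # new file: back to global scope
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$@"
}

# pubkey_only DIR -> succeeds when DIR/*.conf enforce key-only login.
pubkey_only() {
    [ "$(effective_value PasswordAuthentication "$1"/*.conf)" = "no" ] &&
    [ "$(effective_value AuthenticationMethods "$1"/*.conf)" = "publickey" ]
}

# Constructed sample drop-ins in a temp dir (not real system files).
demo=$(mktemp -d)
printf 'PasswordAuthentication no\nAuthenticationMethods publickey\n' \
    > "$demo/10-force_publickey.conf"
printf '# constructed later drop-in\nPasswordAuthentication yes\n' \
    > "$demo/50-other.conf"
pubkey_only "$demo" && echo "OK: 10-force_publickey.conf is read first"

# A file that sorts earlier wins and silently re-enables passwords.
printf 'PasswordAuthentication yes\n' > "$demo/05-early.conf"
pubkey_only "$demo" || echo "WARN: 05-early.conf overrides the hardening"
rm -r "$demo"
```

On a live server, `sshd -T` prints the configuration sshd actually resolved, which also covers the main sshd_config and Match blocks.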
SSH Tunneling
SSH tunnels are used to expose ports to and from connected systems.
Forward tunnels (or local port forwarding) are used to connect to a host and expose ports on it that otherwise wouldn't be accessible, giving access to webservers or services that are still not public. Forward tunnels are created with the -L flag. In this example, local will be the client and remote will be the server:
ssh -L local:localport:remote:remoteport user@serverip_or_domain_name
ssh -L localhost:888:11.22.33.44:80 admin@11.22.33.44
Reverse tunnels (or remote port forwarding) let you access a computer inside a private network. To do this, you usually need three systems:
- S1: The computer inside the private network (the one you want to access).
- S2: A public system that both you and S1 can connect to.
- S3: Your computer, trying to access S1.
S1 connects to S2 using SSH with the -R flag, creating a reverse tunnel. This forwards a port (like port 2222) on S2 back to S1’s port 22 (SSH). Now, S3 can connect to S2 on port 2222, which forwards the connection back to S1, letting you access it as if you were inside its network.
This setup helps you bypass S1’s firewall.
#FROM THE ENDPOINT SYSTEM
ssh -R S2:S2port:S1:S1port S2user@S2
#FROM THE CLIENT SYSTEM
ssh -p S2port S1user@S2
SSH File Transfer
This should work with MacOS and any Linux distro:
scp <source path> <user>@<server>:<destination path>
Add the -r flag if it's a folder. To connect via SSH the format is user@host:/path/to/folder/, e.g.:
scp -r /etc/systemd/destroyd takis@29.231.0.43:/opt/something
You might need to add the SSH fingerprint.
Network management
- systemd-networkd: the system daemon running the network configuration. It is needed for ipvlans for docker.
- networkctl list: show interfaces
Force close ports
nmap [host] #to see if/what ports are open
ss -tlpn | grep [port]
# OR
fuser [port]/tcp
Add flag -k to fuser to kill the task as well (needs root)
Static IP Config (requires systemd-networkd)
/etc/systemd/network/20-wired.network
----------------------------------------
[Match]
Name=enp1s0

[Network]
Address=10.1.10.9/24
Gateway=10.1.10.1
DNS=10.1.10.1
Renaming an interface (requires systemd-networkd)
A .link file can be used to rename an interface. A useful example is to set a predictable interface name for a USB-to-Ethernet adapter based on its MAC address, as those adapters are usually given different names depending on which USB port they are plugged into.
/etc/systemd/network/10-ethusb0.link
--------------------------------------
[Match]
MACAddress=12:34:56:78:90:ab

[Link]
Description=USB to Ethernet Adapter
Name=ethusb0
Disk Management
Partitioning
Partitioning deletes everything on your disk!
lsblk
Will show all the drives on the computer. Find the drive you want to partition and memorize the drive's path. I'll use sda for this example:
fdisk /dev/sda
Make sure the drive is unmounted.
umount <device>
Then fdisk starts and you will have a new prompt. For most cases:
g make a new GPT partition table
n create a new partition
  select the number assigned. Default picks the next available.
  select start of the sector. Default picks the first available byte.
  select the end of the sector. If you want one partition on the whole disk, then use default. Otherwise you need to define in which byte to end (you need to do some math to figure it out).
t if you want to change the partition type. You might need this if you're setting up a RAID. Default is Linux Filesystem.
w to write the partition and exit.
Formatting
Formatting deletes everything on your disk!
lsblk
Will show all the drives on the computer. Find the partition you want to format and memorize the path. I'll use /dev/sda1 for this example.
Make sure the drive is unmounted.
umount <device>
You need to figure out what file system you want. Usually btrfs or ext4 is best for Linux. I do ext4 for single disks and btrfs for RAID arrays.
mkfs.ext4 /dev/sda1
You might need to mount the drive.
RAID
You need to download mdadm.
pacman -S mdadm
Make sure you have partitioned the drives you want to use and the partition type is Linux RAID (it might work on empty space as well).
Also make sure the drives are unmounted.
umount <device1>
umount <device2>
Then you can build the array:
mdadm --create --verbose --level=0 --metadata=1.2 --raid-devices=2 /dev/md/myRAIDarray /dev/sda1 /dev/sdb1
- --level determines the RAID type. level 0 is RAID0, level 1 is RAID1, level 5 is RAID5, level 10 is RAID10, etc.
- --metadata default is 1.2 and should stay like that. If you are writing an OS on the RAID, then you probably need 1.0.
- --raid-devices the number of partitions in the RAID array.
The path will be the path of your new RAID partition. The rest are the partitions to be used in the RAID.
Once the array is created, you can double check it's ready with:
cat /proc/mdstat
and:
mdadm --detail --scan
You will then need to format the new array, and mount:
mkfs.<FILESYSTEM> -F /path/to/dev
mount /path/to/dev /path/to/mount
You can double check that the array is available with df.
We need to then save the array layout so it's available at boot. We do that by writing the details of the array to mdadm.conf in etc.
sudo mdadm --detail --scan | sudo tee -a /etc/mdadm/mdadm.conf
We can also update the initramfs so the array is available early in the boot process:
sudo update-initramfs -u
You can also add the array to fstab so it automatically mounts on startup.
Mounting
mount /path/to/dev /path/to/mount
If you want to permanently mount a drive you have to add it to fstab
/etc/fstab
------------------------------------------------------------------------------
# <device>                                <dir> <type> <options> <dump> <fsck>
UUID=0a3407de-014b-458b-b5c1-848e92a327a3 /     ext4   defaults  0      1
UUID=f9fe0b69-a280-415d-a03a-a32752370dee none  swap   defaults  0      0
UUID=b411dc99-f0a0-4c87-9e05-184977be8539 /home ext4   defaults  0      2
To find your device UUID:
lsblk -f
- <device> describes the block special device or remote file system to be mounted.
- <dir> describes the mount directory.
- <type> the file system type.
- <options> the associated mount options.
- <dump> is checked by the dump(8) utility. This field is usually set to 0, which disables the check.
- <fsck> sets the order for file system checks at boot time. For the root device it should be 1. For other partitions it should be 2, or 0 to disable checking.
Once you are done editing the fstab, reload the system daemon and mount all drives:
systemctl daemon-reload
mount -a
Automount with systemd
If the partition is pretty big, you can automount with systemd. You need to add x-systemd.automount in the options field. eg:
# <device>                                <dir> <type> <options>                     <dump> <fsck>
UUID=0a3407de-014b-458b-b5c1-848e92a327a3 /     ext4   defaults,x-systemd.automount 0      1
Disk Usage
I recommend ncdu to check disk usage.
pacman -S ncdu
and then to run it, just:
ncdu
You can also check free space with:
df -h
Firewall Back-end
nftables is on its way to replace iptables. For that reason, I decided to replace iptables with nftables already. As of now, Arch Linux comes with both installed but is using iptables. Usually just stopping/disabling iptables and enabling/starting nftables is good enough.
To move rules from iptables to nftables you need to translate them. Thankfully, iptables comes with a tool that does that. First you need to export your iptables rules to a file:
iptables-save > tables.txt
Then translate the rules and save them in another file:
iptables-restore-translate -f tables.txt > ruleset.nft
And then just import the rules to nft:
nft -f ruleset.nft
Nftables already comes with some basic rules. To clear the ruleset:
nft flush ruleset
Front-end
These are the firewalls that support nftables:
- ufw
- firewalld
- nft-blackhole