User:Rdeckard/Post-installation
Networking
Connect to the internet
If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.
If you have a wireless connection, start/enable iwd.service if you have not already. Then connect by doing:
# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID
Clock synchronization
Run timedatectl set-ntp true to keep your clock in sync.
DNS Resolver
Set your DNS server to 127.0.0.1 (the local unbound instance configured below):
/etc/resolv.conf
nameserver 127.0.0.1
Add the following configuration file for unbound. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.
/etc/unbound/unbound.conf
server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
Update the root hints file:
# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
Start/enable unbound.service.
Test DNSSEC
$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
The first output line should be something like the following. Note the word "secure".
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
The first output line should be something like the following. Note the word "BOGUS".
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
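The two lookups above are the usual post-install check, but reading the result by eye is easy to get wrong: a resolver that is not validating at all answers "(insecure)" for both names rather than failing. The following shell script is an added example (my own, not part of the original page): it parses the validation tag unbound-host -v appends to each answer, treats the pair as correct only when the signed name is "secure" and the deliberately broken one is "BOGUS", and with --live runs the page's two queries against the local unbound. The function names and the sample lines are constructed for the example; the config path is the one used above.

```shell
#!/bin/sh
# Added example, not part of the original page: parse the validation tag that
# unbound-host -v appends to each answer, and (with --live) run the two
# lookups from the page against the local unbound.

# Constructed sample lines, copied from the expected output shown above.
SAMPLE_OK='sigok.verteiltesysteme.net has address 134.91.78.139 (secure)'
SAMPLE_FAIL='sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))'

# dnssec_status LINE -> secure | bogus | insecure | unknown
# unbound-host -v ends each answer with "(secure)", "(insecure)" for unsigned
# zones, or "(BOGUS (reason))" when the signature chain fails to validate.
dnssec_status() {
    case "$1" in
        *BOGUS*)        echo bogus ;;
        *"(secure)")    echo secure ;;
        *"(insecure)")  echo insecure ;;
        *)              echo unknown ;;
    esac
}

# verify_pair OK_LINE FAIL_LINE -> 0 only if the correctly signed name is
# "secure" AND the deliberately broken one is "bogus". A resolver that is not
# validating reports "insecure" for both, which is the misconfiguration this
# check is meant to catch.
verify_pair() {
    [ "$(dnssec_status "$1")" = secure ] && [ "$(dnssec_status "$2")" = bogus ]
}

# first_answer NAME -> first output line of unbound-host for NAME, using the
# config path from the page.
first_answer() {
    unbound-host -C /etc/unbound/unbound.conf -v "$1" 2>/dev/null | head -n 1
}

# check_resolver -> 0 if validation works, 1 if not, 2 if unbound-host is absent
check_resolver() {
    command -v unbound-host >/dev/null 2>&1 || return 2
    verify_pair "$(first_answer sigok.verteiltesysteme.net)" \
                "$(first_answer sigfail.verteiltesysteme.net)"
}

if [ "${1:-}" = "--live" ]; then
    if check_resolver; then
        echo "DNSSEC validation is working"
    else
        echo "DNSSEC validation is NOT working (or unbound-host is not installed)"
    fi
else
    # Offline demonstration on the constructed lines.
    echo "sigok   -> $(dnssec_status "$SAMPLE_OK")"
    echo "sigfail -> $(dnssec_status "$SAMPLE_FAIL")"
fi
```

Run it with --live on the installed system; without arguments it only classifies the two sample lines, so it can be tried before unbound is running.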
Firewall
Here is a simple stateful firewall using nftables. First install nftables. Then create the following configuration file. Modify for your needs.
/etc/nftables.conf
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state {established, related} accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        reject with icmp type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Then start/enable nftables.service.
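Before enabling the service it is worth checking the file rather than finding out after the next reboot that the host is unreachable. The following shell script is an added example (my own, not part of the original page): it confirms that the input chain is default-drop, that established/related traffic and loopback are accepted, and that invalid packets are dropped, and it warns when no ICMPv6 accept rule is present. That last point is a caveat on the ruleset above: "ip protocol icmp accept" matches only IPv4, so on an IPv6 host a default-drop input chain with no ICMPv6 rule also discards neighbour discovery and router advertisements. The function names are mine, the embedded ruleset is a constructed copy of the one above, and "nft -c -f" is nft's own parse-only dry run, used only when nft is installed.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check an nftables.conf
# before enabling nftables.service. The static checks use only grep; the
# nft -c -f dry run (parse without loading) is used when nft is installed.

# Constructed copy of the page's ruleset, used for the offline demonstration.
PAGE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state {established, related} accept
        ct state invalid drop
        iifname lo accept
        ip protocol icmp accept
        reject with icmp type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# has_rule FILE REGEX -> 0 if some line of FILE matches REGEX
has_rule() { grep -Eq "$2" "$1"; }

# has_icmpv6_accept FILE -> 0 if ICMPv6 is accepted somewhere in FILE.
# Without such a rule a default-drop input chain discards neighbour
# discovery and router advertisements, so IPv6 stops working on the host.
has_icmpv6_accept() {
    has_rule "$1" '(ip6 nexthdr ipv6-icmp|meta l4proto ipv6-icmp|icmpv6 type).*accept'
}

# check_nft_conf FILE -> 0 if the essentials of a stateful host firewall are
# present, 1 if one of them is missing. The ICMPv6 check only warns.
check_nft_conf() {
    f=$1
    rc=0
    has_rule "$f" 'hook input .*policy drop' \
        || { echo "input chain is not default-drop"; rc=1; }
    has_rule "$f" 'ct state.*established.*accept' \
        || { echo "established/related traffic is not accepted"; rc=1; }
    has_rule "$f" 'ct state invalid drop' \
        || { echo "invalid packets are not dropped"; rc=1; }
    has_rule "$f" 'iifname "?lo"? accept' \
        || { echo "loopback is not accepted"; rc=1; }
    has_icmpv6_accept "$f" \
        || echo "warning: no ICMPv6 accept rule (e.g. ip6 nexthdr ipv6-icmp accept); IPv6 will not work"
    return $rc
}

# nft_dry_run FILE -> parse FILE with nft without loading it (if nft exists)
nft_dry_run() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping dry run"; return 0; }
    nft -c -f "$1" && echo "nft accepted $1"
}

# Offline demonstration: check the constructed ruleset, or a file given as $1.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    printf '%s\n' "$PAGE_RULESET" > "$target"
    cleanup=yes
fi
if check_nft_conf "$target"; then
    echo "essential rules present in $target"
else
    echo "essential rules missing in $target"
fi
nft_dry_run "$target" || echo "nft could not parse $target"
[ "${cleanup:-}" = yes ] && rm -f "$target"
```

Run it as "sh check-nft.sh /etc/nftables.conf" on the installed system; with no argument it checks the constructed copy of the ruleset above, which passes the essential checks and triggers the ICMPv6 warning.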
Pacman
Create local repository for AUR
Install the aurutils AUR package. Then create a local repository called aur:
/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur
Then include that file from pacman.conf by adding this line:
/etc/pacman.conf
Include = /etc/pacman.d/aur
# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur
Now use aurutils or aurbuild to create packages that are put in the local database.
Pacman hooks
Get notified when a package becomes an orphan.
/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"
Clean up the pacman cache after each transaction.
/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv
Get notified when a package is no longer in a repository.
/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"