User:AdamT/Installation Notes

From ArchWiki
Revision as of 23:42, 28 August 2013 by AdamT (talk | contribs) (Desktop environment: Did not properly close note.)

This article or section needs expansion.

Reason: Work in progress (Discuss in User talk:AdamT/Installation Notes#)

Note: Greetings,
This article serves for me to better learn Mediawiki and specific Arch Wiki practices. I also have a large collection of install notes that are getting unwieldy and transferring and combining them into a wiki article allows me to kill a couple birds at once.
AdamT (talk) 03:05, 2 August 2013 (UTC)
Below are my installation notes that I created while following the Official Installation Guide as well as (selectively) the Beginners' Guide. I pulled in additional sources from off of both the above articles as well as many many others which I will reference throughout.

These notes assume a clean installation. I base the install on a system running a modern Intel CPU (Sandy or Ivy Bridge or later) as well as a modern NVIDIA GeForce GPU (600 series or later). I have used these notes on my home systems as well as a Virtual Private Server that I rent (RamNode).

I will make use of some arguably bleeding-edge, as well as some out of stream, technologies below. Btrfs will be used exclusively as will the Linux-ck kernel. I spent multiple days stubbornly wrestling with Btrfs to get it working and to get it configured correctly and absolutely adore it now.

I have completed a few Arch Linux installations prior to tackling Btrfs and running an out of stream kernel. With that said, if you have a technical knack, a willingness to learn, and the time to spend then I have no doubt that you could accomplish the same sort of installation as detailed below.

I will not be attempting to hold your hand throughout; these will be primarily the notes that I need to repeat the installation without additional hassles. I intend to update the relevant Arch Wiki articles that I link to so that the needed information is accessible to those that need it (and to minimize work and redundant content).

I will follow the same flow as the official Installation Guide until we leave it behind.

Tip: If at any point below you do not understand exactly what a flag or command does, check the relevant man page! Without understanding what you are doing, you waste a precious chance to learn more about your system and to better adjust it to your own needs!


Installation media

  1. Arch Linux Download
  2. USB Installation Media
Tip: If creating the installation media under Windows, I suggest using this method: USB_Installation_Media#Win32_Disk_Imager.


Keyboard layout

If you are using a non-US or non-QWERTY keyboard layout set this now. For example:

# loadkeys dvorak
# loadkeys uk
Warning: If doing this install on a VPS or, in general, over a VNC connection, verify whether your preferred keyboard layout is already working. If so, do not load a different keyboard layout on the remote machine or it will transpose characters, as the VNC server may be assuming a QWERTY layout on the client.

Set font

# setfont Lat2-Terminus16

See also

Partition disks

GPT fdisk

Warning: If there is any chance that the first few megabytes of your drive have ever had a file system formatted to them, then take the time to zero out this section (or the entire drive) before moving on. Grub will throw an error much, much later on in the install if there is a file system on this (or at least Btrfs) and you will have to roll the dice and zero out then and attempt to recover your MBR and GPT table at that point. I was successful in doing so, but better to be safe if given the option. A quick way to zero out the first part of your drive is to run the following.
# badblocks -wv /dev/DRIVE 16384 0
After that you may want to go into gdisk, into the expert commands (x), and run zap (z).

First up we will load our (first) drive and partition it with gdisk. This will give the disk a GUID partition table and we will also set up an initial partition for Bios-booting grub on an UEFI system. In addition to this partition we will setup exactly one partition for use with Btrfs. Examples:

# gdisk /dev/sda
# gdisk /dev/vda
# gdisk /dev/mapper/array-name
Tip: If you are unsure of what drives you have available a few commands that might be helpful are:
  • lsblk
  • blkid
  • ls /dev/
See also

Insights into "clusters" versus "blocks":

SSD alignment

Warning: If using a HDD skip this step
Note: Initially I used two SSDs in Btrfs Raid0 and searched far and long to verify the proper alignment. With no success on my particular drive (Samsung 830 128 GB) I settled on what seems to be the largest Wikipedia:lowest common denominator alignment of 3072 KiB (or 6000 sectors x 512 bytes, or 3,145,728 bytes). This should work for SSDs with NAND erase blocks of 1024 KiB, 1536 KiB, 2048 KiB (or less). Ultimately, I am not yet convinced that partition alignment is fully necessary (see sources below) but to hedge my bet I am currently using it anyway as I do not mind sacrificing a little bit of disk space for the insurance policy.

By default gptfdisk (gdisk) aligns on 2048-sector boundaries (1 MiB). To change the alignment, enter the extra functionality (experts only) menu with x.

See also

Partitioning the first disk

Grub system partition

First off, we need to create a partition so GRUB can run on a GPT disk with an (emulated) BIOS (assuming UEFI mainboard). On your first (or only) disk, enter n, then Enter for the default partition number of "1", then Enter for the default starting partition alignment of 2048 (1 MiB), then +2M, then EF02.

Use P to print your current partition table to be written to your disk. This should start on sector 2048 and end on sector 6143. Everything else should match what we input above.

See also
Btrfs partition

Next we need to create a partition to house the B-tree file system. Btrfs has its own support for sub-volumes so no additional partitions are needed (on this disk). For the Btrfs partition you can use all defaults while creating the partition in gdisk.

Boot flag

Before continuing on we will also need to set the bootflag on the first (or only) disk. First, x for expert commands, then a to set an attribute on a partition, then 2 for the partition number of the Btrfs partition, and then 2 again for the legacy BIOS bootable option, and Enter to exit the attribute tool.

Warning: The Grub system partition (partition 1) will not be touched again for the rest of the install process. You can effectively forget that it exists. Do not use it for anything for the rest of the install!

Check your work with p again to verify everything looks correct, then w to write changes and exit GPT fdisk. Confirm your work by running gdisk /dev/DISK -l.

Partition additional disks

If you have any additional disks that will be used for Btrfs partition them now by following the steps outlined above while adjusting as necessary.

As indicated above, for RAID 0 I maintain an even 1:1 ratio between the partitions to be used. For other RAID types this is not necessary.

Note: I have either been unable to document whether it is safe to use differently sized partitions for RAID 0 in Btrfs or I have read that it should not be done but have failed to document it. At least for the time being to err on the safe side I am sacrificing 2 MB at the front of my second disk. See [btrfs raid]

Format the partitions

Warning: As stated in the introduction, I will be using Btrfs exclusively in these notes. Btrfs is still considered experimental.
Note: Originally I attempted to configure Btrfs with a sector size of 16 kb (-s 16384) but this caused issues for me when I went to mount it. I have retested with 16 kb and 8 kb with issues at mount time again. If you attempt to change the sector size and hit a wall when you go to mount (dmesg | tail will tell you there was an incompatible sector size found), then try backtracking and allowing the sector size to be its default (do not use the -s flag).
Warning: Be sure to designate the partition(s) you intended for Btrfs. Not the full disk or the Grub system partition!

Standard Example

mkfs.btrfs -l 16384 /dev/<PARTITION1>

RAID-0 Example

mkfs.btrfs -l 16384 -m raid0 -d raid0 /dev/<PARTITION1> /dev/<PARTITION2>
Tip: If you run into problems here be sure to check dmesg | tail (as the error message will likely also instruct). This can save you time and headaches!

Check your work with btrfs filesystem show.

Tip: If you make a mistake you can re-run mkfs.btrfs with the changes you desire using the -f flag to force the writing of the new partition.

See also

Setup the sub-volumes

# mkdir /mnt/btrfs-root
# mount -t btrfs -o defaults,compress=zlib,space_cache,autodefrag /dev/sda2 /mnt/btrfs-root
Tip: Additional options you might consider: ssd discard noacl compress=lzo
Note: As noted above, be sure to run dmesg | tail if you get an error when attempting to mount.

Enable quota

Just in case we ever want to use the quota features that Btrfs has it is easiest to enable it now, before we add any sub-volumes.

btrfs quota enable /mnt/btrfs-root

Create sub-volumes

$ cd /mnt/btrfs-root
# btrfs subvolume create root_subvolume
Note: Having root in a sub-volume will allow snapshots of root for system rollbacks if ever needed. Further post-install work is needed to fully implement these features.
$ cd root_subvolume

From here, repeat the process as outlined above to create as many additional sub_volumes as you wish to have on your system.

# btrfs subvolume create home
# btrfs subvolume create var
# btrfs subvolume create usr
Tip: If you wish to make your system as secure as possible consider breaking out more sub-volumes and mount points as shown here.

You can now check your work with btrfs subvolume list -p . (Note the space and period). You may also want to check permissions with ls -l.

See also

Mount the partitions

Since we will be having root contained within its own sub-volume we need to make a new directory to mount it in and then mount it. We do not need to mount our sub-volumes separately.

Warning: Make sure to use the options you wish to use on your installed system here!
# mkdir /mnt/btrfs-system
# mount -o subvol=root_subvolume,defaults,compress=zlib,space_cache,autodefrag /dev/sda2 /mnt/btrfs-system

Connect to the Internet

Make sure you have a connection to the Internet.

See Installation_Guide#Connect_to_the_internet if not.

Tip: The available network interface cards (NICs) can be found in /sys/class/net/. Within it you will likely see eth0 or wlan0, or both, or neither. In those directories you can find information pertaining to any given NIC by using cat or nano.


Note: If you are installing from really old media see here: Installing_Arch_Using_Old_Installation_Media

Install the base system


To start, install reflector which will allow your system to find the fastest and the most up-to-date mirrors accessible by it by running the following command.

# reflector -a 2 -l 100 -f 10 --sort score --save /etc/pacman.d/mirrorlist
Tip: To see the commands and what they do execute reflector --help.

This will help the installation to go as fast as possible and will subsequently help with all packages installed from here on out! You can check your work with cat /etc/pacman.d/mirrorlist


# pacstrap /mnt/btrfs-system base grub-bios

See also

Configure the system

File-system table

# genfstab -Up /mnt/btrfs-system >> /mnt/btrfs-system/etc/fstab

Check your work: cat /mnt/btrfs-system/etc/fstab

Tip: How-to send a UUID to fstab:
# ls -l /dev/disk/by-uuid | grep 'sda2' | gawk -F' ' '{ print $9 }' >> /etc/fstab


# arch-chroot /mnt/btrfs-system

You are now working in your new install!

Miscellaneous system configurations

Adapt for your location as needed.

# hostname <name>
# ln -s /usr/share/zoneinfo/US/Alaska /etc/localtime
# hwclock --systohc --utc

Locale and languages

# nano /etc/locale.gen
# Configuration file for locale-gen
# lists of locales that are to be generated by the locale-gen command.
# Each line is of the form:
#     <locale> <charset>
#  where <locale> is one of the locales given in /usr/share/i18n/locales
#  and <charset> is one of the character sets listed in /usr/share/i18n/charmaps
#  Examples:
#  en_US ISO-8859-1
#  en_US.UTF-8 UTF-8
#  de_DE ISO-8859-1
#  de_DE@euro ISO-8859-15
#  The locale-gen command will generate all the locales,
#  placing them in /usr/lib/locale.
#  A list of supported locales is included in this file.
#  Uncomment the ones you need.
#en_PH ISO-8859-1
#en_SG.UTF-8 UTF-8
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
#en_ZA.UTF-8 UTF-8
#en_ZA ISO-8859-1
# locale-gen
# echo LANG=en_US.UTF-8 > /etc/locale.conf
# export LANG=en_US.UTF-8
# nano /etc/vconsole.conf
# /etc/vconsole.conf
KEYMAP=dvorak #Comment out if non-dvorak user or VPS/VNC.


# nano /etc/mkinitcpio.conf
Tip: List all hooks available with mkinitcpio -L.

In the hooks section move fsck before autodetect.

Note: If you changed your keyboard layout you will also need to add the keymap hook between the filesystems and keyboard ones.

Uncomment xz compression below and uncomment and set the compression options as -C sha256 -8e.

Warning: If you are installing on a VPS or other Xen virtual machine that uses or can use virtio drivers add "virtio virtio_blk virtio_pci virtio_net" to the MODULES section or your system may not boot!
Note: If you need to manually generate the initial ram environment in the future you can run
# mkinitcpio -p linux
# mkinitcpio -p linux-ck

Root password


See also

Install Linux-ck

# echo [repo-ck] >> /etc/pacman.conf && echo Server =\$arch >> /etc/pacman.conf
Tip: If you delete or overwrite your pacman.conf file you can replace it from the archive file in /var/cache/pacman/pkg. See here for more information.
# pacman-key -r 5EE46C4C && pacman-key --lsign-key 5EE46C4C
# pacman -Syy
Tip: To see the contents of repo-ck run pacman -Sl repo-ck | less

Next install linux-ck-ivybridge as well as the nvidia-ck-ivybridge drivers.

Tip: To determine which package set you should use run
$ gcc -c -Q -march=native --help=target | grep march
If you are using RamNode or another VPS you may need to request CPU/Host pass-through before you can use the best optimizations for the VPS. The VPS will need to be restarted from the control panel before the effects take place!

See also

Install and configure a bootloader

# modprobe dm-mod
# grub-install --directory=/usr/lib/grub/i386-pc --target=i386-pc --boot-directory=/boot --recheck --debug /dev/sda
Note: Even if your system is x86_64 and you are running the 64 bit version of Arch Linux, you still need to use the i386 sections as indicated above for a grub on efi bios-emulated boot! I have been unable to find any documentation to the contrary and this has worked on two separate x86_64 based installs with no problems.
Warning: As noted in the partitioning section, if there is a file system in the space reserved for grub it will throw an error about "filesystem 'btrfs' doesn't support blocklists." If you see this, you likely need to go back and zero out your first partition and everything before it (don't touch the sectors of your second partition though!). If you are lucky (and the software is awesome) you will be able to recover your MBR, repair btrfs (btrfsck --repair) and continue on.
# mkdir -p /boot/grub/locale
# cp /usr/share/locale/en\@quot/LC_MESSAGES/ /boot/grub/locale/
# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="verbose add_efi_memmap elevator=bfq"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count

# Uncomment to use basic console

# Uncomment to disable graphical terminal

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'

# Uncomment to allow the kernel use the same resolution used by grub

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"

# Uncomment to disable generation of recovery mode menu entries

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.

# Uncomment one of them for the gfx desired, a image background or a gfxtheme

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

Tip: In the file below, you can create custom Grub entries, load modules, and essentially anything you might need to do. This allows you to effectively edit anything in grub without breaking the scripted generations that occur when you need to regenerate your grub.conf file.
# /etc/grub.d/40_custom
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
insmod btrfs

Now it is time to see if your commands worked.

# grub-mkconfig -o /boot/grub/grub.cfg
Tip: You will need to run this same command anytime you make changes to your grub script files (as we have done above). You may wish to save this command somewhere or know how to easily find it here or elsewhere.

Check your grub file with # cat /boot/grub/grub.cfg | less. If you look closely, you will be able to spot the additions we made above in /etc/default/grub and /etc/grub.d/40_custom. You will also see similar (not the same) entries as your file-system table (fstab) file.

See also

Unmount and reboot

First exit your arch-chroot session. Now, make sure your file system has synced everything from primary storage (DDR SDRAM) to secondary storage (your installation drive(s)).

# btrfs filesystem sync /mnt/btrfs-root
# umount /mnt/btrfs-system
Tip: If you have made more than one mount point (for tmpfs, ramfs, or anything else) you can unmount them simultaneously so long as you do root by itself and last.
# umount /mnt/btrfs-system/{tmp,var/spool,var/log,home}

Cross your fingers and toes, and reboot!


Bring up internet


# dhcpcd
# dhcpcd eth0
$ ping
Tip: The available network interface cards (NICs) can be found in /sys/class/net/. Within it you will likely see eth0 or wlan0, or both, or neither. In those directories you can find information pertaining to any given NIC by using cat or nano.

Persistent server

Check hostname.

# echo >> /etc/resolv.conf && echo >> /etc/resolv.conf

for OpenDNS DNS resolving over local ISP or VPS provided DNS.

Tip: I recommend setting up your own caching, local DNS server at some point that uses OpenDNS (or another alternative) as its forwarders.
# cp /etc/netctl/examples/ethernet-dhcp /etc/netctl/ethernet0

Edit ethernet0 and uncomment IP6=stateless or IP6=dhcp for IPv6 networking.

# netctl enable ethernet0

Reboot to test.

Persistent desktop

You can use the same as the server section or NetworkManager depending on your preference. For NetworkManager install networkmanager network-manager-applet dhclient. See additional NetworkManager packages with pacman -Ss networkmanager.

# systemctl enable NetworkManager
# systemctl start NetworkManager

User management

# useradd -m -g users -G wheel USER
# chfn USER


Install sudo and bash-completion.

# VISUAL="/usr/bin/nano" visudo
# sudoers file.
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
## See the sudoers man page for the details on how to write a sudoers file.
## User privilege specification
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

## Same thing without a password
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
  • Find Uncomment to allow members of group wheel to execute any command
    • Uncomment it in.

Check your work with su -l USER, then attempt to run something like pacman -Sy and pacman -Su with and without sudo to test and verify. I recommend rebooting, logging in as your new user, and testing that you can do everything you need to do with sudo before proceeding.

Tip: You can use sudo !! to repeat the previous command but with sudo in front of it.

Lockout root logins

Warning: This is not recommended, but I like to do it anyway for security.
# passwd -l root

Arch Users Repository

Install yaourt (AUR) using AUR or their unofficial repository. Install desired optional dependencies.

Install namcap for automated AUR and other package checking via Yaourt.

Yaourt provides all in one support for Official Repositories, AUR, and ABS.

See also


Congratulations, you have progressed beyond the official installation guides and onto much deeper waters. Your system should be up and running, the basic post-installation tasks should be completed and you are now ready to move on to more system specific system configurations.



Install: pulseaudio paprefs pavucontrol pulseaudio-alsa.

If using multi-lib: lib32-libpulse lib32-alsa-plugins.

Note: If you have problems with sound consistently playing back, and receive an error about invalid argument when attempting to playback in pianobar, you may need to edit your /etc/libao.conf file and remove the dev section and leave the driver as pulse. This may fail at first, but keep trying and check pavucontrol.
See also

Desktop environment

Note: You may wish to consider AUR options prior to installing the full group (with its dependencies).

Install: xfce4

Additional packages to consider: xfce4-weather-plugin xfce4-taskmanager xfce4-screenshooter xfce4-notifyd xfce4-artwork thunar-media-tags-plugin thunar-archive-plugin mousepad

Alternative file manager suggestion: SpaceFM

AUR Suggestions: xfce4-whiskermenu-plugin (AUR)

AUR Consideration: xfce4-session-light (AUR)

Multiple monitors

See, NVIDIA#Multiple_monitors and my sample here: Xorg#Sample_configurations (NVIDIA, nvidia-ck, et cetera).

Suggest not using twinview or Xinerama. May need to disable compositing though. I configured through NVIDIA and then checked my work by editing the file. Save to home then # cp to /etc/X11/xorg.conf.d/10-monitor.conf.


# /etc/pacman.conf
Server =$arch

#[infinality-bundle-multilib] # Uncomment for multilib usage.
#Server =$arch # Uncomment for multilib usage.
# pacman-key -r 962DDE58
# pacman-key --lsign-key 962DDE58

Refresh your repositories.

Install: infinality-bundle

Web browser

Install: firefox


Disable Firefox's blocking of web-forgeries and attack sites. This feature slows down Firefox's start-up and shut-down and takes up space for the database it maintains. This feature also relies on Google services.

  • delete urlclassifier*.sqlite files in your profile
    • ~/.mozilla/firefox/<PROFILE>/urlclassifier*.sqlite
  • While in your profile, in the terminal:
echo "" > urlclassifier*.sqlite
chmod 400 urlclassifier*.sqlite

Especially for SSDs it may prolong your drive's life to disable Firefox's disk cache.

  • about:config
    • Set browser.cache.disk.enable to false
    • Verify browser.cache.memory.enable is true
    • Set browser.cache.memory.max_entry_size to -1 for automatic memory usage
      • There is another similar memory flag that may also be set to -1 for automatic usage.

Optional: Profile Sync to Ram

  • Download from AUR
  • tar -xzf <make_package>
  • cd <package folder>
  • make -s
  • pacman -U <package>
  • systemctl enable psd psd-resync
  • (close firefox!) systemctl start psd psd-resync
See also


Install: xbmc

Suggested skin: Bello.


See: Pianobar


Install: aria2

Usenet tools

Install desired Usenet tools from AUR.

Tip: Make sure your /etc/make.conf file is configured to your preferences. You may be able to edit this file to increase the optimizations that are applied to any packages you build from source (such as AUR and ABS packages).

Install: sabnzbd (AUR)


tar -xvzf sabnzbd.tar.gz

To enable SABnzbd+ to create folders, your chosen Downloads directory will need to be chmod'd to 777 (chmod 777 -R <DIRECTORY>).

Note: Similar permissions will likely need to be set for Sick Beard's completed folder and such. An alternative method can be found below (struck out).

I recommend changing the services and configuration file and changing the user name to your username (for easy writing to home dir).

  • edit /usr/lib/systemd/system/<program>.service to <USER>:<program> instead of default
  • chown /opt/<program> to <USER>:<program> instead of root:<program> or <program>:<program>

An alternative may be to create a dedicated folder for SABnzbd to use in your home directory and chown that to its user/group.


Optional: ticker style syndicated news reader. Really neat. tickr (AUR)


Allows running Windows browser plugins in Wine to be used in native GNU/Linux browsers.


See also


For dependencies install: lib32-glibc lib32-libic lib32-libx11 lib32-libsm lib32-gcc-libs lib32-libxext lib32-libpng lib32-freetype2 lib32-libpng12 lib32-lcms lib32-libxrandr lib32-nvidia-libgl lib32-nvidia-utils libtxc_dxtn lib32-libtxc_dxtn lib32-flashplugin flashplugin

See also


Team Fortress 2
  • Try noatime on SSD for gaming.
    • Done
  • Possible bug in Intel drivers, try updating to developmental version via AUR both 32 and 64.
    • Dev. version in AUR. Try last. Repo version highest stable release. Mesa drivers used.
  • BFS set as scheduler?
    • Done
  • Defragment cache in steam.
    • Option not available. Possibly due to SSD detection.
  • Enabled pre-release dev. version of TF2.

Things to check:

  • Does steam peg CPU usage to 100%?
  • May be a bug that does not allow multi-threading and pegs core 0.


Secure Shell


Install openssh.

# nano /etc/ssh/sshd_config

Generate a random port number between 49152-65535 at's Integer service and replace the default SSH port with that number and uncomment it in.

Uncomment PermitRootLogin and change to no.

Under the same # Authentication section add AllowUsers USER1 USER2

# nano /lib/systemd/system/sshd.socket

Change this to the new port number as generated and set above.

# cp /lib/systemd/system/sshd.socket /etc/systemd/system/sshd.socket
# systemctl enable sshd.socket
# systemctl start sshd.socket

Test locally with the information below and then connecting from a remote system if feasible.

$ ssh -v localhost -p PORT -l USERNAME
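
The changes in this section as a local check, added here as an example and not part of the original notes: it draws a port from /dev/urandom and verifies that sshd_config and the socket unit agree. The function names, the port 51234 and the user names are assumptions of this example, and the file contents are constructed.

```shell
#!/usr/bin/env bash
# Added example; all file contents below are constructed, not from a real host.

# Uniform draw from 49152-65535. The range holds 16384 = 2^14 ports, which
# divides 65536 evenly, so reducing a 16-bit value adds no modulo bias.
random_port() {
    local r
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( 49152 + $r % 16384 ))
}

# First uncommented value of KEYWORD. sshd keywords are case-insensitive and
# may be separated from the value by whitespace or a single '='.
sshd_value() {   # usage: sshd_value FILE KEYWORD
    awk -F'[ \t=]+' -v k="$2" 'BEGIN { k = tolower(k) }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == k { sub(/^[^ \t=]+[ \t=]+/, ""); print; exit }' "$1"
}

# Port of the first ListenStream= in a socket unit (22, 0.0.0.0:22, [::]:22).
socket_port() {  # usage: socket_port UNIT_FILE
    awk -F= '/^[ \t]*ListenStream[ \t]*=/ {
        v = $2; gsub(/[ \t]/, "", v); sub(/.*:/, "", v); print v; exit }' "$1"
}

# usage: audit_ssh SSHD_CONFIG SSHD_SOCKET
# Prints one line per finding and returns the number of findings.
audit_ssh() {
    local port root users listen n=0
    port=$(sshd_value "$1" Port)
    root=$(sshd_value "$1" PermitRootLogin)
    users=$(sshd_value "$1" AllowUsers)
    listen=$(socket_port "$2")
    case $port in
        '')       echo "Port: not set, the default 22 applies"; port=22; n=$((n + 1)) ;;
        *[!0-9]*) echo "Port: '$port' is not a number"; n=$((n + 1)) ;;
        *) if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
               echo "Port: $port is outside 49152-65535"; n=$((n + 1))
           fi ;;
    esac
    if [ "$root" != no ]; then
        echo "PermitRootLogin: '${root:-unset}', expected no"; n=$((n + 1))
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers: not set, logins are not restricted to named users"; n=$((n + 1))
    fi
    if [ "$listen" != "$port" ]; then
        echo "sshd.socket: ListenStream=$listen but sshd_config Port=$port"; n=$((n + 1))
    fi
    return "$n"
}

demo_ssh() {
    local d rc
    d=$(mktemp -d)
    # Constructed "before" files: untouched config and socket unit
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' > "$d/before.conf"
    printf '%s\n' '[Socket]' 'ListenStream=22' 'Accept=yes' > "$d/before.socket"
    # Constructed "after" files with sample values
    printf '%s\n' 'Port 51234' 'PermitRootLogin no' 'AllowUsers alice bob' > "$d/after.conf"
    printf '%s\n' '[Socket]' 'ListenStream=51234' 'Accept=yes' > "$d/after.socket"

    echo "== before =="
    audit_ssh "$d/before.conf" "$d/before.socket" && rc=0 || rc=$?
    echo "findings: $rc"
    echo "== sshd_config edited, socket unit forgotten =="
    audit_ssh "$d/after.conf" "$d/before.socket" && rc=0 || rc=$?
    echo "findings: $rc"
    echo "== both edited =="
    audit_ssh "$d/after.conf" "$d/after.socket" && rc=0 || rc=$?
    echo "findings: $rc"
    rm -rf "$d"
}

echo "candidate port: $(random_port)"
demo_ssh
```

On a real system, point audit_ssh at /etc/ssh/sshd_config and /etc/systemd/system/sshd.socket before restarting the socket, so a mismatch is caught while the existing session is still open.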

Harden server

TTD: go back through this link and update this guide. Cross reference with the Hardening Guides.

General Guidelines
  • Keep installed packages to a minimum.
  • Update regularly.
Physical security

For a VPS, disable VNC once you have SSH setup. Configure it to boot from the hard drive by default. With a VPS you are essentially surrendering your ability to control the physical protection of your server. Make sure to choose a good provider!

Filesystem permissions
# chmod 700 /boot /root /etc/iptables
Prevent root login at console
Temporary lockout after failed login attempts
# nano /etc/pam.d/system-login
Limiting su to wheel group
# nano /etc/pam.d/su

Uncomment in the line following Uncomment the following line to require a user to be in the "wheel" group.

Harden TCP/IP stack
# /etc/sysctl.conf
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.

# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1

# Protection from the SYN flood attack. Matches Arch Wiki
net.ipv4.tcp_syncookies = 1

# See evil packets in your logs. Enabled as per Arch Wiki
net.ipv4.conf.all.log_martians = 1

# Never accept redirects or source routes (these are only useful for routers). Uncommented in as per Arch Wiki
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0

# Disable packet forwarding. Matches Arch Wiki
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Tweak the port range used for outgoing connections.
#net.ipv4.ip_local_port_range = 32768 61000

# Tweak those values to alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600

# Arch Wiki
net.ipv4.tcp_rfc1337 = 1
# Enable timestamps at gigabit speeds
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.send_redirects = 0
# CentOS Wiki says 0 here.
net.ipv4.conf.all.secure_redirects = 1

#CentOS Wiki
net.ipv4.tcp_max_syn_backlog = 1280
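
A check for a file like the one above, added here as an example and not part of the original notes: it compares every key = value line with what the kernel exposes under /proc/sys, so a misspelled key, a value that did not apply, or text after the value (sysctl.conf(5) only defines comments on lines beginning with # or ;) shows up as a finding. The function names, the optional ROOT argument and the sample tree are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example; the sysctl.conf lines and the /proc/sys stand-in are constructed.

# Collapse runs of spaces/tabs to one space and trim both ends.
norm() { printf '%s' "$1" | tr -s ' \t' '  ' | sed 's/^ //; s/ $//'; }

# usage: check_sysctl CONF [ROOT]   (ROOT defaults to /proc/sys)
# Prints one line per problem and returns the number of problems.
check_sysctl() {
    local conf root line key want have path n=0
    conf="$1"; root="${2:-/proc/sys}"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case $line in
            ''|'#'*|';'*) continue ;;          # blank line or whole-line comment
            *=*) ;;
            *) echo "SYNTAX   $line"; n=$((n + 1)); continue ;;
        esac
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            # Nothing by that name: misspelled key, or the module is not loaded
            echo "UNKNOWN  $key (no $path)"
        else
            have=$(norm "$(cat "$path")")
            case $want in
                "$have") continue ;;           # kernel already has this value
                *'#'*|*';'*) echo "COMMENT  $key: text after the value is not a comment" ;;
                *) echo "DIFFERS  $key: file wants '$want', kernel has '$have'" ;;
            esac
        fi
        n=$((n + 1))
    done < "$conf"
    return "$n"
}

demo_sysctl() {
    local d rc
    d=$(mktemp -d)
    # Constructed stand-in for /proc/sys so the demo runs without root
    mkdir -p "$d/sys/net/ipv4/conf/all"
    echo 1 > "$d/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$d/sys/net/ipv4/conf/all/log_martians"
    echo 1 > "$d/sys/net/ipv4/conf/all/accept_redirects"
    printf '32768\t60999\n' > "$d/sys/net/ipv4/ip_local_port_range"
    # Constructed configuration with one problem of each kind
    cat > "$d/sysctl.conf" <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syncookie = 1
net.ipv4.conf.all.log_martians = 1 #see evil packets
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_local_port_range = 32768 60999
EOF
    check_sysctl "$d/sysctl.conf" "$d/sys" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_sysctl || echo "$? problem(s) found"
```

Run check_sysctl /etc/sysctl.conf after a reboot to confirm that every line actually took effect on the running kernel.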

See also


First check the rules that iptables currently has. We want to start with a blank slate. The following commands and output should look the same or similar on yours.

# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 156 packets, 12541 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 82 packets, 8672 bytes)
num   pkts bytes target     prot opt in     out     source               destination
# iptables-save
# Generated by iptables-save v1.4.19.1 on Thu Aug  1 19:28:53 2013
:INPUT ACCEPT [50:3763]
:OUTPUT ACCEPT [30:3472]
# Completed on Thu Aug  1 19:28:53 2013
See also


Install: ufw.

# ufw default deny
description=Secure Shell Server
ports=XXXX/tcp #Generate a random integer from or elsewhere (/dev/(u)random)
# ufw allow SSH-Custom
Warning: Be super sure here if you are working on a remote system or have critical remote connections coming in!
# ufw enable
# systemctl enable ufw.service
Note: Existing connections will likely be lost here, but if properly configured they should be able to be re-established shortly thereafter.
# ufw status
# ufw limit SSH-Custom
Note: I enable limiting SSH later on just to make sure that it does not get in the way of attempting to connect to SSH after enabling ufw. This is probably silly, but to be safe.
Tip: Both the man page and the Arch Wiki article are very well written for this program. Be sure to make use of them both.
See also

Hiawatha webserver

  1. polarssl (AUR)
  2. hiawatha (AUR)
  3. php-fpm

See also

  • Developer's how-to: [4]

Team Fortress 2 Dedicated Server

Multilib Repository

Edit /etc/pacman.conf and uncomment in the multilib repository (include its heading!). See also Multilib.


Install lib32-gcc-libs


SteamCMD is a command line version of the Steam client. To download, this link should be persistent, if not see here.

Extract and copy the contents to the directory you want to store it in. For ease of use I just used a hidden folder in my home directory for now.

Execute: ./ or sh

Login: login anonymous

Download Team Fortress 2 Dedicated Server

In SteamCMD, after logging in install the Team Fortress 2 dedicated server:

S* force_install_dir /home/<USER>/.tf2
S* app_update 232250 validate

I ran into some errors first off here which were resolved by changing the permissions on my home directory (recursively) to 755 (chmod 755 -R /home/<USER>).

You may need to repeat the update command above until you get it completed.

Once you get a Success! App '232250' fully installed consider running the command again just to verify the installation once more.

Configure TF2
hostname "Your_Servers_Name"
rcon_password "Your_Rcon_Password"
sv_contact ""
mp_timelimit "30"

Run under screen? See here

Launch Server

From .tf2,

srcds_run -game tf +sv_pure 2 +maxplayers 24
Tip: Before moving on to modifications consider having a very solid server.cfg file and understanding SteamCMD's output when you launch your server!

SourceMod is our focus here. AMXmodx is another consideration, but sourcemod seems to be the more popular one and the better maintained one. SourceMod is technically a plugin for Metamod:Source. As such, this also needs to be installed.

Get the latest release's download URL from here (use the wget one).

Change into .tf2/tf and then download:

$ aria2c


$ tar -xvzf mmsource-X.XX.X-linux.tar.gz

You should now have addons/ folders.

Launch your server and see if meta list provides an output (or just meta).

For Sourcemod you essentially need to rinse and repeat. Get the download from here. Extract Sourcemod in the same folder as you did for Metamod. The archive will have the folder paths set relative to that same folder.

To begin configuring, ~/.tf2/tf/cfg/sourcemod/sourcemod.cfg is a good place to start. See links below for more information.

To extract .gz (no tar) use gunzip -c ARCHIVE > EXTRACTEDFILENAME

SourceMod plugins will often (if not always) have their own configuration file that should be used over the server.cfg.

Tip: Consider adding commented out (//) notes about all your plugins in your server.cfg so you have a quick and easy reference and reminder!
See also

See here. 27015 default TF2 port. May change this. More info


See [5] and [6].

See also

Murmur Server

See Wikipedia:Mumble_(software)

Handy commands

  • who
    • see who is currently logged in (handy for a VPS).
  • whereis
    • Find something on your system.
  • pacman -Rs
    • Removes unwanted packages along with their unused dependencies.

RamNode KVM VPS peculiar configurations

See also

  • Open a ticket to request CPU/Host pass-through: [23]
  • Performance Tweaks: [24]
  • Available Operating Systems: [25]