Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
(move content from installation page)
(add some pacman hooks)
Line 88: Line 88:
 
The first output line should be something like the following. Note the word "BOGUS".
 
The first output line should be something like the following. Note the word "BOGUS".
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
 +
 +
== Pacman hooks ==
 +
 +
Get notified when a package become an orphan.
 +
 +
{{hc|/etc/pacman.d/hooks/orphans.hook|<nowiki>
 +
[Trigger]
 +
Operation = Upgrade
 +
Operation = Install
 +
Operation = Remove
 +
Type = Package
 +
Target = *
 +
 +
[Action]
 +
Description = Checking for orphans...
 +
When = PostTransaction
 +
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"</nowiki>}}
 +
 +
Clean up pacman cache on transactions.
 +
 +
{{hc|/etc/pacman.d/hooks/paccache.hook|<nowiki>
 +
[Trigger]
 +
Operation = Upgrade
 +
Operation = Install
 +
Operation = Remove
 +
Type = Package
 +
Target = *
 +
 +
[Action]
 +
Description = Cleaning pacman cache...
 +
When = PostTransaction
 +
Exec = /usr/bin/paccache -rv</nowiki>}}
 +
 +
Get notified when a package is no longer in a repository.
 +
 +
{{hc|/etc/pacman.d/hooks/repocheck.hook|<nowiki>
 +
[Trigger]
 +
Operation = Upgrade
 +
Operation = Install
 +
Operation = Remove
 +
Type = Package
 +
Target = *
 +
 +
[Action]
 +
Description = Checking for dropped packages...
 +
When = PostTransaction
 +
Exec = /usr/bin/bash -c "comm -23 <(pacman -Qtq | sort) <(pacman -Slq core extra community multilib | sort)"</nowiki>}}
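Review bot: In repocheck.hook the Exec line builds the installed-package list with pacman -Qtq, and -t restricts it to packages that nothing else requires, so a package that has been dropped from the repositories but is still a dependency of something installed is never reported; pacman -Qq would match the stated purpose ("a package is no longer in a repository"). The same line calls comm, sort and pacman by bare name while orphans.hook and paccache.hook use absolute /usr/bin paths; these hooks run as root on every transaction, so the absolute paths should be used here as well. The repository list (core extra community multilib) is hard-coded and will be wrong on a system with a different set of enabled repositories; pacman -Slq with no repository argument lists all configured ones. Minor: "when a package become an orphan" should read "becomes".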

Revision as of 13:32, 16 February 2018

Setup networking

If you have a wired connection, start/enable the dhcpcd@interface.service unit.

If you have a wireless connection, create the following file:

/etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/run/wpa_supplicant
update_config=1

Then connect to a wifi network with:

# wpa_supplicant -B -i interface -c /etc/wpa_supplicant/wpa_supplicant.conf
# wpa_cli
> scan
> scan_results
> add_network
> set_network 0 ssid "SSID"
> set_network 0 psk "passphrase"
> enable_network 0
> save_config
> quit

Now start/enable the dhcpcd.service.

Now add the dhcpcd hook for wpa_supplicant:

# ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks/

Enable the ntpd.service to keep your clock in sync.

DNS Resolver

Install the unbound package.

Set your DNS server to 127.0.0.1:

/etc/resolv.conf
nameserver 127.0.0.1

Ensure that dhcpcd won't overwrite it:

/etc/dhcpcd.conf
nohook resolv.conf

Add the following configuration file for unbound. It includes DNSSEC, root hints, and ad blocking. Add the IP addresses of DNS servers where indicated.

/etc/unbound/unbound.conf
server:
  username: unbound
  pidfile: "/etc/unbound/unbound.pid"
  directory: "/etc/unbound"

  # DNSSEC trust anchor and root hints
  trust-anchor-file: "/etc/unbound/root.key"
  root-hints: "/etc/unbound/root.hints"
  # ad-blocking local-zone entries
  include: /etc/unbound/ads.conf

  do-not-query-localhost: no

# forward all queries to the upstream servers listed here
forward-zone:
  name: "."
  forward-addr: dns_ip_addr1
  forward-addr: dns_ip_addr2

Update the trust anchor file:

# unbound-anchor -a /etc/unbound/root.key

Update the root hints file:

# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Update the ad blocking file:

# curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '/^0\.0\.0\.0/ {print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /etc/unbound/ads.conf
Tip: Put the above two commands in systemd timers to regularly update the files.
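
The ad-blocking update command above writes whatever names the downloaded hosts file contains straight into unbound configuration, and it truncates ads.conf if the download fails. The script below is an added example, not part of the original page: it filters the names and only replaces ads.conf after a successful download. The function names, the .bak copy and the sample input are assumptions made for illustration.

```bash
# Added example, not from the wiki page. hosts_to_unbound and update_ads are
# hypothetical names; the .bak copy and the sample input are assumptions.

# Convert "0.0.0.0 name" lines on stdin into local-zone/local-data pairs.
# Only names that look like hostnames are kept, so a quote or a bare IP
# address in the upstream file cannot end up inside ads.conf.
hosts_to_unbound() {
  awk '
    $1 == "0.0.0.0" && NF >= 2 {
      name = tolower($2)
      if (name !~ /^[a-z0-9_]([a-z0-9_.-]*[a-z0-9_])?$/) next  # strict charset
      if (name ~ /\.\./ || name !~ /[a-z_]/) next               # empty label, IP
      if (length(name) > 253 || seen[name]++) next              # too long, repeat
      printf "local-zone: \"%s\" redirect\nlocal-data: \"%s A 0.0.0.0\"\n", name, name
    }'
}

# Needs root and network: download to a temp file, convert, refuse an empty
# result, replace ads.conf, restore the old copy if unbound-checkconf fails.
update_ads() (
  url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  dest=/etc/unbound/ads.conf
  raw=$(mktemp) || exit 1
  trap 'rm -f "$raw" "$new"' EXIT
  new=$(mktemp "$dest.XXXXXX") || exit 1
  curl --fail --silent --show-error -o "$raw" "$url" || exit 1
  hosts_to_unbound < "$raw" > "$new"
  [ -s "$new" ] || exit 1
  chmod 644 "$new"
  [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
  mv "$new" "$dest"
  unbound-checkconf /etc/unbound/unbound.conf >/dev/null && exit 0
  [ -f "$dest.bak" ] && mv "$dest.bak" "$dest"
  exit 1
)

# Constructed sample input: only ads.example.com should survive the filter.
SAMPLE='# constructed test data
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.com # tracker
0.0.0.0 ads.example.com
0.0.0.0 bad"name.example
0.0.0.0 a..b.example'

case "${1:-demo}" in
  update) update_ads ;;
  *) printf '%s\n' "$SAMPLE" | hosts_to_unbound ;;
esac
```

Invoked with the argument update it performs the real refresh; with no argument it only prints the filtered sample.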

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)

$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))

Pacman hooks

Get notified when a package becomes an orphan.

/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"

Clean up pacman cache on transactions.

/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv

Get notified when a package is no longer in a repository.

/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "comm -23 <(pacman -Qtq | sort) <(pacman -Slq core extra community multilib | sort)"