Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
(Connect to the internet: expand, typos)
(Connect to the internet: update to use systemd to connect)
Line 3: Line 3:
 
=== Connect to the internet ===
 
=== Connect to the internet ===
  
If you have a '''wired''' connection, [[start/enable]] the {{ic|dhcpcd@''interface''.service}} unit.
+
If you have not already, [[start/enable]] {{ic|systemd-networkd.service}}. You should have already set up a configuration file in [[User:Rdeckard/Installation guide]].
  
If you have a '''wireless''' connection, [[start/enable]] the {{ic|iwd.service}} and {{ic|dhcpcd@''interface''}}. Then connect by doing:
+
If you have a '''wireless''' connection, [[start/enable]] the {{ic|iwd.service}} if you have not already. Then connect by doing:
  
 
  # iwctl
 
  # iwctl
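Review bot: The rewritten wireless sentence drops {{ic|dhcpcd@''interface''}} without saying what now assigns an address on the wireless interface. The added line above it relies on a systemd-networkd configuration file from the Installation guide, so say here that this configuration must also match the wireless interface, or link to the section that sets it up.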
Line 14: Line 14:
 
Run {{ic|timedatectl set-ntp true}} to keep your clock in sync.
 
Run {{ic|timedatectl set-ntp true}} to keep your clock in sync.
  
{{Tip|
+
{{Tip|To prevent a known race condition that prevents iwd from starting on reboot, create a systemd unit as follows:
* To prevent ''dhcpcd'' from holding boot until it gets an IP address, edit the unit with a [[Systemd#Drop-in files|drop-in file]] so that it forks right away:
 
{{hc|1=/etc/systemd/system/dhcpcd@.service.d/override.conf|2=
 
[Service]
 
ExecStart=
 
ExecStart=/usr/bin/dhcpcd -b -q %I}}
 
 
 
* To prevent a known race condition that prevents iwd from starting on reboot, create a systemd unit as follows:
 
 
{{hc|1=/etc/system/system/iwd@.service|2=
 
{{hc|1=/etc/system/system/iwd@.service|2=
 
[Unit]
 
[Unit]
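Review bot: The context line {{hc|1=/etc/system/system/iwd@.service|2= that this hunk leaves in the Tip names /etc/system/system/, which is not a directory systemd loads units from. Since the Tip is being rewritten anyway, correct the path to /etc/systemd/system/iwd@.service in the same edit.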

Revision as of 15:44, 28 March 2019

Networking

Connect to the internet

If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.

If you have a wireless connection, start/enable the iwd.service if you have not already. Then connect by doing:

# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID

Run timedatectl set-ntp true to keep your clock in sync.

Tip: To prevent a known race condition that prevents iwd from starting on reboot, create a systemd unit as follows:
/etc/systemd/system/iwd@.service
[Unit]
Description=Wireless service on %I
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=dbus
BusName=net.connman.iwd
ExecStart=/usr/lib/iwd/iwd --interface %i
LimitNPROC=1
Restart=on-failure

Then start/enable the unit and disable iwd.service.

DNS Resolver

Install the unbound package.

Set your DNS server to 127.0.0.1:

/etc/resolv.conf
nameserver 127.0.0.1

Ensure that dhcpcd won't overwrite it:

/etc/dhcpcd.conf
nohook resolv.conf

Add the following configuration file for unbound. It includes DNSSEC, root hints, and ad blocking. Add the IP addresses of DNS servers where indicated.

/etc/unbound/unbound.conf
server:

  username: unbound
  pidfile: "/etc/unbound/unbound.pid"
  directory: "/etc/unbound"

  trust-anchor-file: "/etc/unbound/root.key"
  root-hints: "/etc/unbound/root.hints"
  include: /etc/unbound/ads.conf

  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: dns_ip_addr1
  forward-addr: dns_ip_addr2

Update the trust anchor file:

# unbound-anchor -a /etc/unbound/root.key

Update the root hints file:

# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Update the ad blocking file:

# curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '/^0\.0\.0\.0/ {print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /etc/unbound/ads.conf

Tip: Put the above two commands in systemd timers to regularly update the files.
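
A stricter version of the ad blocking update, as an added example that is not part of the original page: it validates each host name before writing it into ads.conf and keeps the previous file when the download is empty or truncated. The function names, the minimum-entry threshold and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a hosts-format blocklist before it becomes unbound config.

# Read hosts-format text on stdin and print local-zone/local-data pairs only
# for entries that look like hostnames, so a malformed or tampered list
# cannot put stray quotes or directives into ads.conf.
hosts_to_unbound() {
    LC_ALL=C awk '
        $1 != "0.0.0.0" { next }
        {
            name = tolower($2)
            sub(/\r$/, "", name)                      # tolerate CRLF line ends
            if (name !~ /^[a-z0-9]([a-z0-9_.-]*[a-z0-9])?$/) next
            if (name !~ /\./ || name ~ /\.\./ || length(name) > 253) next
            if (name ~ /^[0-9.]+$/) next              # bare IP such as 0.0.0.0
            if (seen[name]++) next                    # emit each name once
            printf "local-zone: \"%s\" redirect\n", name
            printf "local-data: \"%s A 0.0.0.0\"\n", name
        }'
}

# Convert SRC and replace DEST only if at least MIN zones survive validation;
# an empty or truncated download leaves the previous DEST in place.
install_blocklist() {
    src=$1 dest=$2 min=${3:-1}
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    hosts_to_unbound < "$src" > "$tmp"
    count=$(grep -c '^local-zone:' "$tmp" || true)
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dest"    # rename within one directory
}

# Constructed sample input (not real list content): valid names, a duplicate,
# the 0.0.0.0 self-entry, and a name containing a double quote.
sample_hosts() {
    printf '%s\n' '# constructed sample' '127.0.0.1 localhost' \
        '0.0.0.0 0.0.0.0' '0.0.0.0 ads.example.com' \
        '0.0.0.0 Tracker.Example.NET # comment' \
        '0.0.0.0 ads.example.com' '0.0.0.0 bad"name.example'
}

workdir=$(mktemp -d) || exit 1
sample_hosts > "$workdir/hosts"
install_blocklist "$workdir/hosts" "$workdir/ads.conf" 2 && cat "$workdir/ads.conf"
rm -rf "$workdir"
```

On a real system, download the list with curl to a temporary file, call install_blocklist with /etc/unbound/ads.conf as the destination, and run unbound-checkconf before restarting unbound.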

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)

$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))

Pacman

Create local repository for AUR

Install the aurutils (AUR) package. Then create a local repository called aur:

/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

Add the following line:

/etc/pacman.conf
Include = /etc/pacman.d/aur

# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur

Now use aurutils or aurbuild to create packages that are put in the local database.

Pacman hooks

Get notified when a package becomes an orphan.

/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"

Clean up pacman cache on transactions.

/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv

Get notified when a package is no longer in a repository.

/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"