Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
Latest revision as of 17:35, 28 March 2019

Networking

Connect to the internet

If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.

If you have a wireless connection, start/enable iwd.service if you have not already. Then connect, replacing device with the name of your wireless interface and SSID with the network name:

# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID

Clock synchronization

Run timedatectl set-ntp true to keep your clock in sync.

DNS Resolver

Install the unbound package.

Set your DNS server to 127.0.0.1:

/etc/resolv.conf
nameserver 127.0.0.1

Add the following configuration file for unbound. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.

/etc/unbound/unbound.conf
server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  root-hints: root.hints
  # DNSSEC trust anchor, resolved relative to the directory above
  trust-anchor-file: trusted-key.key
  # CA bundle used to verify the DNS-over-TLS upstream's certificate
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# forward-zone is a top-level clause, not part of server:
forward-zone:
  name: "."
  forward-tls-upstream: yes
  # the name after # is checked against the upstream's TLS certificate
  forward-addr: 1.1.1.1@853#cloudflare-dns.com

Update the root hints file:

# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Tip: Put the above command in a systemd timer to regularly update the root hints file.
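As an added example (not from the page or the unbound project) of what such a timer could run: the script downloads to a temporary file, refuses to install anything that does not look like a root hints file (an HTML error page or an empty download would otherwise silently replace the live file), then reloads unbound; a second function writes a oneshot service and weekly timer pair. The script path /usr/local/bin/update-root-hints.sh and the unit names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: safe root-hints updater for the systemd timer suggested above.
# Paths follow this page; the script path in the unit and the unit names are assumptions.
HINTS_URL=https://www.internic.net/domain/named.cache
HINTS_FILE=/etc/unbound/root.hints
# A real root hints file names the ROOT-SERVERS.NET hosts and is not HTML;
# an error page or an empty download must not replace the live file.
root_hints_looks_valid() {
  [ -s "$1" ] && grep -qi 'ROOT-SERVERS\.NET' "$1" && ! grep -qi '<html' "$1"
}

update_root_hints() {
  # temp file next to the target so the final mv is an atomic rename
  tmp=$(mktemp "$HINTS_FILE.XXXXXX") || return 1
  if curl -fsS -o "$tmp" "$HINTS_URL" && root_hints_looks_valid "$tmp"; then
    chmod 0644 "$tmp" && mv -f "$tmp" "$HINTS_FILE" &&
      systemctl try-reload-or-restart unbound.service
  else
    echo "download failed or did not look like root hints; keeping $HINTS_FILE" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Write a oneshot service and a weekly timer into DIR (normally /etc/systemd/system),
# then: systemctl enable --now update-root-hints.timer
write_root_hints_units() {
  cat > "$1/update-root-hints.service" <<'EOF'
[Unit]
Description=Update unbound root hints

[Service]
Type=oneshot
ExecStart=/usr/local/bin/update-root-hints.sh run
EOF
  cat > "$1/update-root-hints.timer" <<'EOF'
[Unit]
Description=Update unbound root hints weekly

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
EOF
}
# Only the "run" argument performs the update, so the functions can also be sourced.
if [ "${1:-}" = run ]; then update_root_hints; fi
```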

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)

$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
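As an added example (not from the original page), the two checks above as a script that reports success only when sigok validates as secure and sigfail is rejected as BOGUS; a resolver with validation silently off answers "insecure" for both, which this check treats as a failure. It assumes unbound-host and the configuration path used on this page.

```shell
#!/usr/bin/env bash
# Added example: scripted version of the two manual checks above. Validation is
# only considered working when sigok is "secure" AND sigfail is "BOGUS"; a resolver
# with validation silently off answers "insecure" for both and must fail here.
CONF=/etc/unbound/unbound.conf   # same config file as on this page

# Classify the first line of "unbound-host -v" output.
dnssec_verdict() {
  case "$1" in
    *"(secure)"*)   echo secure ;;
    *"(BOGUS"*)     echo bogus ;;
    *"(insecure)"*) echo insecure ;;
    *)              echo unknown ;;
  esac
}

# $1: first line for sigok, $2: first line for sigfail. Returns 0 only if both match.
dnssec_validation_ok() {
  [ "$(dnssec_verdict "$1")" = secure ] && [ "$(dnssec_verdict "$2")" = bogus ]
}

# Query both test names through the page's unbound configuration and report.
check_dnssec() {
  ok=$(unbound-host -C "$CONF" -v sigok.verteiltesysteme.net 2>/dev/null | head -n 1)
  bad=$(unbound-host -C "$CONF" -v sigfail.verteiltesysteme.net 2>/dev/null | head -n 1)
  if dnssec_validation_ok "$ok" "$bad"; then
    echo "DNSSEC validation working"
  else
    echo "DNSSEC validation NOT working:" >&2
    echo "  sigok   -> ${ok:-no answer}" >&2
    echo "  sigfail -> ${bad:-no answer}" >&2
    return 1
  fi
}

# Only the "run" argument performs the live queries, so the functions can be sourced.
if [ "${1:-}" = run ]; then check_dnssec; fi
```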

Firewall

Here is a simple stateful firewall using nftables. First install nftables. Then create the following configuration file. Modify for your needs.

/etc/nftables.conf
table inet filter {

  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    ip protocol icmp accept
    # ICMPv6 is not optional on an IPv6 host: neighbour discovery and path MTU
    # discovery stop working if it is dropped, so accept it as well.
    meta l4proto ipv6-icmp accept
    # icmpx is the family-neutral reject for an inet table (ICMP or ICMPv6 as needed)
    reject with icmpx type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }

}

Warning: The package-provided configuration file opens port 22.

Then start/enable nftables.service.

Pacman

Create local repository for AUR

Install the aurutils (AUR) package. Then create a local repository called aur:

/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

Add the following line to pacman.conf:

/etc/pacman.conf
Include = /etc/pacman.d/aur

Then create the cache directory, owned by the user who builds the packages (user below), and initialise the repository database:

# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur

Now use aurutils or aurbuild to create packages that are put in the local database.

Pacman hooks

Get notified when a package becomes an orphan.

/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"

Clean up pacman cache on transactions.

/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv

Get notified when a package is no longer in a repository.

/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"