Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
(Pacman hooks: fix error)
(DNS Resolver: link to article)
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Setup networking ==
+
== Networking ==
  
If you have a '''wired''' connection, [[start/enable]] the {{ic|dhcpcd@''interface''.service}} unit.
+
=== Connect to the internet ===
  
If you have a '''wireless''' connection, create the following file:
+
If you have not already, [[start/enable]] {{ic|systemd-networkd.service}}. You should have already set up a configuration file in [[User:Rdeckard/Installation guide]].
  
{{hc|1=/etc/wpa_supplicant/wpa_supplicant.conf|2=
+
If you have a '''wireless''' connection, [[start/enable]] the {{ic|iwd.service}} if you have not already. Then connect by doing:
ctrl_interface=/run/wpa_supplicant
 
update_config=1}}
 
  
Now add the dhcpcd hook for wpa_supplicant:
+
# iwctl
 +
[iwd]# station ''device'' scan
 +
[iwd]# station ''device'' get-networks
 +
[iwd]# station device connect ''SSID''
  
# ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks/
+
=== Clock synchronization ===
  
Now [[start/enable]] the {{ic|dhcpcd@''interface''.service}}.
+
Run {{ic|timedatectl set-ntp true}} to keep your clock in sync.
  
Then connect to a wifi network with:
+
=== DNS Resolver ===
 
 
# wpa_passphrase ''MYSSID'' ''passphrase'' >> /etc/wpa_supplicant/wpa_supplicant.conf
 
 
 
You may need to [[restart]] {{ic|dhcpcd@''interface''.service}}.
 
 
 
Alternatively, use ''wpa_cli'' to scan and connect to a network.
 
 
 
[[Enable]] the {{ic|ntpd.service}} to keep your clock in sync.
 
 
 
{{Tip|To prevent ''dhcpcd'' from holding boot until it gets an IP address, edit the unit with a [[Systemd#Drop-in files|drop-in file]] so that it forks right away:
 
{{hc|/etc/systemd/system/dhcpcd@.service.d/override.conf|
 
<nowiki>[Service]
 
ExecStart=
 
ExecStart=/usr/bin/dhcpcd -b -q %I</nowiki>
 
}}}}
 
 
 
== DNS Resolver ==
 
  
 
[[Install]] the {{pkg|unbound}} package.
 
[[Install]] the {{pkg|unbound}} package.
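Review bot: the third iwctl line, `[iwd]# station device connect ''SSID''`, leaves `device` as plain text while the two lines above write it as the placeholder `''device''`; mark it the same way so readers do not type `device` literally. The removed dhcpcd tip (forking with `-b` so boot is not held until an address arrives) has no counterpart for `systemd-networkd.service`; if boot ordering is no longer a concern with networkd, the removal is fine, otherwise say how the new setup avoids the same wait.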
Line 40: Line 24:
 
{{hc|/etc/resolv.conf|127.0.0.1}}
 
{{hc|/etc/resolv.conf|127.0.0.1}}
  
Ensure that ''dhcpcd'' won't overwrite it:
+
Add the following configuration file for [[unbound]]. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.
 
 
{{hc|/etc/dhcpcd.conf|nohook resolv.conf}}
 
 
 
Add the following configuration file for ''unbound''. It includes DNSSEC, root hints, and ad blocking. Add the IP addresses of DNS servers where indicated.
 
  
 
{{hc|/etc/unbound/unbound.conf|
 
{{hc|/etc/unbound/unbound.conf|
 
server:
 
server:
 
+
  use-syslog: yes
   username: unbound
+
   do-daemonize: no
   pidfile: "/etc/unbound/unbound.pid"
+
   username: "unbound"
 
   directory: "/etc/unbound"
 
   directory: "/etc/unbound"
 
+
  root-hints: root.hints
   trust-anchor-file: "/etc/unbound/root.key"
+
   trust-anchor-file: trusted-key.key
   root-hints: "/etc/unbound/root.hints"
+
   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  include: /etc/unbound/ads.conf
 
 
 
  do-not-query-localhost: no
 
 
   forward-zone:
 
   forward-zone:
 
     name: "."
 
     name: "."
     forward-addr: ''dns_ip_addr1''
+
     forward-tls-upstream: yes
     forward-addr: ''dns_ip_addr2''}}
+
     forward-addr: 1.1.1.1@853#cloudflare-dns.com
 
+
}}
Update the trust anchor file:
 
 
 
# unbound-anchor -a /etc/unbound/root.key
 
  
 
Update the root hints file:
 
Update the root hints file:
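Review bot: the new config sets `trust-anchor-file: trusted-key.key`, but the step that previously created and refreshed the anchor (`# unbound-anchor -a /etc/unbound/root.key`) is removed and nothing in the new text says which package or command provides `trusted-key.key`; add that, since without a valid anchor unbound can never return `secure` in the DNSSEC test that follows. Relative names such as `trusted-key.key` and `root.hints` resolve under `directory: "/etc/unbound"`, so the file must exist there. The old revision also kept dhcpcd from overwriting `/etc/resolv.conf` (`nohook resolv.conf`); the new revision drops that line without stating whether anything in the systemd-networkd setup now manages `/etc/resolv.conf`, so a sentence confirming that `127.0.0.1` stays in place would help.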
Line 71: Line 45:
 
  # curl -o /etc/unbound/root.hints <nowiki>https://www.internic.net/domain/named.cache</nowiki>
 
  # curl -o /etc/unbound/root.hints <nowiki>https://www.internic.net/domain/named.cache</nowiki>
  
Update the ad blocking file:
+
{{Tip|Put the above above command in a systemd timer to regularly update the root hints file.}}
 
 
# curl <nowiki>https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</nowiki> | awk '/^0\.0\.0\.0/ {print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /etc/unbound/ads.conf
 
 
 
{{Tip|Put the above two commands in systemd timers to regularly update the files.}}
 
  
 
[[Start/enable]] the {{ic|unbound.service}}.
 
[[Start/enable]] the {{ic|unbound.service}}.
  
=== Test DNSSEC ===
+
==== Test DNSSEC ====
  
 
  $ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
 
  $ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
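Review bot: duplicated word in the new tip, `Put the above above command` should read `Put the above command`. Dropping the ad-blocking pipeline together with the `include: /etc/unbound/ads.conf` line in the earlier hunk is consistent; the remaining `curl` root-hints fetch is the only periodic job left, so the tip's singular wording is correct.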
Line 91: Line 61:
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
  
== AUR ==
+
=== Firewall ===
 +
 
 +
Here is a [[simple stateful firewall]] using [[nftables]]. First [[install]] {{pkg|nftables}}. Then create the following configuration file. Modify for your needs.
 +
 
 +
{{hc|/etc/nftables.conf|
 +
table inet filter {
 +
 
 +
  chain input {
 +
    type filter hook input priority 0; policy drop;
 +
    ct state {established, related} accept
 +
    ct state invalid drop
 +
    iifname lo accept
 +
    ip protocol icmp accept
 +
    reject with icmp type port-unreachable
 +
  }
 +
 
 +
  chain forward {
 +
    type filter hook forward priority 0; policy drop;
 +
  }
 +
 
 +
  chain output {
 +
    type filter hook output priority 0; policy accept;
 +
  }
 +
 
 +
}
 +
}}
 +
 
 +
{{Warning|The package-provided configuration file opens port 22.}}
 +
 
 +
Then [[start/enable]] {{ic|nftables.service}}.
 +
 
 +
== Pacman ==
 +
 
 +
=== Create local repository for AUR ===
  
 
[[Install]] the {{aur|aurutils}} package. Then create a local repository called {{ic|aur}}:
 
[[Install]] the {{aur|aurutils}} package. Then create a local repository called {{ic|aur}}:
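Review bot: in the `inet` family, `ip protocol icmp accept` matches only IPv4 ICMP, so with `policy drop` on the input chain ICMPv6 (neighbour discovery, router advertisements, path MTU errors) is dropped and IPv6 stops working; add `meta l4proto ipv6-icmp accept` beside it. Likewise `reject with icmp type port-unreachable` only answers IPv4 packets, while IPv6 packets silently fall through to the drop policy; `reject with icmpx type port-unreachable` covers both families. The warning about the package-provided file opening port 22 would be clearer if it stated that this configuration replaces `/etc/nftables.conf` entirely rather than being appended to it.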
Line 117: Line 120:
 
Now use ''aurutils'' or ''aurbuild'' to create packages that are put in the local database.
 
Now use ''aurutils'' or ''aurbuild'' to create packages that are put in the local database.
  
== Pacman hooks ==
+
=== Pacman hooks ===
  
 
Get notified when a package become an orphan.
 
Get notified when a package become an orphan.
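Review bot: `Get notified when a package become an orphan.` should read `becomes`. The rename from a level-2 `Pacman hooks` heading to a level-3 one under `Pacman` matches the new `Create local repository for AUR` subsection, so the structure is consistent.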

Latest revision as of 17:35, 28 March 2019

Networking

Connect to the internet

If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.

If you have a wireless connection, start/enable the iwd.service if you have not already. Then connect by doing:

# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID

Clock synchronization

Run timedatectl set-ntp true to keep your clock in sync.

DNS Resolver

Install the unbound package.

Set your DNS server to 127.0.0.1:

/etc/resolv.conf
127.0.0.1

Add the following configuration file for unbound. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.

/etc/unbound/unbound.conf
server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  root-hints: root.hints
  trust-anchor-file: trusted-key.key
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
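The following script is added here as an example; it is not part of the wiki page or of unbound. It audits a constructed copy of the configuration above for the properties this section relies on: a DNSSEC trust anchor, a CA bundle for TLS, and a port 853 plus `#authname` on every forwarder so that unbound verifies the upstream certificate against that name. The parser is a deliberately minimal one for this flat `key: value` layout and is not unbound's own.

```python
import re

# Constructed copy of the page's /etc/unbound/unbound.conf (the keys the checks read).
PAGE_CONF = """\
server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  root-hints: root.hints
  trust-anchor-file: trusted-key.key
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

def parse_unbound(text):
    """Flatten 'key: value' lines into {key: [values]}; clause headers are skipped.
    A '#' starts a comment only at line start or after whitespace, so the
    '#authname' suffix of forward-addr survives (simplified, not unbound's lexer)."""
    opts = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or line.endswith(":"):
            continue
        key, _, val = line.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def audit(text):
    """Return findings; an empty list means trust anchor and authenticated
    DNS over TLS are configured the way the section describes."""
    o = parse_unbound(text)
    findings = []
    if not (o.get("trust-anchor-file") or o.get("auto-trust-anchor-file")):
        findings.append("no trust anchor: answers can never validate as secure")
    tls = o.get("forward-tls-upstream", ["no"])[0] == "yes"
    if tls and not (o.get("tls-cert-bundle") or o.get("tls-system-cert") == ["yes"]):
        findings.append("forward-tls-upstream without tls-cert-bundle: upstream cert cannot be verified")
    for addr in o.get("forward-addr", []):
        _host, _, rest = addr.partition("@")
        port, _, authname = rest.partition("#")
        if tls and port != "853":
            findings.append(f"{addr}: TLS upstream should use @853")
        if tls and not authname:
            findings.append(f"{addr}: no #authname, so the certificate is not checked against a name")
        if not tls and port == "853":
            findings.append(f"{addr}: port 853 given but forward-tls-upstream is not yes")
    return findings
```

Removing `tls-cert-bundle` or shortening the forwarder to a bare `1.1.1.1` is enough to make `audit` report the weakened setting.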

Update the root hints file:

# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Tip: Put the above command in a systemd timer to regularly update the root hints file.

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))

Firewall

Here is a simple stateful firewall using nftables. First install nftables. Then create the following configuration file. Modify for your needs.

/etc/nftables.conf
table inet filter {

  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    ip protocol icmp accept
    reject with icmp type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }

}

Warning: The package-provided configuration file opens port 22.

Then start/enable nftables.service.

Pacman

Create local repository for AUR

Install the aurutils package from the AUR. Then create a local repository called aur:

/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

Additional line:

/etc/pacman.conf
Include = /etc/pacman.d/aur

# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur

Now use aurutils or aurbuild to create packages that are put in the local database.

Pacman hooks

Get notified when a package becomes an orphan.

/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"

Clean up pacman cache on transactions.

/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv

Get notified when a package is no longer in a repository.

/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"