Difference between revisions of "User:Rdeckard/Post-installation"

From ArchWiki
(update sections)
(→‎DNS Resolver: link to article)
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Setup networking ==
+
== Networking ==
  
If you have a '''wired''' connection, [[start/enable]] the {{ic|dhcpcd@''interface''.service}} unit.
+
=== Connect to the internet ===
  
If you have a '''wireless''' connection, create the following file:
+
If you have not already, [[start/enable]] {{ic|systemd-networkd.service}}. You should have already set up a configuration file in [[User:Rdeckard/Installation guide]].
  
{{hc|1=/etc/wpa_supplicant/wpa_supplicant.conf|2=
+
If you have a '''wireless''' connection, [[start/enable]] the {{ic|iwd.service}} if you have not already. Then connect by doing:
ctrl_interface=/run/wpa_supplicant
 
update_config=1}}
 
  
Now add the dhcpcd hook for wpa_supplicant:
+
# iwctl
 +
[iwd]# station ''device'' scan
 +
[iwd]# station ''device'' get-networks
 +
[iwd]# station device connect ''SSID''
  
# ln -s /usr/share/dhcpcd/hooks/10-wpa_supplicant /usr/lib/dhcpcd/dhcpcd-hooks/
+
=== Clock synchronization ===
  
Now [[start/enable]] the {{ic|dhcpcd@''interface''.service}}.
+
Run {{ic|timedatectl set-ntp true}} to keep your clock in sync.
  
Then connect to a wifi network with:
+
=== DNS Resolver ===
 
 
# wpa_passphrase ''MYSSID'' ''passphrase'' >> /etc/wpa_supplicant/wpa_supplicant.conf
 
 
 
You may need to [[restart]] {{ic|dhcpcd@''interface''.service}}.
 
 
 
Alternatively, use ''wpa_cli'' to scan and connect to a network.
 
 
 
[[Enable]] the {{ic|ntpd.service}} to keep your clock in sync.
 
 
 
{{Tip|To prevent ''dhcpcd'' from holding boot until it gets an IP address, edit the unit with a [[Systemd#Drop-in files|drop-in file]] so that it forks right away:
 
{{hc|/etc/systemd/system/dhcpcd@.service.d/override.conf|
 
<nowiki>[Service]
 
ExecStart=
 
ExecStart=/usr/bin/dhcpcd -b -q %I</nowiki>
 
}}}}
 
 
 
== DNS Resolver ==
 
  
 
[[Install]] the {{pkg|unbound}} package.
 
[[Install]] the {{pkg|unbound}} package.
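Review bot: the device placeholder in the new iwctl block is marked inconsistently: ''device'' is italicised in the `station ''device'' scan` and `station ''device'' get-networks` lines but not in `[iwd]# station device connect ''SSID''`, so a reader may take it literally there; italicise it in the connect line as well.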
Line 40: Line 24:
 
{{hc|/etc/resolv.conf|127.0.0.1}}
 
{{hc|/etc/resolv.conf|127.0.0.1}}
  
Ensure that ''dhcpcd'' won't overwrite it:
+
Add the following configuration file for [[unbound]]. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.
 
 
{{hc|/etc/dhcpcd.conf|nohook resolv.conf}}
 
 
 
Add the following configuration file for ''unbound''. It includes DNSSEC, root hints, and ad blocking. Add the IP addresses of DNS servers where indicated.
 
  
 
{{hc|/etc/unbound/unbound.conf|
 
{{hc|/etc/unbound/unbound.conf|
 
server:
 
server:
 
+
  use-syslog: yes
   username: unbound
+
   do-daemonize: no
   pidfile: "/etc/unbound/unbound.pid"
+
   username: "unbound"
 
   directory: "/etc/unbound"
 
   directory: "/etc/unbound"
 
+
  root-hints: root.hints
   trust-anchor-file: "/etc/unbound/root.key"
+
   trust-anchor-file: trusted-key.key
   root-hints: "/etc/unbound/root.hints"
+
   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  include: /etc/unbound/ads.conf
 
 
 
  do-not-query-localhost: no
 
 
   forward-zone:
 
   forward-zone:
 
     name: "."
 
     name: "."
     forward-addr: ''dns_ip_addr1''
+
     forward-tls-upstream: yes
     forward-addr: ''dns_ip_addr2''}}
+
     forward-addr: 1.1.1.1@853#cloudflare-dns.com
 
+
}}
Update the trust anchor file:
 
 
 
# unbound-anchor -a /etc/unbound/root.key
 
  
 
Update the root hints file:
 
Update the root hints file:
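Review bot: "Modify IP addresses of DNS servers if desired" undersells what has to change in the forward-zone. In `forward-addr: 1.1.1.1@853#cloudflare-dns.com` the part after `#` is the name the upstream certificate is verified against using `tls-cert-bundle`, so a different resolver IP needs its own matching name, and an entry without `#name` is encrypted but not authenticated; say so next to that sentence. Separately, the removed `nohook resolv.conf` step was the only guard against `/etc/resolv.conf` being overwritten; the new text still sets it to 127.0.0.1 but no longer says how to keep it in place under the new networking setup.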
Line 71: Line 45:
 
  # curl -o /etc/unbound/root.hints <nowiki>https://www.internic.net/domain/named.cache</nowiki>
 
  # curl -o /etc/unbound/root.hints <nowiki>https://www.internic.net/domain/named.cache</nowiki>
  
Update the ad blocking file:
+
{{Tip|Put the above above command in a systemd timer to regularly update the root hints file.}}
 
 
# curl <nowiki>https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</nowiki> | awk '/^0\.0\.0\.0/ {print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > /etc/unbound/ads.conf
 
 
 
{{Tip|Put the above two commands in systemd timers to regularly update the files.}}
 
  
 
[[Start/enable]] the {{ic|unbound.service}}.
 
[[Start/enable]] the {{ic|unbound.service}}.
  
=== Test DNSSEC ===
+
==== Test DNSSEC ====
  
 
  $ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
 
  $ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
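Review bot: typo in the added Tip, "Put the above above command in a systemd timer" should read "Put the above command in a systemd timer".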
Line 90: Line 60:
 
The first output line should be something like the following. Note the word "BOGUS".
 
The first output line should be something like the following. Note the word "BOGUS".
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
 
  sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
 +
 +
=== Firewall ===
 +
 +
Here is a [[simple stateful firewall]] using [[nftables]]. First [[install]] {{pkg|nftables}}. Then create the following configuration file. Modify for your needs.
 +
 +
{{hc|/etc/nftables.conf|
 +
table inet filter {
 +
 +
  chain input {
 +
    type filter hook input priority 0; policy drop;
 +
    ct state {established, related} accept
 +
    ct state invalid drop
 +
    iifname lo accept
 +
    ip protocol icmp accept
 +
    reject with icmp type port-unreachable
 +
  }
 +
 +
  chain forward {
 +
    type filter hook forward priority 0; policy drop;
 +
  }
 +
 
 +
  chain output {
 +
    type filter hook output priority 0; policy accept;
 +
  }
 +
 +
}
 +
}}
 +
 +
{{Warning|The package-provided configuration file opens port 22.}}
 +
 +
Then [[start/enable]] {{ic|nftables.service}}.
  
 
== Pacman ==
 
== Pacman ==
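Review bot: the input chain accepts IPv4 ICMP only (`ip protocol icmp accept`) while the table is `inet`, so ICMPv6 hits `policy drop`; on a dual-stack host that silently breaks IPv6 neighbour discovery, router advertisements and path-MTU handling. Add `meta l4proto ipv6-icmp accept` beside the ICMP rule, and consider `reject with icmpx type port-unreachable` so IPv6 connections get a proper reject rather than a drop.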

Latest revision as of 17:35, 28 March 2019

Networking

Connect to the internet

If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.

If you have a wireless connection, start/enable the iwd.service if you have not already. Then connect by doing:

# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID

Clock synchronization

Run timedatectl set-ntp true to keep your clock in sync.

DNS Resolver

Install the unbound package.

Set your DNS server to 127.0.0.1:

/etc/resolv.conf
127.0.0.1

Add the following configuration file for unbound. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.

/etc/unbound/unbound.conf
server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  root-hints: root.hints
  trust-anchor-file: trusted-key.key
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com

Update the root hints file:

# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Tip: Put the above command in a systemd timer to regularly update the root hints file.

Start/enable the unbound.service.

Test DNSSEC

$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

The first output line should be something like the following. Note the word "secure".

sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

The first output line should be something like the following. Note the word "BOGUS".

sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
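As an added example, not part of the wiki page: a small check script for the unbound setup above. Its lint_forward_addrs function flags any forward-addr that is not in the ip@853#authname form, because the name after # is what unbound verifies the upstream certificate against using tls-cert-bundle; without it the connection is encrypted but not authenticated, so if you change the IP, change the name with it. The check_dnssec_pair function encodes the sigok/sigfail test from the Test DNSSEC section: validation is only working when the correctly signed name comes back "secure" and the deliberately broken one "BOGUS". The two sample configs are constructed; the live check assumes unbound-host is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not part of the wiki page): sanity checks for the
# unbound setup above. Assumes unbound-host is installed for the live
# check; the parsing and lint functions run without it.

# Constructed configs. In unbound's "forward-addr: ip@port#authname"
# syntax the "#authname" part is what the certificate in tls-cert-bundle
# is checked against; an entry without it is encrypted but NOT
# authenticated, so changing the IP means changing the name too.
GOOD_CONF='server:
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com'

WEAK_CONF='server:
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853'

# Print every forward-addr that is not "ip@853#authname".
# Returns 0 when all upstreams are authenticated DoT entries, 1 otherwise.
lint_forward_addrs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*forward-addr:/ {
            if ($2 !~ /@853#[^#]+$/) { print "unauthenticated upstream: " $2; bad = 1 }
        }
        END { exit bad }'
}

# Classify the first line of "unbound-host -v" output.
dnssec_status() {
    case "$1" in
        *"(BOGUS"*)     echo bogus ;;
        *"(secure)"*)   echo secure ;;
        *"(insecure)"*) echo insecure ;;
        *)              echo unknown ;;
    esac
}

# Validation works only if the correctly signed name is "secure" AND the
# deliberately broken one is "BOGUS". Both "insecure" means unbound is
# answering without validating (e.g. a missing or unreadable trust anchor).
check_dnssec_pair() {
    [ "$(dnssec_status "$1")" = secure ] && [ "$(dnssec_status "$2")" = bogus ]
}

# Live check using the page's two test names; skipped if unbound-host is absent.
live_dnssec_check() {
    if ! command -v unbound-host >/dev/null 2>&1; then
        echo "unbound-host not installed, skipping live check"
        return 0
    fi
    ok=$(unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net | head -n 1)
    bad=$(unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net | head -n 1)
    if check_dnssec_pair "$ok" "$bad"; then
        echo "DNSSEC validation OK"
    else
        echo "DNSSEC validation NOT working:"
        echo "  $ok"
        echo "  $bad"
        return 1
    fi
}

# Run the live check only when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --live) live_dnssec_check ;;
esac
```

Save it as, for example, dnscheck.sh and run `sh dnscheck.sh --live` after starting unbound.service; to lint your real configuration, call `lint_forward_addrs "$(cat /etc/unbound/unbound.conf)"` from a shell that has sourced the file.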

Firewall

Here is a simple stateful firewall using nftables. First install nftables. Then create the following configuration file. Modify for your needs.

/etc/nftables.conf
table inet filter {

  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    ip protocol icmp accept
    reject with icmp type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  
  chain output {
    type filter hook output priority 0; policy accept;
  }

}

Warning: The package-provided configuration file opens port 22.

Then start/enable nftables.service.
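As an added example that is not part of the wiki page, the ruleset above rewritten for a dual-stack host. It keeps every rule shown, adds `flush ruleset` so reloading does not fail on a duplicate table, accepts ICMPv6 (which an inet table otherwise drops, because `ip protocol icmp` matches IPv4 only, breaking IPv6 neighbour discovery), and uses `icmpx` for the reject so both address families get a proper answer. The check_ruleset function is a dry run through `nft -c` and is skipped when nft is not installed; port 22 stays closed, as on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): the page's nftables ruleset
# extended for a dual-stack host, plus a syntax check. In an "inet" table
# "ip protocol icmp accept" matches IPv4 ICMP only, so ICMPv6 (neighbour
# discovery, router advertisements, path-MTU messages) would fall through
# to "policy drop" and break IPv6 connectivity. "meta l4proto ipv6-icmp
# accept" closes that gap, and "icmpx" makes the reject answer correct for
# both address families. "flush ruleset" lets the file be reloaded cleanly.

ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    ip protocol icmp accept
    meta l4proto ipv6-icmp accept
    reject with icmpx type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Print 0 when the ICMPv6 accept rule exists and precedes the final reject
# in the input chain (rule order matters in nftables), 1 otherwise.
accepts_icmpv6() {
    ruleset | awk '
        /meta l4proto ipv6-icmp accept/ { seen = 1 }
        /reject with/ && !seen        { late = 1 }
        END { print (seen && !late) ? 0 : 1 }'
}

# Dry-run the ruleset through nft without loading it. Returns 0 when nft
# accepts it or is not installed (so the script still runs on hosts without
# nftables), 1 on a syntax error. nft usually needs root even for -c.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed, skipping syntax check"
        return 0
    fi
    tmp=$(mktemp)
    ruleset > "$tmp"
    nft -c -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    --check) check_ruleset ;;
    --print) ruleset ;;
esac
```

Save it as, for example, firewall.sh, run `sh firewall.sh --check` as root, then write `sh firewall.sh --print > /etc/nftables.conf` and start/enable nftables.service as described above.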

Pacman

Create local repository for AUR

Install the aurutils package from the AUR. Then create a local repository called aur:

/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

Include that file from pacman.conf by adding the following line:

/etc/pacman.conf
Include = /etc/pacman.d/aur

Then create the cache directory and initialise the repository database:

# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur

Now use aurutils or aurbuild to create packages that are put in the local database.

Pacman hooks

Get notified when a package becomes an orphan.

/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"

Clean up pacman cache on transactions.

/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv

Get notified when a package is no longer in a repository.

/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"