User:Cvlc/Notes/General recommendations

From ArchWiki
Warning: WIP Do not follow (yet...)

System administration

Users and groups

Use systemd-homed to create a new user:

# systemctl enable --now systemd-homed
# homectl create username

homectl autodetects LUKS + Btrfs and creates the @home/username.homedir subvolume, mounted with the same flags as above (compress/discard).

Privilege elevation

# EDITOR=nano visudo /etc/sudoers.d/01_conf
username  ALL=(ALL) ALL

# Reset environment by default
Defaults      env_reset

# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults      editor=/usr/bin/nano, !env_editor

See Sudo#Editing_files and Security#Use_sudo_instead_of_su

Service management

System maintenance

Check for errors

Check for failed services / errors in log

$ systemctl --failed
$ sudo journalctl -p 3 -b

Limit logging to 6 months

$ sudo mkdir /etc/systemd/journald.conf.d/
$ sudo nano /etc/systemd/journald.conf.d/00-journal-size.conf
/etc/systemd/journald.conf.d/00-journal-size.conf
[Journal]
MaxRetentionSec=6months

Backup

Cryptsetup's luksHeaderBackup action stores a binary backup of the LUKS header and keyslot area:

$ sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file /<safe-place>/<backup>/<file>.img

Snapshots

Snapper

Create a config for root and username.homedir:

$ sudo snapper -c root create-config /
$ sudo snapper -c home_username create-config /home/username.homedir/

Snapper create-config automatically creates snapshot subvolumes that are not needed for the suggested filesystem layout. Those can be deleted:

$ sudo btrfs subvolume delete /.snapshots
$ sudo btrfs subvolume delete /home/username.homedir/.snapshots

After deleting the subvolumes, recreate the snapshot directories to be used as mount points:

$ sudo mkdir /.snapshots
$ sudo mkdir /home/username.homedir/.snapshots

Edit /etc/fstab to add the snapshot lines:

/etc/fstab
[...]
LABEL=Arch	/.snapshots				btrfs	rw,subvol=@snap_root	0 0
LABEL=Arch	/home/username.homedir/.snapshots	btrfs	rw,subvol=@snap_<user>	0 0

Remount all entries from /etc/fstab to mount them, and check that everything went well:

$ sudo mount -a
$ findmnt | grep btrfs

Give the folders 750 permissions:

$ sudo chmod 750 /.snapshots
$ sudo chmod 750 /home/username.homedir/.snapshots

Use the provided systemd units to start the automatic snapshot timeline:

$ sudo systemctl enable --now snapper-timeline.timer snapper-cleanup.timer

To prevent slowdowns, edit the configuration files to reduce the number of snapshots kept, for example:

/etc/snapper/configs/root
TIMELINE_MIN_AGE="1800"
TIMELINE_LIMIT_HOURLY="5"
TIMELINE_LIMIT_DAILY="7"
TIMELINE_LIMIT_WEEKLY="0"
TIMELINE_LIMIT_MONTHLY="0"
TIMELINE_LIMIT_YEARLY="0"

Install snap-pac to take pre/post transaction snapshots automatically when using pacman:

$ sudo pacman -S snap-pac

See Snapper#Restoring / to its previous snapshot

Manual Snapshots
# btrfs subvolume snapshot -r / "/.snapshots/@-$(date +%F-%R)"

To restore from a snapshot, delete the currently used @, replace it with an earlier snapshot, and reboot:

# mount -o subvolid=5 /dev/mapper/root /mnt
# btrfs subvolume delete /mnt/@
# btrfs subvolume snapshot /mnt/@snapshots/@root-(date) /mnt/@

Package management

Pacman

Useful scripts from pacman-contrib:

$ checkupdates
$ pacdiff

Use paccache.timer to discard unused cached versions of installed and uninstalled packages weekly with paccache(8) from pacman-contrib.

To keep only one version of cached packages instead of the default three:

$ sudo systemctl edit paccache.service
[Service]
ExecStart=
ExecStart=/usr/bin/paccache -rk1
$ sudo systemctl enable --now paccache.timer

To delete cached versions of uninstalled packages:

$ sudo paccache -ruk0

Uncomment VerbosePkgLists to see old and new versions of available packages, as well as Color and ParallelDownloads:

$ sudoedit /etc/pacman.conf

Repositories

Mirrors

$ sudo systemctl enable --now reflector

If reflector.service fails due to NetworkManager-wait-online.service finishing too early, remove the -s switch from the service:

$ sudo systemctl edit NetworkManager-wait-online.service
[Service]
ExecStart=
ExecStart=/usr/bin/nm-online -q

Arch Build System

Arch User Repository

Booting

Hardware auto-recognition

Microcode

Retaining boot messages

Num Lock activation

Graphical user interface

Display server

Display drivers

Desktop environments

$ sudo pacman -S gnome gdm gnome-tweaks arc-gtk-theme arc-icon-theme

When prompted, choose Wireplumber over pipewire-media-session

$ sudo systemctl enable --now gdm.service

Disable the logout confirmation prompt

$ gsettings set org.gnome.SessionManager logout-prompt false

Window managers

Display manager

User directories

Power management

ACPI events

CPU frequency scaling

$ sudo pacman -S thermald
$ sudo systemctl enable --now thermald

Laptops

$ sudo systemctl enable --now power-profiles-daemon

Suspend and hibernate

Disable hibernate (there is no swap to resume from):

/etc/systemd/sleep.conf
[Sleep]
AllowHibernation=no
AllowSuspendThenHibernate=no

Multimedia

Enable playback in Totem

$ sudo pacman -S gst-libav

Sound system

Use Pipewire instead of Pulseaudio

$ sudo pacman -S pipewire-alsa pipewire-pulse

Enable WebRTC screen sharing on Wayland using Pipewire

$ sudo pacman -S xdg-desktop-portal xdg-desktop-portal-gtk

Networking

Clock synchronization

$ sudo timedatectl set-ntp true

DNS security

Configure encrypted DNS

$ sudo mkdir /etc/systemd/resolved.conf.d

/etc/systemd/resolved.conf.d/dnsotls.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes
Domains=~.

or NextDNS, etc.
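
The following check is an added example, not part of the original notes: it lints a resolved drop-in like the one above for DNS= entries without an attached #hostname (the name resolved validates the server certificate against) and for a DNSOverTLS= value that does not enforce TLS. The helper name check_dot_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): lint a systemd-resolved
# drop-in for DNS-over-TLS pitfalls.
# check_dot_conf is a hypothetical helper name, not a systemd tool.
# Prints one finding per line; exit status 0 = clean, 1 = findings.
check_dot_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                       # skip whole-line comments
    /^[ \t]*DNSOverTLS[ \t]*=/ {
        dot = $0
        sub(/^[^=]*=[ \t]*/, "", dot); sub(/[ \t]+$/, "", dot)
        dot = tolower(dot)
    }
    /^[ \t]*DNS[ \t]*=/ {
        list = $0
        sub(/^[^=]*=[ \t]*/, "", list)
        n = split(list, entry, /[ \t]+/)         # DNS= is a space-separated list
        for (i = 1; i <= n; i++) {
            if (entry[i] == "") continue
            if (entry[i] ~ /^#/) {
                # No inline comments in resolved.conf: a name split off by a space
                print "detached-name: " entry[i]; bad++
            } else if (entry[i] !~ /#./) {
                # Address without a server name to check the certificate against
                print "no-server-name: " entry[i]; bad++
            }
        }
    }
    END {
        # Only a true boolean enforces TLS; "opportunistic" can be downgraded
        if (dot !~ /^(yes|true|on|1)$/) { print "not-strict: DNSOverTLS=" dot; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the space before "#" splits one entry into two.
sample=$(mktemp)
printf '[Resolve]\nDNS=9.9.9.9 #dns.quad9.net\nDNSOverTLS=yes\nDomains=~.\n' > "$sample"
check_dot_conf "$sample" || echo "findings in $sample"
rm -f "$sample"
```

After editing the real drop-in, restart systemd-resolved and confirm the active servers with resolvectl status.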

Setting up a firewall

$ sudo pacman -S firewalld
$ sudo systemctl enable --now firewalld

Network shares

Input devices

Optimization

Benchmarking

Improving performance

Storage devices

Enable Btrfs monthly scrub

$ sudo systemctl enable btrfs-scrub@-.timer

See Profile-sync-daemon and Firefox/Tweaks#Move disk cache to RAM

CPU

GCC can automatically detect and enable safe architecture-specific optimizations. To use this feature, first remove any -march and -mtune flags, then add -march=native. Also add -C target-cpu=native for the Rust compiler. For example:

$ sudo nano /etc/makepkg.conf
CFLAGS="-march=native -O2 -pipe -fno-plt"
...
RUSTFLAGS="-C opt-level=2 -C target-cpu=native"
...
MAKEFLAGS="-j4"
...
BUILDDIR=/tmp/makepkg

Graphics

Hardware Video Acceleration

Warning: steps specific to my device (Intel integrated Graphics)

$ sudo pacman -S intel-media-driver libvdpau-va-gl
$ mkdir -p ~/.config/environment.d
$ nano ~/.config/environment.d/01_env.conf
LIBVA_DRIVER_NAME=iHD
VDPAU_DRIVER=va_gl

GPGPU

$ sudo pacman -S intel-compute-runtime ocl-icd

Vulkan

$ sudo pacman -S vulkan-intel

Configure specific applications (Firefox, etc..)

RAM, swap and OOM handling

$ sudo pacman -S zram-generator

$ sudoedit /etc/systemd/zram-generator.conf
[zram0]

$ sudo systemctl enable --now systemd-oomd

/etc/kernel/cmdline
[...] nowatchdog

/etc/modprobe.d/blacklist.conf
blacklist iTCO_wdt

Uresourced from AUR

Solid state drives

$ sudo systemctl enable fstrim.timer

System services

File index and search

Local mail delivery

Printing

Appearance

Fonts

GTK and Qt themes

Console improvements

/etc/environment
VISUAL=nano
EDITOR=nano

Tab-completion enhancements

Aliases

~/.bash_aliases
alias ls='ls --color=auto'
alias diff='diff --color=auto'
alias grep='grep --color=auto'
alias mkdir='mkdir -p -v'
#alias sudo='sudo -v && sudo'

alias sublist='sudo btrfs subvolume list -t --sort=path'
alias pacdiff='sudo DIFFPROG=nano pacdiff'
alias checkupdates='checkupdates'

Alternative shells

Bash additions

Colored output

Compressed files

Console prompt

~/.bashrc
PS1='\[\e[1m\][\u@\h \W]\$ \[\e[0m\]'

Emacs shell

Mouse support

Session management