User:Rdeckard/Post-installation
Networking
Connect to the internet
If you have not already, start/enable systemd-networkd.service. You should have already set up a configuration file in User:Rdeckard/Installation guide.
If you have a wireless connection, start/enable the iwd.service if you have not already. Then connect by doing:
# iwctl
[iwd]# station device scan
[iwd]# station device get-networks
[iwd]# station device connect SSID
Clock synchronization
Run timedatectl set-ntp true to keep your clock in sync.
DNS Resolver
Set your DNS server to 127.0.0.1:
/etc/resolv.conf
nameserver 127.0.0.1
Add the following configuration file for unbound. It includes DNSSEC, root hints, and DNS over TLS. Modify IP addresses of DNS servers if desired.
/etc/unbound/unbound.conf
server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
Update the root hints file:
# curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
Start/enable the unbound.service.
Test DNSSEC
$ unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
The first output line should be something like the following. Note the word "secure".
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
$ unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
The first output line should be something like the following. Note the word "BOGUS".
sigfail.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
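A resolver that is not validating at all would answer the sigfail name with an ordinary address instead of BOGUS, so both test names above should be checked together. The following script is an added example and not part of the original page; it assumes unbound-host is installed and the configuration path used above.

```shell
#!/bin/sh
# Added example: verify that the local unbound actually validates DNSSEC
# by querying the two test names from this page and checking that
# sigok resolves as (secure) and sigfail is rejected as BOGUS.
# Assumes unbound-host and the config path /etc/unbound/unbound.conf.

UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf}"

# Classify one line of `unbound-host -v` output.
# Prints one of: secure, bogus, insecure, unknown.
dnssec_status() {
    case "$1" in
        *"(secure)"*)   echo secure ;;
        *"(BOGUS"*)     echo bogus ;;
        *"(insecure)"*) echo insecure ;;
        *)              echo unknown ;;
    esac
}

# Query a name through the local unbound and classify the first output line.
query_status() {
    first=$(unbound-host -C "$UNBOUND_CONF" -v "$1" 2>/dev/null | head -n 1)
    dnssec_status "$first"
}

# Returns 0 only when the validator behaves correctly for both test names:
# a resolver that skips validation would report sigfail as insecure/unknown.
check_dnssec_validation() {
    ok=$(query_status sigok.verteiltesysteme.net)
    fail=$(query_status sigfail.verteiltesysteme.net)
    if [ "$ok" = secure ] && [ "$fail" = bogus ]; then
        echo "DNSSEC validation is working (sigok=$ok, sigfail=$fail)"
        return 0
    fi
    echo "DNSSEC validation problem: sigok=$ok, sigfail=$fail" >&2
    return 1
}

# Run the live check only where unbound-host is available.
command -v unbound-host >/dev/null 2>&1 && check_dnssec_validation
```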
Firewall
Here is a simple stateful firewall using nftables. First install nftables. Then create the following configuration file. Modify for your needs.
/etc/nftables.conf
#!/usr/bin/nft -f
# Flush the previous ruleset so the service can be restarted without errors.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname lo accept
        # Accept ICMP and ICMPv6; ICMPv6 is needed for IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept
        # icmpx rejects correctly for both IPv4 and IPv6 in an inet table.
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Then start/enable nftables.service.
Pacman
Create local repository for AUR
Install the aurutils package from the AUR. Then create a local repository called aur:
/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur
Add the following line to include it:
/etc/pacman.conf
Include = /etc/pacman.d/aur
# mkdir -p /var/cache/pacman/aur
# chown user:user /var/cache/pacman/aur
$ cd /var/cache/pacman/aur
$ repose -vf aur
Now use aurutils (for example aurbuild) to build packages; they are added to the local database.
Pacman hooks
Get notified when a package becomes an orphan.
/etc/pacman.d/hooks/orphans.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for orphans...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qtd || true"
Clean up pacman cache on transactions.
/etc/pacman.d/hooks/paccache.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning pacman cache...
When = PostTransaction
Exec = /usr/bin/paccache -rv
Get notified when a package is no longer in a repository.
/etc/pacman.d/hooks/repocheck.hook
[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Checking for dropped packages...
When = PostTransaction
Exec = /usr/bin/bash -c "/usr/bin/pacman -Qqm || true"