A video is available that walks through these steps if you would prefer that format:
Arch Linux: Essential Post-Install Configuration (plus some tmux and man tips)
I used the following resources when building this runbook:
- Arch Wiki: Example adding a user
- Arch Wiki: Other examples of user management
- Arch Wiki: Uncomplicated Firewall
- Requirements
- Update package list and packages
- Install and configure sudo
- Create a non-root user for admin tasks
- Reboot
- Verify non-root user's sudo ability
- Install and configure firewall
- Install additional preferred packages
- Next steps
A base installation of Arch Linux. You can build your own by following this gist or this video, or you can download an OVF image generated in VMware Workstation 15 here (filename is 2020-08-25_arch-linux-base.ova).
pacman -Syu
This step covers installing and configuring `sudo`, which is critical for system management as a non-root user.
First, install `sudo`:
pacman -S sudo
Next, run `visudo` using `vim`, which is the only editor installed on the example base system:
sudo EDITOR=/bin/vim visudo
Find the very end of the "Defaults" section of the file and add a new line to override the default text editor:
Defaults editor=/bin/vim
Find and uncomment the following line (remove `#`) to allow users belonging to the `wheel` group to use `sudo` for any system command without needing to enter their password:
# %wheel ALL=(ALL) NOPASSWD: ALL
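If the ability to use `sudo` without a password makes you nervous, uncomment the line near this one that looks the same aside from `NOPASSWD:`. With `NOPASSWD`, any process running as a member of `wheel` can become root without an authentication prompt; the password-required line keeps that prompt in place.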
After edits are complete, write and save the file (`:wq` in `vim`).
We rarely, if ever, want or need to use the `root` user, so the first user we create will also be the user we use for system configuration tasks. In this runbook, I'm using `admin` as the username; you should modify this username to suit your preferences.
First, create the user:
useradd -m admin
The `-m` in this command specifies that a home directory should be created.
Next, set this user's password:
passwd admin
Finally, add this user to the `wheel` group so they can use `sudo` (`-a` appends specified groups, `-G` specifies groups):
usermod -aG wheel admin
The `-aG` in this command is actually a combination of two arguments:
- `-a`: Append any specified groups to the user's current groups
- `-G`: Update the user's groups to the group(s) specified (e.g.: `group1,group2,group3`) - by default the user's groups are overwritten unless `-a` is also specified
The system update run earlier likely updated the kernel - we'll reboot to boot into the new initramfs image/kernel. Either of these commands will trigger a reboot:
shutdown -r now
reboot
When the reboot is complete, log in as `admin`.
Before moving on, check that you are able to use `sudo` as your admin user - a simple test is launching a `sudo` shell as root:
sudo -i
If you don't get an error, you're all set. If you do get an error, you'll need to double check the `visudo` configuration and your admin user's groups.
Go ahead and stay in this `sudo` shell for the remaining steps in this runbook, as many of the commands to follow require elevated permissions.
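If `sudo -i` fails, the two things to double check are the user's groups and which `%wheel` line is active. The script below is an added example, not part of the original runbook; the function names (`wheel_sudo_mode`, `in_group`, `sudo_verdict`) and the sample sudoers text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the runbook): why `sudo -i` may fail or succeed.

# Reads sudoers text on stdin and prints the effective %wheel rule:
# nopasswd, password, or none. sudoers applies the LAST matching entry,
# so if both wheel lines are uncommented the later one decides.
# Drop-ins under /etc/sudoers.d are not considered here.
wheel_sudo_mode() {
    awk '
        /^[ \t]*#/ { next }    # still commented out
        $1 == "%wheel" { mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password" }
        END { print (mode == "" ? "none" : mode) }
    '
}

# True when group $1 is in the space-separated list $2 (`id -nG` output).
in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = the user's group list, stdin = sudoers text; prints one verdict.
sudo_verdict() {
    mode=$(wheel_sudo_mode)
    if ! in_group wheel "$1"; then
        echo "no-sudo: user is not in wheel"
    elif [ "$mode" = none ]; then
        echo "no-sudo: wheel rule is still commented out"
    else
        echo "sudo: $mode"
    fi
}

# Constructed sample input, shaped like the lines this runbook edits.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | sudo_verdict "admin wheel"
# On a live system, as root:
#   sudo_verdict "$(id -nG admin)" < /etc/sudoers
```

`visudo -c` checks the file's syntax, and `sudo -l -U admin` (run as root) lists what sudo will actually grant that user.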
Arch Linux's `base` package includes `iptables`, which is a net filter/firewall in its own right - it's totally possible to configure `iptables` to do all the firewalling you would ever want it to do. That said, there are firewall management utilities available at this point that are a bit more convenient to use, and in this runbook, we'll be installing and configuring Uncomplicated Firewall.
First, install the `ufw` package:
pacman -S ufw
Next, ensure the `iptables` service is disabled, and enable/start the `ufw` service:
systemctl disable iptables
systemctl enable ufw
systemctl start ufw
Once `ufw` has started, we'll configure `ufw` to deny or reject inbound traffic by default (network traffic sourced from remote clients to this destination host):
ufw default deny
At this point we can enable `ufw` to enforce the default deny policy, and check its status:
ufw enable
ufw status
By default, `ufw` only seems to show rules entered by the user - because we haven't made any exceptions, output is a bit boring, indicating only that `ufw` is active. You can get a better idea of what traffic is allowed with the following command:
iptables -S|grep ACCEPT
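To check the end state instead of reading the raw output, the script below (an added example, not part of the original runbook) parses `ufw status verbose` for the default inbound policy and separates administrator-added ACCEPT rules from ufw's built-in ones in `iptables -S`. The function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the runbook): confirm the firewall end state.

# Reads `ufw status verbose` output on stdin. Prints "ok" when ufw is
# active and the default inbound policy is deny or reject.
ufw_posture() {
    awk '
        $1 == "Status:" { status = $2 }
        $1 == "Default:" {           # "deny (incoming), allow (outgoing), ..."
            for (i = 3; i <= NF; i++)
                if ($i ~ /^\(incoming\)/) incoming = $(i - 1)
        }
        END {
            if (status == "") status = "unknown"
            if (incoming == "") incoming = "unknown"
            if (status != "active")
                print "fail: ufw is " status
            else if (incoming != "deny" && incoming != "reject")
                print "fail: default incoming is " incoming
            else
                print "ok"
        }
    '
}

# Reads `iptables -S` output on stdin and keeps only the ACCEPT rules an
# administrator added through ufw, which ufw places in ufw-user-input.
user_allow_rules() {
    awk '$1 == "-A" && $2 == "ufw-user-input" && $NF == "ACCEPT"'
}

# Constructed sample output, not captured from a real host.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'
SAMPLE_RULES='-P INPUT DROP
-A ufw-before-input -i lo -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_STATUS" | ufw_posture
printf '%s\n' "$SAMPLE_RULES" | user_allow_rules
# On a live system, as root:
#   ufw status verbose | ufw_posture
#   iptables -S | user_allow_rules
```

On a host configured exactly as in this runbook, `user_allow_rules` should print nothing, because no exceptions have been added.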
While the above steps are truly essential, there are a handful of packages I just can't live without:
- `man` - Provides an interface to system manuals. Don't know what `usermod` does? Just `man usermod` and read up. It's super helpful, near necessary. Half the battle is knowing a utility exists to do a job, the other half is understanding or remembering that utility's usage and syntax...if you're like me, and lean heavily on reference material, you probably need `man`.
- `tmux` - A virtual terminal emulator/multiplexer, similar to `screen`. It's very helpful if you'll only be interacting with the system via command line/tty sessions, as it supports creating and managing multiple windows/panes on a single screen. It's also handy when you need to run a process in the background and return to it later - you can open a `tmux` session, run a process, detach from the session, and the process will continue without interruption. You can reattach to the session at any time. If you've ever been disconnected from an SSH server during a long transfer or a system update, you'll understand the value.
- `tcpdump` - Allows you to monitor packets flowing across your system's interfaces.
- `which` - Returns the full path of the program/command passed as an argument.
To install these packages, just run:
pacman -S man tmux tcpdump which
If there are other packages you can't live without, add them to the command as well.