- Update system & install basics
- Set hostname
- Enable time sync
- Add new user
- SSH Server
- Improve SSH Security
- Install Paru AUR Helper
- Install Uncomplicated Firewall
- Install Zsh & Oh My Zsh
- Install Docker
- Install Portainer
Update system & install basics
- Update packages:
sudo pacman -Syu
- Install additional packages:
sudo pacman -S nano vi screen git wget curl gnupg neofetch lolcat ncdu zip unzip htop iotop inetutils
Set hostname
Set a hostname (persistent across reboots):
sudo hostnamectl set-hostname <hostname>
To temporarily set the hostname (until reboot):
sudo hostname <hostname>
Enable time sync
Enable time sync and start the service:
sudo timedatectl set-ntp true
sudo systemctl enable systemd-timesyncd
sudo systemctl start systemd-timesyncd
Add new user
Add a new user with a home directory:
sudo useradd -m <user>
Set a password:
sudo passwd <user>
Add the user to the wheel group, which is the group that is granted sudo access below:
sudo usermod -a -G wheel <user>
Open the sudoers file with sudo visudo
(never edit /etc/sudoers directly; visudo checks the syntax before saving, so a typo cannot lock you out of sudo) and uncomment the following line by removing the leading #:
# %wheel ALL=(ALL) ALL
SSH Server
Install, start and enable the OpenSSH server:
sudo pacman -S openssh
sudo systemctl start sshd
sudo systemctl enable sshd
Improve SSH Security
Open the sshd configuration:
sudo nano /etc/ssh/sshd_config
Add or edit the following line (above any Match block), listing the usernames that are allowed to log in; every other account is refused, even if it presents a valid key or password:
AllowUsers <user> <...>
You can also use DenyUsers to refuse specific usernames:
DenyUsers <user> <...>
After the change, check the file with sudo sshd -t (it prints nothing when the configuration is valid) and restart the sshd service with sudo systemctl restart sshd
or reboot so the changes take effect.
Create a new key pair on the client with ssh-keygen (for example ssh-keygen -t ed25519) and copy the public key to the server; ssh-copy-id appends it to ~/.ssh/authorized_keys of that user:
ssh-copy-id -i ~/.ssh/<id_rsa> <user>@<host>
Before touching sshd_config again, confirm from a second terminal that ssh <user>@<host> logs in without a password prompt, and keep your current session open until the key login works, so that a mistake in the next step cannot lock you out.
Now disable password logins, so that all authentication is done with key pairs.
sudo nano /etc/ssh/sshd_config
Make sure the following lines are present and set as shown (the last four are the ones that must be no; the first two control key authentication), uncommenting them if they are commented out:
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Two caveats. PubkeyAcceptedKeyTypes=+ssh-rsa re-enables the SHA-1 based ssh-rsa signature scheme that OpenSSH 8.8 disabled by default; it is only needed for old clients, since RSA keys on current clients sign with rsa-sha2-256/512 and ed25519 keys are unaffected, so leave it out unless a login actually fails without it (since OpenSSH 8.5 the directive is called PubkeyAcceptedAlgorithms; the old name still works). UsePAM no switches PAM off entirely, including session setup such as the logind session that pam_systemd creates, so systemd user services will typically not work for SSH logins; with password and challenge-response authentication already off, UsePAM yes no longer lets anyone in with a password, so keeping it is a reasonable choice. ChallengeResponseAuthentication has been named KbdInteractiveAuthentication since OpenSSH 8.7; the old name is still accepted.
Save the file, check it with sudo sshd -t, and either restart the ssh daemon with sudo systemctl restart sshd
or reboot. From a new terminal, ssh <user>@<host> should still log in with the key, and ssh -o PubkeyAuthentication=no <user>@<host> must now be refused with "Permission denied (publickey)".
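The same change as an added example script (not part of the original guide): it writes the directives above to the top of an sshd_config, because sshd uses the first value it reads for a directive and nothing later in the file can override a line placed there; it comments out the conflicting active top-level lines, leaves Match blocks alone, can be re-run without duplicating its block, and lets sshd itself validate the result. The function names, the BEGIN/END markers and the sample configuration are my own. UsePAM and PubkeyAcceptedKeyTypes are intentionally not touched; add them to HARDEN_SETTINGS if you want them.

```shell
#!/bin/sh
# harden_sshd.sh: pin the key-only-login directives from this guide in an
# sshd_config, idempotently, and check the result.  Added example, not part of
# the guide; function names, markers and the sample file are mine.  UsePAM and
# PubkeyAcceptedKeyTypes are intentionally not touched; add them to
# HARDEN_SETTINGS if you want them.

# sshd uses the FIRST value it reads for a directive (outside Match blocks), so
# the block is written at the top of the file, where nothing can override it.
HARDEN_SETTINGS='PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no'

# harden_sshd_config FILE [USER...]
#   Writes the block above (plus "AllowUsers USER..." when users are given) at
#   the top of FILE, comments out conflicting active top-level lines, and
#   replaces a block left by an earlier run.  Lines inside Match blocks are
#   left untouched.  A copy of the original is kept as FILE.bak.
harden_sshd_config() {
  file=$1; shift
  users=$*
  keys=$(printf '%s\n' "$HARDEN_SETTINGS" | awk '{ printf "%s ", $1 }')
  if [ -n "$users" ]; then keys="$keys AllowUsers"; fi
  tmp=$(mktemp) || return 1
  cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
  {
    echo "# BEGIN harden_sshd_config"
    printf '%s\n' "$HARDEN_SETTINGS"
    if [ -n "$users" ]; then echo "AllowUsers $users"; fi
    echo "# END harden_sshd_config"
    awk -v keys="$keys" '
      BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[tolower(k[i])] = 1 }
      $0 == "# BEGIN harden_sshd_config" { skip = 1; next }
      $0 == "# END harden_sshd_config"   { skip = 0; next }
      skip { next }
      {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) { print; next }     # blank/comment: keep
        split(line, f, /[ \t=]+/); kw = tolower(f[1])
        if (kw == "match") in_match = 1                     # rest of file is Match blocks
        if (!in_match && (kw in want))
          print "# " $0 "  (disabled by harden_sshd_config)"
        else
          print
      }' "$file"
  } > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original owner and mode
  status=$?
  rm -f "$tmp"
  return $status
}

# sshd_effective FILE DIRECTIVE
#   Prints the value sshd would use: the first active top-level occurrence
#   (the same rule sshd applies).  On a host with sshd, `sshd -T` is authoritative.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      split(line, f, /[ \t=]+/); kw = tolower(f[1])
      if (kw == "match") exit
      if (kw == key) { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit }
    }' "$1"
}

# sshd_check FILE: let sshd itself parse FILE; a non-zero exit means do not restart.
sshd_check() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed here; skipping syntax check of $1" >&2
  fi
}

# Demo on a constructed sample (not a real server's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd_config "$SAMPLE_CONF" alice bob
harden_sshd_config "$SAMPLE_CONF" alice bob   # second run: must not duplicate the block
sshd_check "$SAMPLE_CONF" || echo "syntax check failed; fix before restarting sshd" >&2
for d in PasswordAuthentication ChallengeResponseAuthentication AllowUsers UsePAM; do
  printf '%-32s %s\n' "$d" "$(sshd_effective "$SAMPLE_CONF" "$d")"
done
```

To apply it for real, source the file as root and run harden_sshd_config /etc/ssh/sshd_config <user>, then sshd_check /etc/ssh/sshd_config, and only restart sshd when the check passes, keeping an existing session open until a fresh key login succeeds. The PasswordAuthentication line inside the Match block is deliberately left alone: sshd lets a Match block override the global value for the connections it matches, so such exceptions are a decision to make by hand, not something a script should silently remove.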
Install the fail2ban package (it is in the official repositories, so sudo pacman -S fail2ban works as well):
paru -S fail2ban
Copy jail.conf to jail.local; jail.conf is overwritten on package updates, while settings in jail.local override it:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
jail.conf ships with every jail disabled (enabled = false in its [DEFAULT] section), so edit jail.local and set enabled = true in the [sshd] section; otherwise the service runs but watches nothing.
Start and enable the fail2ban service:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Check that the jail is active with sudo fail2ban-client status sshd; it lists the number of failed attempts seen and the addresses currently banned.
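An example jail.local to go with this, added here (it is neither the packaged jail.conf nor a file from the original guide): jail.conf enables nothing on its own, so without at least enabled = true under [sshd] the service protects nothing. The thresholds and the 192.168.0.0/24 ignore range are illustrative assumptions; adjust them to your network.

```ini
# /etc/fail2ban/jail.local (example added to this page; not the packaged
# jail.conf and not from the original guide; thresholds and the LAN range are
# illustrative assumptions)
[DEFAULT]
# Never ban localhost or the LAN (same 192.168.0.0/24 as the ufw rules below).
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
# 5 failures within 10 minutes -> 1 hour ban, growing for repeat offenders.
findtime = 10m
maxretry = 5
bantime = 1h
bantime.increment = true
# Arch logs sshd to the journal, not to /var/log/auth.log.
backend = systemd
# The default banaction is iptables-multiport; once ufw is installed you can
# use its action instead:
#banaction = ufw

[sshd]
# jail.conf leaves every jail disabled; this line is what actually turns
# SSH protection on.
enabled = true
# "aggressive" combines the normal, ddos and extra patterns of filter.d/sshd.conf.
mode = aggressive
```

Validate the configuration with sudo fail2ban-client -t before restarting the service; once it is running, sudo fail2ban-client status sshd should show the jail with a non-zero "Total failed" counter after a deliberate wrong-password attempt from a non-ignored address.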
Install Paru AUR Helper
Install the Rust toolchain paru is built with. pacman asks which package should provide cargo: rust is a ready-to-use toolchain; rustup is a toolchain manager, in which case the second line is needed to actually install the stable toolchain (skip it if you chose rust):
sudo pacman -S cargo
rustup update stable
Build and install paru from the AUR. makepkg refuses to run as root, so do this as your normal user, and, as with any AUR package, read the PKGBUILD before building: it is a third-party script that runs on your machine with your privileges:
sudo pacman -S --needed base-devel
git clone https://aur.archlinux.org/paru.git
cd paru
makepkg -si
Install Uncomplicated Firewall
Install the ufw package (also in the official repositories):
paru -S ufw
Start and enable the ufw service:
sudo systemctl start ufw
sudo systemctl enable ufw
A very simple configuration which denies all incoming traffic by default (outgoing stays allowed), allows any protocol from the 192.168.0.0/24 LAN (192.168.0.0-192.168.0.255), and allows rate-limited SSH from anywhere. limit refuses an address that opens 6 or more connections within 30 seconds, which blunts brute forcing; any other service you expose (Deluge, for instance) needs its own allow rule or it is blocked once the firewall is enabled. Add the SSH rule before enabling the firewall when you are working over SSH:
sudo ufw default deny
sudo ufw allow from 192.168.0.0/24
sudo ufw limit ssh
Enable ufw:
sudo ufw enable
Check the active rule set with sudo ufw status verbose.
Install Zsh & Oh My Zsh
Install Zsh, then Oh My Zsh. The second line fetches the installer from GitHub and runs it immediately; if you prefer to read it first, save it with curl -fsSL <url> -o install.sh, inspect it, then run sh install.sh:
paru -S zsh
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
Install Powerlevel10k:
git clone --depth=1 https://github.com/romkatv/powerlevel10k.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/themes/powerlevel10k
Get compatible fonts from ryanoasis/nerd-fonts, e.g. JetBrainsMono.
Set the Zsh theme ZSH_THEME="powerlevel10k/powerlevel10k" in ~/.zshrc.
Start using Powerlevel10k by restarting the shell and following the configuration wizard.
The example configuration used here corresponds to answering the wizard's prompts with: yyyy3121111121n1y
Install Antibody. git.io is a URL shortener, so see where it goes first (curl -sI git.io/antibody shows the Location header) and read the script before piping it into a root shell; only the installation step needs sudo, the download does not:
curl -sfL git.io/antibody | sudo sh -s - -b /usr/local/bin
An extensive list of plugins can be found at unixorn/awesome-zsh-plugins.
Add a list of your desired plugins to ~/.zsh_plugins.txt.
Here's a list of the plugins I use:
b4b4r07/emoji-cli
bobthecow/git-flow-completion
chrissicool/zsh-256color
supercrabtree/k
wting/autojump
zsh-users/zsh-autosuggestions
zsh-users/zsh-syntax-highlighting
Add the following lines at the end of ~/.zshrc so that Antibody loads the plugins:
source <(antibody init)
antibody bundle < ~/.zsh_plugins.txt
Install dependencies used by the plugins above (fzf, jq):
paru -S fzf jq
Add
export FZF_DEFAULT_OPTS='--height 40% --layout=reverse --border'
at the end of ~/.zshrc
Install Docker
Install the docker package (it is in the official repositories):
paru -S docker
Start and enable the Docker service:
sudo systemctl start docker
sudo systemctl enable docker
Check that Docker works. The commands are run with sudo on purpose: membership in the docker group is equivalent to root on the host (any member can start a container with / bind-mounted), so do not add your user to it on a server:
sudo docker info
sudo docker run -it --rm archlinux bash -c "echo hello world"
Install Portainer
Create a volume for the Portainer data:
sudo docker volume create portainer_data
Start the Portainer container. The bind mount of /var/run/docker.sock gives Portainer full control of the Docker daemon, which is root-equivalent on the host, so set a strong admin password on the first login and never expose the UI to the internet. The -p flags below publish the ports on all interfaces; to keep them off the public side, bind them to the host's LAN address (e.g. -p 192.168.0.10:9000:9000, using your own address) or to 127.0.0.1 and reach the UI through an SSH tunnel. Also note that ports published by Docker bypass ufw's incoming policy; the rules in the next section fix that:
sudo docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
Modify the UFW configuration file /etc/ufw/after.rules and add the following rules at the end of the file. Docker publishes container ports by inserting its own rules at the top of the FORWARD chain, so ufw's incoming policy never sees that traffic; these rules hook into DOCKER-USER, the chain Docker evaluates before its own rules, and let published ports be reached from the private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) while connections from anywhere else are logged and dropped unless explicitly allowed with ufw route:
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
Use sudo systemctl restart ufw or sudo ufw reload to reload the rules after changing the file, then confirm the chain is in place with sudo iptables -L DOCKER-USER -n; it should start with the jump to ufw-user-forward, followed by the RETURN and ufw-docker-logging-deny rules above.
Allow a container port, e.g. 8080, to be reached from outside the private networks:
sudo ufw route allow 8080
Allow a host port, e.g. 8080 (a service running on the host itself, not in a container):
sudo ufw allow 8080
source: chaifeng/ufw-docker
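An added check that is not part of the guide or of ufw-docker: it parses docker ps output and lists the container ports published on all interfaces (0.0.0.0 or ::), which are exactly the ports Docker opens in the FORWARD chain regardless of ufw's incoming policy, and therefore the ones that must either be bound to a LAN or loopback address instead or be covered by the DOCKER-USER rules above. The sample docker ps lines are constructed, and the function names are mine.

```shell
#!/bin/sh
# docker_public_ports.sh: list container ports Docker published on every
# interface (0.0.0.0 / ::).  Those are exactly the ports Docker opens in the
# FORWARD chain past ufw's incoming policy; each should either be bound to a
# LAN or loopback address instead, or stay blocked by the DOCKER-USER rules
# above until opened with `ufw route allow`.  Added example, not part of the
# guide or of ufw-docker; the function names and sample data are mine.

# public_published_ports
#   Reads "<name><TAB><ports>" lines as printed by
#     docker ps --format '{{.Names}}\t{{.Ports}}'
#   and prints "<name><TAB><hostport>/<proto>" for every wildcard binding.
public_published_ports() {
  awk -F '\t' '
    {
      n = split($2, e, /, */)
      for (i = 1; i <= n; i++) {
        if (e[i] !~ /->/) continue                # "8080/tcp": exposed, not published
        split(e[i], m, "->")                      # m[1]="0.0.0.0:9000", m[2]="9000/tcp"
        host = m[1];  sub(/:[0-9]+$/, "", host)   # "0.0.0.0", "::" or "127.0.0.1"
        hport = m[1]; sub(/^.*:/, "", hport)      # "9000"
        proto = m[2]; sub(/^.*\//, "", proto)     # "tcp"
        if (host == "0.0.0.0" || host == "::" || host == "[::]")
          print $1 "\t" hport "/" proto
      }
    }' | sort -u          # the IPv4 and IPv6 wildcard entries collapse into one line
}

# audit_running_containers
#   Runs the check against the live daemon (needs root, or docker group
#   membership, which is root-equivalent).  Empty output means nothing is
#   published on a public interface.
audit_running_containers() {
  docker ps --format '{{.Names}}\t{{.Ports}}' | public_published_ports
}

# Constructed sample of `docker ps` output (not captured from a real host):
# Portainer as started above, a database bound to loopback, an exposed-only port.
SAMPLE_PS=$(printf '%s\t%s\n' \
  portainer   '0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp' \
  internal-db '127.0.0.1:5432->5432/tcp' \
  worker      '8080/tcp')

# Prints two lines: portainer<TAB>8000/tcp and portainer<TAB>9000/tcp; the
# loopback-bound database and the merely exposed worker port are not listed.
printf '%s\n' "$SAMPLE_PS" | public_published_ports
```

Run audit_running_containers on the server after starting Portainer: with the after.rules block in place, every port it prints is reachable only from the private networks until you add a ufw route allow rule for it; without that block, every port it prints is open to the internet no matter what sudo ufw status shows.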
...