Basic configuration
After system preparation I am able to boot the installed system and log in using the root account.
I check the Internet connection by invoking ping archlinux.org and troubleshoot
if necessary. In my case I needed to manually start systemd's network services
using the following commands:
systemctl start systemd-networkd.service
systemctl start systemd-resolved.service
Upgrading packages is most advisable and done with Pacman via:
pacman -Su
The general basic setup recommended for my needs includes the following tasks:
- Creating #Users and groups
- Applying #Security measures
- #Package management
- Adding #Console improvements
- Installing a #Graphics driver
Users and groups
I create a new group with the same name as the user to be created to use it as a
primary group for this new user (thisven in this example):
groupadd thisven
useradd -m -g thisven -G users -s /bin/bash thisven
I also set a password for the new user:
passwd thisven
Security measures
Although personal computers might be less of a target for cyber attacks, it's important to consider means to mitigate risks and know about some general security concepts.
Sudo, not su
To avoid unintended modifications, I restrict use of the root user by installing
sudo and configuring it for the wheel group:
pacman -S sudo
gpasswd -a thisven wheel
EDITOR=nvim visudo
In the Neovim editor, I uncomment the following line (removing the # and the space character) in the
file that has just been opened by the visudo command:
# %wheel ALL=(ALL:ALL) ALL
I exit the root session and log in again as the new user thisven. In the user
session, I lock the root user login to only allow unprivileged user sessions:
sudo passwd --lock root
Hardware vulnerabilities
The CPU might be vulnerable to known attacks. To display these I run:
grep -r . /sys/devices/system/cpu/vulnerabilities/
For mitigation, use the latest kernel and microcode for your CPU brand. I install the intel-ucode package providing µcode (ucode or microcode) for Intel processors:
sudo pacman -S intel-ucode
The microcode can be loaded by integrating it into the initramfs image with the microcode hook in the /etc/mkinitcpio.conf file, which is the default configuration (see the #Initramfs configuration section of the system preparation guide). However, after installing the microcode, I need to rebuild the initramfs to include it:
sudo mkinitcpio -P
Afterwards, I can verify that the initramfs image includes the microcode update files with this command:
lsinitcpio --early /boot/initramfs-linux.img | grep microcode
Firewall
The Uncomplicated Firewall should be a sufficient solution for setting up a basic firewall. I install the package ufw, and start and enable its service afterwards:
sudo pacman -S ufw
sudo systemctl start ufw.service
sudo systemctl enable ufw.service
A basic configuration is to simply deny all traffic. I activate this rule once before viewing the service status:
sudo ufw default deny
sudo ufw enable
sudo ufw status
Additionally, you may want to disable ufw logging to avoid cluttering system logs by executing:
sudo ufw logging off
Package management
In order to automatically retrieve, build and install the many packages from the Arch User Repository (AUR), I install an AUR helper that preserves the pacman syntax and is a wrapper for it.
AUR helper
First, I install yay by using the manual installation approach:
sudo pacman -S --needed base-devel git
git clone https://aur.archlinux.org/yay
cd yay
makepkg -si
Afterwards, I clean up the build directory:
cd ..
rm -rf yay
Now it's time for upgrading packages using yay as a pacman wrapper:
yay -Syu
Omit debug files
To avoid the installation of any -debug packages identified as missing by a
package update notifier, you may need to adapt options in the GLOBAL PACKAGE
OPTIONS section of /etc/makepkg.conf. Though the default should contain !debug, my line is:
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)
For this reason, I change it to:
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto)
Console improvements
To ease work on the terminal, I configure some console improvements: for example,
color output in the console, command-line completion with the <TAB> key, and
aliases for frequently used commands.
Fancy prompt
The customization of the bash shell is configured via a dotfile in my user $HOME directory:
# The quoted 'EOF' delimiter writes $-, $? and $(...) literally instead of expanding them now
cat <<'EOF' > "$HOME/.bashrc"
#
# ~/.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
# Fancy prompt
PS1='\u@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF
I tend to use another style for the root prompt to make them distinguishable:
# The redirection must run as root, so the here-document is written through sudo tee
sudo tee /root/.bashrc > /dev/null <<'EOF'
#
# ~/.bashrc
#
# Fancy prompt
PS1='\[\033[1;34m\]\u\[\033[0m\]@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF
Aliases
I define the following aliases in both dotfiles:
## aliases
#
alias diff='diff --color=auto'
alias grep='grep --color=auto'
alias ls='ls --color=auto'
alias ll='ls -l --color=auto'
alias lr='ls -R' # recursive ls
alias la='ll -A'
alias lx='ll -BX' # sort by extension
alias lz='ll -rS' # sort by size
alias lt='ll -rt' # sort by date
alias vi=nvim to get used to invoking the original command.
Neovim as default editor
To configure Neovim as the default editor I insert the following variables into the /etc/environment file:
EDITOR=nvim
VISUAL=nvim
Applications that hardcode vi or vim as default editor can be forced to invoke nvim by installing the package neovim-symlinks from the AUR:
yay neovim-symlinks
Neovim has syntax highlighting enabled by default. Other useful options are spell checking and indentation. Most of these are similar to Vim's configuration and you can set them permanently by creating ~/.config/nvim/init.vim. My configuration file contains:
" Recognize file type while editing and enable syntax highlighting, see: https://neovim.io/doc/user/filetype.html#filetype
:filetype plugin on
" Deactivate using the mouse, see: https://neovim.io/doc/user/options.html#'mouse'
set mouse=
" Enable spell checking for US English, see: https://neovim.io/doc/user/spell.html
:setlocal spell spelllang=en_us
nvim directory inside ~/.config/ manually.
Tab-completion and command-not-found
For tab-completion of common programs and options I install the bash-completion package, and tree to list directory trees:
sudo pacman -S bash-completion tree
A command-not-found message, which hints at packages for missing commands, can be set up through the pkgfile program. If you are a beginner on the terminal, this is a handy tool.
Graphics driver
To set display resolution from the kernel space rather than the user space I use
Kernel mode setting. As
the kms module is included in the HOOKS variable in /etc/mkinitcpio.conf,
adaption is needed since mkinitcpio v32. If you have a different GPU vendor,
refer to the Display drivers section in the General recommendations article in
the ArchWiki.
For Intel graphics I enable
GuC/HuC firmware loading and use framebuffer compression to reduce the power
consumption. For this, I create the file /etc/modprobe.d/i915.conf and insert
the following lines:
options i915 enable_guc=3
options i915 enable_fbc=1
You can identify your graphics hardware by using the command:
lspci -v | grep -A1 -e VGA -e 3D
Refer to the ArchWiki and adapt the above setup to fit your specific model.
The acceleration of video output through the hardware can be achieved by installing the package intel-media-driver:
sudo pacman -S intel-media-driver libva-utils
To verify available profiles of the VA-API I run vainfo from the package
libva-utils:
vainfo
I finally reboot my machine to apply the graphics driver configuration and troubleshoot any issues. Configuring the VA-API is only necessary if you encounter errors.
In the next advanced networking guide, I show how to secure and tweak the default network configuration.
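For the Hardware vulnerabilities section above, an added example (not part of the original guide) that classifies the entries under /sys/devices/system/cpu/vulnerabilities/ by the status prefix the kernel writes, so that a partial mitigation such as "SMT vulnerable" is not read as fully mitigated. The function names and the sample directory are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names and sample data are illustrative assumptions.
# Each file in the directory holds one status line that starts with
# "Not affected", "Mitigation: ..." or "Vulnerable...".
cpu_vuln_classify() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=
        IFS= read -r status < "$f" || true   # tolerate a missing trailing newline
        case $status in
            "Not affected"*) state=OK ;;
            "Vulnerable"*)   state=VULNERABLE ;;
            "Mitigation:"*)
                # A mitigation line can still name a residual exposure.
                case $status in
                    *[Vv]ulnerable*) state=PARTIAL ;;
                    *)               state=MITIGATED ;;
                esac ;;
            *) state=UNKNOWN ;;
        esac
        printf '%s\t%s\t%s\n' "$state" "${f##*/}" "$status"
    done
}

# Number of entries that still need attention (anything not OK or MITIGATED).
cpu_vuln_open_count() {
    cpu_vuln_classify "$1" |
        awk -F'\t' '$1 != "OK" && $1 != "MITIGATED" { n++ } END { print n + 0 }'
}

# Constructed sample directory that mimics the sysfs layout.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: No microcode\n' > "$d/srbds"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
cpu_vuln_classify "$sample"
echo "open entries: $(cpu_vuln_open_count "$sample")"
rm -rf "$sample"
```

On a real system, call cpu_vuln_classify without an argument to read the live sysfs directory, before and after the microcode update.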
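For the Sudo, not su section above, an added example (not part of the original guide) that reports which %wheel rule is active in a sudoers file. It assumes the stock file also carries a commented NOPASSWD variant of the wheel rule next to the line the guide uncomments; the function name and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: function name and sample files are illustrative assumptions.
# Prints which kind of %wheel rule is active: none, password, nopasswd or both.
wheel_rule_state() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out rules are inactive
        /^[ \t]*%wheel[ \t]/ {
            if ($0 ~ /NOPASSWD[ \t]*:/) nopw = 1; else pw = 1
        }
        END {
            if (pw && nopw) print "both"     # the later rule wins in sudoers
            else if (nopw)  print "nopasswd"
            else if (pw)    print "password"
            else            print "none"
        }' "$1"
}

# Constructed sample: only the rule from the guide is uncommented.
make_good_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the passwordless variant was uncommented as well.
make_risky_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$f"
}

good=$(make_good_sudoers); risky=$(make_risky_sudoers)
echo "good:  $(wheel_rule_state "$good")"
echo "risky: $(wheel_rule_state "$risky")"
rm -f "$good" "$risky"
```

The installed /etc/sudoers is readable only by root, so run the function as root or on a copy; sudo visudo -c additionally validates the syntax.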