Basic configuration

After system preparation I am able to boot the installed system and log in using the root account.

I check the Internet connection by invoking ping archlinux.org and troubleshoot if necessary. In my case I needed to manually start systemd's network services using the following commands:

systemctl start systemd-networkd.service
systemctl start systemd-resolved.service

Upgrading all packages is advisable at this point and is done with Pacman [1] via:

pacman -Syu

The general basic setup that fits my needs includes the following tasks:

  1. Creating users and groups
  2. Applying security measures
  3. Package management
  4. Adding console improvements
  5. Installing a graphics driver

ℹ️ Some of my instructions are specific to the hardware found in the laptop model Dell Latitude. If you use different desktop or laptop hardware, you should refer to your brand in Category:Laptops and also read the kernel module page to check for hardware support.

Users and groups

I create a new group with the same name as the user to be created to use it as a primary group for this new user (thisven in this example):

groupadd thisven
useradd -m -g thisven -G users -s /bin/bash thisven

I also set a password for the new user:

passwd thisven

Security measures

Although personal computers might be less of a target for cyber attacks, it's important to consider means to mitigate risks and to know about some general security concepts.

Sudo, not su

To avoid unintended modifications, I restrict use of the root account by installing sudo and configuring it for the wheel group:

pacman -Sy sudo
gpasswd -a thisven wheel
EDITOR=vim visudo

In the Vim editor, I uncomment the following line (removing the # and the space character after it) in the file that has just been opened by the visudo command:

# %wheel ALL=(ALL:ALL) ALL

I exit the root session and re-login as the new user thisven. In the user session, I lock the root user login to only allow unprivileged user sessions:

sudo passwd --lock root

Hardware vulnerabilities

The CPU [2] might be vulnerable to known attacks. To display these I run:

grep -r . /sys/devices/system/cpu/vulnerabilities/

For mitigation, use the latest kernel and microcode for your CPU brand. I install the intel-ucode package providing µcode (ucode) for Intel processors:

sudo pacman -Sy intel-ucode

To load the microcode in the boot loader I insert the following line into the file /boot/loader/entries/linux.conf just before the initramfs-linux.img line:

initrd  /intel-ucode.img

The systemd-boot section in the Microcode article of ArchWiki lists an example configuration for further details.
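To make the output of the grep command above easier to compare before and after installing the microcode, the following added example (not part of the original guide) classifies each sysfs entry by its status text. The function names cpu_vuln_report, cpu_vuln_ok and sample_dir are hypothetical, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: classify each sysfs CPU vulnerability entry by its status text.
# The kernel reports "Not affected", "Mitigation: ..." or "Vulnerable...".

# Print "<name> <status>" per entry in directory $1 (default: the real sysfs path).
cpu_vuln_report() (
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        case "$text" in
            "Not affected"*) status=not_affected ;;
            Mitigation*)     status=mitigated ;;
            Vulnerable*)     status=VULNERABLE ;;
            *)               status=unknown ;;
        esac
        # Some entries state that the fix needs microcode that is not loaded.
        case "$text" in
            *[Nn]"o microcode"*) status="$status,no_microcode" ;;
        esac
        printf '%s %s\n' "${f##*/}" "$status"
    done
)

# Succeed only if no entry is classified as VULNERABLE.
cpu_vuln_ok() {
    ! cpu_vuln_report "$1" | grep -q ' VULNERABLE'
}

# Constructed sample directory (not real output from any machine).
sample_dir() {
    d=$(mktemp -d)
    echo 'Not affected' > "$d/l1tf"
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: Microcode' > "$d/srbds"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode' > "$d/mds"
    echo "$d"
}

d=$(sample_dir)
cpu_vuln_report "$d"
cpu_vuln_ok "$d" || echo "at least one entry is still vulnerable"
rm -r "$d"
```

Called without an argument, cpu_vuln_report reads the real /sys/devices/system/cpu/vulnerabilities directory, so it can be run again after rebooting with the microcode loaded.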

Firewall

The Uncomplicated Firewall should be a sufficient solution for setting up a basic firewall. I install the package ufw, and start and enable its service afterwards:

sudo pacman -Sy ufw
sudo systemctl start ufw.service
sudo systemctl enable ufw.service

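A basic configuration is to simply deny all incoming traffic by default; ufw default deny applies to the incoming direction when no direction is given. I set this policy and enable the firewall once before viewing its status: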

sudo ufw default deny
sudo ufw enable
sudo ufw status

Additionally, you may want to disable ufw logging to avoid cluttering system logs by executing:

sudo ufw logging off
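
The sudo, root-lock and firewall steps above can be verified from the output of three commands. This is an added example, not part of the original guide; the function names and the sample output are constructed for illustration, and it assumes the usual output layout of passwd --status and ufw status verbose.

```shell
#!/bin/sh
# Added example: check the sudo, root-lock and ufw steps from command output.

# $1 = sudoers text; succeeds if the %wheel rule is present and uncommented.
wheel_rule_active() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$'
}

# $1 = output of `passwd --status root`; field 2 is L for a locked password.
root_locked() {
    [ "$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')" = "L" ]
}

# $1 = output of `ufw status verbose`; needs active status and denied incoming.
ufw_denies_incoming() {
    printf '%s\n' "$1" | grep -q '^Status: active' &&
        printf '%s\n' "$1" | grep -Eq '^Default: (deny|reject) \(incoming\)'
}

# Print one line per failed check; return 0 only if all three pass.
audit() {
    rc=0
    wheel_rule_active "$1"   || { echo "FAIL: %wheel sudoers rule not active"; rc=1; }
    root_locked "$2"         || { echo "FAIL: root password not locked"; rc=1; }
    ufw_denies_incoming "$3" || { echo "FAIL: ufw inactive or incoming allowed"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: all checks passed"; fi
    return "$rc"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL'
SAMPLE_PASSWD='root L 2024-05-01 -1 -1 -1 -1'
SAMPLE_UFW='Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

audit "$SAMPLE_SUDOERS" "$SAMPLE_PASSWD" "$SAMPLE_UFW"
# On the installed system:
# audit "$(sudo cat /etc/sudoers)" "$(sudo passwd --status root)" "$(sudo ufw status verbose)"
```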

Package management

In order to automatically retrieve, build and install the many packages from the Arch User Repository (AUR), I install an AUR helper that wraps pacman and preserves its syntax.

AUR helper

First, I install yay by using the manual installation approach:

sudo pacman -Sy --needed base-devel git
git clone https://aur.archlinux.org/yay
cd yay
makepkg -si

Afterwards, I clean up the build directory:

cd ..
rm -rf yay

Now it’s time for upgrading packages using yay as a pacman wrapper:

yay -Syu

Omit debug files

To avoid the installation of any -debug packages identified as missing by a package update notifier, you may need to adapt options in the GLOBAL PACKAGE OPTIONS section of /etc/makepkg.conf. Though the default should contain !debug, my line is:

/etc/makepkg.conf
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)

For this reason, I change it to:

/etc/makepkg.conf
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto)

Console improvements

To ease work on the terminal I configure some console improvements, for example color output in the console, command-line completion with the <TAB> key and aliases for frequently used commands.

Fancy prompt

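The customization of the bash shell is configured via a dotfile in my user $HOME directory. The here-document delimiter is quoted ('EOF') so that the shell writes $-, $? and the $(...) inside PS1 literally instead of expanding them while creating the file:

$HOME/.bashrc
cat <<'EOF' > "$HOME/.bashrc"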
#
# ~/.bashrc
#

# If not running interactively, don't do anything
[[ $- != *i* ]] && return

# Fancy prompt
PS1='\u@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF

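I tend to use another style for the root prompt to make the two distinguishable. Because a redirection is performed by the calling unprivileged shell and not by sudo, I write the file through sudo tee:

/root/.bashrc
sudo tee /root/.bashrc > /dev/null <<'EOF'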
#
# ~/.bashrc
#

# Fancy prompt
PS1='\[\033[1;34m\]\u\[\033[0m\]@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF

Aliases

I define the following aliases in both dotfiles:

## aliases
#
alias diff='diff --color=auto'

alias grep='grep --color=auto'

alias ls='ls --color=auto'
alias ll='ls -l --color=auto'
alias lr='ls -R'                    # recursive ls
alias la='ll -A'
alias lx='ll -BX'                   # sort by extension
alias lz='ll -rS'                   # sort by size
alias lt='ll -rt'                   # sort by date

As an alias such as alias vi=vim doesn’t work reliably, I create the following symlink to call vim via vi:

sudo ln -s /usr/bin/vim /usr/bin/vi

Vim configuration

For working efficiently with vim in a graphical desktop environment, I like to deactivate the mouse in order to use the copy & paste function in terminal windows. I also set syntax highlighting [3], indentation and spell checking. I create a ~/.vimrc configuration file and insert the following settings:

$HOME/.vimrc
" Syntax highlighting, see: https://wiki.archlinux.org/title/Vim#Syntax_highlighting
:filetype plugin on
:syntax on
" Indentation, see https://wiki.archlinux.org/title/Vim#Indentation
:filetype indent on
" Deactivate using the mouse, see: https://wiki.archlinux.org/title/Vim#Using_the_mouse
set mouse-=a
" Spell checking, see: https://wiki.archlinux.org/title/Vim#Spell_checking
set spell

For spell checking you need to install a language package. For German I install vim-spell-de as follows:

sudo pacman -Sy vim-spell-de

Tab-completion and command-not-found

For tab-completion of common programs and options I install the bash-completion package, and tree to list directory trees:

sudo pacman -Sy bash-completion tree

A command-not-found message, which hints at packages for missing commands, can be set up through the pkgfile program. I install it via:

sudo pacman -Sy pkgfile

I enable the automatic updates and immediately update the database using:

sudo systemctl enable pkgfile-update.timer
sudo pkgfile -u

Finally, I append the following to my $HOME/.bashrc configuration file (using >> so that the existing content is kept):

cat <<'EOF' >> "$HOME/.bashrc"
source /usr/share/doc/pkgfile/command-not-found.bash
EOF

Graphics driver

To set display resolution from the kernel space rather than the user space I use Kernel mode setting. As the kms module is included in the HOOKS variable in /etc/mkinitcpio.conf, adaption is needed since mkinitcpio v32. If you have a different GPU vendor, refer to the Display drivers section in the General recommendations article in the ArchWiki.

For Intel graphics I enable GuC/HuC firmware loading and use framebuffer compression to reduce the power consumption. For this, I create the file /etc/modprobe.d/i915.conf and insert the following lines:

/etc/modprobe.d/i915.conf
options i915 enable_guc=3
options i915 enable_fbc=1

ℹ️ You can identify your graphics hardware by using the command:

lspci -v | grep -A1 -e VGA -e 3D

Refer to the ArchWiki and adapt the above setup to fit your specific model.

The acceleration of video output through the hardware can be achieved by installing the package intel-media-driver:

sudo pacman -Sy intel-media-driver libva-utils

To verify available profiles of the VA-API I run vainfo from the package libva-utils:

vainfo

I finally reboot my machine to apply the graphics driver configuration and troubleshoot any issues. Configuring VA-API is only necessary if you encounter errors.

In the next advanced networking guide, I show how to secure and tweak the default network configuration.


  1. Pacman in the ArchWiki

  2. CPU in the Wikipedia

  3. Syntax highlighting in the Wikipedia