Wondering what to do next after installing the basic version of Arch? Here’s a checklist!
PS: Some things are already covered in my previous post (Arch installation guide); I’ll add a * to those items.
General Edition:
- Sorting the mirrors*: follow the instructions to re-order your mirrors by fastest speed. I have used Reflector.
- Install Sound system and Display Server (Xorg or Wayland)*
- Set up Window manager or Desktop environment like GNOME, Plasma, Xfce etc*
- Create user directory files
sudo pacman -S xdg-user-dirs
xdg-user-dirs-update
- Configure Pacman
Using the below command, you can open the pacman configuration file and uncomment the necessary lines:
  - allow ParallelDownloads under [options]
  - add colors
  - enable VerbosePkgLists to view name, version and size of target packages formatted
  - CleanMethod = KeepCurrent under [options] to clean up the cache so that only outdated tarballs are deleted
  - NoExtract (Guidelines with examples)
sudo nano /etc/pacman.conf
- Set up paccache to clean package cache
sudo pacman -S pacman-contrib
#activate the paccache timer:
sudo systemctl enable paccache.timer
You can automate the process by creating a hook using package paccache-hook under path /etc/pacman.d/hooks/ with a .hook file (e.g. remove_old_cache.hook). Sample script:
[Trigger]
Operation = Remove
Operation = Install
Operation = Upgrade
Type = Package
Target = *
[Action]
Description = Keep the last cache and the currently installed.
When = PostTransaction
Exec = /usr/bin/paccache -rvk2
- Install essential packages:
sudo pacman -S --needed firefox nemo leafpad evince ksnip lximage-qt libreoffice-fresh vlc
- Setting up an AUR helper like yay, pacaur, paru etc: AUR helpers automate usage of the Arch User Repository.
sudo pacman -S --needed base-devel git
mkdir Programs
cd Programs
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
Security Edition:
- Creating a non-root user with sudo permissions* A new installation leaves you with only the superuser account, better known as “root”. Logging in as root for prolonged periods of time, possibly even exposing it via SSH on a server, is insecure. Instead, you should create and use unprivileged user account(s) for most tasks, only using the root account for system administration. How to do that? Add a user and set a password. Add them to the wheel group and use the visudo command to edit the sudoers file. Uncomment the line that allows members of the wheel group to use sudo.
- Set up password managers and install libpwquality
Note: Desktop environments have their own password manager apps available as part of the package.
- Install the microcode* Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to the stability of your system. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
#for AMD:
sudo pacman -S amd-ucode
#for Intel:
sudo pacman -S intel-ucode
#Check the kernel messages with journalctl to see if the microcode has been updated:
journalctl -k --grep='microcode:'
#One should see something similar to the following on every boot, indicating that microcode is updated very early on:
#kernel: microcode: Current revision: 0x00000012
#kernel: microcode: Updated early from: 0x0000000e
- Enforce a delay after a failed login attempt
Add the following line to /etc/pam.d/system-login to add a delay of at least 4 seconds between failed login attempts:
auth optional pam_faildelay.so delay=4000000
#`4000000` is the time in microseconds to delay.
- Restricting root login: Once sudo is properly configured, full root access can be heavily restricted or denied without losing much usability. To disable the root login while still allowing the use of sudo, you can use
passwd --lock root
- Configure SSH: SSH is a protocol used to securely log onto remote systems. Modify the SSH daemon configuration file, typically found at /etc/ssh/sshd_config, to customize the settings:
# Disable root login
PermitRootLogin no
# Enable public key authentication
PubkeyAuthentication yes
# Specify the allowed users (add your sudo user in place of user1 and user2)
AllowUsers user1 user2
# Change the default port
Port 2222
# Limit the number of authentication attempts
MaxAuthTries 3
# Enable two-factor authentication
# (keep both method lists on one line; each space-separated list is an accepted combination)
AuthenticationMethods publickey,password publickey,keyboard-interactive
After making these changes, don’t forget to restart the SSH service for the changes to take effect.
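A check for the sshd_config settings listed above, as an added example that is not part of the original post: it reads the global section the way sshd does (case-insensitive keywords, first value wins) and also flags a method list that has been wrapped onto its own line. The function name audit_sshd_config and the sample file are made up for illustration; it assumes whitespace-separated `Keyword value` lines and does not follow Include files.

```shell
# Added example: audit the global section of an sshd_config file.
# Prints one finding per line; returns 0 only when nothing is found.
audit_sshd_config() {
  awk '
    function need(k, v) {
      if (!(k in got)) { print k ": not set"; bad++ }
      else if (tolower(got[k]) != v) { print k ": is " got[k] ", expected " v; bad++ }
    }
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
    tolower($1) == "match" { exit }      # stop at the first Match block
    index($1, ",") {                     # keywords never contain commas
      print "line " NR ": stray value " $1 " (wrapped line?)"; bad++; next
    }
    {
      k = tolower($1)                    # keywords are case-insensitive
      if (k in got) next                 # sshd keeps the first value it reads
      v = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
      got[k] = v
    }
    END {
      need("permitrootlogin", "no")
      need("pubkeyauthentication", "yes")
      if (!("allowusers" in got)) { print "allowusers: not set"; bad++ }
      if (!("maxauthtries" in got) || got["maxauthtries"] + 0 > 3) {
        print "maxauthtries: above 3 or not set"; bad++
      }
      n = split(got["authenticationmethods"], lists)
      if (n == 0) { print "authenticationmethods: not set"; bad++ }
      for (i = 1; i <= n; i++) if (!index(lists[i], ",")) {
        print "authenticationmethods: " lists[i] " is a single factor"; bad++
      }
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample: the method lists are wrapped onto two lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers user1
MaxAuthTries 3
AuthenticationMethods publickey,password
publickey,keyboard-interactive
EOF
audit_sshd_config "$sample" || echo "fix the findings before restarting sshd"
```

Run it against a copy of /etc/ssh/sshd_config before restarting the service; `sudo sshd -t` then confirms that the daemon itself accepts the file.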
- Configure firewall. By default, no firewall is enabled on Arch. You can configure and apply firewall rules via iptables and nftables. UFW (Uncomplicated Firewall) can also be used. It is a program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.
#Install UFW:
sudo pacman -S ufw
#Enable UFW:
sudo ufw enable
#Check its status:
sudo ufw status numbered
The default settings are good enough for most users.
- Set up backups: Being able to restore your machine and data back to its original state in case of any errors or issues is important.
Pre-requisites to create a backup: external hard drive or server for storing your backup. You can get cloud storage via rsync.net, koofr or BorgBase.
For backup I recommend and use Borg, which is open source and supports a lot of features like compression, duplicity etc. It also has a GUI interface, Vorta.
#For Vorta:
yay -S vorta
# FYI- Maintained by https://github.com/bjo81
#For Borg CLI:
sudo pacman -S borg
For Vorta, check out this video by Sun Knudsen or this step-by-step tutorial by Karthick from OSTechNix.
For Borg CLI, check out the official guide or the tutorial by Karthick from OSTechNix.