Add basic configuration

this.ven 2024-05-19 15:14:36 +02:00
parent 00aa9f0ded
commit 5f8620cf2a


@ -0,0 +1,498 @@
---
title: 'Basic configuration'
date: 2024-04-28T12:07:39+02:00
---
After [system preparation](../system-preparation/) I am able to boot the
installed system and log in using the root account.
I check the Internet connection invoking `ping archlinux.org` and troubleshoot
if necessary. In my case I needed to manually start Systemd's network services
using the following commands:
```bash
systemctl start systemd-networkd.service
systemctl start systemd-resolved.service
```
[Upgrading packages](https://wiki.archlinux.org/title/Pacman#Upgrading_packages)
is most advisable and done with Pacman [^1] via:
```bash
pacman -Syu
```
The [recommendations](https://wiki.archlinux.org/title/General_recommendations)
for a general basic setup to my needs include the following tasks:
1. Creating [#Users and groups](#users-and-groups)
2. Apply [#Security measures](#security-measures)
3. Improve [#Privacy settings](#privacy-settings)
4. [#Package management](#package-management)
5. Adding [#Console improvements](#console-improvements)
{{< callout type="info" >}}
Some of my instructions are specific to the hardware found in the laptop model
[Dell Latitude](https://wiki.archlinux.org/title/Laptop/Dell#Latitude). If you
use different desktop or laptop hardware, you should refer to the brand in the
[Category:Laptops](https://wiki.archlinux.org/title/Category:Laptops) and also
read the [kernel module](https://wiki.archlinux.org/title/Kernel_module) page
to check for hardware support.
{{< /callout >}}
## Users and groups
I create a new group with the same name as the user to be created to use it as a
primary group for this new user (`thisven` in this example):
```bash
groupadd thisven
useradd -m -g thisven -G users -s /bin/bash thisven
```
I also set a password for the new user:
```bash
passwd thisven
```
## Security measures
Although personal computers might be less of a target for cyber attacks, it's
important to consider means to migitate risks and know about some general
[security concepts](https://wiki.archlinux.org/title/Security#Concepts).
### Sudo, not su
To avoid unintended modifications restricting the root user by installing and
configuring [sudo](https://wiki.archlinux.org/title/Sudo#Example_entries) for
the `wheel` group is an option I use to implement:
```bash
pacman -Sy sudo
gpasswd -a patient0 wheel
EDITOR=vim visudo
```
In the ViM editor, I uncomment (removing the `#` and space character) in the
following line in the file that has just been opened by the `visudo` command:
```
# %wheel ALL=(ALL:ALL) ALL
```
I exit the root session and re-login as the new user `thisven`. In the user
session, I lock the root user login to only allow unprivileged user sessions:
```bash
sudo passwd --lock root
```
### Hardware vulnerabilities
The CPU[^2] might be vulnerable to known attacks. To display these I run:
```bash
grep -r . /sys/devices/system/cpu/vulnerabilities/
```
For mitigation, use the latest [kernel](https://wiki.archlinux.org/title/Kernel)
and [microcode](https://wiki.archlinux.org/title/Microcode) for your CPU brand.
I install the [intel-ucode](https://archlinux.org/packages/?name=intel-ucode)
package providing *µcode* (ucode) for Intel processors:
```bash
sudo pacman -Sy intel-ucode
```
To load the microcode in the boot loader I insert the following line into the
file `/boot/loader/entries/linux.conf` just before the `initramfs-linux.img`
line:
```
initrd /intel-ucode.img
```
The [systemd-boot](https://wiki.archlinux.org/title/Microcode#systemd-boot)
section in the Microcode article of ArchWiki lists an example configuration for
futher details.
### Firewall
The [Uncomplicated Firewall](https://wiki.archlinux.org/title/Uncomplicated_Firewall)
should be a sufficient solution for setting up a basic firewall. I install the
package [ufw](https://archlinux.org/packages/?name=ufw), and start and enable
its service afterwards:
```bash
sudo pacman -Sy ufw
sudo systemctl start ufw.service
sudo systemctl enable ufw.service
```
A basic configuration is to simply deny all traffic. I activate this rule once
before viewing the service status:
```bash
sudo ufw default deny
sudo ufw enable
sudo ufw status
```
Additionally, you may want to [disable ufw logging](https://wiki.archlinux.org/title/Uncomplicated_Firewall#Disable_UFW_logging)
to avoid cluttering system logs by executing:
```bash
sudo ufw logging off
```
## Privacy settings
Further measures for tightening security and improving privacy include a more
advanced setup of network services and application fine tuning. The next
sections deal with the adaption of default configurations to use trustworthy
service providers (from my perspective) and a high level of encryption to
prevent some leakage of personal data.
### Securing DNS queries
The DNS[^3] is used to map IP addresses to domain names. DNS traffic from and to
your computer is unencrypted by default and leaks information about the sites
you visit in your web browser or can be used to identify which operating system
you are running, for example. Read more background information on this topic in
the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security)
section in the Arch Wiki article about Domain name resolution.
Create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content to
enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query
validation in Systemd-resolved:
```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"}
[Resolve]
DNSSEC=true
```
Additionally, to use TLS[^4] for encrypting the traffic between your host and
the DNS server create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable
[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for
Systemd-resolved by containing:
```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"}
[Resolve]
DNS=176.9.93.198#dnsforge.de
DNSOverTLS=yes
```
{{< callout type="warning" >}}
The DNS server must support DNS over TLS. Otherwise all requests will fail. A
list of censorship-free DNS servers can be found at
[DNS Checker](https://dnschecker.org/public-dns/de).
{{< /callout >}}
Afterwards restart the `systemd-resolved.service` to activate the changes:
```bash
sudo systemctl restart systemd-resolved.service
```
Check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols*
in the output of the following command:
```bash
resolvectl status
```
Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the
file `/etc/hosts` instead of using Systemd's resolver[^5]. To prevent resolving
`localhost` over the network I add the following lines to `/etc/hosts`:
```
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch-studio24
```
Remember to change `arch-studio24` to your hostname!
### NTS
The time synchronization can also be configured to require a TLS connections by
[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers).
Edit the `/etc/chrony.conf` file to use a NTS server and second one as fallback:
```
server ptbtime1.ptb.de offline nts
server nts1.time.nl offline nts
```
After editing restart the following services:
```bash
sudo systemctl restart chronyd.service
sudo systemctl restart NetworkManager-dispatcher.service
```
And check the configured NTP servers via:
```bash
chronyc -N 'sources -a -v'
```
### IPv6 privacy
To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of
my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I
create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing:
``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"}
[connection]
ipv6.ip6-privacy=2
```
### MAC address randomization
Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization)
enabled my physical MAC address is never leaked during layer 2 communication.
I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`:
``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"}
[device-mac-randomization]
# "yes" is already default, but let's be safe
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
# randomize MAC for each connection
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
```
Don't forget to restart the `NetworkManager.service` after these adaptions:
```bash
sudo systemctl restart NetworkManager.service
```
## Package management
In order to automatically retrieve, build and install the many packages from an
[Arch User Repository](https://wiki.archlinux.org/title/Arch_User_Repository)
(AUR) I use to install an AUR helper that preserves the pacman syntax and is a
[wrapper](https://wiki.archlinux.org/title/AUR_helpers#Pacman_wrappers) for it.
First, I install [yay](https://aur.archlinux.org/packages/yay/) by using the
[manual installation approach](https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgrading_packages):
```bash
sudo pacman -Sy --needed base-devel git
git clone https://aur.archlinux.org/yay
cd yay
makepkg -si
```
Afterwards, I cleanup the build directory afterwards:
```bash
cd ..
rm -rf yay
```
Now it's time for upgrading packages using yay as a pacman wrapper:
```bash
yay -Syu
```
## Console improvements
To ease work on the terminal I configure some [console improvements](https://wiki.archlinux.org/title/General_recommendations#Console_improvements)
and [color output in console](https://wiki.archlinux.org/title/Color_output_in_console),
use [command-line completion](https://en.wikipedia.org/wiki/Command-line_completion)
with the `<TAB>` key and set aliases for frequently used commands, for example.
### Fancy prompt
The [customization](https://wiki.archlinux.org/title/Bash/Prompt_customization)
of the bash shell is configured via a dotfile in my user `$HOME` directory:
```bash{filename="$HOME/.bashrc"}
cat <<EOF > $HOME/.bashrc
#
# ~/.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
# Fancy prompt
PS1='\u@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF
```
I tend to use another style for the root prompt to make them distinguishable:
```bash{filename="/root/.bashrc"}
sudo cat <<EOF > /root/.bashrc
#
# ~/.bashrc
#
# Fancy prompt
PS1='\[\033[1;34m\]\u\[\033[0m\]@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ '
EOF
```
### Aliases
I define the following [aliases](https://wiki.archlinux.org/title/Bash#Aliases)
in both dotfiles:
```bash
## aliases
#
alias diff='diff --color=auto'
alias grep='grep --color=auto'
alias ls='ls --color=auto'
alias ll='ls -l --color=auto'
alias lr='ls -R' # recursive ls
alias la='ll -A'
alias lx='ll -BX' # sort by extension
alias lz='ll -rS' # sort by size
alias lt='ll -rt' # sort by date
```
As an alias such as `alias vi=vim` doesn't work reliably, I create the following
symlink to call `vim` via `vi`:
```bash
sudo ln -s /usr/bin/vim /usr/bin/vi
```
### Vim configuration
For efficient working with `vim` in a graphical desktop environment, I like to
deactive [using the mouse](https://wiki.archlinux.org/title/Vim#Using_the_mouse)
in order to use the copy & paste function in terminal windows. I also set syntax
highlighting[^6], indentation and spell checking. I create a `~/.vimrc`
configuration file and insert the following settings:
```vim {filename="$HOME/.vimrc"}
" Syntax highlighting, see: https://wiki.archlinux.org/title/Vim#Syntax_highlighting
:filetype plugin on
:syntax on
" Indentation, see https://wiki.archlinux.org/title/Vim#Indentation
:filetype indent on
" Deactivate using the mouse, see: https://wiki.archlinux.org/title/Vim#Using_the_mouse
set mouse-=a
" Spell checking, see: https://wiki.archlinux.org/title/Vim#Spell_checking
set spell
```
For spell checking you need to install a language package. For German I install
[vim-spell-de](https://archlinux.org/packages/?name=vim-spell-de) as follows:
```bash
sudo pacman -Sy vim-spell-de
```
### Tab-completion and command-not-found
For tab-completion of common programs and options I install the package the
[bash-completion](https://archlinux.org/packages/?name=bash-completion) package
and [tree](https://archlinux.org/packages/?name=tree) to list directory trees:
```bash
sudo pacman -Sy bash-completion tree
```
A [command-not-found](https://wiki.archlinux.org/title/Bash#Command_not_found)
message, which hints to packages for missing commands, can be setup through the
[pkgfile](https://wiki.archlinux.org/title/Pkgfile) programm. I install it via:
```bash
sudo pacman -Sy pkgfile
```
I enable the automatic updates and immediately update the database using:
```bash
sudo systemctl enable pkgfile-update.timer
sudo pkgfile -u
```
Finally, I append the following to my `$HOME/.bashrc` configuration file:
```bash
cat <<EOF > $HOME/.bashrc
source /usr/share/doc/pkgfile/command-not-found.bash
EOF
```
### Graphics driver
To set display resolution from the kernel space rather than the user space I use
[Kernel mode setting](https://wiki.archlinux.org/title/Kernel_mode_setting). As
the `kms` module is included in the `HOOKS` variable in `/etc/mkinitcpio.conf`,
adaption is needed since mkinitcpio v32. If you have a different GPU vendor,
refer to the *Display drivers* section in the General recommendations article in
the ArchWiki.
For [Intel graphics](https://wiki.archlinux.org/title/Intel_graphics) I enable
GuC/HuC firmware loading and use framebuffer compression to reduce the power
consumption. For this, I create the file `/etc/modprobe.d/i915.conf` and insert
the following lines:
``` {filename="/etc/modprobe.d/i915.conf"}
options i915 enable_guc=3
options i915 enable_fbc=1
```
{{< callout type="info" >}}
You can identify your graphics hardware by using the command:
```bash
lspci -v | grep -A1 -e VGA -e 3D
```
Refer to the ArchWiki and adapt the above setup to fit your specific model.
{{< /callout >}}
The [acceleration](https://wiki.archlinux.org/title/Hardware_video_acceleration)
of video output through the hardware can be achieved by installing the package
[intel-media-driver](https://archlinux.org/packages/?name=intel-media-driver):
```bash
sudo pacman -Sy intel-media-driver libva-utils
```
To verify available profiles of the VA-API I run `vainfo` from the package
[libva-utils](https://archlinux.org/packages/?name=libva-utils):
```bash
vainfo
```
I finally [reboot](../system-preparation/#reboot) my machine to apply the
graphics driver configuration and troubleshoot any issues. The configuring of
the VA-API is only necessary if you encounter errors.
As the general recommendations state, running graphical applications requires a
GUI[^7]. On the [Xfce desktop](../xfce-desktop/) page I will describe how to
install and setup a desktop environment.
[^1]: [Pacman](https://wiki.archlinux.org/title/Pacman) in the ArchWiki
[^2]: [CPU](https://en.wikipedia.org/wiki/Central_processing_unit) in the
Wikipedia
[^3]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in
the Wikipedia
[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security)
in the Wikipedia
[^5]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network)
section of the Network configuration article in the ArchWiki
[^6]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting)
in the Wikipedia
[^7]: [Graphical user interface](https://en.wikipedia.org/wiki/Graphical_user_interface)
in the Wikipedia
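Review bot: in the "Sudo, not su" step, `gpasswd -a patient0 wheel` adds a user named `patient0` to `wheel`, but the account created above is `thisven`; as written `thisven` never receives sudo rights, so the following `sudo passwd --lock root` either fails or, if a stale `patient0` account exists on the machine, leaves the wrong account privileged. Change it to `gpasswd -a thisven wheel` and confirm with `sudo -l` from the new session before locking root, since locking root without a working `wheel` member leaves no way to administer the system. The heredocs in the prompt sections also need a quoted delimiter: with `cat <<EOF > $HOME/.bashrc` the shell expands `$-`, `$?` and the `$(if ...)` command substitution at write time, so the resulting `.bashrc` carries a fixed tick mark instead of the dynamic exit-status check; write `cat <<'EOF' > "$HOME/.bashrc"` instead. In the root variant `sudo cat <<EOF > /root/.bashrc` the redirection is performed by the unprivileged shell and is refused for `/root`; pipe through `sudo tee /root/.bashrc` rather than redirecting around `sudo`. The pkgfile step says "append" but uses `cat <<EOF > $HOME/.bashrc`, which truncates the file and discards the prompt and aliases defined earlier; that needs `>>`. Finally, the repeated `sudo pacman -Sy <pkg>` invocations refresh the package database without upgrading, which on Arch leaves a partial-upgrade state; after the initial `pacman -Syu`, use `pacman -S <pkg>` (or `pacman -Syu <pkg>`) for each later install.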