diff --git a/content/docs/computer/basic-configuration/_index.md b/content/docs/computer/basic-configuration/_index.md new file mode 100644 index 0000000..851ace1 --- /dev/null +++ b/content/docs/computer/basic-configuration/_index.md 
@@ -0,0 +1,498 @@ +--- +title: 'Basic configuration' +date: 2024-04-28T12:07:39+02:00 +--- + +After [system preparation](../system-preparation/) I am able to boot the +installed system and log in using the root account. + +I check the Internet connection invoking `ping archlinux.org` and troubleshoot +if necessary. In my case I needed to manually start Systemd's network services +using the following commands: + +```bash +systemctl start systemd-networkd.service +systemctl start systemd-resolved.service +``` + +[Upgrading packages](https://wiki.archlinux.org/title/Pacman#Upgrading_packages) +is most advisable and done with Pacman [^1] via: + +```bash +pacman -Syu +``` + +The [recommendations](https://wiki.archlinux.org/title/General_recommendations) +for a general basic setup to my needs include the following tasks: + +1. Creating [#Users and groups](#users-and-groups) +2. Apply [#Security measures](#security-measures) +3. Improve [#Privacy settings](#privacy-settings) +4. [#Package management](#package-management) +5. Adding [#Console improvements](#console-improvements) + + +{{< callout type="info" >}} + Some of my instructions are specific to the hardware found in the laptop model + [Dell Latitude](https://wiki.archlinux.org/title/Laptop/Dell#Latitude). If you + use different desktop or laptop hardware, you should refer to the brand in the + [Category:Laptops](https://wiki.archlinux.org/title/Category:Laptops) and also + read the [kernel module](https://wiki.archlinux.org/title/Kernel_module) page + to check for hardware support. 
+{{< /callout >}} + +## Users and groups + +I create a new group with the same name as the user to be created to use it as a +primary group for this new user (`thisven` in this example): + +```bash +groupadd thisven +useradd -m -g thisven -G users -s /bin/bash thisven +``` + +I also set a password for the new user: + +```bash +passwd thisven +``` + +## Security measures + +Although personal computers might be less of a target for cyber attacks, it's +important to consider means to migitate risks and know about some general +[security concepts](https://wiki.archlinux.org/title/Security#Concepts). + +### Sudo, not su + +To avoid unintended modifications restricting the root user by installing and +configuring [sudo](https://wiki.archlinux.org/title/Sudo#Example_entries) for +the `wheel` group is an option I use to implement: + +```bash +pacman -Sy sudo +gpasswd -a patient0 wheel +EDITOR=vim visudo +``` + +In the ViM editor, I uncomment (removing the `#` and space character) in the +following line in the file that has just been opened by the `visudo` command: + +``` +# %wheel ALL=(ALL:ALL) ALL +``` + +I exit the root session and re-login as the new user `thisven`. In the user +session, I lock the root user login to only allow unprivileged user sessions: + +```bash +sudo passwd --lock root +``` + +### Hardware vulnerabilities + +The CPU[^2] might be vulnerable to known attacks. To display these I run: + +```bash +grep -r . /sys/devices/system/cpu/vulnerabilities/ +``` + +For mitigation, use the latest [kernel](https://wiki.archlinux.org/title/Kernel) +and [microcode](https://wiki.archlinux.org/title/Microcode) for your CPU brand. 
+I install the [intel-ucode](https://archlinux.org/packages/?name=intel-ucode) +package providing *µcode* (ucode) for Intel processors: + +```bash +sudo pacman -Sy intel-ucode +``` + +To load the microcode in the boot loader I insert the following line into the +file `/boot/loader/entries/linux.conf` just before the `initramfs-linux.img` +line: + +``` +initrd /intel-ucode.img +``` + +The [systemd-boot](https://wiki.archlinux.org/title/Microcode#systemd-boot) +section in the Microcode article of ArchWiki lists an example configuration for +futher details. + +### Firewall + +The [Uncomplicated Firewall](https://wiki.archlinux.org/title/Uncomplicated_Firewall) +should be a sufficient solution for setting up a basic firewall. I install the +package [ufw](https://archlinux.org/packages/?name=ufw), and start and enable +its service afterwards: + +```bash +sudo pacman -Sy ufw +sudo systemctl start ufw.service +sudo systemctl enable ufw.service +``` + +A basic configuration is to simply deny all traffic. I activate this rule once +before viewing the service status: + +```bash +sudo ufw default deny +sudo ufw enable +sudo ufw status +``` + +Additionally, you may want to [disable ufw logging](https://wiki.archlinux.org/title/Uncomplicated_Firewall#Disable_UFW_logging) +to avoid cluttering system logs by executing: + +```bash +sudo ufw logging off +``` + +## Privacy settings + +Further measures for tightening security and improving privacy include a more +advanced setup of network services and application fine tuning. The next +sections deal with the adaption of default configurations to use trustworthy +service providers (from my perspective) and a high level of encryption to +prevent some leakage of personal data. + +### Securing DNS queries + +The DNS[^3] is used to map IP addresses to domain names. 
DNS traffic from and to +your computer is unencrypted by default and leaks information about the sites +you visit in your web browser or can be used to identify which operating system +you are running, for example. Read more background information on this topic in +the [Privacy and security](https://wiki.archlinux.org/title/Domain_name_resolution#Privacy_and_security) +section in the Arch Wiki article about Domain name resolution. + +Create `/etc/systemd/resolved.conf.d/dnssec.conf` with the following content to +enable [DNSSEC](https://wiki.archlinux.org/title/DNSSEC) for DNS query +validation in Systemd-resolved: + +```ini {filename="/etc/systemd/resolved.conf.d/dnssec.conf"} +[Resolve] +DNSSEC=true +``` + +Additionally, to use TLS[^4] for encrypting the traffic between your host and +the DNS server create `/etc/systemd/resolved.conf.d/dns_over_tls.conf` to enable +[DNS over TLS (DoT)](https://en.wikipedia.org/wiki/DNS_over_TLS) for +Systemd-resolved by containing: + +```ini {filename="/etc/systemd/resolved.conf.d/dns_over_tls.conf"} +[Resolve] +DNS=176.9.93.198#dnsforge.de +DNSOverTLS=yes +``` + +{{< callout type="warning" >}} + The DNS server must support DNS over TLS. Otherwise all requests will fail. A + list of censorship-free DNS servers can be found at + [DNS Checker](https://dnschecker.org/public-dns/de). +{{< /callout >}} + +Afterwards restart the `systemd-resolved.service` to activate the changes: + +```bash +sudo systemctl restart systemd-resolved.service +``` + +Check if the new DNS server is used and `+DNSoverTLS` is listed in *Protocols* +in the output of the following command: + +```bash +resolvectl status +``` + +Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the +file `/etc/hosts` instead of using Systemd's resolver[^5]. 
To prevent resolving +`localhost` over the network I add the following lines to `/etc/hosts`: + +``` +127.0.0.1 localhost +::1 localhost +127.0.1.1 arch-studio24 +``` + +Remember to change `arch-studio24` to your hostname! + +### NTS + +The time synchronization can also be configured to require a TLS connections by +[using NTS servers](https://wiki.archlinux.org/title/Chrony#Using_NTS_servers). +Edit the `/etc/chrony.conf` file to use a NTS server and second one as fallback: + +``` +server ptbtime1.ptb.de offline nts +server nts1.time.nl offline nts +``` + +After editing restart the following services: + +```bash +sudo systemctl restart chronyd.service +sudo systemctl restart NetworkManager-dispatcher.service +``` + +And check the configured NTP servers via: + +```bash +chronyc -N 'sources -a -v' +``` + +### IPv6 privacy + +To prevent [MAC address](https://en.wikipedia.org/wiki/MAC_address) leakage of +my interfaces, I enable the *IPv6 Privacy Extensions* for NetworkManager. I +create the file `/etc/NetworkManager/conf.d/ipv6-privacy.conf` containing: + +``` {filename="/etc/NetworkManager/conf.d/ipv6-privacy.conf"} +[connection] +ipv6.ip6-privacy=2 +``` + +### MAC address randomization + +Additionally, with [MAC address randomization](https://wiki.archlinux.org/title/NetworkManager#Configuring_MAC_address_randomization) +enabled my physical MAC address is never leaked during layer 2 communication. 
+I create the file `/etc/NetworkManager/conf.d/rand-mac-address.conf`: + +``` {filename="/etc/NetworkManager/conf.d/rand-mac-address.conf"} +[device-mac-randomization] +# "yes" is already default, but let's be safe +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +# randomize MAC for each connection +ethernet.cloned-mac-address=random +wifi.cloned-mac-address=random +``` + +Don't forget to restart the `NetworkManager.service` after these adaptions: + +```bash +sudo systemctl restart NetworkManager.service +``` + +## Package management + +In order to automatically retrieve, build and install the many packages from an +[Arch User Repository](https://wiki.archlinux.org/title/Arch_User_Repository) +(AUR) I use to install an AUR helper that preserves the pacman syntax and is a +[wrapper](https://wiki.archlinux.org/title/AUR_helpers#Pacman_wrappers) for it. + +First, I install [yay](https://aur.archlinux.org/packages/yay/) by using the +[manual installation approach](https://wiki.archlinux.org/title/Arch_User_Repository#Installing_and_upgrading_packages): + +```bash +sudo pacman -Sy --needed base-devel git +git clone https://aur.archlinux.org/yay +cd yay +makepkg -si +``` + +Afterwards, I cleanup the build directory afterwards: + +```bash +cd .. +rm -rf yay +``` + +Now it's time for upgrading packages using yay as a pacman wrapper: + +```bash +yay -Syu +``` + +## Console improvements + +To ease work on the terminal I configure some [console improvements](https://wiki.archlinux.org/title/General_recommendations#Console_improvements) +and [color output in console](https://wiki.archlinux.org/title/Color_output_in_console), +use [command-line completion](https://en.wikipedia.org/wiki/Command-line_completion) +with the `` key and set aliases for frequently used commands, for example. 
+ +### Fancy prompt + +The [customization](https://wiki.archlinux.org/title/Bash/Prompt_customization) +of the bash shell is configured via a dotfile in my user `$HOME` directory: + +```bash{filename="$HOME/.bashrc"} +cat < $HOME/.bashrc +# +# ~/.bashrc +# + +# If not running interactively, don't do anything +[[ $- != *i* ]] && return + +# Fancy prompt +PS1='\u@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ ' +EOF +``` + +I tend to use another style for the root prompt to make them distinguishable: + +```bash{filename="/root/.bashrc"} +sudo cat < /root/.bashrc +# +# ~/.bashrc +# + +# Fancy prompt +PS1='\[\033[1;34m\]\u\[\033[0m\]@\h \W $(if [[ $? == 0 ]]; then echo "\[\033[0m\][\[\033[1;32m\]✓\[\033[0m\]]"; else echo "\[\033[0m\][\[\033[1;31m\]✗\[\033[0m\]]"; fi)\$ ' +EOF +``` + +### Aliases + +I define the following [aliases](https://wiki.archlinux.org/title/Bash#Aliases) +in both dotfiles: + +```bash +## aliases +# +alias diff='diff --color=auto' + +alias grep='grep --color=auto' + +alias ls='ls --color=auto' +alias ll='ls -l --color=auto' +alias lr='ls -R' # recursive ls +alias la='ll -A' +alias lx='ll -BX' # sort by extension +alias lz='ll -rS' # sort by size +alias lt='ll -rt' # sort by date +``` + +As an alias such as `alias vi=vim` doesn't work reliably, I create the following +symlink to call `vim` via `vi`: + +```bash +sudo ln -s /usr/bin/vim /usr/bin/vi +``` + +### Vim configuration + +For efficient working with `vim` in a graphical desktop environment, I like to +deactive [using the mouse](https://wiki.archlinux.org/title/Vim#Using_the_mouse) +in order to use the copy & paste function in terminal windows. I also set syntax +highlighting[^6], indentation and spell checking. 
I create a `~/.vimrc` +configuration file and insert the following settings: + +```vim {filename="$HOME/.vimrc"} +" Syntax highlighting, see: https://wiki.archlinux.org/title/Vim#Syntax_highlighting +:filetype plugin on +:syntax on +" Indentation, see https://wiki.archlinux.org/title/Vim#Indentation +:filetype indent on +" Deactivate using the mouse, see: https://wiki.archlinux.org/title/Vim#Using_the_mouse +set mouse-=a +" Spell checking, see: https://wiki.archlinux.org/title/Vim#Spell_checking +set spell +``` + +For spell checking you need to install a language package. For German I install +[vim-spell-de](https://archlinux.org/packages/?name=vim-spell-de) as follows: + +```bash +sudo pacman -Sy vim-spell-de +``` + +### Tab-completion and command-not-found + +For tab-completion of common programs and options I install the package the +[bash-completion](https://archlinux.org/packages/?name=bash-completion) package +and [tree](https://archlinux.org/packages/?name=tree) to list directory trees: + +```bash +sudo pacman -Sy bash-completion tree +``` + +A [command-not-found](https://wiki.archlinux.org/title/Bash#Command_not_found) +message, which hints to packages for missing commands, can be setup through the +[pkgfile](https://wiki.archlinux.org/title/Pkgfile) programm. I install it via: + +```bash +sudo pacman -Sy pkgfile +``` + +I enable the automatic updates and immediately update the database using: + +```bash +sudo systemctl enable pkgfile-update.timer +sudo pkgfile -u +``` + +Finally, I append the following to my `$HOME/.bashrc` configuration file: + +```bash +cat < $HOME/.bashrc +source /usr/share/doc/pkgfile/command-not-found.bash +EOF +``` + +### Graphics driver + +To set display resolution from the kernel space rather than the user space I use +[Kernel mode setting](https://wiki.archlinux.org/title/Kernel_mode_setting). As +the `kms` module is included in the `HOOKS` variable in `/etc/mkinitcpio.conf`, +adaption is needed since mkinitcpio v32. 
If you have a different GPU vendor, +refer to the *Display drivers* section in the General recommendations article in +the ArchWiki. + +For [Intel graphics](https://wiki.archlinux.org/title/Intel_graphics) I enable +GuC/HuC firmware loading and use framebuffer compression to reduce the power +consumption. For this, I create the file `/etc/modprobe.d/i915.conf` and insert +the following lines: + +``` {filename="/etc/modprobe.d/i915.conf"} +options i915 enable_guc=3 +options i915 enable_fbc=1 +``` + +{{< callout type="info" >}} + You can identify your graphics hardware by using the command: + + ```bash + lspci -v | grep -A1 -e VGA -e 3D + ``` + + Refer to the ArchWiki and adapt the above setup to fit your specific model. +{{< /callout >}} + +The [acceleration](https://wiki.archlinux.org/title/Hardware_video_acceleration) +of video output through the hardware can be achieved by installing the package +[intel-media-driver](https://archlinux.org/packages/?name=intel-media-driver): + +```bash +sudo pacman -Sy intel-media-driver libva-utils +``` + +To verify available profiles of the VA-API I run `vainfo` from the package +[libva-utils](https://archlinux.org/packages/?name=libva-utils): + +```bash +vainfo +``` + +I finally [reboot](../system-preparation/#reboot) my machine to apply the +graphics driver configuration and troubleshoot any issues. The configuring of +the VA-API is only necessary if you encounter errors. + +As the general recommendations state, running graphical applications requires a +GUI[^7]. On the [Xfce desktop](../xfce-desktop/) page I will describe how to +install and setup a desktop environment. 
+ + +[^1]: [Pacman](https://wiki.archlinux.org/title/Pacman) in the ArchWiki +[^2]: [CPU](https://en.wikipedia.org/wiki/Central_processing_unit) in the +Wikipedia +[^3]: [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) in +the Wikipedia +[^4]: [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) +in the Wikipedia +[^5]: The [localhost is resolved over the network](https://wiki.archlinux.org/title/Network_configuration#localhost_is_resolved_over_the_network) +section of the Network configuration article in the ArchWiki +[^6]: [Syntax highlighting](https://en.wikipedia.org/wiki/Syntax_highlighting) +in the Wikipedia +[^7]: [Graphical user interface](https://en.wikipedia.org/wiki/Graphical_user_interface) +in the Wikipedia \ No newline at end of file
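Review bot: the sudo step grants `wheel` to a user this page never creates: `gpasswd -a patient0 wheel` should be `gpasswd -a thisven wheel`, since the Users and groups section creates `thisven` and the text then re-logs in as `thisven` and runs `sudo passwd --lock root`; as written, root is locked while the only real user has no sudo rights. The dotfile snippets in Fancy prompt and Tab-completion also do not do what the prose says: `cat < $HOME/.bashrc` reads the file rather than writing it (a here-document needs `cat > "$HOME/.bashrc" << 'EOF'`, with the delimiter quoted so `$-`, `$?` and the `\[ ... \]` prompt escapes reach the file unexpanded), the final pkgfile snippet should use `>>` because the text says "append", and `sudo cat < /root/.bashrc` is still redirected by the unprivileged caller's shell, so something like `sudo tee /root/.bashrc << 'EOF' > /dev/null` is needed. Two smaller points: `pacman -Sy <pkg>` refreshes the sync database without upgrading, which risks a partial upgrade on Arch, so after the initial `pacman -Syu` use plain `-S <pkg>` (or `-Syu <pkg>`); and the Firewall text says the default rule denies all traffic, but `ufw default deny` only sets the incoming policy (outgoing stays allowed), so the sentence should say incoming traffic. Typos to fix: migitate, futher, programm, deactive, and the duplicated "afterwards" in "I cleanup the build directory afterwards".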