lnxsrv.org

Personal knowledge base including Linux and self host guides






                                            Andreas Bauer. All rights reserved.

                                            Self-Hosted

                                            Self-hosting guides



Self-hosting is the practice of running and maintaining a website or service using a private server, instead of using a service outside of someone's own control.




                                            Virtual Mail Server

                                            How to establish a complete virtual user mail system




Postfix will be our MTA (mail transfer agent) to send and receive encrypted mail. Virtual mail users will be managed with PostfixAdmin, a web interface for Postfix. An unlimited number of domains and domain-specific user names may be managed and will be stored in a SQL database. Dovecot will be our MDA (mail delivery agent) to access email via secure IMAP from Roundcube, a web-based MUA (mail user agent), or from a desktop MUA like Evolution. All mail communications will be secured with a TLS certificate. SPF (Sender Policy Framework) will ensure that only verified servers/IP addresses may send mail from a given domain, and DKIM (DomainKeys Identified Mail) will sign all outgoing messages with verification keys. These measures prevent our outgoing mail from ending up in the junk box or our server being blacklisted for spam entirely. DMARC (Domain-based Message Authentication, Reporting and Conformance) ensures that both DKIM and SPF are properly enforced. Amavis and SpamAssassin will filter messages for spam and ClamAV will be used for virus protection.

Postfix
├── PostfixAdmin
├── Dovecot
├── SPF
├── DKIM
├── DMARC
├── Amavis
│   ├── SpamAssassin
│   └── ClamAV
└── Roundcube
                                            

                                            Postfix

                                            Install Postfix and MariaDB packages.

                                            pacman -Syu postfix mariadb postfix-mysql ca-certificates
                                            

Configure Postfix: uncomment, add or modify the default Postfix settings.

                                            /etc/postfix/main.cf
                                            
                                            mail_owner = postfix
                                            myhostname = mail.wildw1ng.com
                                            mydomain = wildw1ng.com
                                            myorigin = $mydomain
                                            inet_interfaces = all
                                            mydestination = $myhostname, localhost.$mydomain, localhost
                                            mynetworks = 10.0.0.0/22, 127.0.0.0/8
                                            relayhost =
                                            alias_maps = hash:/etc/postfix/aliases
                                            alias_database = $alias_maps
                                            home_mailbox = Maildir/
                                            smtpd_banner = $myhostname ESMTP $mail_name (Arch Linux)
                                            inet_protocols = ipv4
                                            append_dot_mydomain = no
                                            mailbox_size_limit = 0
                                            
                                            relay_domains = $mydestination
                                            virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,proxy:mysql:/etc/postfix/virtual_alias_domains_maps.cf
                                            virtual_alias_domains = proxy:mysql:/etc/postfix/virtual_alias_domains.cf
                                            virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
                                            virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
                                            virtual_mailbox_base = /home/vmail
                                            virtual_mailbox_limit = 512000000
                                            virtual_minimum_uid = 5000
                                            virtual_transport = virtual
                                            virtual_uid_maps = static:5000
                                            virtual_gid_maps = static:5000
                                            local_transport = virtual
                                            local_recipient_maps = $virtual_mailbox_maps
                                            transport_maps = hash:/etc/postfix/transport
                                            
                                            # Secure SMTP (receiving)
                                            smtpd_tls_security_level = may
                                            smtpd_use_tls = yes
                                            smtpd_tls_cert_file = /etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem
                                            smtpd_tls_key_file = /etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem
                                            smtpd_tls_CApath = /etc/ssl/certs
                                            smtpd_sasl_auth_enable = yes
                                            smtpd_sasl_type = dovecot
                                            smtpd_sasl_path = /var/run/dovecot/auth-client
                                            smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy-spf
                                            smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
                                            smtpd_sasl_security_options = noanonymous
                                            smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
                                            smtpd_tls_auth_only = yes
                                            smtpd_tls_received_header = yes
                                            smtpd_sasl_local_domain = $mydomain
                                            smtpd_tls_loglevel = 1
                                            
                                            # Enable SASL authentication
                                            smtp_sasl_auth_enable = yes
# Disallow any methods that allow anonymous authentication
                                            smtp_sasl_security_options = noanonymous
                                            # Define the sasl_passwd file location
                                            smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
                                            
                                            # Enable STARTTLS encryption
                                            smtp_use_tls = yes
                                            
                                            # Secure SMTP (sending)
                                            smtp_tls_security_level = may
                                            # smtp_tls_security_level = secure
                                            # smtp_enforce_tls = yes
                                            
                                            # Enable TLS logging
                                            smtp_tls_loglevel = 1
                                            
                                            # Discovering servers that support TLS
                                            smtp_tls_note_starttls_offer = yes
                                            
                                            non_smtpd_milters   = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
                                            smtpd_milters       = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
                                            
                                            policy-spf_time_limit = 3600s
                                            
                                            # Disable VRFY (verify)
                                            disable_vrfy_command = yes
                                            
                                            # Block spam using DNS blacklists
                                            smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client bl.spamcop.net
                                            # reject_rbl_client zen.spamhaus.org
                                            
                                            smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
                                            
                                            # Require the client to provide a HELO/EHLO hostname
                                            smtpd_helo_required = yes
                                            smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
                                            smtp_helo_name = $mydomain
                                            
# Unsubscribe header
                                            header_checks = regexp:/etc/postfix/list_unsub_header
                                            
                                            # Protecting against forged sender addresses
                                            smtpd_sender_login_maps=mysql:/etc/postfix/virtual_alias_maps.cf
                                            
                                            # Hide the sender's IP and user agent in the Received header
                                            smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
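
The settings above decide who may relay through the server and how SASL credentials travel. As an added example (not part of this guide or of Postfix itself), the following Python script parses main.cf syntax (key = value, # comments, indented continuation lines, $name and ${name} references) and flags the settings a reviewer checks first: relay restrictions, TLS-only authentication, VRFY, the HELO requirement and an over-broad mynetworks. Both sample configurations are constructed for the demonstration; the parameter names are real Postfix parameters, the hostnames are placeholders.

```python
"""Audit the security-relevant settings of a Postfix main.cf (added example)."""
import re

# Constructed sample modelled on the main.cf shown in the guide.
GOOD_MAIN_CF = """\
# receiving side
myhostname = mail.example.test
mynetworks = 10.0.0.0/22, 127.0.0.0/8
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
disable_vrfy_command = yes
smtpd_helo_required = yes
"""

# Constructed sample with several weak settings, for comparison.
WEAK_MAIN_CF = """\
mynetworks = 0.0.0.0/0
smtpd_tls_auth_only = no
smtpd_sasl_security_options =
smtpd_relay_restrictions = permit_mynetworks, permit, reject_unauth_destination
disable_vrfy_command = no
"""

_VAR = re.compile(r"\$\{([A-Za-z0-9_]+)\}|\$([A-Za-z0-9_]+)")


def parse_main_cf(text):
    """Return {parameter: raw value} using Postfix's logical-line rules."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # a whitespace-led line continues the previous value
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Resolve $name and ${name} references recursively, as Postfix does."""
    if depth > 10:
        raise ValueError("too deeply nested $variable reference")

    def resolve(match):
        name = match.group(1) or match.group(2)
        return expand(params, params.get(name, ""), depth + 1)

    return _VAR.sub(resolve, value)


def words(params, name, default=""):
    """Expanded value of a list parameter, split into its tokens."""
    return [t for t in re.split(r"[\s,]+", expand(params, params.get(name, default))) if t]


def is_yes(params, name, default="no"):
    return expand(params, params.get(name, default)).strip().lower() == "yes"


# Postfix's built-in default for smtpd_relay_restrictions (Postfix 2.10 and later).
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"


def audit(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    relay = words(params, "smtpd_relay_restrictions", DEFAULT_RELAY)
    stop = [i for i, t in enumerate(relay)
            if t in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stop:
        findings.append("open relay: smtpd_relay_restrictions never rejects unauthorised destinations")
    elif "permit" in relay[:stop[0]]:
        findings.append("open relay: an unconditional 'permit' precedes reject_unauth_destination")
    if not is_yes(params, "smtpd_tls_auth_only"):
        findings.append("smtpd_tls_auth_only is not yes: SASL credentials may be sent over plaintext SMTP")
    if "noanonymous" not in words(params, "smtpd_sasl_security_options", "noanonymous"):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    if not is_yes(params, "disable_vrfy_command"):
        findings.append("VRFY enabled: set disable_vrfy_command = yes to stop address harvesting")
    if not is_yes(params, "smtpd_helo_required"):
        findings.append("smtpd_helo_required is not yes")
    for net in words(params, "mynetworks"):
        if net in ("0.0.0.0/0", "::/0"):
            findings.append(f"mynetworks trusts every client ({net}): permit_mynetworks acts like permit_all")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_MAIN_CF), ("weak", WEAK_MAIN_CF)):
        print(label, audit(parse_main_cf(text)) or ["no findings"])
```

Run it against a real file with audit(parse_main_cf(open("/etc/postfix/main.cf").read())); the checks mirror the settings in the configuration above, so a clean result means those particular settings are in place, not that the server is fully hardened.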
                                            

                                            /etc/postfix/master.cf
                                            
                                            # ==========================================================================
                                            # service type  private unpriv  chroot  wakeup  maxproc command + args
                                            #               (yes)   (yes)   (no)    (never) (100)
                                            # ==========================================================================
                                            smtp      inet  n       -       n       -       -       smtpd
                                              -o content_filter=amavisfeed:[127.0.0.1]:10024
                                            
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=amavisfeed:[127.0.0.1]:10024
                                            
                                            policy-spf  unix  -       n       n       -       0       spawn
                                                    user=nobody argv=/usr/bin/policyd-spf
                                            
                                            amavisfeed      unix  -    -       n       -       2       smtp
                                             -o smtp_data_done_timeout=1200
                                             -o smtp_send_xforward_command=yes
                                             -o disable_dns_lookups=yes
                                             -o max_use=20
                                            
                                            127.0.0.1:10025 inet n  -       y       -       -       smtpd
                                             -o content_filter=
                                             -o smtpd_delay_reject=no
                                             -o smtpd_client_restrictions=permit_mynetworks,reject
                                             -o smtpd_helo_restrictions=
                                             -o smtpd_sender_restrictions=
                                             -o smtpd_recipient_restrictions=permit_mynetworks,reject
                                             -o smtpd_data_restrictions=reject_unauth_pipelining
                                             -o smtpd_end_of_data_restrictions=
                                             -o mynetworks=127.0.0.0/8
                                             -o smtpd_error_sleep_time=0
                                             -o smtpd_soft_error_limit=1001
                                             -o smtpd_hard_error_limit=1000
                                             -o smtpd_client_connection_count_limit=0
                                             -o smtpd_client_connection_rate_limit=0
                                             -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
                                             -o local_header_rewrite_clients=
                                            

                                            Create unprivileged user

                                            For security reasons, we create a new user vmail to store the mails.

                                            groupadd -g 5000 vmail
                                            
                                            useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail
                                            

                                            We use a gid and uid of 5000 in both cases so that we do not run into conflicts with regular users.
                                            All our mail will be stored in /home/vmail.


                                            MariaDB

                                            We have to initialize the MariaDB data directory and create the system tables in the mysql database before starting the mariadb.service.

                                            mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
                                            

                                            Enable and start mariadb.service.

                                            systemctl enable mariadb
                                            
                                            systemctl start mariadb
                                            

                                            Improve the initial security of our MariaDB installation with recommended security measures,
                                            such as removing anonymous accounts and removing the test database.
                                            When prompted to “Switch to unix_socket authentication” enter n for No.

                                            mysql_secure_installation
                                            

                                            By default, MySQL will listen on the 0.0.0.0 address, which includes all network interfaces.
                                            We have to restrict MySQL to listen only to the loopback address.

                                            /etc/my.cnf.d/server.cnf
                                            
                                            [mysqld]
                                            #bind-address = localhost
                                            bind-address = 127.0.0.1
                                            

                                            Restart mariadb.service.

                                            systemctl restart mariadb
                                            

                                            Postfix database initialization

                                            We have to create an empty database and give the corresponding user permission to use the database.
                                            postfix_user will have read/write access to the database postfix_db using POSTFIXDBPASSWORD as password.

                                            mysql -u root -p
                                            
                                            CREATE DATABASE postfix_db;
                                            
                                            GRANT ALL ON postfix_db.* TO 'postfix_user'@'localhost' IDENTIFIED BY 'POSTFIXDBPASSWORD';
                                            
                                            FLUSH PRIVILEGES;
                                            
                                            QUIT;
                                            

We have to create the lookup-table configuration files that tell Postfix how to query the database for virtual domains, mailboxes and aliases.

                                            /etc/postfix/virtual_alias_maps.cf
                                            
                                            user = postfix_user
                                            password = POSTFIXDBPASSWORD
                                            hosts = localhost
                                            dbname = postfix_db
                                            table = alias
                                            select_field = goto
                                            where_field = address
                                            

                                            /etc/postfix/virtual_mailbox_domains.cf
                                            
                                            user = postfix_user
                                            password = POSTFIXDBPASSWORD
                                            hosts = localhost
                                            dbname = postfix_db
                                            table = domain
                                            select_field = domain
                                            where_field = domain
                                            

                                            /etc/postfix/virtual_mailbox_maps.cf
                                            
                                            user = postfix_user
                                            password = POSTFIXDBPASSWORD
                                            hosts = localhost
                                            dbname = postfix_db
                                            table = mailbox
                                            select_field = maildir
                                            where_field = username
                                            

                                            /etc/postfix/virtual_alias_domains_maps.cf
                                            
                                            user = postfix_user
                                            password = POSTFIXDBPASSWORD
                                            hosts = localhost
                                            dbname = postfix_db
                                            query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = '1' AND alias_domain.active='1'
                                            

                                            /etc/postfix/virtual_alias_domains.cf
                                            
                                            user = postfix_user
                                            password = POSTFIXDBPASSWORD
                                            hosts = localhost
                                            dbname = postfix_db
                                            query = SELECT alias_domain FROM alias_domain WHERE alias_domain='%s' AND active = '1'
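
To see what these lookup tables actually send to MariaDB, here is an added example (not from this guide or from Postfix) that reproduces the key-expansion rules of mysql_table(5) for %s, %u, %d and %%, using the two queries from the files above. The backslash escaping of quotes is a simplification of the client-library quoting that Postfix applies; the sample keys are constructed.

```python
"""Expand the %s/%u/%d placeholders of a Postfix mysql table query (added example)."""

# The two queries from the lookup-table files above.
ALIAS_DOMAINS_QUERY = (
    "SELECT alias_domain FROM alias_domain "
    "WHERE alias_domain='%s' AND active = '1'"
)
ALIAS_DOMAINS_MAPS_QUERY = (
    "SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' "
    "and alias.address = CONCAT('%u', '@', alias_domain.target_domain) "
    "AND alias.active = '1' AND alias_domain.active='1'"
)


def quote(value):
    """Escape a key component before it is placed inside SQL quotes (simplified MySQL rule)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_query(template, key):
    """Return the SQL Postfix would send for `key`, or None if the lookup is suppressed.

    %s  whole key            %u  local part (whole key when there is no '@')
    %d  domain part          %%  literal percent sign
    A %d in the template combined with a key that has no domain suppresses the query.
    """
    local, at, domain = key.rpartition("@")
    user = local if at else key
    domain = domain if at else None
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            spec = template[i + 1]
            if spec == "%":
                out.append("%")
            elif spec == "s":
                out.append(quote(key))
            elif spec == "u":
                out.append(quote(user))
            elif spec == "d":
                if domain is None:
                    return None  # Postfix skips the query and reports "not found"
                out.append(quote(domain))
            else:
                raise ValueError(f"unsupported expansion %{spec}")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample keys: a plain domain, a bare local part, and an address
    # whose local part contains an apostrophe that must be escaped.
    for key in ("alias.example.test", "postmaster", "o'brien@alias.example.test"):
        print(key, "->", expand_query(ALIAS_DOMAINS_MAPS_QUERY, key))
```

The bare key "postmaster" shows why the alias-domain query is safe to combine with the other maps: without a domain part the %d lookup is suppressed instead of matching every row.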
                                            

                                            Only postfix should have access rights to these files, as they contain passwords.

                                            chown root:postfix -R /etc/postfix/
                                            
                                            chmod 640 /etc/postfix/virtual_*
                                            

We have to run postmap on the transport map (/etc/postfix/transport, referenced by transport_maps above) to generate its lookup database.

                                            postmap /etc/postfix/transport
                                            

                                            Dovecot

                                            Install Dovecot package.

                                            pacman -Syu dovecot
                                            

                                            Create the dovecot configuration directory and configuration files.

                                            mkdir /etc/dovecot
                                            

                                            /etc/dovecot/dovecot.conf
                                            
                                            protocols = imap
                                            listen = *
                                            auth_mechanisms = plain login
                                            passdb {
                                                driver = sql
                                                args = /etc/dovecot/dovecot-sql.conf
                                            }
                                            userdb {
                                                driver = sql
                                                args = /etc/dovecot/dovecot-sql.conf
                                            }
                                            
                                            service auth {
                                                unix_listener auth-client {
                                                    group = postfix
                                                    mode = 0660
                                                    user = postfix
                                                }
                                                user = root
                                            }
                                            
                                            
                                            mail_home = /home/vmail/%d/%n
                                            mail_location = maildir:~
                                            
                                            ssl_dh = </etc/dovecot/dh.pem
                                            
                                            ssl_cert = </etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem
                                            ssl_key = </etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem
                                            

                                            /etc/dovecot/dovecot-sql.conf
                                            
                                            driver = mysql
                                            connect = host=localhost dbname=postfix_db user=postfix_user password=POSTFIXDBPASSWORD
                                            # It is highly recommended to not use deprecated MD5-CRYPT. Read more at http://wiki2.dovecot.org/Authentication/PasswordSchemes
                                            default_pass_scheme = SHA512-CRYPT
                                            # Get the mailbox
                                            user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 5000 AS uid, 5000 AS gid, concat('dirsize:storage=',  quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
                                            # Get the password
                                            password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home, 'maildir:/home/vmail/%d/%n' as userdb_mail, 5000 as  userdb_uid, 5000 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
                                            # If using client certificates for authentication, comment the above and uncomment the following
#password_query = SELECT null AS password, '%u' AS user
                                            

                                            Set permissions.

                                            chown dovecot:dovecot /etc/dovecot/*
                                            

                                            Remove the old temporary SSL parameters file.

                                            rm /var/lib/dovecot/ssl-parameters.dat
                                            

                                            We are required to provide DH parameters. Generate a new DH parameters file (this might take a long time).

                                            openssl dhparam -out /etc/dovecot/dh.pem 4096
                                            

Enable Dovecot debug logging while troubleshooting. Note that auth_debug_passwords = yes writes the passwords of failed login attempts to the log in clear text, so turn these options off again once authentication works.

                                            /etc/dovecot/dovecot.conf
                                            
                                            auth_verbose = yes
                                            auth_verbose_passwords = no
                                            auth_debug = yes
                                            auth_debug_passwords = yes
                                            mail_debug = yes
                                            verbose_ssl = yes
                                            

                                             Test IMAP over TLS. The letter a in front of each command is the IMAP tag that the server echoes back in its reply.

                                            openssl s_client -connect 127.0.0.1:993
                                            
                                            a login admin@wildw1ng.com PASSWORD
                                            
                                            a examine inbox
                                            
                                            a logout
                                            

                                            PostfixAdmin

                                             Web interface for Postfix used to manage mailboxes, virtual domains and aliases.


                                            Install PostfixAdmin, Apache and PHP packages.

                                            pacman -Syu postfixadmin apache php-fpm php-imap
                                            

                                            Apache HTTP Server configuration

                                            /etc/httpd/conf/httpd.conf
                                            
                                            ServerName localhost
                                            Listen 0.0.0.0:80
                                            
                                            # php-fpm, an alternative PHP FastCGI implementation with some additional features (mostly) useful for heavy-loaded sites
                                            LoadModule proxy_module modules/mod_proxy.so
                                            LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
                                            
                                            # SSL
                                            LoadModule ssl_module modules/mod_ssl.so
                                            LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
                                            LoadModule rewrite_module modules/mod_rewrite.so
                                            
                                            # Virtual hosts
                                            Include conf/extra/httpd-vhosts.conf
                                            
                                            # PostfixAdmin
                                            Include /etc/httpd/conf/postfixadmin.conf
                                            
                                            # php-fpm
                                            Include conf/extra/php-fpm.conf
                                            
                                            # Secure (SSL/TLS) connections
                                            Include conf/extra/httpd-ssl.conf
                                            
                                            <IfModule ssl_module>
                                            SSLRandomSeed startup builtin
                                            SSLRandomSeed connect builtin
                                            </IfModule>
                                            
                                            <IfModule mod_ssl.c>
                                            Listen 0.0.0.0:443
                                            </IfModule>
                                            Include /etc/httpd/conf/extra/httpd-vhosts-le-ssl.conf
                                            

                                            php-fpm proxy configuration

                                            /etc/httpd/conf/extra/php-fpm.conf
                                            
                                            DirectoryIndex index.php index.html
                                            <FilesMatch \.php$>
                                                SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
                                            </FilesMatch>
                                            
                                            chmod 644 /etc/httpd/conf/extra/php-fpm.conf
                                            

                                            Configure Apache HTTP Server with php-fpm

                                            /etc/httpd/conf/postfixadmin.conf
                                            
                                            Alias /postfixadmin "/usr/share/webapps/postfixadmin/public"
                                            <Directory "/usr/share/webapps/postfixadmin/public">
                                                DirectoryIndex index.html index.php
                                                <FilesMatch \.php$>
                                                    SetHandler "proxy:unix:/run/postfixadmin/postfixadmin.sock|fcgi://localhost/"
                                                </FilesMatch>
                                                AllowOverride All
                                                Options FollowSymlinks
                                                Require all granted
                                                SetEnv PHP_ADMIN_VALUE "open_basedir = /tmp/:/usr/share/webapps/postfixadmin:/etc/webapps/postfixadmin/:/var/cache/postfixadmin/templates_c"
                                            </Directory>
                                            

                                            /etc/php/php-fpm.d/postfixadmin.conf
                                            
                                            [postfixadmin]
                                            user = postfixadmin
                                            group = postfixadmin
                                            listen = /run/postfixadmin/postfixadmin.sock
                                            listen.owner = root
                                            listen.group = http
                                            listen.mode = 0660
                                            pm = ondemand
                                            pm.max_children = 4
                                            php_admin_value['date.timezone'] = UTC
                                            php_admin_value['session.save_path'] = /tmp
                                            php_admin_value['open_basedir'] = /tmp/:/usr/share/webapps/postfixadmin/:/etc/webapps/postfixadmin/:/usr/bin/doveadm:/var/cache/postfixadmin
                                            

                                            PHP configuration

                                            /etc/php/php.ini
                                            
                                            open_basedir = /var/cache/postfixadmin/:/etc/webapps/:/usr/share/webapps/:/tmp/:/var/cache/roundcubemail:/usr/share/webapps/roundcubemail:/etc/webapps/roundcubemail:/usr/share/pear/:/var/log/roundcubemail
                                            date.timezone = "UTC"
                                            
                                            extension=imap
                                            extension=mysqli
                                            extension=pdo_mysql
                                            extension=iconv
                                            extension=gd
                                            extension=intl
                                            extension=exif
                                            extension=imagick
                                            

                                            PostfixAdmin configuration

                                            /etc/webapps/postfixadmin/config.local.php
                                            
                                            <?php
                                            $CONF['configured'] = true;
                                             // matches the Dovecot maildir layout /home/vmail/%d/%n (domain directory, then local part)
                                            $CONF['domain_path'] = 'YES';
                                            $CONF['domain_in_mailbox'] = 'NO';
                                            $CONF['database_type'] = 'mysqli';
                                            $CONF['database_host'] = 'localhost';
                                            $CONF['database_user'] = 'postfix_user';
                                            $CONF['database_password'] = 'POSTFIXDBPASSWORD';
                                            $CONF['database_name'] = 'postfix_db';
                                            
                                            $CONF['default_aliases'] = array (
                                                'abuse' => 'abuse@wildw1ng.com',
                                                'hostmaster' => 'hostmaster@wildw1ng.com',
                                                'postmaster' => 'postmaster@wildw1ng.com',
                                                'webmaster' => 'webmaster@wildw1ng.com'
                                            );
                                            
                                            $CONF['vacation_domain'] = 'autoreply.wildw1ng.com';
                                            
                                            $CONF['footer_text'] = 'Return to wildw1ng.com';
                                            $CONF['footer_link'] = 'https://wildw1ng.com';
                                            $CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
                                            $CONF['setup_password'] = 'HASHEDSETUPPASSWORD';
                                            

                                             Enable the services so they start at boot (add --now to start them immediately as well).

                                            systemctl enable httpd
                                            
                                            systemctl enable php-fpm
                                            
                                            systemctl enable postfix
                                            
                                            systemctl enable dovecot
                                            

                                             Generate a password hash with a non-default scheme; SHA512-CRYPT matches the $CONF['encrypt'] setting above.

                                            doveadm pw -s SHA512-CRYPT -p "DOVEADMPASSWORD"
                                            
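As an added example (not part of the original guide), the same {SHA512-CRYPT} scheme produced with OpenSSL instead of doveadm, together with a verify function that recomputes the hash from the stored salt; it assumes openssl 1.1.1 or newer, where passwd -6 selects SHA512-CRYPT.

```shell
#!/bin/sh
# Added example: Dovecot-style {SHA512-CRYPT} hashes without doveadm.
# Assumes openssl >= 1.1.1 (passwd -6 = SHA512-CRYPT, the $6$ scheme).

# dovecot_hash PASSWORD [SALT]
# Prints {SHA512-CRYPT}$6$<salt>$<digest>, the form PostfixAdmin stores
# when $CONF['encrypt'] = 'dovecot:SHA512-CRYPT'. Without SALT, openssl
# picks a random one, so two calls give different but equally valid hashes.
dovecot_hash() {
    if [ -n "${2:-}" ]; then
        digest=$(openssl passwd -6 -salt "$2" "$1")
    else
        digest=$(openssl passwd -6 "$1")
    fi
    printf '{SHA512-CRYPT}%s\n' "$digest"
}

# hash_salt STORED_HASH -> the salt, i.e. the third $-separated field
hash_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# dovecot_verify PASSWORD STORED_HASH
# Exit 0 when PASSWORD re-hashes (with the stored salt) to STORED_HASH,
# 1 on mismatch, 2 when the stored value is not a {SHA512-CRYPT} hash.
dovecot_verify() {
    case $2 in
        '{SHA512-CRYPT}$6$'*) ;;
        *) return 2 ;;
    esac
    [ "$(dovecot_hash "$1" "$(hash_salt "$2")")" = "$2" ]
}

# Demo when run directly with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    h=$(dovecot_hash 'DOVEADMPASSWORD')
    echo "stored hash: $h"
    dovecot_verify 'DOVEADMPASSWORD' "$h" && echo "correct password verifies"
    dovecot_verify 'wrong' "$h" || echo "wrong password is rejected"
fi
```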

                                             Write the resulting hash into the configuration file as HASHEDSETUPPASSWORD.

                                             Open http://10.0.1.18/postfixadmin/setup.php in a browser; the setup page lets us create a superadmin account.


                                            Restrict access to setup.php after installation is finished.

                                            chmod 600 /usr/share/webapps/postfixadmin/public/setup.php
                                            

                                            Check the apache log for errors.

                                            less /var/log/httpd/error_log
                                            

                                            PostfixAdmin pacman hook

                                             The database needs to be upgraded after a version bump; otherwise the login page shows the message 'The PostfixAdmin database layout is outdated'.
                                             A pacman hook can run the required upgrade.php script automatically after every install or upgrade of the package.

                                            /etc/pacman.d/hooks/postfixadmin.hook
                                            
                                            [Trigger]
                                            Operation = Install
                                            Operation = Upgrade
                                            Type = Package
                                            Target = postfixadmin
                                            
                                            [Action]
                                            Description = Run Postfixadmin upgrade.php to make sure database is up to date
                                            When = PostTransaction
                                            Exec = /usr/bin/runuser -u postfixadmin -- /usr/bin/php /usr/share/webapps/postfixadmin/public/upgrade.php
                                            


                                            Roundcube

                                             Full-featured, PHP web-based mail client.


                                            Install Roundcube and PHP Plugin packages.

                                            pacman -Syu roundcubemail php-gd php-intl php-imagick librsvg
                                            

                                            Warning

                                            Roundcube needs a separate database to work. You should not use the same database for Roundcube and PostfixAdmin.
                                            Create a second database roundcube_db and a new user named roundcube_user.


                                            Create an empty database and give the corresponding user permission to use the database.

                                            mysql -u root -p
                                            
                                            CREATE DATABASE `roundcube_db` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
                                            
                                            CREATE USER `roundcube_user`@'localhost' IDENTIFIED BY 'ROUNDCUBEDBPASSWORD';
                                            
                                            GRANT ALL PRIVILEGES ON `roundcube_db`.* TO `roundcube_user`@`localhost`;
                                            
                                            FLUSH PRIVILEGES;
                                            
                                            QUIT;
                                            

                                            We need to initialize the roundcubemail database tables.

                                            mysql -u root -p roundcube_db < /usr/share/webapps/roundcubemail/SQL/mysql.initial.sql
                                            

                                             Copy the default configuration file and set permissions.

                                            cd /etc/webapps/roundcubemail/config
                                            
                                            cp config.inc.php.sample config.inc.php
                                            
                                            chown http:http config.inc.php
                                            
                                            chmod 640 config.inc.php
                                            

                                            Set our mail server settings.

                                            /etc/webapps/roundcubemail/config/config.inc.php
                                            
                                             <?php
                                            
                                            $config = [];
                                            
                                            // Database connection string (DSN) for read+write operations
                                            // Format (compatible with PEAR MDB2): db_provider://user:password@host/database
                                            // Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
                                            // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
                                            // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
                                            //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
                                            $config['db_dsnw'] = 'mysql://roundcube_user:ROUNDCUBEDBPASSWORD@localhost/roundcube_db';
                                             $config['imap_host'] = 'ssl://mail.wildw1ng.com'; // ssl:// = implicit TLS, which is what port 993 speaks
                                             $config['smtp_host'] = 'tls://mail.wildw1ng.com'; // tls:// = STARTTLS, which is what the submission port 587 speaks
                                             $config['smtp_port'] = 587;
                                             $config['imap_port'] = 993;
                                            $config['mime_types'] = '/etc/webapps/roundcubemail/config/mime.types';
                                            
                                            // IMAP host chosen to perform the log-in.
                                            // See defaults.inc.php for the option description.
                                            // $config['imap_host'] = 'localhost:143';
                                            
                                            // SMTP server host (for sending mails).
                                            // See defaults.inc.php for the option description.
                                            // $config['smtp_host'] = 'localhost:587';
                                            
                                            // SMTP username (if required) if you use %u as the username Roundcube
                                            // will use the current username for login
                                            $config['smtp_user'] = '%u';
                                            
                                            // SMTP password (if required) if you use %p as the password Roundcube
                                            // will use the current user's password for login
                                            $config['smtp_pass'] = '%p';
                                            
                                            // provide an URL where a user can get support for this Roundcube installation
                                            // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
                                            $config['support_url'] = 'https://wildw1ng.com';
                                            
                                            // Name your service. This is displayed on the login screen and in the window title
                                            $config['product_name'] = 'Roundcube Webmail';
                                            
                                            // This key is used to encrypt the users imap password which is stored
                                            // in the session record. For the default cipher method it must be
                                            // exactly 24 characters long.
                                            // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
                                            $config['des_key'] = 'LONGRANDOMSTRING';
                                            
                                            // List of active plugins (in plugins/ directory)
                                            $config['plugins'] = [
                                                'archive',
                                                'zipdownload',
                                                'password',
                                            ];
                                            
                                            // skin name: folder from skins/
                                            $config['skin'] = 'elastic';    
                                            

                                             Set enable_installer to enable the setup wizard.

                                            $config['enable_installer'] = true;
                                            

                                            For Roundcube to be able to detect mime-types from filename extensions you need to point it to a mime.types file.
                                            Apache usually comes with one.

                                            cp /etc/httpd/conf/mime.types /etc/webapps/roundcubemail/config/mime.types
                                            
                                            chown http:http /etc/webapps/roundcubemail/config/mime.types
                                            
                                            chmod 640 /etc/webapps/roundcubemail/config/mime.types
                                            
                                            /etc/webapps/roundcubemail/config/config.inc.php
                                            
                                            $config['mime_types'] = '/etc/webapps/roundcubemail/config/mime.types';
                                            

                                            Info

                                            If you have configured open_basedir in php.ini, make sure it includes /etc/webapps and /usr/share/webapps,
                                            so PHP can open the required Roundcube files.


                                             Enable the password plugin, which lets users change their passwords from within Roundcube, by listing it in the plugins array.

                                            /etc/webapps/roundcubemail/config/config.inc.php
                                            
                                             $config['plugins'] = ['archive', 'zipdownload', 'password'];
                                            

                                            Configure the password plugin and make sure you alter the settings accordingly.

                                            /usr/share/webapps/roundcubemail/plugins/password/config.inc.php
                                            
                                            <?php
                                            
                                            $config['password_driver'] = 'sql';
                                            $config['password_db_dsn'] = 'mysql://postfix_user:POSTFIXDBPASSWORD@localhost/postfix_db';
                                            // If you are not using dovecot specify another algorithm explicitly e.g 'sha256-crypt'
                                            $config['password_algorithm'] = 'dovecot';
                                            // For dovecot salted passwords only (above must be set to 'dovecot')
                                            // $config['password_algorithm_prefix'] = 'true';
                                            // $config['password_dovecotpw'] = 'doveadm pw';
                                            // $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
                                            // $config['password_dovecotpw_with_method'] = true;
                                            $config['password_query'] = 'UPDATE mailbox SET password=%P WHERE username=%u';
                                            

                                            Now we finish the Roundcube installation with the wizard in our browser http://10.0.1.18/roundcube/installer.


                                             For security reasons, disable the installer after finishing the wizard and remove the installer directory.

                                             rm -r /usr/share/webapps/roundcubemail/installer
                                             
                                             /etc/webapps/roundcubemail/config/config.inc.php
                                             

                                             Delete the line $config['enable_installer'] = true; (or set it to false).


                                            DNS Record

                                             We need to set A and MX DNS records pointing to our mail server.

                                             A record pointing our system's FQDN (hostname) to our mail server's IPv4 address.

                                            mail.wildw1ng.com 60 IN A 37.201.217.90

                                             The MX record specifies which mail server is responsible for accepting email on behalf of a recipient's domain.
                                             All messages sent to @wildw1ng.com addresses will be accepted by the mail.wildw1ng.com mail server.

                                            wildw1ng.com 3600 IN MX 0 mail.wildw1ng.com


                                            Open ports on mail server

                                             Port  Service  Description
                                             25    SMTP     Transmission of email from mail server to mail server
                                             993   IMAP     Secure (TLS) IMAP session for mail clients

                                            Check open ports on our machine.

                                            ss -tapn
                                            
                                            netstat -tlpn
                                            
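As an added check (not from the original guide), a small filter that reads ss -tlnp output and reports listening sockets bound to non-loopback addresses whose port is not on the expected list (25 and 993 from the table above, plus Apache's 80 and 443); the ss output embedded below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the expected port list.
# Real usage: ss -tlnp | unexpected_listeners 25,80,443,993

# unexpected_listeners ALLOWED_PORTS   (comma-separated; ss output on stdin)
# Prints "port process" for every LISTEN socket bound to a non-loopback
# address whose port is not in ALLOWED_PORTS. Loopback-only services such
# as a local MariaDB are skipped: they are not reachable from the network.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4                                   # Local Address:Port column
        port = addr; sub(/.*:/, "", port)           # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)       # everything before it
        if (host == "127.0.0.1" || host == "[::1]") next
        if (port in ok) next
        proc = "unknown"
        if (match($0, /\("[^"]*"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, proc
    }' | sort -u
}

# Constructed sample of `ss -tlnp` output for this mail server: Postfix,
# Dovecot, Apache, a loopback-only MariaDB, and a plaintext IMAP listener
# on 143 that the port table above does not expect.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       100            0.0.0.0:25          0.0.0.0:*      users:(("master",pid=512,fd=13))
LISTEN  0       100            0.0.0.0:993         0.0.0.0:*      users:(("dovecot",pid=640,fd=39))
LISTEN  0       100               [::]:993            [::]:*      users:(("dovecot",pid=640,fd=40))
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*      users:(("httpd",pid=700,fd=4))
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*      users:(("httpd",pid=700,fd=6))
LISTEN  0       80           127.0.0.1:3306        0.0.0.0:*      users:(("mariadbd",pid=450,fd=21))
LISTEN  0       100            0.0.0.0:143         0.0.0.0:*      users:(("dovecot",pid=640,fd=37))
EOF
}

# Unexpected listeners in the sample, for the demo and the tests.
sample_report() {
    sample_ss | unexpected_listeners "25,80,443,993"
}

if [ "${1:-}" = "demo" ]; then
    sample_report      # prints: 143 dovecot
fi
```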

                                            Get SSL certificates with Certbot via Let’s Encrypt for Apache

                                            /etc/httpd/conf/extra/httpd-vhosts.conf
                                            
                                            <VirtualHost *:80>
                                                    ServerAdmin admin@wildw1ng.com
                                                    DocumentRoot "/usr/share/webapps/roundcubemail"
                                                    ServerName mail.wildw1ng.com
                                                    ServerAlias mail.wildw1ng.com
                                                    ErrorLog "/var/log/httpd/mail.wildw1ng.com-error.log"
                                                    CustomLog "/var/log/httpd/mail.wildw1ng.com-access.log" common
                                                    <Directory "/usr/share/webapps/roundcubemail">
                                                            AllowOverride All
                                                            Options FollowSymlinks
                                                            Require all granted
                                                     SetEnv PHP_ADMIN_VALUE "open_basedir = /tmp/:/var/cache/roundcubemail:/usr/share/webapps/roundcubemail:/etc/webapps/roundcubemail:/usr/share/pear/:/var/log/roundcubemail"
                                                    </Directory>
                                            RewriteEngine on
                                            RewriteCond %{SERVER_NAME} =mail.wildw1ng.com
                                            RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
                                            </VirtualHost>
                                            

                                            /etc/httpd/conf/extra/httpd-vhosts-le-ssl.conf
                                            
                                            <IfModule mod_ssl.c>
                                            SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
                                            <VirtualHost *:443>
                                                    ServerAdmin admin@wildw1ng.com
                                                    DocumentRoot "/usr/share/webapps/roundcubemail"
                                                    ServerName mail.wildw1ng.com
                                                    ServerAlias mail.wildw1ng.com
                                                    ErrorLog "/var/log/httpd/mail.wildw1ng.com-error.log"
                                                    CustomLog "/var/log/httpd/mail.wildw1ng.com-access.log" common
                                                    <Directory "/usr/share/webapps/roundcubemail">
                                                            AllowOverride All
                                                            Options FollowSymlinks
                                                            Require all granted
                                                     SetEnv PHP_ADMIN_VALUE "open_basedir = /tmp/:/var/cache/roundcubemail:/usr/share/webapps/roundcubemail:/etc/webapps/roundcubemail:/usr/share/pear/:/var/log/roundcubemail"
                                                    </Directory>
                                            
                                            Include /etc/letsencrypt/options-ssl-apache.conf
                                            SSLCertificateFile /etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem
                                            SSLCertificateKeyFile /etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem
                                            SSLUseStapling on
                                            </VirtualHost>
                                            </IfModule>
                                            


                                            Run Certbot to obtain a certificate.

                                            certbot --apache
                                            

                                            Certificate is saved at: /etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem
                                            Key is saved at: /etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem



                                             If Apache fails to start, make sure Listen 443 is not defined more than once across the configuration.

                                            grep -r "Listen 443" /etc/httpd
                                            

                                            Sender Policy Framework

                                             SPF is an email authentication mechanism that helps receivers detect forged sender domains, which are common in phishing.
                                             With it we publish which hosts are allowed to send email on behalf of our domain.


                                            Install SPF package.

                                            yay -Syu python-spf-engine
                                            

                                            Modify Postfix configuration files to enable SPF.

                                            /etc/postfix/main.cf
                                            
                                            smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policy-spf
                                            policy-spf_time_limit = 3600s
                                            

                                            /etc/postfix/master.cf
                                            
                                            policy-spf  unix  -       n       n       -       0       spawn
                                                user=nobody argv=/usr/bin/policyd-spf
                                            

                                            SPF DNS Record

                                             To allow other mail exchangers to validate mail that claims to come from our domain, we need to publish a DNS TXT record containing v=spf1 mx ~all. The mx mechanism authorises the hosts listed in our MX records (here mail.wildw1ng.com), and ~all means that mail from any other host yields a soft failure: receivers should accept but mark it rather than reject it outright.
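As an added example (not from the original guide), a minimal SPF evaluation in the style of a receiving MTA, run against a constructed DNS table that holds the A, MX and TXT records from this page instead of doing live lookups; it covers the mechanisms the record above uses (mx, a, ip4 with exact addresses, all) and the four qualifiers, while CIDR prefixes, include: and redirect= are out of scope.

```shell
#!/bin/sh
# Added example: evaluate an SPF record against constructed DNS data.

# Constructed zone data for wildw1ng.com (columns: NAME TYPE VALUE). The A
# and MX values are those from the DNS section; the TXT line is the SPF record.
dns_table() {
    cat <<'EOF'
wildw1ng.com       MX   mail.wildw1ng.com
wildw1ng.com       A    37.201.217.90
mail.wildw1ng.com  A    37.201.217.90
wildw1ng.com       TXT  v=spf1 mx ~all
EOF
}

# dns_lookup NAME TYPE -> matching values, one per line
dns_lookup() {
    dns_table | awk -v n="$1" -v t="$2" '
        $1 == n && $2 == t { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# spf_evaluate RECORD DOMAIN IP -> pass | fail | softfail | neutral
# Mechanisms are tried left to right; the first one that matches decides the
# result through its qualifier (+ pass, - fail, ~ softfail, ? neutral).
spf_evaluate() {
    domain=$2 ip=$3
    for term in $1; do
        [ "$term" = "v=spf1" ] && continue
        qual=+ mech=$term
        case $term in
            [-+~?]*) qual=${term%"${term#?}"} mech=${term#?} ;;
        esac
        matched=0
        case $mech in
            all)   matched=1 ;;
            mx)    for mx in $(dns_lookup "$domain" MX); do
                       dns_lookup "$mx" A | grep -qxF "$ip" && matched=1
                   done ;;
            a)     dns_lookup "$domain" A | grep -qxF "$ip" && matched=1 ;;
            ip4:*) [ "${mech#ip4:}" = "$ip" ] && matched=1 ;;   # exact IP only
        esac
        if [ "$matched" -eq 1 ]; then
            case $qual in
                +)   echo pass ;;
                -)   echo fail ;;
                '~') echo softfail ;;
                '?') echo neutral ;;
            esac
            return 0
        fi
    done
    echo neutral    # nothing matched and the record has no explicit all
}

# spf_check DOMAIN IP -> result for the SPF record published for DOMAIN
spf_check() {
    record=$(dns_lookup "$1" TXT | grep '^v=spf1' | head -n 1)
    if [ -z "$record" ]; then echo none; return 0; fi
    spf_evaluate "$record" "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    spf_check wildw1ng.com 37.201.217.90   # pass: the address of our MX host
    spf_check wildw1ng.com 203.0.113.5     # softfail: any other host, because of ~all
fi
```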


                                            DomainKeys Identified Mail

                                            DKIM is a sender authentication protocol that allows signing messages so mailbox providers can verify them.
                                            This method is designed to detect email spoofing by identifying forged sender addresses in email.


                                            Install OpenDKIM package.

                                            pacman -Syu opendkim
                                            

                                            Create a directory for dkim.

                                            mkdir /var/db/dkim/
                                            

                                            Generate a secret signing key.

                                            opendkim-genkey -r -s default -d wildw1ng.com -D /var/db/dkim/
                                            
                                            chmod 400 /var/db/dkim/default.*
                                            

                                            Copy the default configuration file.

                                            cp /usr/share/doc/opendkim/opendkim.conf.sample /etc/opendkim/opendkim.conf
                                            
                                            chmod 644 /etc/opendkim/opendkim.conf
                                            

                                            Modify OpenDKIM configuration and create a Socket for DKIM.

                                            /etc/opendkim/opendkim.conf
                                            
                                            Domain                  wildw1ng.com
                                            KeyFile                 /var/db/dkim/default.private
                                            Selector                default
                                            Socket                  unix:/run/opendkim/opendkim.sock
                                            TemporaryDirectory      /run/opendkim
                                            UMask                   002
                                            UserID                  opendkim
                                            Canonicalization        relaxed/simple
                                            

                                            mkdir /run/opendkim
                                            
                                            chown opendkim:postfix /run/opendkim
                                            
                                            chmod 750 /run/opendkim
                                            
                                            mkdir -p /etc/systemd/system/opendkim.service.d/
                                            
                                            chmod 755 /etc/systemd/system/opendkim.service.d/
                                            

                                            /etc/tmpfiles.d/opendkim.conf
                                            
                                            D /run/opendkim 0750 opendkim postfix
                                            

                                            chmod 644 /etc/tmpfiles.d/opendkim.conf
                                            

                                            /etc/systemd/system/opendkim.service.d/override.conf
                                            
                                            [Service]
                                            User=
                                            User=opendkim
                                            Group=
                                            Group=postfix
                                            

                                            chmod 644 /etc/systemd/system/opendkim.service.d/override.conf
                                            
                                            chown opendkim:postfix /var/db/dkim/
                                            
                                            chown opendkim:postfix /var/db/dkim/default.private
                                            

                                            Enable and start the opendkim.service.

                                            systemctl enable --now opendkim
                                            

                                            DKIM DNS Record

                                            Add a DNS TXT record with the selector and public key.

                                            less /var/db/dkim/default.txt 
                                            

                                            Copy everything between the quotes (" ") into a default._domainkey TXT DNS record, leaving out the parentheses and the quotes themselves.

                                            v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNXDCBiQKBgQDjk96JyEAU2QLfDjZYyHTHVWYP/effPipH3hpgfa+NkWg/WmfZXjI3CmDY+N3m+eRmZdIzYO9oPGi+r0h3ceSZe4Cj858/k/0D7aYdG18QQDLIY+x+dmp7MjRK1+/B1xWjWy/Sn4nF1zVmROVxuBraX2eL32deu+qrnZlsu2H9MwIDAQAB
                                            

                                            Check the record.

                                            host -t TXT default._domainkey.wildw1ng.com
                                            

                                            Domain-based Message Authentication, Reporting and Conformance

                                            DMARC is an email authentication protocol that provides domain-level protection, detecting and preventing email spoofing techniques used in phishing.


                                            Install OpenDMARC package.

                                            pacman -Syu opendmarc
                                            

                                            Modify OpenDMARC configuration and create a Socket for DMARC.

                                            /etc/opendmarc/opendmarc.conf
                                            
                                            Socket  unix:/run/opendmarc/opendmarc.sock
                                            UMask 002
                                            

                                            mkdir /run/opendmarc
                                            
                                            chown opendmarc:postfix /run/opendmarc
                                            
                                            chmod 750 /run/opendmarc
                                            

                                            /etc/tmpfiles.d/opendmarc.conf
                                            
                                            D /run/opendmarc 0750 opendmarc postfix
                                            

                                            chmod 644 /etc/tmpfiles.d/opendmarc.conf
                                            
                                            mkdir -p /etc/systemd/system/opendmarc.service.d/
                                            
                                            chmod 755 /etc/systemd/system/opendmarc.service.d/
                                            

                                            /etc/systemd/system/opendmarc.service.d/override.conf
                                            
                                            [Service]
                                            Group=
                                            Group=postfix
                                            

                                            chmod 644 /etc/systemd/system/opendmarc.service.d/override.conf
                                            

                                            Add Mail Filter Sockets to our Postfix configuration and make sure that the DMARC milter is declared after the DKIM milter.

                                            /etc/postfix/main.cf
                                            
                                            non_smtpd_milters   = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
                                            smtpd_milters       = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
                                            

                                            Enable and start the opendmarc.service.

                                            systemctl enable --now opendmarc
                                            

                                            DMARC DNS Record

                                            To enable DMARC for a domain, add a new TXT record to its DNS zone.


                                            Start in monitoring mode: with the policy set to “none” nothing is blocked, but we begin to receive aggregate reports (rua) and failure reports (ruf) for mail that fails SPF or DKIM.

                                            _dmarc.wildw1ng.com TXT v=DMARC1; p=none; rua=mailto:admin@wildw1ng.com; ruf=mailto:admin@wildw1ng.com; adkim=s; fo=1
                                            

                                            After some time, once these reports have been analyzed, enable the quarantine policy for wildw1ng.com for 10% of the mail traffic.

                                            _dmarc.wildw1ng.com TXT v=DMARC1; p=quarantine; rua=mailto:admin@wildw1ng.com; ruf=mailto:admin@wildw1ng.com; adkim=s; fo=1; pct=10
                                            

                                            Then slowly raise the percentage and finish with the policy applied to 100% of the traffic (no pct tag) and only failure reports.

                                            _dmarc.wildw1ng.com TXT v=DMARC1; p=quarantine; ruf=mailto:admin@wildw1ng.com; adkim=s; fo=1
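                                            The records from the DKIM and DMARC sections can be checked for shape before they are published. The following Python script is an added example and not part of this guide: it joins the split quoted strings of a default.txt file (the copy step in the DKIM DNS Record section), then validates SPF, DKIM and DMARC records for the tags these sections rely on (a required p= tag for DMARC, the pct range, valid base64 key material). It makes no DNS queries; the sample records, the example.com domain and the key material are constructed placeholders, not real keys or records.

```python
import base64
import re

# Constructed placeholder for the p= value: base64 of a few DER-looking
# bytes (a SEQUENCE header and zeros). NOT a real RSA public key.
PLACEHOLDER_P = base64.b64encode(b"\x30\x81\x9f\x30\x0d" + bytes(24)).decode()

# Constructed sample of what opendkim-genkey writes to default.txt: the TXT
# value is split into several quoted strings inside parentheses.
SAMPLE_DEFAULT_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; s=email; "\n'
    '\t  "p=' + PLACEHOLDER_P + '" )  ; ----- DKIM key default for example.com\n'
)

# Constructed copies of the three DMARC rollout stages for example.com.
DMARC_STAGES = [
    "v=DMARC1; p=none; rua=mailto:admin@example.com; ruf=mailto:admin@example.com; adkim=s; fo=1",
    "v=DMARC1; p=quarantine; rua=mailto:admin@example.com; ruf=mailto:admin@example.com; adkim=s; fo=1; pct=10",
    "v=DMARC1; p=quarantine; ruf=mailto:admin@example.com; adkim=s; fo=1",
]

def join_txt_strings(zone_line):
    """Concatenate the quoted strings of a zone-file TXT record into the one
    value that goes into the DNS provider's TXT field."""
    return "".join(re.findall(r'"([^"]*)"', zone_line))

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags

def validate_dkim(record):
    """Return a list of problems with a DKIM TXT record (empty list = OK)."""
    tags, problems = parse_tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=%s" % tags["k"])
    p = tags.get("p", "")
    if not p:
        problems.append("p tag missing or empty (an empty p means the key is revoked)")
    else:
        try:  # validate=True rejects stray whitespace from a wrapped copy-paste
            der = base64.b64decode(p, validate=True)
        except ValueError:
            problems.append("p is not valid base64")
        else:
            if tags.get("k", "rsa") == "rsa" and der[:1] != b"\x30":
                problems.append("p does not look like a DER SubjectPublicKeyInfo")
    return problems

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_MODIFIERS = {"redirect", "exp"}

def validate_spf(record):
    """Return (problems, terms) for an SPF record; a term is (qualifier, name, argument)."""
    problems, terms = [], []
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["record must start with v=spf1"], terms
    for term in parts[1:]:
        if "=" in term:  # modifier such as redirect=_spf.example.com
            name, _, arg = term.partition("=")
            if name.lower() not in SPF_MODIFIERS:
                problems.append("unknown modifier %s" % name)
            terms.append(("", name.lower(), arg))
            continue
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # strip a CIDR suffix such as a/24
        if name not in SPF_MECHANISMS:
            problems.append("unknown mechanism %s" % name)
        terms.append((qualifier, name, arg))
    if terms and terms[-1][:2] == ("+", "all"):
        problems.append("+all lets anyone send for the domain")
    if not any(t[1] in ("all", "redirect") for t in terms):
        problems.append("no terminating all or redirect term")
    return problems, terms

def validate_dmarc(record):
    """Return a list of problems with a DMARC TXT record (empty list = OK)."""
    tags, problems = parse_tags(record), []
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p (policy) is required: none, quarantine or reject")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer 0..100")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append("%s must be r or s" % tag)
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append("%s entry %r is not a mailto: URI" % (tag, uri))
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo may only contain 0, 1, d, s")
    return problems

if __name__ == "__main__":
    dkim_value = join_txt_strings(SAMPLE_DEFAULT_TXT)
    print("DKIM:", validate_dkim(dkim_value) or "OK")
    print("SPF:", validate_spf("v=spf1 mx ~all")[0] or "OK")
    for stage in DMARC_STAGES:
        print("DMARC:", validate_dmarc(stage) or "OK")
    print("DMARC without p=:", validate_dmarc("v=DMARC1; rua=mailto:admin@example.com"))
```

                                            The script checks record syntax only; whether the published record matches is still verified with host -t TXT as shown above. A DKIM value pasted with line-wrap whitespace inside the key fails the base64 check, which is the usual cause of a "key not found" or signature failure after following the copy step.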
                                            

                                            Use DNS blacklists

                                            /etc/postfix/main.cf
                                            
                                            # Block spam using DNS blacklists
                                            smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
                                            

                                            List-Unsubscribe header

                                            Set header checks.

                                            /etc/postfix/main.cf
                                            
                                            header_checks = regexp:/etc/postfix/list_unsub_header
                                            

                                            Create a list_unsub_header file.

                                            /etc/postfix/list_unsub_header
                                            
                                            /Content-Transfer-Encoding:/i PREPEND List-Unsubscribe: mailto:admin@wildw1ng.com?subject=unsubscribe
                                            
                                            chmod 644 /etc/postfix/list_unsub_header
                                            

                                            Amavis and ClamAV

                                            Amavis is an interface between the MTA and content checkers such as the ClamAV virus scanner and SpamAssassin.


                                            Install packages.

                                            pacman -Syu amavisd-new clamav p7zip unrar arj lrzip lz4 lzo rpmextract
                                            

                                            Leave the anti-virus and anti-spam checks bypassed for now (the sample default), set our domain and hostname and enable verbose logging.

                                            /etc/amavisd/amavisd.conf
                                            
                                            @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
                                            @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
                                            # $bypass_decode_parts = 1;         # controls running of decoders&dearchivers
                                             
                                            $mydomain = 'wildw1ng.com';
                                            $myhostname = 'mail.wildw1ng.com';
                                             
                                            $log_level = 5;              # verbosity 0..5, -d
                                            

                                            Enable ClamAV support and use the same socket path as LocalSocket in /etc/clamav/clamd.conf.

                                            # http://www.clamav.net/
                                            ['ClamAV-clamd',
                                               \&ask_daemon, ["CONTSCAN {}\n", "/run/clamav/clamd.ctl"],
                                               qr/\bOK$/m, qr/\bFOUND$/m,
                                               qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
                                            # # NOTE: run clamd under the same user as amavisd - or run it under its own
                                            # #   uid such as clamav, add user clamav to the amavis group, and then add
                                            # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
                                            # #   this entry; when running chrooted one may prefer a socket under $MYHOME.
                                            

                                            Comment out this line to enable the anti-virus scan.

                                            # @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
                                            

                                            Then add the clamav user to the amavis group to avoid permission problems when clamd reads the files Amavis unpacks.

                                            usermod -a -G amavis clamav
                                            

                                            Updating ClamAV virus definition database

                                            We need to run freshclam before starting the service for the first time; without a virus definition database clamd fails to start.


                                            Start and enable clamav-freshclam.service so that the virus definitions are kept up to date.

                                            systemctl enable --now clamav-freshclam.service
                                            

                                            Start and enable the ClamAV and Amavis services.

                                            systemctl enable --now clamav-daemon.service
                                            
                                            systemctl enable --now amavisd.service
                                            

                                            Integration with Postfix

                                            /etc/postfix/master.cf
                                            
                                            #
                                            # anti spam & anti virus section
                                            #
                                            amavisfeed      unix  -    -       n       -       2       smtp
                                             -o smtp_data_done_timeout=1200
                                             -o smtp_send_xforward_command=yes
                                             -o disable_dns_lookups=yes
                                             -o max_use=20
                                            127.0.0.1:10025 inet n  -       y       -       -       smtpd
                                             -o content_filter=
                                             -o smtpd_delay_reject=no
                                             -o smtpd_client_restrictions=permit_mynetworks,reject
                                             -o smtpd_helo_restrictions=
                                             -o smtpd_sender_restrictions=
                                             -o smtpd_recipient_restrictions=permit_mynetworks,reject
                                             -o smtpd_data_restrictions=reject_unauth_pipelining
                                             -o smtpd_end_of_data_restrictions=
                                             -o smtpd_restrictions_classes=
                                             -o mynetworks=127.0.0.0/8
                                             -o smtpd_error_sleep_time=0
                                             -o smtpd_soft_error_limit=1001 
                                             -o smtpd_hard_error_limit=1000
                                             -o smtpd_client_connection_count_limit=0
                                             -o smtpd_client_connection_rate_limit=0
                                             -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
                                             -o local_header_rewrite_clients=
                                            

                                            In this configuration we assume that Postfix and Amavis run on the same machine (127.0.0.1).
                                            If that is not the case, edit /etc/amavisd/amavisd.conf and the previous Postfix entry accordingly.
                                            Postfix listens on port 10025 so that Amavis can hand checked mail back to it.
                                            We also have to add an option to the smtp or submission entries in master.cf.

                                            -o content_filter=amavisfeed:[127.0.0.1]:10024
                                            

                                            This option makes Postfix send mail to Amavis on port 10024 to be checked.
                                            Mail that passes the checks is sent back to port 10025.
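                                            The 10025 entry above is the one place where unchecked mail could re-enter if it were reachable from outside the loopback interface or still carried a content_filter. The following Python script is an added example, not code from this guide or from Postfix: it parses master.cf entries with their -o continuation lines and checks the re-injection listener for the settings the entry above relies on. The master.cf text is a constructed copy of the fragment above; the check names and expected values are this example's own.

```python
# Constructed copy of the amavisfeed / 127.0.0.1:10025 entries from master.cf.
SAMPLE_MASTER_CF = """\
#
# anti spam & anti virus section
#
amavisfeed      unix  -    -       n       -       2       smtp
 -o smtp_data_done_timeout=1200
 -o smtp_send_xforward_command=yes
 -o disable_dns_lookups=yes
 -o max_use=20
127.0.0.1:10025 inet n  -       y       -       -       smtpd
 -o content_filter=
 -o smtpd_delay_reject=no
 -o smtpd_client_restrictions=permit_mynetworks,reject
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o smtpd_data_restrictions=reject_unauth_pipelining
 -o smtpd_end_of_data_restrictions=
 -o smtpd_restrictions_classes=
 -o mynetworks=127.0.0.0/8
 -o smtpd_error_sleep_time=0
 -o smtpd_soft_error_limit=1001
 -o smtpd_hard_error_limit=1000
 -o smtpd_client_connection_count_limit=0
 -o smtpd_client_connection_rate_limit=0
 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
 -o local_header_rewrite_clients=
"""

# The eight columns of a master.cf service line.
FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")

def parse_master_cf(text):
    """Parse master.cf into a list of service dicts. A line starting with
    whitespace continues the previous entry; '-o name=value' pairs are
    collected into the entry's 'options' dict, anything else into 'args'."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation of the previous service entry
            if not services:
                raise ValueError("continuation line before any service entry")
            words = raw.split()
            if len(words) == 2 and words[0] == "-o":
                name, _, value = words[1].partition("=")
                services[-1]["options"][name] = value
            else:
                services[-1]["args"].extend(words)
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError("malformed service line: %r" % raw)
        entry = dict(zip(FIELDS, cols[:8]))
        entry["args"], entry["options"] = cols[8:], {}
        services.append(entry)
    return services

def check_reinjection_listener(services, port="10025"):
    """Return findings for the listener Amavis hands checked mail back to:
    it must bind loopback only, accept only loopback clients, run no further
    content_filter (which would loop mail through Amavis forever) and skip the
    milters that already ran on the first pass."""
    listener = next((s for s in services
                     if s["type"] == "inet" and s["service"].endswith(":" + port)), None)
    if listener is None:
        return ["no inet listener on port %s" % port]
    o, findings = listener["options"], []
    if not listener["service"].startswith("127.0.0.1:"):
        findings.append("listener binds %s instead of 127.0.0.1" % listener["service"])
    if o.get("content_filter", "unset") != "":
        findings.append("content_filter must be empty on the re-injection port to avoid a filter loop")
    if o.get("mynetworks") != "127.0.0.0/8":
        findings.append("mynetworks should be 127.0.0.0/8")
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if o.get(name) != "permit_mynetworks,reject":
            findings.append("%s should be permit_mynetworks,reject" % name)
    if "no_milters" not in o.get("receive_override_options", "").split(","):
        findings.append("receive_override_options should include no_milters")
    return findings

if __name__ == "__main__":
    services = parse_master_cf(SAMPLE_MASTER_CF)
    for s in services:
        print(s["service"], s["type"], s["command"], len(s["options"]), "options")
    print("findings:", check_reinjection_listener(services) or "none")
```

                                            Running the script against a copy of the real /etc/postfix/master.cf (read the file instead of SAMPLE_MASTER_CF) gives a quick regression check after edits to the anti-spam section; the list of checks is deliberately limited to what the entry above sets and is not a full master.cf validator (postfix check does that).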

                                            We can now restart postfix.service and amavisd.service.


                                            SpamAssassin

                                            Install package.

                                            pacman -Syu spamassassin
                                            

                                            Note

                                            SpamAssassin is integrated into Amavis, so we do not have to start spamassassin.service.


                                            To enable SpamAssassin support, comment out the following line.

                                            /etc/amavisd/amavisd.conf
                                            
                                            # @bypass_spam_checks_maps = (1);  # controls running of anti-spam code
                                            

                                            Set the SpamAssassin score thresholds in the same file.

                                            $sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
                                            $sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
                                            $sa_kill_level_deflt = 5.0;  # triggers spam evasive actions (e.g. blocks mail)
                                            $sa_dsn_cutoff_level = 8;   # spam level beyond which a DSN is not sent
                                            # $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
                                            $penpals_threshold_high = $sa_kill_level_deflt;  # do not waste time on hi spam
                                            $bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
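                                            To see how the four thresholds above interact, here is an added Python model (not amavisd code) of the decision amavisd makes from a SpamAssassin score: the X-Spam-* headers it adds at the tag levels, the block at the kill level, and the DSN suppression above the cutoff. The threshold values are copied from the fragment above; the header formats are simplified and the function names are this example's own.

```python
# Thresholds from the amavisd.conf fragment above (constructed copy, not read
# from a live configuration).
SA_TAG_LEVEL = 1.0    # add X-Spam-Score / X-Spam-Level / X-Spam-Status headers
SA_TAG2_LEVEL = 1.0   # add X-Spam-Flag: YES ("spam detected")
SA_KILL_LEVEL = 5.0   # evasive action: the mail is blocked per $final_spam_destiny
SA_DSN_CUTOFF = 8.0   # at or above this score no bounce (DSN) goes back to the sender

def classify(score, tag=SA_TAG_LEVEL, tag2=SA_TAG2_LEVEL,
             kill=SA_KILL_LEVEL, dsn_cutoff=SA_DSN_CUTOFF):
    """Return (decision, headers, send_dsn) for a SpamAssassin score.
    decision is 'pass', 'tagged' or 'blocked'; headers is a dict of the
    X-Spam-* headers added to a delivered message (simplified format);
    send_dsn is True only for a blocked message below the DSN cutoff (and then
    only if $final_spam_destiny is set to bounce rather than discard)."""
    headers = {}
    if score >= tag:
        headers["X-Spam-Score"] = "%.3f" % score
        headers["X-Spam-Level"] = "*" * int(max(score, 0))  # one star per whole point
        headers["X-Spam-Status"] = "%s, score=%.3f tag=%s tag2=%s kill=%s" % (
            "Yes" if score >= tag2 else "No", score, tag, tag2, kill)
    if score >= tag2:
        headers["X-Spam-Flag"] = "YES"
    if score >= kill:
        return "blocked", headers, score < dsn_cutoff
    return ("tagged" if score >= tag2 else "pass"), headers, False

if __name__ == "__main__":
    for s in (0.5, 1.0, 3.7, 5.0, 8.0):  # constructed sample scores
        decision, headers, send_dsn = classify(s)
        print("%4.1f -> %-7s dsn=%-5s %s" % (s, decision, send_dsn, headers.get("X-Spam-Level", "")))
```

                                            With tag and tag2 both at 1.0, a message scoring just one point is already flagged as spam, and only four more points separate the flag from the block; the DSN cutoff then keeps high-scoring (usually forged-sender) mail from generating backscatter bounces, which is also what $bounce_killer_score is for.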
                                            

                                            Before we restart the amavisd service we have to run sa-update.

                                            mkdir /etc/mail/spamassassin/sa-update-keys
                                            
                                            chown spamd:spamd /etc/mail/spamassassin/sa-update-keys
                                            
                                            chmod 700 /etc/mail/spamassassin/sa-update-keys
                                            
                                            cd /etc/mail/spamassassin
                                            
                                            sudo -u spamd wget "http://spamassassin.apache.org/updates/GPG.KEY"
                                            
                                            sudo -u spamd sa-update --import GPG.KEY
                                            
                                            rm GPG.KEY
                                            
                                            sudo -u spamd sa-update -D
                                            
                                            sudo -u spamd sa-compile
                                            

                                            Keep SpamAssassin up to date

                                            Manual update.

                                            sudo -u spamd sa-update --channel updates.spamassassin.org
                                            
                                            sudo -u spamd sa-compile
                                            

                                            Create service to automate the process.

                                            /usr/lib/systemd/system/spamassassin-update.service
                                            
                                            [Unit]
                                            Description=SpamAssassin Update
                                            After=network.target
                                            
                                            [Service]
                                            User=spamd
                                            Group=spamd
                                            Type=oneshot
                                            # UMask=0022
                                            
                                            ExecStart=/usr/bin/vendor_perl/sa-update --channel updates.spamassassin.org
                                            SuccessExitStatus=1
                                            ExecStart=/usr/bin/vendor_perl/sa-compile
                                            # ExecStart=!/usr/bin/systemctl -q --no-block try-restart spamassassin.service
                                            
                                            # uncomment the following ExecStart line to train SA's bayes filter
                                            # and specify the path to the mailbox that contains spam email(s)
                                            # ExecStart=/usr/bin/vendor_perl/sa-learn --spam <path_to_your_spam_mailbox>
                                            

                                            /usr/lib/systemd/system/spamassassin-update.timer
                                            
                                            [Unit]
                                            Description=SpamAssassin Update Timer
                                            
                                            [Timer]
                                            OnCalendar=daily
                                            Persistent=true
                                            
                                            [Install]
                                            WantedBy=timers.target
                                            

                                            Start and enable spamassassin-update.timer.

                                            systemctl enable --now spamassassin-update.timer
                                            

                                            Check permissions in /var/lib/spamassassin/ if you get errors.


                                            Andreas Bauer. All rights reserved.

                                            Guacamole

                                            How to access remote desktops and command line interfaces from any browser with Guacamole remote desktop gateway





                                            Installation

                                            pacman -Syu adobe-source-code-pro-fonts pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber pipewire-docs helvum freerdp libwebsockets mariadb tomcat9 tomcat-native && yay -Syu guacamole-server guacamole-client
                                            

                                            Manual guacamole client installation

                                            wget -O guacamole-1.4.0.war "https://apache.org/dyn/closer.lua/guacamole/1.4.0/binary/guacamole-1.4.0.war?action=download"
                                            
                                            mv guacamole-1.4.0.war /usr/share/guacamole/guacamole.war
                                            

                                            Apache Tomcat Servlet

                                            ln -s /usr/share/guacamole/guacamole.war /var/lib/tomcat9/webapps
                                            

                                            /etc/tomcat9/tomcat-users.xml
                                            
                                            <tomcat-users>
                                              <role rolename="tomcat"/>
                                              <role rolename="manager-gui"/>
                                              <role rolename="manager-script"/>
                                              <role rolename="manager-jmx"/>
                                              <role rolename="manager-status"/>
                                              <role rolename="admin-gui"/>
                                              <role rolename="admin-script"/>
                                              <user username="tomcat" password="PASSWORD1" roles="tomcat"/>
                                              <user username="manager" password="PASSWORD2" roles="manager-gui,manager-script,manager-jmx,manager-status"/>
                                              <user username="admin" password="PASSWORD3" roles="admin-gui"/>
                                            </tomcat-users>
                                            

                                            systemctl enable tomcat9
                                            

                                            Database authentication

                                            Installing MariaDB/MySQL system tables.

                                            mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
                                            
                                            systemctl enable mariadb
                                            
                                            systemctl start mariadb
                                            

                                            Improve initial security with recommended security measures, such as removing anonymous accounts and removing the test database.

                                            mysql_secure_installation
                                            

                                            When prompted to “Switch to unix_socket authentication” enter n for No.


                                            Listen only on the loopback address

                                            /etc/my.cnf.d/server.cnf
                                            
                                            [mysqld]
                                            bind-address = localhost
                                            

                                            systemctl restart mariadb
                                            

                                            Create Guacamole database

                                            mysql -u root -p
                                            

                                            CREATE DATABASE guacamole_db;
                                            CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'PASSWORD';
                                            GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
                                            FLUSH PRIVILEGES;
                                            quit;


                                            Install MySQL extensions for Guacamole

                                            mkdir /etc/guacamole/{extensions,lib}
                                            
                                            chmod 755 /etc/guacamole/extensions
                                            
                                            chmod 755 /etc/guacamole/lib
                                            
                                            echo 'GUACAMOLE_HOME=/etc/guacamole' >> /etc/default/tomcat9
                                            

                                            Download the MySQL extension from https://guacamole.apache.org/releases/

                                            cd /etc/guacamole/extensions/
                                            
                                            wget https://dlcdn.apache.org/guacamole/1.4.0/binary/guacamole-auth-jdbc-1.4.0.tar.gz
                                            
                                            tar -vxf guacamole-auth-jdbc-1.4.0.tar.gz
                                            

                                            Write SQL schema files into the MySQL database

                                            cat /etc/guacamole/extensions/guacamole-auth-jdbc-1.4.0/mysql/schema/*.sql | mysql -u root -p guacamole_db
                                            

                                            Copy the extension

                                            cp /etc/guacamole/extensions/guacamole-auth-jdbc-1.4.0/mysql/guacamole-auth-jdbc-mysql-1.4.0.jar /etc/guacamole/extensions/
                                            
                                            chmod 644 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.4.0.jar
                                            

                                            Download the JDBC driver from https://dev.mysql.com/downloads/connector/j/

                                            wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.29.tar.gz
                                            
                                            tar -vxf mysql-connector-java-8.0.29.tar.gz
                                            
                                            cp mysql-connector-java-8.0.29/mysql-connector-java-8.0.29.jar /etc/guacamole/lib/
                                            
                                            chmod 644 /etc/guacamole/lib/mysql-connector-java-8.0.29.jar
                                            

                                            Configuring the client to use the database

                                            /etc/guacamole/guacamole.properties
                                            
                                            # Hostname and Guacamole server port
                                            guacd-hostname: localhost
                                            guacd-port: 4822
                                            
                                            # MySQL properties
                                            mysql-hostname: localhost
                                            mysql-port: 3306
                                            mysql-database: guacamole_db
                                            mysql-username: guacamole_user
                                            mysql-password: PASSWORD
                                            

                                            guacamole.properties now holds the database password, so do not leave it world-readable. Keep it owned by root with the group of the account the servlet container (Tomcat) runs under, so that the web application can still read it:

                                            chmod 640 /etc/guacamole/guacamole.properties
                                            
                                            chmod 644 /etc/guacamole/guacd.conf
                                            
                                            systemctl enable guacd
                                            

                                            Logging in

                                            http://localhost:8080/guacamole

                                            The default Guacamole user created by the provided SQL scripts is guacadmin, with a default password of guacadmin.

                                            Warning

                                            Before continuing with configuring Guacamole, it’s recommended that you create a new admin account and delete the original.


                                            Create a new SSH connection using public key authentication

                                            [Screenshot: ssh-public-key.png]

                                            Generate the key pair in PEM format on the Guacamole machine. Guacamole's SSH client (libssh2) needs the private key in PEM form, which is what -m PEM produces. The private key is pasted into the connection's private key field and stored in the Guacamole database, so anyone who can administer Guacamole or read that database can use it: protect the key with a passphrase and enter it in the connection's passphrase field rather than storing an unprotected key.

                                            ssh-keygen -t rsa -b 4096 -m PEM
                                            

                                            Tip

                                            Debug sshd

                                            journalctl -t sshd -b0
                                            

                                            Find out the public host key (Base64) of the machine you want to connect to. ssh-keyscan fetches it over the network, so compare it with the key on the target itself (/etc/ssh/ssh_host_ecdsa_key.pub) before pasting it into Guacamole; if the host key field is left empty, Guacamole does not verify the server's identity at all.

                                            ssh-keyscan -t ecdsa 192.168.0.204 2>&1 | grep ecdsa
                                            

                                            Set up the SSH server on the machine you want to connect to

                                            /etc/ssh/sshd_config

                                            AuthenticationMethods publickey
                                            PubkeyAuthentication yes
                                            PubkeyAcceptedAlgorithms +ssh-rsa
                                            PasswordAuthentication no

                                            PubkeyAcceptedAlgorithms is the OpenSSH 8.5+ name; older releases call it PubkeyAcceptedKeyTypes. The +ssh-rsa entry re-enables RSA signatures with SHA-1, which OpenSSH 8.8 disabled by default, and is only needed because guacd's libssh2 may not offer the rsa-sha2-256/512 variants. In the global section it applies to every client, so prefer restricting it to the Guacamole host with a Match Address block, and drop it once your libssh2 negotiates rsa-sha2.
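The scoped alternative to a global +ssh-rsa line, as an added example that is not part of the guide: a shell function that writes a drop-in for sshd_config.d keeping key-only logins global and limiting ssh-rsa to the Guacamole host's address. It assumes OpenSSH 8.5 or newer, an `Include /etc/ssh/sshd_config.d/*.conf` line at the top of sshd_config (the Arch default) and whatever Guacamole address you pass in; the ROOT argument only exists so the function can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the guide): instead of enabling ssh-rsa for every
# client in sshd_config, write a drop-in that keeps key-only logins global and
# limits the SHA-1 ssh-rsa signature algorithm to the Guacamole host.
# Assumptions: OpenSSH 8.5+ (PubkeyAcceptedAlgorithms) and an
# "Include /etc/ssh/sshd_config.d/*.conf" line in sshd_config, as on Arch.
# Usage: write_guacamole_sshd_dropin GUACAMOLE_IP [ROOT]
#   ROOT is prefixed to the path (for testing); it defaults to /.
write_guacamole_sshd_dropin() {
    guac_ip="$1"
    root="${2:-}"
    dir="$root/etc/ssh/sshd_config.d"
    mkdir -p "$dir"
    cat > "$dir/10-guacamole.conf" <<EOF
# Global: public-key only, no passwords.
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey

# Only the Guacamole host (whose libssh2 may lack rsa-sha2-*) gets SHA-1 ssh-rsa.
# Keep this Match block last: everything after a Match line belongs to it.
Match Address $guac_ip
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
    printf '%s\n' "$dir/10-guacamole.conf"
}

# Apply for real (as root): write the file, check that the complete sshd
# configuration still parses, and only then reload sshd.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    write_guacamole_sshd_dropin "$2"
    sshd -t && systemctl reload sshd
fi
```

Run it as `sh scoped-ssh-rsa.sh --apply <guacamole-ip>` on the target machine; `sshd -t` refuses to reload if the Match block conflicts with anything else in your configuration.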
                                            

                                            Fix RDP connection issues

                                            Note

                                            The Guacamole server (guacd) runs as the user daemon by default. FreeRDP, which guacd uses for RDP, keeps its settings and certificate data under the home directory of the user running guacd, and the daemon account has no writable home directory, which is a common reason for RDP connections failing while SSH and VNC work. Check which user guacd runs as:

                                            ps aux | grep -v grep | grep guacd
                                            

                                            Create a dedicated guacd system account with a writable home directory under /var/lib/guacd and use it to run guacd instead of the daemon user.

                                            useradd -M -d /var/lib/guacd/ -r -s /sbin/nologin -c "Guacd" guacd
                                            
                                            mkdir /var/lib/guacd
                                            
                                            chown -R guacd: /var/lib/guacd
                                            

                                            Change the guacd service user

                                            The unit below is the packaged one from /usr/lib/systemd/system/guacd.service with User=guacd added. Editing it in place works, but pacman overwrites that file on the next guacd upgrade; the systemd-supported way is a drop-in under /etc/systemd/system/guacd.service.d/ that carries only the User= line and is left alone by the package manager.

                                            /usr/lib/systemd/system/guacd.service

                                            [Unit]
                                            Description=Guacamole Server
                                            Documentation=man:guacd(8)
                                            After=network.target

                                            [Service]
                                            User=guacd
                                            ExecStart=/usr/bin/guacd -f
                                            Restart=on-abnormal

                                            [Install]
                                            WantedBy=multi-user.target


                                            Write protect the Guacamole service

                                            If you edited the packaged unit, the immutable attribute stops pacman from overwriting it, but it also makes the guacd package fail to upgrade until you clear the attribute again with chattr -i. A drop-in does not need this.

                                            chattr +i /usr/lib/systemd/system/guacd.service
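The drop-in approach, as an added example that is my own and not from the guide or the Guacamole project: the function writes /etc/systemd/system/guacd.service.d/override.conf with User=guacd and a few sandboxing directives. The directives are an assumption about what guacd needs (network, its home under /var/lib/guacd, temporary files); confirm them against the guacd log and `systemd-analyze security guacd` after the restart. The ROOT argument exists only so the function can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the guide): change the guacd service user with a
# systemd drop-in instead of editing the packaged unit in /usr/lib and making
# it immutable. The drop-in survives package upgrades, and pacman can still
# replace the vendor unit.
# Usage: write_guacd_dropin [ROOT]   ROOT is prefixed to the path (for testing).
write_guacd_dropin() {
    root="${1:-}"
    dir="$root/etc/systemd/system/guacd.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
# Run guacd as the dedicated guacd user created earlier (home /var/lib/guacd,
# which FreeRDP needs to be writable).
[Service]
User=guacd
# Sandboxing, under the assumption that guacd only needs the network,
# /var/lib/guacd and temporary files. Check the guacd log and
# `systemd-analyze security guacd` after restarting before relying on it.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
EOF
    printf '%s\n' "$dir/override.conf"
}

# Apply for real (as root): write the drop-in, reload units, restart guacd
# and confirm that the process owner changed from daemon to guacd.
if [ "${1:-}" = "--apply" ]; then
    write_guacd_dropin
    systemctl daemon-reload
    systemctl restart guacd
    ps -o user= -C guacd
fi
```

`systemctl cat guacd` afterwards shows the packaged unit followed by the drop-in, which is the state you want to see after every future guacd upgrade as well.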
                                            

                                            Andreas Bauer. All rights reserved.

                                            Cozy

                                            How to self host Cozy, a personal cloud and password manager




                                            Installation

                                            pacman -Syu opensmtpd erlang-nox freeglut cairo chafa ghostscript libheif libjxl libraw librsvg libwebp libwmf libxml2 libzip ocl-icd openexr openjpeg2 djvulibre pango imagemagick-doc nodejs nsjail
                                            

                                            Apache CouchDB NoSQL database

                                            /etc/couchdb/local.ini
                                            
                                            [admins]
                                            admin = plain-password
                                            
                                            [couchdb]
                                            single_node = true
                                            
                                            [chttpd]
                                            port = 5984
                                            bind_address = 0.0.0.0
                                            

                                            After CouchDB has been started for the first time, plain-password in [admins] is replaced on disk by its PBKDF2 hash; check local.ini to confirm that this happened before the file is copied or backed up anywhere.

                                            Tip

                                            bind_address = 0.0.0.0 makes the HTTP API, which is protected only by the admin password, reachable on every interface. Use it only if CouchDB really has to be reached from other nodes, and firewall port 5984 in that case; for a single-node Cozy host where both run on the same machine, 127.0.0.1 is enough and matches the loopback-only Erlang settings below.

                                            systemctl enable couchdb
                                            
                                            systemctl start couchdb
                                            

                                            Test to see if the service is running by running

                                            curl http://127.0.0.1:5984/
                                            

                                            You can now access the Fauxton admin interface by going to http://127.0.0.1:5984/_utils


                                            Increase the security of a single-node setup

                                            CouchDB's Erlang runtime also opens the port mapper daemon (epmd, 4369/tcp) and a distribution port, which are protected only by the Erlang cookie. Bind both to the loopback interface and point Cozy at CouchDB over loopback as well.

                                            mkdir -pv /etc/systemd/system/couchdb.service.d
                                            
                                            /etc/systemd/system/couchdb.service.d/10-bind-locally.conf
                                            
                                            [Service]
                                            Environment=ERL_EPMD_ADDRESS=127.0.0.1
                                            
                                            /etc/couchdb/vm.args
                                            
                                            -kernel inet_dist_use_interface {127,0,0,1}
                                            
                                            /etc/cozy/cozy.yml
                                            
                                            couchdb:
                                              url: http://admin:MYSECUREPASSWORD@127.0.0.1:5984/
                                            

                                            Register credentials

                                            Retrieve the correct node name. With -u admin and no password, curl prompts for it, so the password does not end up in your shell history:

                                            curl -u admin http://127.0.0.1:5984/_membership

                                            Set the admin password on that node through the configuration API. The new password in the request body is still visible in the process list and shell history while this runs, so do it from a trusted session:

                                            curl -u admin -X PUT http://127.0.0.1:5984/_node/"couchdb@127.0.0.1"/_config/admins/admin -d "\"MYSECUREPASSWORD\""
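As an added check that is not from the guide, Cozy or CouchDB: a POSIX shell audit that reads a local.ini and reports the two weaknesses discussed in the CouchDB sections above, an [admins] password that is still plaintext and a [chttpd] bind_address other than loopback. The `-pbkdf2` prefix is how CouchDB marks an admin entry it has already hashed. The two sample files the script writes are constructed here for illustration (the hash in the hardened one is made up).

```shell
#!/bin/sh
# Added example (not from the guide, Cozy or CouchDB): audit a CouchDB local.ini
# for an [admins] entry CouchDB has not yet hashed and a [chttpd] bind_address
# that listens beyond the loopback interface.
# Usage: audit_couchdb_ini FILE  -> one line per finding, return value = count

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

audit_couchdb_ini() {
    findings=0
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|';'*|'#'*) continue ;;                                    # blank or comment
            '['*']') section=$(printf '%s' "$line" | sed 's/^\[//; s/\]$//'); continue ;;
        esac
        key=$(trim "${line%%=*}")
        val=$(trim "${line#*=}")
        case "$section/$key" in
            admins/*)
                # CouchDB rewrites a plaintext admin password as
                # -pbkdf2-<hash>,<salt>,<iterations> on first start; anything
                # else means the plaintext is still on disk.
                case "$val" in
                    -pbkdf2*) ;;
                    *) echo "[admins] $key is still a plaintext password"
                       findings=$((findings + 1)) ;;
                esac ;;
            chttpd/bind_address)
                case "$val" in
                    127.0.0.1|::1|localhost) ;;
                    *) echo "[chttpd] bind_address = $val exposes the HTTP API beyond loopback"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$1"
    return "$findings"
}

# Constructed samples for the demo and tests (not real files): the guide's
# first-boot config, and a hardened one as CouchDB leaves it after first start.
write_sample_ini() {
    case "$1" in
        weak) cat > "$2" <<'EOF'
[admins]
admin = plain-password

[couchdb]
single_node = true

[chttpd]
port = 5984
bind_address = 0.0.0.0
EOF
        ;;
        hardened) cat > "$2" <<'EOF'
[admins]
; hash as written back by CouchDB (digest and salt are made up here)
admin = -pbkdf2-6f3b9b1e4d8c2a7f0e5d1c3b9a8f7e6d5c4b3a21,2e1d3c4b5a69788f,10

[couchdb]
single_node = true

[chttpd]
port = 5984
bind_address = 127.0.0.1
EOF
        ;;
    esac
}

if [ -n "${1:-}" ]; then
    audit_couchdb_ini "$1"          # audit a real file; exit code = number of findings
else
    for kind in weak hardened; do
        f=$(mktemp)
        write_sample_ini "$kind" "$f"
        n=0; audit_couchdb_ini "$f" || n=$?
        echo "$kind sample: $n finding(s)"
        rm -f "$f"
    done
fi
```

Run `sh audit-couchdb.sh /etc/couchdb/local.ini` after the first CouchDB start; a non-zero exit status means the plaintext password is still there or the API is bound to a routable address.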
                                            

                                            Configuring Cozy

                                            cp /usr/share/cozy/cozy.example.yaml /etc/cozy/cozy.yml
                                            
                                            /etc/cozy/cozy.yml
                                            
                                            # server host - flags: --host
                                            #host: 0.0.0.0
                                            host: 192.168.0.207
                                            
                                            # server port - flags: --port -p
                                            port: 8080
                                            
                                            # how to structure the subdomains for apps - flags: --subdomains
                                            # values:
                                            #  - nested, like https://<app>.<user>.<domain>/ (well suited for self-hosted with Let's Encrypt)
                                            #  - flat, like https://<user>-<app>.<domain>/ (easier when using wildcard TLS certificate)
                                            subdomains: nested
                                            
                                            # administration endpoint parameters. this endpoint should be protected
                                            admin:
                                              # server host - flags: --admin-host
                                              host: localhost
                                              # server port - flags: --admin-port
                                              port: 6060
                                              # secret file name containing the derived passphrase to access to the
                                              # administration endpoint. this secret file can be generated using the `cozy-
                                              # stack config passwd` command. this file should be located in the same path
                                              # as the configuration file.
                                              secret_filename: cozy-admin-passphrase
                                            
                                            # file system parameters
                                              # file system url - flags: --fs-url
                                              # default url is the directory relative to the binary: ./storage
                                            
                                              # url: file://localhost/var/lib/cozy
                                              # url: swift://openstack/?UserName={{ .Env.OS_USERNAME }}&Password={{ .Env.OS_PASSWORD }}&ProjectName={>
                                            
                                              # Swift FS can be used with advanced parameters to activate TLS properties.
                                              # For using swift with https, you must use the "swift+https" scheme.
                                              #
                                              # root_ca: /ca-certificates.pem
                                              # client_cert: /client_cert.pem
                                              # client_key: /client_key
                                              # pinned_key: 57c8ff33c9c0cfc3ef00e650a1cc910d7ee479a8bc509f6c9209a7c2a11399d6
                                              # insecure_skip_validation: true
                                              # can_query_info: true
                                              # default_layout: 2 # 1 for layout v2 and 2 for layout v3
                                            
                                              # auto_clean_trashed_after:
                                              #   context_a: 30D
                                              #   context_b: 3M
                                            
                                              # versioning:
                                              #   max_number_of_versions_to_keep: 20
                                              #   min_delay_between_two_versions: 15m
                                            fs:
                                              url: file:///var/lib/cozy
                                            
                                            # vault contains keyfiles informations
                                            # See https://docs.cozy.io/en/cozy-stack/cli/cozy-stack_config_gen-keys/
                                            # to generate the keys
                                            vault:
                                            # the path to the key used to encrypt credentials
                                              credentials_encryptor_key: /etc/cozy/vault.enc
                                            # the path to the key used to decrypt credentials
                                              credentials_decryptor_key: /etc/cozy/vault.dec
                                            
                                            # couchdb parameters
                                            couchdb:
                                              # CouchDB URL - flags: --couchdb-url
                                              # url: http://localhost:5984/
                                              url: http://admin:MYSECUREPASSWORD@127.0.0.1:5984
                                            
                                            # konnectors execution parameters for executing external processes.
                                            konnectors:
                                            # run connectors with node
                                            # cmd: /usr/share/cozy/konnector-node-run.sh
                                            # run connectors with nsjail
                                              cmd: /usr/share/cozy/konnector-nsjail-run.sh
                                            
                                            log:
                                              # logger level (debug, info, warning, panic, fatal) - flags: --log-level
                                              level: info
                                              # send logs to the local syslog - flags: --log-syslog
                                              syslog: false
                                            
                                            # Registries used for applications and konnectors
                                            registries:
                                              default:
                                              - https://apps-registry.cozycloud.cc/selfhosted
                                              - https://apps-registry.cozycloud.cc/banks
                                              - https://apps-registry.cozycloud.cc/
                                            

                                            Configuring Cozy admin password

                                            cozy-stack config passwd /etc/cozy/cozy-admin-passphrase
                                            
                                            chown cozy:cozy /etc/cozy/cozy-admin-passphrase
                                            
                                            chmod 600 /etc/cozy/cozy-admin-passphrase
                                            

                                            Creating vault keys

                                            cozy-stack config gen-keys /etc/cozy/vault
                                            
                                            chmod 700 /etc/cozy

                                            /etc/cozy must then be owned by the account cozy-stack runs as (cozy), otherwise the service can no longer read cozy.yml; if you prefer to keep the directory root-owned, use mode 750 with group cozy instead.
                                            
                                            chown cozy:cozy /etc/cozy/vault.dec
                                            
                                            chmod 600 /etc/cozy/vault.dec
                                            
                                            chown cozy:cozy /etc/cozy/vault.enc
                                            
                                            chmod 600 /etc/cozy/vault.enc
                                            

                                            Enable service

                                            systemctl enable cozy-stack
                                            
                                            systemctl start cozy-stack
                                            

                                            Creating an instance

                                            Add an instance. You will be prompted for the Cozy admin password; it can also be passed in the COZY_ADMIN_PASSWORD environment variable, which exposes it to anything that can read the process environment.

                                            cozy-stack instances add cozy.wildw1ng.com --apps home,settings,store


                                            You then need to visit https://<instance>.example.tld/?registerToken=<token>,
                                            which requires a reverse proxy in front of cozy-stack to have been set up.



                                            Zabbix

                                            How to self host Zabbix, an Enterprise-class open source network monitoring solution



                                            [Image: zabbix.gif]


                                            Install packages

                                            pacman -Syu zabbix-server zabbix-frontend-php mariadb apache php php-fpm php-apache php-gd fping traceroute
                                            

                                            Install MariaDB/MySQL system tables

                                            mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
                                            
                                            systemctl enable mariadb
                                            
                                            systemctl start mariadb
                                            

                                            Improve initial security with recommended security measures, such as removing anonymous accounts and removing the test database.

                                            mysql_secure_installation
                                            

                                            When prompted to “Switch to unix_socket authentication” enter n for No.

                                            Listen only on the loopback address

                                            /etc/my.cnf.d/server.cnf
                                            
                                            [mysqld]
                                            bind-address = localhost
                                            
                                            systemctl restart mariadb
                                            

                                            Database Initialization

                                            Zabbix 6.0 and later expect the database to be created with utf8mb4/utf8mb4_bin; the utf8/utf8_bin pair below is what Zabbix 5 used, so check the database requirements of the version you installed.

                                            mysql -v -u root -p -e "create database zabbix character set utf8 collate utf8_bin"
                                            
                                            mysql -v -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'MYPASSWORD'"
                                            
                                            mysql -v -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/schema.sql
                                            
                                            mysql -v -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/images.sql
                                            
                                            mysql -v -u zabbix -p -D zabbix < /usr/share/zabbix-server/mysql/data.sql
                                            

                                            Database Configuration

                                            /etc/zabbix/zabbix_server.conf
                                            
                                            DBName=zabbix
                                            DBUser=zabbix
                                            DBPassword=MYPASSWORD
                                            LogType=system
                                            

                                            Setup Apache HTTP Server

                                            Enable the proxy modules

                                            /etc/httpd/conf/httpd.conf


                                            uncomment LoadModule proxy_module modules/mod_proxy.so
                                            uncomment LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
                                            comment # LoadModule mpm_event_module modules/mod_mpm_event.so
                                            uncomment LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

                                            At the end of the LoadModule list
                                            add LoadModule php_module modules/libphp.so
                                            add AddHandler php-script .php

                                            At the end of the Include list
                                            add Include conf/extra/php_module.conf
                                            add Include conf/extra/php-fpm.conf

                                            This loads both mod_php (libphp.so, which is the reason the non-threaded prefork MPM has to replace event) and the php-fpm proxy. The php-fpm handler in the next file takes precedence for .php files, so if you serve Zabbix through php-fpm you can skip the mpm_prefork, libphp.so, AddHandler and php_module.conf lines and keep mpm_event.

                                            /etc/httpd/conf/extra/php-fpm.conf
                                            
                                            DirectoryIndex index.php index.html
                                            <FilesMatch \.php$>
                                                SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
                                            </FilesMatch>
                                            

                                            Symlink the Zabbix web application directory to your http document root

                                            ln -s /usr/share/webapps/zabbix /srv/http/zabbix
                                            

                                            Setup PHP

                                            List available php modules

                                            php -m
                                            
                                            display_errors = On is useful while the installation wizard runs, but it leaks file paths and query details to anyone who can trigger an error; set it back to Off (with log_errors = On) once the frontend works.

                                            /etc/php/php.ini
                                            
                                            date.timezone = Europe/Berlin
                                            display_errors = On
                                            open_basedir = /srv/http/:/var/www/:/home/:/tmp/:/var/tmp/:/var/cache/:/usr/share/pear/:/usr/share/webapps/:/etc/webapps/
                                            
                                            post_max_size = 16M
                                            max_execution_time = 300
                                            max_input_time = 300
                                            
                                            extension=bcmath
                                            extension=curl
                                            extension=gd
                                            extension=gettext
                                            extension=mysqli
                                            extension=sockets
                                            extension=zip
                                            

                                            Enable and start services

                                            systemctl enable php-fpm
                                            
                                            systemctl enable httpd
                                            
                                            systemctl enable zabbix-server-mysql
                                            

                                            Access Zabbix through your local web server at http://localhost/zabbix/,
                                            finish the installation wizard and log in for the first time.
                                            The default username is Admin with password zabbix; change it before anyone else can reach the frontend.


                                            Fix “[ERROR] Incorrect definition of table mysql.column_stats: expected column ‘histogram’”

                                            mysql_upgrade --user=root
                                            

                                            Setup client machines

                                            Install client

                                            pacman -Syu zabbix-agent2
                                            

                                            Configuration

                                            /etc/zabbix/zabbix_agent2.conf
                                            

                                            Set Server to the address of your monitoring server. It is an allow-list: only connections from these addresses (comma-separated IPs, hostnames or CIDR ranges) are accepted for passive checks, while ServerActive is where the agent sends its active checks.

                                            Server=archlinux-zabbix

                                            ServerActive=archlinux-zabbix

                                            Hostname=HOSTNAME


                                            Port 10050/tcp on the monitored host must be reachable from the Zabbix server; open it in the host's firewall for the server's address only, not for everyone.

                                            comment out # Include=./zabbix_agent2.d/plugins.d/*.conf


                                            Monitor Arch Linux clients for available system updates using a custom UserParameter

                                            checkupdates comes from the pacman-contrib package. In zabbix_agent2.conf, include a directory for local parameters:

                                            # Monitor Arch Linux system updates
                                            Include=/etc/zabbix/zabbix_agent2.conf.d/*.conf

                                            mkdir /etc/zabbix/zabbix_agent2.conf.d

                                            /etc/zabbix/zabbix_agent2.conf.d/archlinuxupdates.conf

                                            UserParameter=archlinuxupdates,checkupdates | wc -l

                                            Every UserParameter is a command the agent will run, so keep the directory and its files owned by root and merely readable by the agent. If the zabbix-agent user owned them, a compromise of the agent could add its own parameters and turn that into persistent command execution.

                                            chown -R root:zabbix-agent /etc/zabbix/zabbix_agent2.conf.d

                                            chmod 755 /etc/zabbix/zabbix_agent2.conf.d

                                            chmod 644 /etc/zabbix/zabbix_agent2.conf.d/archlinuxupdates.conf
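A more robust form of the update check, as an added example that is not from the guide or from Zabbix: `checkupdates | wc -l` reports 0 both when the host is fully patched and when checkupdates itself fails (mirror unreachable, database sync error), so a monitoring gap looks like a healthy host. The wrapper below tells the cases apart through checkupdates' exit codes (0 with one line per package, 2 for no updates, anything else for an error) and prints -1 on failure so a trigger can fire on a negative value. The CMD argument exists for testing with substitute commands, and the install path /usr/local/bin/archlinuxupdates used in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the guide or Zabbix): a UserParameter wrapper that
# distinguishes "no updates" from "checkupdates failed".
# checkupdates (pacman-contrib) exits 0 with one package per line when updates
# exist, 2 when there are none, and 1 (or 127 if missing) on error.
# Usage: count_updates [CMD]   CMD defaults to checkupdates; pass another
#        command to test the exit-code handling.
count_updates() {
    cmd="${1:-checkupdates}"
    rc=0
    out=$("$cmd" 2>/dev/null) || rc=$?
    case "$rc" in
        0)
            # Updates available: one per line. Guard the empty case anyway.
            if [ -z "$out" ]; then
                echo 0
            else
                printf '%s\n' "$out" | wc -l | tr -d ' '
            fi ;;
        2)
            # Fully patched.
            echo 0 ;;
        *)
            # Error sentinel: a trigger on a negative value catches broken checks
            # instead of letting them look like a patched host.
            echo -1 ;;
    esac
}

# When run as the UserParameter command, report the real count.
count_updates "$@"
```

Install it as /usr/local/bin/archlinuxupdates (mode 755, root-owned) and point the parameter at it: `UserParameter=archlinuxupdates,/usr/local/bin/archlinuxupdates`. A trigger on a value below 0 then alerts on failed checks, separately from the trigger on pending updates.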
                                            

                                            Monitor nVidia GPU

                                            The gpu.* parameters query GPU 0 (-i 0) through nvidia-smi. cpu.temp relies on lm_sensors and on a sensor labelled "CPU Temperature", which depends on your board, so check the sensors output first; cut -c 2-5 strips the leading + sign from the reading.

                                            /etc/zabbix/zabbix_agent2.conf.d/nvidiagpu.conf

                                            UserParameter=gpu.temp,nvidia-smi --query-gpu=temperature.gpu --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.memtotal,nvidia-smi --query-gpu=memory.total --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.used,nvidia-smi --query-gpu=memory.used --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.free,nvidia-smi --query-gpu=memory.free --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.fanspeed,nvidia-smi --query-gpu=fan.speed --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.utilisation,nvidia-smi --query-gpu=utilization.gpu --format=csv,noheader,nounits -i 0
                                            UserParameter=gpu.power,nvidia-smi --query-gpu=power.draw --format=csv,noheader,nounits -i 0
                                            UserParameter=cpu.temp,sensors | grep "CPU Temperature" | awk '{print $3}' | cut -c 2-5

                                            As above, keep the directory root-owned and readable by the agent:

                                            chown -R root:zabbix-agent /etc/zabbix/zabbix_agent2.conf.d
                                            

                                            Enable and start the zabbix-agent service

                                            systemctl enable zabbix-agent2
                                            
                                            systemctl start zabbix-agent2
                                            
                                            systemctl status zabbix-agent2
                                            


                                            Fail2ban

                                            How to protect your server from Brute-force attacks and prevent intrusions with Fail2ban




                                            Installation

                                            pacman -Syu firewalld fail2ban ipset
                                            

                                            Enable and start services

                                            systemctl enable firewalld
                                            
                                            systemctl start firewalld
                                            
                                            systemctl enable fail2ban
                                            
                                            systemctl start fail2ban
                                            

                                            Firewalld configuration

                                            Set the default zone

                                            firewall-cmd --set-default-zone=public
                                            

                                            Add an interface to a zone

                                            firewall-cmd --permanent --zone=public --add-interface=enp1s0
                                            

                                            Get active zones

                                            firewall-cmd --get-active-zones
                                            

                                            Get a list of all supported services

                                            firewall-cmd --get-services
                                            

                                            Enable firewalld services in a zone

                                            firewall-cmd --permanent --zone=public --add-service=ssh
                                            
                                            firewall-cmd --permanent --zone=public --add-service=http
                                            
                                            firewall-cmd --permanent --zone=public --add-service=https
                                            
                                            firewall-cmd --permanent --zone=public --add-service=zabbix-agent
                                            
                                            firewall-cmd --permanent --zone=public --add-service=smtp
                                            
                                            firewall-cmd --reload
                                            
                                            firewall-cmd --list-all
                                            
                                            firewall-cmd --state
                                            

                                            Fail2ban configuration

                                            Copy default fail2ban configuration from “jail.conf” to “jail.local”

                                            cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
                                            

                                            Set default values

                                            /etc/fail2ban/jail.local
                                            
                                            [DEFAULT]
                                            ignoreip = 127.0.0.1/8 10.0.0.0/22
                                            
                                            bantime  = 1w
                                            findtime  = 1d
                                            maxretry = 3
                                            
                                            backend = auto
                                            
                                            action = %(action_)s
                                            
                                            [recidive]
                                            
                                            enabled = true
                                            logpath  = /var/log/fail2ban/fail2ban.log  ; must match logtarget in fail2ban.local
                                            banaction = %(banaction_allports)s
                                            bantime = -1        ; permanent
                                            findtime = 1d
                                            maxretry = 6
                                            

                                            Setup jails

                                            /etc/fail2ban/jail.d/nginx.local
                                            
                                            [nginx-noscript]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-noscript
                                            logpath = /var/log/nginx/*access.log
                                            maxretry = 1
                                            bantime  = 86400
                                            
                                            [nginx-badbots]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-badbots
                                            logpath = /var/log/nginx/*access.log
                                            bantime = 86400
                                            maxretry = 1
                                            
                                            [nginx-nohome]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-nohome
                                            logpath = /var/log/nginx/*access.log
                                            bantime = 600
                                            maxretry = 2
                                            
                                            [nginx-noproxy]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-noproxy
                                            logpath  = /var/log/nginx/*access.log
                                            maxretry = 2
                                            bantime  = 86400
                                            
                                            [nginx-http-auth]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-http-auth
                                            logpath = /var/log/nginx/*error.log
                                            bantime = 600
                                            maxretry = 6
                                            
                                            [nginx-login]
                                            enabled = true
                                            port = http,https
                                            filter = nginx-login
                                            logpath  = /var/log/nginx/*access.log
                                            bantime = 600
                                            maxretry = 6
                                            
                                            [nginx-limit-req]
                                            enabled = true
                                            filter = nginx-limit-req
                                            port = http,https
                                            logpath = /var/log/nginx/*error.log
                                            bantime = 7200
                                            maxretry = 10
                                            

                                            Filter definitions

                                            /etc/fail2ban/filter.d/nginx-badbots.conf
                                            
                                            # Fail2Ban configuration file
                                            #
                                            # Regexp to catch known spambots and software alike. Please verify
                                            # that it is your intent to block IPs which were driven by
                                            # above mentioned bots.
                                            
                                            
                                            [Definition]
                                            
                                            badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
                                            badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
                                            
                                            failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
                                            
                                            ignoreregex =
                                            
                                            datepattern = ^[^\[]*\[({DATE})
                                                          {^LN-BEG}
                                            
                                            # DEV Notes:
                                            # List of bad bots fetched from http://www.user-agents.org
                                            # Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
                                            #
                                            # Author: Yaroslav Halchenko
                                            

                                            /etc/fail2ban/filter.d/nginx-http-auth.conf
                                            
                                            # fail2ban filter configuration for nginx
                                            
                                            
                                            [Definition]
                                            
                                            
                                            failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
                                                        ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
                                            ignoreregex = 
                                            
                                            datepattern = {^LN-BEG}
                                            
                                            # DEV NOTES:
                                            # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
                                            # Extensive search of all nginx auth failures not done yet.
                                            # 
                                            # Author: Daniel Black
                                            

                                            /etc/fail2ban/filter.d/nginx-limit-req.conf
                                            
                                            # Fail2ban filter configuration for nginx :: limit_req
                                            # used to ban hosts, that were failed through nginx by limit request processing rate 
                                            #
                                            # Author: Serg G. Brester (sebres)
                                            #
                                            # To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
                                            # and define `limit_req` and `limit_req_zone` as described in nginx documentation
                                            # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
                                            #
                                            # Example:
                                            #
                                            #   http {
                                            #     ...
                                            #     limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
                                            #     ...
                                            #     # http, server, or location:
                                            #     location ... {
                                            #       limit_req zone=lr_zone burst=1 nodelay;
                                            #       ...
                                            #     }
                                            #     ...
                                            #   }
                                            #   ...
                                            #
                                            
                                            [Definition]
                                            
                                            # Specify following expression to define exact zones, if you want to ban IPs limited 
                                            # from specified zones only.
                                            # Example:
                                            #
                                            #   ngx_limit_req_zones = lr_zone|lr_zone2
                                            #
                                            ngx_limit_req_zones = [^"]+
                                            
                                            # Use following full expression if you should range limit request to specified 
                                            # servers, requests, referrers etc. only :
                                            #
                                            # failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
                                            
                                            # Shortly, much faster and stable version of regexp:
                                            failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
                                            
                                            ignoreregex = 
                                            
                                            datepattern = {^LN-BEG}
                                            

                                            /etc/fail2ban/filter.d/nginx-login.conf
                                            
                                            # Login filter /etc/fail2ban/filter.d/nginx-login.conf: Blocks IPs that fail to 
                                            # authenticate using web application's log in page
                                            #
                                            # Scan access log for HTTP 200 + POST /sessions => failed log in
                                            [Definition]
                                            failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
                                            ignoreregex =
                                            

                                            /etc/fail2ban/filter.d/nginx-nohome.conf
                                            
                                            [Definition]
                                            
                                            failregex = ^<HOST> -.*GET .*/~.*
                                            
                                            maxlines = 1
                                            
                                            ignoreregex =
                                            

                                            /etc/fail2ban/filter.d/nginx-noproxy.conf
                                            
                                            [Definition]
                                            failregex = ^<HOST> -.*GET http.*
                                            ignoreregex =
                                            

                                            /etc/fail2ban/filter.d/nginx-noscript.conf
                                            
                                            # Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
                                            # Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
                                            # Matches e.g.
                                            # 192.168.1.1 - - "GET /something.php
                                            [Definition]
                                            
                                            failregex = ^<HOST> -.*"GET .*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)[ /\?].*" .*$
                                            
                                            ignoreregex = ^<HOST> -.*GET.*(/zabbix.php|/jsLoader.php|https://app.plex.tv/)
                                            

                                            Set permissions

                                            chmod 644 /etc/fail2ban/filter.d/nginx-*
                                            
                                            systemctl restart fail2ban
                                            
                                            fail2ban-client status
                                            
                                            fail2ban-client banned
                                            
                                            firewall-cmd --list-rich-rules
                                            
                                            fail2ban-client get nginx-badbots actions
                                            
                                            fail2ban-client unban IPADDRESS
                                            

                                            /etc/fail2ban/jail.d/00-firewalld.local
                                            
                                            [DEFAULT]
                                            banaction = firewallcmd-ipset
                                            

                                            Service hardening

                                            Currently, Fail2ban must be run as root. Therefore, you may wish to consider hardening the process with systemd.

                                            /etc/systemd/system/fail2ban.service.d/override.conf
                                            
                                            [Service]
                                            PrivateDevices=yes
                                            PrivateTmp=yes
                                            ProtectHome=read-only
                                            ProtectSystem=strict
                                            ReadWritePaths=-/var/run/fail2ban
                                            ReadWritePaths=-/var/lib/fail2ban
                                            ReadWritePaths=-/var/log/fail2ban
                                            ReadWritePaths=-/var/spool/postfix/maildrop
                                            ReadWritePaths=-/run/xtables.lock
                                            CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
                                            

                                            The CapabilityBoundingSet entry CAP_DAC_READ_SEARCH gives Fail2ban full read access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to operate any firewall that has a command-line interface. With ProtectSystem=strict the whole filesystem hierarchy is mounted read-only for the service, and ReadWritePaths grants write access only to the paths Fail2ban requires.

                                            Create /etc/fail2ban/fail2ban.local with the correct logtarget path

                                            /etc/fail2ban/fail2ban.local
                                            
                                            [Definition]
                                            logtarget = /var/log/fail2ban/fail2ban.log
                                            

                                            Create the /var/log/fail2ban/ directory as root.

                                            mkdir /var/log/fail2ban/
                                            

                                            Reload the systemd daemon to apply the unit changes and restart fail2ban.service.


                                            Debug filter

                                            fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf
                                            
                                            fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-limit-req.conf
                                            
                                            fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-noscript.conf
                                            
                                            fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-badbots.conf
                                            
                                            fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nohome.conf
                                            
                                            fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-noproxy.conf
                                            
                                            fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-login.conf
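
As an added example (not from this page or from fail2ban itself), the following Python script replays the filter definitions above and the fail2ban-regex checks against constructed nginx log lines, so the regexes can be exercised without a live server. The `<HOST>` expansion and the timestamp removal are simplified approximations of what fail2ban does internally, and the sample lines use RFC 5737 documentation addresses.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 or IPv6 literal
# (the real expansion also accepts hostnames).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{3,39})"

# failregex / ignoreregex values copied from the filter definitions above;
# nginx-limit-req has its default ngx_limit_req_zones ([^"]+) substituted.
FILTERS = {
    # name: (log type, failregex list, ignoreregex list)
    "nginx-noscript": ("access",
        [r'^<HOST> -.*"GET .*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)[ /\?].*" .*$'],
        [r"^<HOST> -.*GET.*(/zabbix.php|/jsLoader.php|https://app.plex.tv/)"]),
    "nginx-nohome": ("access", [r"^<HOST> -.*GET .*/~.*"], []),
    "nginx-noproxy": ("access", [r"^<HOST> -.*GET http.*"], []),
    "nginx-login": ("access", [r'^<HOST> -.*POST /sessions HTTP/1\.." 200'], []),
    "nginx-http-auth": ("error", [
        r'^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$',
        r'^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$',
    ], []),
    "nginx-limit-req": ("error",
        [r'^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:[^"]+)", client: <HOST>,'], []),
}

# fail2ban cuts the detected timestamp out of the line before matching. These
# approximate that for the default nginx access and error log formats; note the
# error-log line is left starting with a space, hence the upstream "^ \[error\]".
ACCESS_DATE = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
ERROR_DATE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def strip_date(line, log):
    """Remove the timestamp the way fail2ban does for the given log type."""
    pattern = ACCESS_DATE if log == "access" else ERROR_DATE
    return pattern.sub("", line, count=1)


def match_filter(name, line):
    """Return the offending host for one log line, or None when no failregex
    matches or an ignoreregex matches (an ignoreregex hit wins, as in fail2ban)."""
    log, fail, ignore = FILTERS[name]
    text = strip_date(line, log)
    if any(re.search(p.replace("<HOST>", HOST_RE), text) for p in ignore):
        return None
    for p in fail:
        m = re.search(p.replace("<HOST>", HOST_RE), text)
        if m:
            return m.group("host")
    return None


def scan(name, lines):
    """Count matches per host: the number fail2ban compares against maxretry."""
    counts = {}
    for line in lines:
        host = match_filter(name, line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
ACCESS_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:15:32 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Mar/2024:10:15:33 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Mar/2024:10:16:01 +0000] "GET /~admin/ HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.7 - - [05/Mar/2024:10:16:02 +0000] "GET http://example.org/ HTTP/1.1" 400 0 "-" "-"',
    '192.0.2.44 - - [05/Mar/2024:10:17:00 +0000] "POST /sessions HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Mar/2024:10:17:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
ERROR_LOG = [
    '2024/03/05 10:18:00 [error] 1234#1234: *77 user "admin": password mismatch, client: 203.0.113.10, server: example.com, request: "GET /private/ HTTP/1.1", host: "example.com"',
    '2024/03/05 10:18:01 [error] 1234#1234: *78 no user/password was provided for basic authentication, client: 203.0.113.10, server: example.com, request: "GET /private/ HTTP/1.1", host: "example.com"',
    '2024/03/05 10:19:30 [error] 1234#1234: *80 limiting requests, excess: 1.500 by zone "lr_zone", client: 198.51.100.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"',
    '2024/03/05 10:19:31 [notice] 1234#1234: signal process started',
]

if __name__ == "__main__":
    for name, (log, _, _) in FILTERS.items():
        lines = ACCESS_LOG if log == "access" else ERROR_LOG
        print(f"{name:16} {scan(name, lines)}")
```

The second access-log line shows the ignoreregex at work: it matches the noscript failregex but is dropped because /zabbix.php is whitelisted, which is exactly the case fail2ban-regex reports under "Ignoreregex".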
                                            

                                            Check status

                                            fail2ban-client status
                                            
                                            fail2ban-client banned
                                            
                                            cat /var/log/fail2ban/fail2ban.log
                                            
                                            tail -f /var/log/fail2ban/fail2ban.log
                                            

                                            Manually ban IP

                                            fail2ban-client -vvv set recidive banip 83.97.73.87
                                            
                                            fail2ban-client status recidive
                                            

                                            Manually unban IP

                                            fail2ban-client banned
                                            
                                            fail2ban-client unban 192.168.0.100
                                            


                                            Hugo

                                            How to build a static website with Hugo




                                            Generate a static website with Hugo

                                            pacman -Syu hugo
                                            
                                            hugo new site wildw1ng.com
                                            
                                            cd wildw1ng.com
                                            

                                            Download a theme

                                            git init
                                            
                                            git submodule add https://github.com/McShelby/hugo-theme-relearn.git themes/relearn
                                            
                                            hugo new _index.md
                                            
                                            hugo new --kind chapter arch/_index.md
                                            
                                            hugo new arch/installation.md
                                            

                                            Preview the website

                                            hugo server
                                            

                                            http://localhost:1313


                                            Build the website

                                            hugo -D
                                            

                                            A public folder will be generated, containing all static content and assets for your website which can now be deployed on any web server.


                                            Deploy the website

                                            ~/bin/publish
                                            
                                            #!/bin/bash
                                            echo 'Build static site' &&
                                            hugo -D -s ~/sites/wildw1ng.com/ &&
                                            echo 'Change the owner to user' &&
                                            ssh archlinux-nginx 'sudo chown -R wildw1ng:users /srv/http/wildw1ng.com' &&
                                            echo 'Delete old website data' &&
                                            ssh archlinux-nginx 'rm -rfv /srv/http/wildw1ng.com/*' &&
                                            echo 'Upload new website data' &&
                                            rsync -ra --info=progress2 ~/sites/wildw1ng.com/public/ archlinux-nginx:/srv/http/wildw1ng.com &&
                                            echo 'Change the owner to root' &&
                                            ssh archlinux-nginx 'sudo chown -R root:root /srv/http/wildw1ng.com' &&
                                            echo 'Show new website files' &&
                                            ssh archlinux-nginx 'ls -la /srv/http/wildw1ng.com'
                                            
                                            chmod 700 ~/bin/publish
                                            


                                            Let’s Encrypt

                                            How to automatically renew Let’s Encrypt wildcard certificates with Certbot




                                            IONOS API

                                            Getting Started with the IONOS APIs

                                            Look up your API key


                                            IONOS authentication hook

                                            Certbot runs this hook before validation to create the DNS record.
                                            It writes a temporary file containing a JSON payload with the DNS record data,
                                            then uses curl to send a PUT request to the IONOS API that creates the record.

                                            /home/wildw1ng/bin/ionos-auth-hook
                                            
                                            #!/bin/bash
                                            # IONOS API credentials (replace with your own)
                                            IONOS_PUBLICPREFIX="YOUR_API_KEY"
                                            IONOS_SECRET="YOUR_API_SECRET"
                                            
                                            # certbot exports the validation token and the domain as environment variables
                                            echo "{ \"data\": \"$CERTBOT_VALIDATION\" }" > /tmp/ionos_payload.json
                                            curl -s -X PUT -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n "$IONOS_PUBLICPREFIX:$IONOS_SECRET" | base64 -w 0)" -d @/tmp/ionos_payload.json "https://api.hosting.ionos.com/dns/v1/zones/$CERTBOT_DOMAIN." -o /dev/null
                                            
                                            chmod +x /home/wildw1ng/bin/ionos-auth-hook
                                            

                                            IONOS cleanup hook

                                            Certbot runs this hook after validation to remove the DNS record.
                                            It writes a temporary file containing a JSON payload with the DNS record data,
                                            then uses curl to send a DELETE request to the IONOS API that deletes the record.

                                            /home/wildw1ng/bin/ionos-cleanup-hook
                                            
                                            #!/bin/bash
                                            # IONOS API credentials (replace with your own)
                                            IONOS_PUBLICPREFIX="YOUR_API_KEY"
                                            IONOS_SECRET="YOUR_API_SECRET"
                                            
                                            # certbot exports the validation token and the domain as environment variables
                                            echo "{ \"data\": \"$CERTBOT_VALIDATION\" }" > /tmp/ionos_payload.json
                                            curl -s -X DELETE -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n "$IONOS_PUBLICPREFIX:$IONOS_SECRET" | base64 -w 0)" -d @/tmp/ionos_payload.json "https://api.hosting.ionos.com/dns/v1/zones/$CERTBOT_DOMAIN." -o /dev/null
                                            
                                            chmod +x /home/wildw1ng/bin/ionos-cleanup-hook
                                            

                                            Note

                                            Make sure to replace YOUR_API_KEY and YOUR_API_SECRET with your actual IONOS API credentials.


                                            Renew Let’s Encrypt certificates with Certbot

                                            /home/wildw1ng/bin/wildcard-renewal
                                            
                                            #!/bin/bash
                                            # Domain to renew
                                            DOMAIN="wildw1ng.com"
                                            
                                            # Check if certbot is installed
                                            if ! command -v certbot &> /dev/null
                                            then
                                                echo "Certbot could not be found. Please install it first." >&2
                                                exit 1
                                            fi

                                            # Renew wildcard certificate with the DNS-01 challenge, using the IONOS hooks above
                                            sudo certbot certonly \
                                                --non-interactive \
                                                --no-eff-email \
                                                --agree-tos \
                                                --staple-ocsp \
                                                --manual \
                                                --preferred-challenges=dns \
                                                --manual-auth-hook /home/wildw1ng/bin/ionos-auth-hook \
                                                --manual-cleanup-hook /home/wildw1ng/bin/ionos-cleanup-hook \
                                                -d "$DOMAIN" \
                                                -d "*.$DOMAIN" \
                                                -d "*.cozy.$DOMAIN"
                                            
                                            chmod +x /home/wildw1ng/bin/wildcard-renewal
                                            

                                            Service and timer for automatic renewal

                                            /etc/systemd/system/certbot.service
                                            
                                            [Unit]
                                            Description=Let's Encrypt renewal
                                            
                                            [Service]
                                            Type=oneshot
                                            ExecStart=/home/wildw1ng/bin/wildcard-renewal
                                            

                                            /etc/systemd/system/certbot.timer
                                            
                                            [Unit]
                                            Description=Twice daily renewal of Let's Encrypt's certificates
                                            
                                            [Timer]
                                            OnCalendar=0/12:00:00
                                            RandomizedDelaySec=1h
                                            Persistent=true
                                            
                                            [Install]
                                            WantedBy=timers.target
                                            

                                            Enable renewal service

                                            systemctl enable certbot.timer
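To confirm that the timer really keeps the certificates fresh, the following added example (not part of the original guide) inspects every certificate below /etc/letsencrypt/live with `openssl x509 -checkend` and exits non-zero when one is closer to expiry than a threshold, which is what you would wire into monitoring; with `--check` it also prints the timer's last and next run. The LIVE_DIR and THRESHOLD_DAYS variables and the 20 day default are assumptions; certbot itself attempts renewal 30 days before expiry, so a certificate below that is a sign the timer or the hooks failed.

```shell
#!/bin/bash
# Added example, not part of the original guide: report certificates below
# LIVE_DIR that expire within THRESHOLD_DAYS, to verify that the renewal timer
# works (certbot renews 30 days before expiry, so alert below that).
# Needs openssl. Usage: ./check-certs --check

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-20}"   # assumed default

# Return 0 if PEM_FILE expires within SECONDS, 1 if it is valid for longer,
# 2 if the file cannot be parsed as a certificate.
cert_expires_within() {
    local pem_file="$1" seconds="$2"
    openssl x509 -noout -in "$pem_file" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid SECONDS from now
    if openssl x509 -noout -checkend "$seconds" -in "$pem_file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date of PEM_FILE.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Check every */fullchain.pem below LIVE_DIR. Returns 1 if any certificate is
# expiring or unreadable, 0 otherwise.
check_live_certs() {
    local status=0 pem rc
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$pem" ] || continue
        cert_expires_within "$pem" $((THRESHOLD_DAYS * 86400)) && rc=0 || rc=$?
        case "$rc" in
            0) echo "EXPIRING $pem (notAfter $(cert_not_after "$pem"))"; status=1 ;;
            1) echo "ok       $pem (notAfter $(cert_not_after "$pem"))" ;;
            *) echo "ERROR    $pem cannot be read" >&2; status=1 ;;
        esac
    done
    return "$status"
}

if [ "${1:-}" = "--check" ]; then
    check_live_certs
    # Last and next run of the timer defined above
    systemctl list-timers certbot.timer --no-pager
fi
```

Run it as root (the private-key directory is not world readable) or point LIVE_DIR at a copy of the fullchain files; `journalctl -u certbot.service` shows the hook output when a run reported EXPIRING.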
                                            

                                            Andreas Bauer. All rights reserved.

                                            NGINX

                                            How to self host an NGINX HTTP server and reverse proxy




                                            Installation

                                            pacman -Syu nginx-mainline certbot certbot-nginx
                                            

                                            Configuration

                                            /etc/nginx/nginx.conf
                                            
                                            user http;
                                            worker_processes auto;
                                            worker_cpu_affinity auto;
                                            
                                            #error_log  logs/error.log;
                                            #error_log  logs/error.log  notice;
                                            #error_log  logs/error.log  info;
                                            
                                            #pid        logs/nginx.pid;
                                            
                                            
                                            events {
                                                multi_accept on;
                                                worker_connections  1024;
                                            }
                                            
                                            
                                            http {
                                                charset utf-8;
                                                sendfile on;
                                                tcp_nopush on;
                                                tcp_nodelay on;
                                                server_tokens off;
                                                log_not_found off;
                                                types_hash_max_size 4096;
                                                client_max_body_size 32M;
                                            
                                                # Excessive requests within the burst limit will be served immediately regardless of the specified rate,
                                                # requests above the burst limit will be rejected with the 503 error.
                                                # limit_req_zone $binary_remote_addr zone=one:20m rate=5r/s;
                                                # limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
                                            
                                                # MIME
                                                include       mime.types;
                                                default_type  application/octet-stream;
                                            
                                                #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                                #                  '$status $body_bytes_sent "$http_referer" '
                                                #                  '"$http_user_agent" "$http_x_forwarded_for"';
                                                
                                                # logging
                                                access_log /var/log/nginx/access.log;
                                                error_log /var/log/nginx/error.log warn;
                                                #access_log  logs/access.log  main;
                                                
                                                # load configs
                                                include /etc/nginx/conf.d/*.conf;
                                                include /etc/nginx/sites-enabled/*;
                                            
                                                #keepalive_timeout  0;
                                                keepalive_timeout  65;
                                            
                                                gzip  on;
                                                gzip_vary on;
                                                gzip_min_length 10240;
                                                gzip_proxied expired no-cache no-store private auth;
                                                gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
                                                gzip_disable "MSIE [1-6]\.";
                                            }
                                            
                                            
                                            include /etc/nginx/passthrough.conf;
                                            

                                            Managing server entries

                                            Put different server blocks in different files.
                                            This allows you to easily enable or disable certain sites.

                                            Server block configuration files

                                            mkdir /etc/nginx/sites-available
                                            

                                            Symlinks to enable sites

                                            mkdir /etc/nginx/sites-enabled
                                            

                                            Enable HTTP server

                                            systemctl enable nginx
                                            

                                            Configure SSL

                                            /etc/letsencrypt/options-ssl-nginx.conf
                                            
                                            ssl_session_cache shared:le_nginx_SSL:10m;
                                            ssl_session_timeout 1440m;
                                            ssl_session_tickets off;
                                            
                                            ssl_protocols TLSv1.3;
                                            ssl_prefer_server_ciphers off;
                                            


                                            Website server block

                                            How to set up a server block for your website




                                            Server block configuration

                                            /etc/nginx/sites-available/lnxsrv.org.conf
                                            
                                            server {
                                                listen 443 ssl;
                                                http2  on;

                                            #   listen [::]:443 ssl http2;

                                                server_name lnxsrv.org;

                                                # Plain HTTP requests are redirected to HTTPS by the port 80 server block below

                                                error_log   /var/log/nginx/lnxsrv.org.error.log;
                                                access_log  /var/log/nginx/lnxsrv.org.access.log;

                                                # How long Nginx waits between writes of the client body
                                                # client_body_timeout 10s;
                                                # How long Nginx waits between writes of the client header
                                                # client_header_timeout 10s;

                                                location / {
                                                    root   /srv/http/lnxsrv.org;
                                                    index  index.html index.htm;
                                                    # limit_req zone=one burst=60 nodelay;
                                                }

                                                error_page   500 502 503 504  /50x.html;
                                                location = /50x.html {
                                                    root   /usr/share/nginx/html;
                                                }

                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/lnxsrv.org/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/lnxsrv.org/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;

                                                # Cache-control Directive Header
                                                #add_header Surrogate-Control "public, no-transform, no-cache, max-age=86400";
                                                expires 1d;
                                                add_header Cache-Control "public, no-transform";

                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;

                                                # Content Security Policy (CSP) Header
                                                # add_header Content-Security-Policy "default-src 'self';" always;

                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;

                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;

                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/lnxsrv.org/chain.pem; # managed by Certbot

                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }

                                            server {
                                                if ($host = lnxsrv.org) {
                                                    return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                            #   listen  [::]:80;
                                                server_name  lnxsrv.org;
                                                return 404; # managed by Certbot
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/lnxsrv.org.conf /etc/nginx/sites-enabled/lnxsrv.org.conf
                                            

                                            Check nginx configuration file syntax

                                            nginx -t
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                            Disable site

                                            unlink /etc/nginx/sites-enabled/lnxsrv.org.conf
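Once the site is enabled, the following added example (not part of the original guide) checks the deployed server block from a client's point of view: the http:// request must answer with a redirect to https://, and the https:// response must carry the HSTS, X-Content-Type-Options and X-Frame-Options headers the block adds, with an HSTS max-age of at least one year. The host name is passed as the only argument; the function names are assumptions, and the parsing functions work on raw header text so they can be exercised without a server.

```shell
#!/bin/bash
# Added example, not part of the original guide: check a deployed site from the
# outside. http:// must redirect to https://, and the https:// response must carry
# the security headers set in the server block. Usage: ./check-site lnxsrv.org

REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options"

# Lower-case RAW response headers and strip carriage returns for parsing.
normalize() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '\r'
}

# Print the required headers that are missing from RAW (output of `curl -sI`);
# prints nothing when all are present.
missing_headers() {
    local lower name
    lower=$(normalize "$1")
    for name in $REQUIRED_HEADERS; do
        printf '%s\n' "$lower" | grep -q "^$name:" || echo "$name"
    done
}

# Return 0 if RAW is a 301/308 redirect whose Location is an https:// URL.
is_https_redirect() {
    local lower first
    lower=$(normalize "$1")
    first=$(printf '%s\n' "$lower" | head -n 1)
    case "$first" in
        "http/"*" 301"*|"http/"*" 308"*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$lower" | grep -q '^location: https://'
}

# Return 0 if the HSTS max-age in RAW is at least MIN seconds (default: one year).
hsts_max_age_ok() {
    local min="${2:-31536000}" age
    age=$(normalize "$1" | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Fetch both variants of the site and report each check; returns 1 on any failure.
check_site() {
    local host="$1" http_hdrs https_hdrs missing rc=0
    http_hdrs=$(curl -sI --max-time 10 "http://$host/")
    https_hdrs=$(curl -sI --max-time 10 "https://$host/")
    if is_https_redirect "$http_hdrs"; then
        echo "ok   http://$host/ redirects to https://"
    else
        echo "FAIL http://$host/ does not redirect to https://"; rc=1
    fi
    missing=$(missing_headers "$https_hdrs")
    if [ -z "$missing" ]; then
        echo "ok   security headers present"
    else
        echo "FAIL missing headers:" $missing; rc=1
    fi
    if hsts_max_age_ok "$https_hdrs"; then
        echo "ok   HSTS max-age is at least one year"
    else
        echo "FAIL HSTS max-age below one year or absent"; rc=1
    fi
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

A missing header usually means an `add_header` was placed in a location block that has its own `add_header` (nginx then ignores the ones inherited from the server block), so the check is worth re-running after every change to a server block.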
                                            


                                            Cozy reverse proxy

                                            How to set up a reverse proxy for Cozy




                                            Server block configuration

                                            /etc/nginx/sites-available/cozy.wildw1ng.com.conf
                                            
                                            server {
                                                listen 443 ssl;
                                                http2  on;

                                            #   listen [::]:443 ssl http2;

                                                # Matches cozy.wildw1ng.com and every name below it
                                                server_name .cozy.wildw1ng.com;

                                                # Plain HTTP requests are redirected to HTTPS by the port 80 server block below

                                                error_log   /var/log/nginx/cozy.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/cozy.wildw1ng.com.access.log;

                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;

                                                # Limit max upload size
                                                client_max_body_size 1g;

                                                location / {
                                                    # IP address of cozy server
                                                    proxy_pass         http://10.0.1.15:8080;
                                                    proxy_http_version 1.1;
                                                    proxy_redirect     http:// https://;
                                                    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    proxy_set_header   Host $http_host;
                                                    # Pass WebSocket upgrades through by forwarding the client's own Upgrade and
                                                    # Connection headers (a literal "connection_upgrade" value breaks the upgrade)
                                                    proxy_set_header   Upgrade $http_upgrade;
                                                    proxy_set_header   Connection $http_connection;
                                                }

                                                error_page   500 502 503 504  /50x.html;
                                                location = /50x.html {
                                                    root   /usr/share/nginx/html;
                                                }

                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;

                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;

                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;

                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/wildw1ng.com/chain.pem; # managed by Certbot

                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }

                                            server {
                                                # $host never starts with a dot, so match the name and its subdomains with a regex
                                                if ($host ~* "(^|\.)cozy\.wildw1ng\.com$") {
                                                    return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                            #   listen  [::]:80;
                                                server_name  .cozy.wildw1ng.com;
                                                return 404; # managed by Certbot
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/cozy.wildw1ng.com.conf /etc/nginx/sites-enabled/cozy.wildw1ng.com.conf
                                            

                                            Check nginx configuration file syntax

                                            nginx -t
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                            Disable site

                                            unlink /etc/nginx/sites-enabled/cozy.wildw1ng.com.conf
                                            


                                            Guacamole reverse proxy

                                            How to set up a reverse proxy for Guacamole




                                            Server block configuration

                                            /etc/nginx/sites-available/guac.wildw1ng.com.conf
                                            
                                            server {
                                                listen 443 ssl;
                                                http2  on;

                                            #   listen [::]:443 ssl http2;

                                                server_name guac.wildw1ng.com;

                                                # Plain HTTP requests are redirected to HTTPS by the port 80 server block below

                                                error_log   /var/log/nginx/guac.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/guac.wildw1ng.com.access.log;

                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;

                                                location / {
                                                    # IP address of guacamole server; the trailing path maps / to /guacamole/
                                                    proxy_pass         http://10.0.1.12:8080/guacamole/;
                                                    proxy_buffering    off;
                                                    proxy_http_version 1.1;
                                                    # Forward the client's Upgrade and Connection headers so the WebSocket tunnel
                                                    # works; a fixed "keep-alive" value forces the slower HTTP tunnel fallback
                                                    proxy_set_header   Upgrade $http_upgrade;
                                                    proxy_set_header   Connection $http_connection;
                                                    proxy_set_header   Host $host;
                                                    proxy_cache_bypass $http_upgrade;
                                                    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    proxy_set_header   X-Forwarded-Proto $scheme;
                                                    # Guacamole sets its cookies for /guacamole/; rewrite the path to the proxied root
                                                    proxy_cookie_path  /guacamole/ /;
                                                }

                                                error_page   500 502 503 504  /50x.html;
                                                location = /50x.html {
                                                    root   /usr/share/nginx/html;
                                                }

                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;

                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;

                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;

                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/wildw1ng.com/chain.pem; # managed by Certbot

                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }

                                            server {
                                                if ($host = guac.wildw1ng.com) {
                                                    return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                            #   listen  [::]:80;
                                                server_name  guac.wildw1ng.com;
                                                return 404; # managed by Certbot
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/guac.wildw1ng.com.conf /etc/nginx/sites-enabled/guac.wildw1ng.com.conf
                                            

                                            Check nginx configuration file syntax

                                            nginx -t
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                            Disable site

                                            unlink /etc/nginx/sites-enabled/guac.wildw1ng.com.conf
                                            


                                            Plex reverse proxy

                                            How to set up a reverse proxy for Plex




                                            Server block configuration

                                            /etc/nginx/sites-available/plex.wildw1ng.com.conf
                                            
                                            server {
                                                listen 443 ssl;
                                                http2  on;

                                            #   listen [::]:443 ssl http2;

                                                server_name plex.wildw1ng.com;

                                                # Plain HTTP requests are redirected to HTTPS by the port 80 server block below

                                                error_log   /var/log/nginx/plex.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/plex.wildw1ng.com.access.log;

                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;

                                                location / {
                                                    # IP address of Plex Media Server
                                                    proxy_pass          http://10.0.1.11:32400;
                                                    proxy_buffering     off;
                                                    proxy_redirect      off;
                                                    proxy_http_version  1.1;
                                                    proxy_set_header    X-Real-IP       $remote_addr;
                                                    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    proxy_set_header    Upgrade         $http_upgrade;
                                                    proxy_set_header    Connection      $http_connection;
                                                    proxy_cookie_path   /web/           /;
                                                    # access_log          off;
                                                }

                                                error_page   500 502 503 504  /50x.html;
                                                location = /50x.html {
                                                    root   /usr/share/nginx/html;
                                                }

                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;

                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;

                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;

                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/wildw1ng.com/chain.pem; # managed by Certbot

                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }
                                            
                                            server {
                                                 if ($host = plex.wildw1ng.com) {
                                                 return 301 https://$host$request_uri;
                                                 } # managed by Certbot
                                                 listen       80;
                                             #   listen  [::]:80;
                                                 server_name  plex.wildw1ng.com;
                                                 return 404; # managed by Certbot
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/plex.wildw1ng.com.conf /etc/nginx/sites-enabled/plex.wildw1ng.com.conf
                                            

                                            Check nginx configuration file syntax

                                            nginx -t
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                            Configuring the Plex Media Server

                                            Browse to http://localhost:32400/web/

                                            Settings > Network

                                             Within the field Custom Server Access URLs add http://plex.wildw1ng.com:80,https://plex.wildw1ng.com:443

                                             Also make sure to change the Secure Connections setting to ‘Preferred’.


                                            unlink /etc/nginx/sites-enabled/plex.wildw1ng.com.conf
                                            

                                            Andreas Bauer. All rights reserved.

                                            PostfixAdmin reverse proxy

                                            How to setup a reverse proxy for PostfixAdmin




                                            Prepare server block for certbot

                                            /etc/nginx/sites-available/postfixadmin.wildw1ng.com
                                            
                                            server {
                                                listen 80;
                                            
                                                server_name postfixadmin.wildw1ng.com;
                                            
                                                 # the http -> https redirect is added by certbot --nginx when it installs the certificate
                                            
                                                error_log   /var/log/nginx/postfixadmin.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/postfixadmin.wildw1ng.com.access.log;
                                            
                                                location / {
                                                        proxy_set_header X-Forwarded-Host $host;
                                                        proxy_set_header X-Forwarded-Server $host;
                                                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                        proxy_pass http://10.0.1.18/postfixadmin/;
                                                } 
                                            
                                                    error_page   500 502 503 504  /50x.html;
                                                    location = /50x.html {
                                                        root   /usr/share/nginx/html;
                                                    }
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/postfixadmin.wildw1ng.com /etc/nginx/sites-enabled/postfixadmin.wildw1ng.com
                                            

                                            Get SSL certificates with Certbot via Let’s Encrypt

                                            certbot --nginx --staple-ocsp
                                            

                                            Server block configuration

                                            /etc/nginx/sites-available/postfixadmin.wildw1ng.com
                                            
                                             server {
                                                listen 443 ssl http2;
                                            #   listen [::]:443 ssl http2;
                                            
                                                server_name postfixadmin.wildw1ng.com;
                                            
                                                 # the http -> https redirect is done by the port 80 server block that certbot appends to this file
                                            
                                                error_log   /var/log/nginx/postfixadmin.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/postfixadmin.wildw1ng.com.access.log;
                                            
                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/postfixadmin.wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/postfixadmin.wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;
                                            
                                                location / {
                                                        proxy_set_header X-Forwarded-Host $host;
                                                        proxy_set_header X-Forwarded-Server $host;
                                                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                        proxy_pass http://10.0.1.18/postfixadmin/;
                                                }
                                            
                                                error_page   500 502 503 504  /50x.html;
                                                location = /50x.html {
                                                    root   /usr/share/nginx/html;
                                                }
                                            
                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;
                                            
                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;
                                            
                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;
                                            
                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/postfixadmin.wildw1ng.com/chain.pem; # managed by Certbot
                                            
                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                                resolver 8.8.8.8 8.8.4.4 valid=300s;
                                                resolver_timeout 30s;
                                            }
                                            
                                            server {
                                                if ($host = postfixadmin.wildw1ng.com) {
                                                return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                            #   listen  [::]:80;
                                                server_name  postfixadmin.wildw1ng.com;
                                                return 404; # managed by Certbot
                                            }
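The TLS server blocks on this page all carry the same hardening set (HSTS, nosniff, X-Frame-Options, OCSP stapling) and one of them, the PostfixAdmin block above, also sets a resolver, which nginx needs to reach the OCSP responder; the Plex block relies on one being set at the http level. Two things are easy to get wrong when copying these blocks around: nginx only inherits add_header into a location that defines no add_header of its own, so a location that adds a cache header silently loses the security headers, and ssl_stapling without a resolver yields no stapled response. The following audit, an added example that is not part of this page or of nginx, parses a config into server/location blocks and reports those cases plus proxy_pass locations that do not forward Host. The sample config is constructed in the shape of the blocks above, with HSTS and the resolver left out on purpose.

```python
"""Audit nginx server blocks for the hardening used in the reverse-proxy
configs on this page (added example, not part of the page or of nginx).
Reports: TLS servers missing HSTS / nosniff / X-Frame-Options; locations
with their own add_header (the server-level set is then not inherited);
ssl_stapling on with no resolver at server or http level; proxy_pass
locations that do not forward the client's Host header."""
import re
import sys

# tokens: quoted strings, the structural characters { } ; or bare words
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
REQUIRED_HEADERS = {"strict-transport-security", "x-content-type-options", "x-frame-options"}


def parse(text):
    """Tree of {name, args, directives, children}; comments stripped to end of line."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    root = {"name": "root", "args": [], "directives": [], "children": []}
    stack, buf = [root], []
    for tok in TOKEN_RE.findall(text):
        if tok == "{":
            block = {"name": buf[0], "args": buf[1:], "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            buf = []
        elif tok == ";":
            if buf:
                stack[-1]["directives"].append((buf[0], buf[1:]))
            buf = []
        elif tok == "}":
            stack.pop()
        else:
            buf.append(tok)
    return root


def has(block, directive):
    return any(name == directive for name, _ in block["directives"])


def headers_of(block):
    return {args[0].lower() for name, args in block["directives"] if name == "add_header" and args}


def audit_server(server, resolver_inherited):
    label = next((" ".join(a) for n, a in server["directives"] if n == "server_name"), "<unnamed>")
    if not any(n == "listen" and "ssl" in a for n, a in server["directives"]):
        return []  # the plain-http redirect block is not expected to carry the headers
    findings = [f"{label}: missing add_header {h}" for h in sorted(REQUIRED_HEADERS - headers_of(server))]
    stapling = any(n == "ssl_stapling" and a == ["on"] for n, a in server["directives"])
    if stapling and not has(server, "resolver") and not resolver_inherited:
        findings.append(f"{label}: ssl_stapling on but no resolver, OCSP responses cannot be fetched")
    for loc in (c for c in server["children"] if c["name"] == "location"):
        where = f"{label}: location {' '.join(loc['args'])}"
        if headers_of(loc):
            findings.append(f"{where} sets its own add_header, so the server-level security headers are not inherited")
        forwards_host = any(n == "proxy_set_header" and a and a[0].lower() == "host" for n, a in loc["directives"])
        if has(loc, "proxy_pass") and not forwards_host:
            findings.append(f"{where} proxies without 'proxy_set_header Host', the backend sees the upstream address")
    return findings


def audit(text):
    """Audit every server block found at top level or inside http { }."""
    root = parse(text)
    findings = []
    for scope in [root] + [b for b in root["children"] if b["name"] == "http"]:
        inherited = has(root, "resolver") or has(scope, "resolver")
        for server in (b for b in scope["children"] if b["name"] == "server"):
            findings += audit_server(server, inherited)
    return findings


# constructed sample in the shape of the blocks on this page; HSTS and resolver left out on purpose
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name app.example.test;   # constructed hostname
    ssl_certificate     /etc/letsencrypt/live/app.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.test/privkey.pem;
    location / {
        proxy_pass http://10.0.1.11:32400;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /static/ {
        proxy_pass http://10.0.1.11:32400;
        proxy_set_header Host $host;
        add_header Cache-Control "public";
    }
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # HSTS is missing on purpose
    ssl_stapling on;
    ssl_stapling_verify on;
}
server {
    if ($host = app.example.test) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name app.example.test;
    return 404;
}
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it with a path to one of the site files (`python audit_nginx.py /etc/nginx/sites-available/postfixadmin.wildw1ng.com`, the script name being this example's own) or without arguments to see the four findings on the sample. The Host finding is informational: Plex is happy with the upstream address as Host, but applications that build absolute URLs from it are not, and the parser ignores `#` inside quoted strings, which none of the blocks on this page use.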
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                             unlink /etc/nginx/sites-enabled/postfixadmin.wildw1ng.com
                                            


                                            Virtual Mail Server reverse proxy

                                            How to setup a reverse proxy for Virtual Mail Server




                                            Prepare server block for certbot

                                            /etc/nginx/sites-available/mail.wildw1ng.com
                                            
                                            server {
                                                listen 80;
                                            
                                                server_name mail.wildw1ng.com;
                                            
                                                 # the http -> https redirect is added by certbot --nginx when it installs the certificate
                                            
                                                error_log   /var/log/nginx/mail.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/mail.wildw1ng.com.access.log;
                                            
                                                location / {
                                                    # IP address of mail server
                                                    proxy_pass         http://10.0.1.18/;
                                                     proxy_set_header X-Real-IP $remote_addr;
                                                 }

                                                 error_page   500 502 503 504  /50x.html;
                                                 location = /50x.html {
                                                     root   /usr/share/nginx/html;
                                                 }
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/mail.wildw1ng.com /etc/nginx/sites-enabled/mail.wildw1ng.com
                                            

                                            Get SSL certificates with Certbot via Let’s Encrypt

                                            certbot --nginx --staple-ocsp
                                            

                                            Server block configuration

                                            /etc/nginx/sites-available/mail.wildw1ng.com
                                            
                                            server {
                                                listen 443 ssl http2;
                                            
                                                server_name mail.wildw1ng.com;
                                            
                                                 # the http -> https redirect is done by the port 80 server block that certbot appends to this file
                                            
                                                error_log   /var/log/nginx/mail.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/mail.wildw1ng.com.access.log;
                                            
                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/mail.wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/mail.wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;
                                            
                                                location / {
                                                    # IP address of mail server
                                                    proxy_pass         http://10.0.1.18/;
                                                     proxy_set_header X-Real-IP $remote_addr;
                                                 }

                                                 error_page   500 502 503 504  /50x.html;
                                                 location = /50x.html {
                                                     root   /usr/share/nginx/html;
                                                 }
                                            
                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;
                                            
                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;
                                            
                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;
                                            
                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/mail.wildw1ng.com/chain.pem; # managed by Certbot
                                            
                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }
                                            
                                            server {
                                                if ($host = mail.wildw1ng.com) {
                                                return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                                server_name  mail.wildw1ng.com;
                                                return 404; # managed by Certbot
                                            }
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                             unlink /etc/nginx/sites-enabled/mail.wildw1ng.com
                                            


                                            Zabbix reverse proxy

                                            How to setup a reverse proxy for Zabbix




                                            Prepare server block for certbot

                                            /etc/nginx/sites-available/zabbix.wildw1ng.com
                                            
                                            server {
                                                listen 80;
                                            
                                                server_name zabbix.wildw1ng.com;
                                            
                                                 # the http -> https redirect is added by certbot --nginx when it installs the certificate
                                            
                                                error_log   /var/log/nginx/zabbix.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/zabbix.wildw1ng.com.access.log;
                                            
                                                location / {
                                                    # IP address of Zabbix server
                                                    proxy_pass         http://archlinux-zabbix/zabbix/;
                                                    proxy_http_version 1.1;
                                                    proxy_set_header   Connection keep-alive;
                                                    proxy_set_header   Host $host;
                                                    proxy_set_header   X-Forwarded-Server $host;
                                                    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                                                     proxy_cookie_path  /zabbix /;
                                                 }

                                                 error_page   500 502 503 504  /50x.html;
                                                 location = /50x.html {
                                                     root   /usr/share/nginx/html;
                                                 }
                                            }
                                            

                                            ln -s /etc/nginx/sites-available/zabbix.wildw1ng.com /etc/nginx/sites-enabled/zabbix.wildw1ng.com
                                            

                                            Get SSL certificates with Certbot via Let’s Encrypt

                                            certbot --nginx --staple-ocsp
                                            

                                            Server block configuration

                                            /etc/nginx/sites-available/zabbix.wildw1ng.com
                                            
                                            server {
                                                listen 443 ssl http2;
                                            #   listen [::]:443 ssl http2;
                                            
                                                server_name zabbix.wildw1ng.com;
                                            
                                                 # the http -> https redirect is done by the port 80 server block that certbot appends to this file
                                            
                                                error_log   /var/log/nginx/zabbix.wildw1ng.com.error.log;
                                                access_log  /var/log/nginx/zabbix.wildw1ng.com.access.log;
                                            
                                                # These are the paths to your generated Let's Encrypt SSL certificates.
                                                ssl_certificate /etc/letsencrypt/live/zabbix.wildw1ng.com/fullchain.pem; # managed by Certbot
                                                ssl_certificate_key /etc/letsencrypt/live/zabbix.wildw1ng.com/privkey.pem; # managed by Certbot
                                                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                                                ssl_session_cache   shared:SSL:60m;
                                            
                                                location / {
                                                    # IP address of Zabbix server
                                                    proxy_pass         http://archlinux-zabbix/zabbix/;
                                                    proxy_http_version 1.1;
                                                    proxy_set_header   Connection keep-alive;
                                                    proxy_set_header   Host $host;
                                                    proxy_set_header   X-Forwarded-Server $host;
                                                    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                                                     proxy_cookie_path  /zabbix /;
                                                 }

                                                 error_page   500 502 503 504  /50x.html;
                                                 location = /50x.html {
                                                     root   /usr/share/nginx/html;
                                                 }
                                                
                                                # Anti-MIME-Sniffing header
                                                add_header X-Content-Type-Options nosniff;
                                            
                                                # Anti-ClickJacking Header
                                                add_header  X-Frame-Options "SAMEORIGIN" always;
                                            
                                                # HSTS (ngx_http_headers_module is required) (63072000 seconds)
                                                add_header Strict-Transport-Security "max-age=63072000" always;
                                            
                                                # verify chain of trust of OCSP response using Root CA and Intermediate certs
                                                ssl_trusted_certificate /etc/letsencrypt/live/zabbix.wildw1ng.com/chain.pem; # managed by Certbot
                                            
                                                # OCSP stapling
                                                ssl_stapling on; # managed by Certbot
                                                ssl_stapling_verify on; # managed by Certbot
                                            }
                                            
                                            server {
                                                if ($host = zabbix.wildw1ng.com) {
                                                return 301 https://$host$request_uri;
                                                } # managed by Certbot
                                                listen       80;
                                            #   listen  [::]:80;
                                                server_name  zabbix.wildw1ng.com;
                                                return 404; # managed by Certbot
                                            }
                                            

                                            Restart service

                                            systemctl restart nginx.service
                                            

                                            unlink /etc/nginx/sites-enabled/zabbix.wildw1ng.com
                                            


                                            Samba active directory

                                            How to setup an active directory domain controller in Linux using Samba




                                            Install packages

                                            pacman -Syu krb5 python-dnspython openresolv samba bind
                                            

                                            Rename machine

                                            Note

                                             Windows NetBIOS names are limited to 15 characters (16 bytes)

                                            /etc/hostname
                                            
                                            arch-vm-addc
                                            

                                            Setup network

                                            Wired NAT adapter using a static IP

                                            /etc/systemd/network/20-wired.network
                                            
                                            [Match]
                                            Name=enp1*
                                            
                                            [Network]
                                            Address=192.168.122.30/24
                                            Gateway=192.168.122.1
                                            DNS=127.0.0.1
                                            
                                            chmod 644 /etc/systemd/network/20-wired.network
                                            

                                            Tip

                                             Second bridged wired adapter using DHCP for SSH access

                                            /etc/systemd/network/21-wired.network
                                            
                                            [Match]
                                            Name=enp8*
                                            
                                            [Network]
                                            DHCP=yes
                                            
                                            chmod 644 /etc/systemd/network/21-wired.network
                                            

                                            Use local DNS server

                                            Reconfigure resolvconf to use only localhost for DNS lookups.

                                            /etc/resolv.conf.tail
                                            
                                            # Samba configuration
                                            search wildw1ng.local
                                            nameserver 127.0.0.1
                                            

                                            Set permissions

                                            chmod 644 /etc/resolv.conf.tail
                                            

                                            Regenerate the new file

                                            resolvconf -u
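The hostname, static address and loopback-only resolver set up in the steps above are the prerequisites that most often break a provision or the Kerberos/DNS that follows it. A small preflight that validates them from the files' contents, as an added example that is not part of this page or of Samba: the 15-character NetBIOS limit and the "resolve only through the DC itself" rule come from the section above; treating an enabled `DHCP=` on the DC interface as a problem and accepting `::1` next to `127.0.0.1` are this example's own assumptions, marked as such in the code. All inputs are constructed; the good set mirrors the files shown above.

```python
"""Preflight checks before 'samba-tool domain provision' (added example,
not part of this page or of Samba).  Every check takes file contents as
text so it runs on constructed input as well as on the real files."""
import re

NETBIOS_MAX = 15                     # NetBIOS name limit quoted on the page
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)
LOOPBACK = ("127.0.0.1", "::1")      # assumption: ::1 is accepted alongside 127.0.0.1


def check_hostname(hostname):
    h = hostname.strip()
    issues = []
    if len(h) > NETBIOS_MAX:
        issues.append(f"hostname '{h}' has {len(h)} characters; NetBIOS names allow at most {NETBIOS_MAX}")
    if not HOSTNAME_RE.match(h):
        issues.append(f"hostname '{h}' must be letters, digits and hyphens, not starting or ending with a hyphen")
    return issues


def parse_resolv_conf(text):
    """Return (nameservers, search domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver":
            nameservers += values
        elif key in ("search", "domain"):
            search += values
    return nameservers, search


def check_resolver(resolv_conf, ad_domain):
    nameservers, search = parse_resolv_conf(resolv_conf)
    issues = []
    if not nameservers:
        issues.append("resolv.conf has no nameserver line")
    issues += [f"nameserver {ns} is not the DC itself; the DC must query only its own DNS"
               for ns in nameservers if ns not in LOOPBACK]
    if ad_domain.lower() not in (s.lower() for s in search):
        issues.append(f"search list {search} does not contain the AD domain {ad_domain}")
    return issues


def parse_network_file(text):
    """Minimal systemd.network (INI) parser; repeated keys collect into a list."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def check_network(network_file):
    net = parse_network_file(network_file).get("Network", {})
    issues = []
    if "Address" not in net:
        issues.append("no static Address= in [Network]; a DC needs a fixed IP")
    if any(v.lower() not in ("no", "false") for v in net.get("DHCP", [])):
        issues.append("DHCP= is enabled on the DC interface")   # assumption: DC NIC must be static
    dns = net.get("DNS", [])
    if not dns or any(d not in LOOPBACK for d in dns):
        issues.append(f"DNS= on the DC interface should be 127.0.0.1, got {dns}")
    return issues


def preflight(hostname, resolv_conf, network_file, ad_domain):
    """All issues found, empty list when the host is ready to provision."""
    return check_hostname(hostname) + check_resolver(resolv_conf, ad_domain) + check_network(network_file)


# constructed inputs: the good set mirrors the files on this page, the bad set breaks each rule
AD_DOMAIN = "wildw1ng.local"
GOOD_HOSTNAME = "arch-vm-addc"
GOOD_RESOLV = "# Samba configuration\nsearch wildw1ng.local\nnameserver 127.0.0.1\n"
GOOD_NETWORK = "[Match]\nName=enp1*\n\n[Network]\nAddress=192.168.122.30/24\nGateway=192.168.122.1\nDNS=127.0.0.1\n"
BAD_HOSTNAME = "archlinux-domaincontroller"
BAD_RESOLV = "nameserver 8.8.8.8\nnameserver 127.0.0.1\n"
BAD_NETWORK = "[Match]\nName=enp1*\n\n[Network]\nDHCP=yes\nDNS=127.0.0.1\n"

if __name__ == "__main__":
    for name, args in (("good", (GOOD_HOSTNAME, GOOD_RESOLV, GOOD_NETWORK)),
                       ("bad", (BAD_HOSTNAME, BAD_RESOLV, BAD_NETWORK))):
        print(name, preflight(*args, AD_DOMAIN) or ["ready to provision"])
```

On the real machine, feed it the contents of `/etc/hostname`, `/etc/resolv.conf` (after `resolvconf -u`) and the `.network` file of the NAT adapter; the bridged DHCP adapter from the tip above is deliberately a separate file and is not what this check should be pointed at.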
                                            



                                            System clock synchronization

                                            read about systemd-timesyncd


                                            Provisioning

                                             Performing basic directory configuration.

                                            samba-tool domain provision --use-rfc2307 --interactive
                                            

                                             --use-rfc2307

                                             This argument adds POSIX attributes (UID/GID) to the AD schema. It is necessary if you intend to authenticate Linux, BSD, or macOS clients (including the local machine) in addition to Microsoft Windows.

                                             --interactive

                                             This parameter forces the provision script to run interactively.


                                            BIND configuration

                                            /etc/named.conf
                                            
                                            // vim:set ts=4 sw=4 et:
                                            acl local-networks {
                                                127.0.0.0/8;
                                                192.168.122.0/24;
                                            };
                                            
                                            options {
                                                directory "/var/named";
                                                pid-file "/run/named/named.pid";
                                                session-keyfile "/run/named/session.key";
                                            
                                                // Uncomment this line to enable IPv6 connections support
                                                //  listen-on-v6 { any; };
                                                // Add this for no IPv4:
                                                //  listen-on { none; };
                                            
                                                // Add any subnets or hosts you want to allow to the local-networks acl
                                                allow-query       { local-networks; };
                                                allow-recursion   { local-networks; };
                                                allow-query-cache { local-networks; };
                                                allow-transfer    { none; };
                                                allow-update      { none; };
                                            
                                                version none;
                                                hostname none;
                                                server-id none;
                                            
                                                auth-nxdomain yes;
                                                datasize default;
                                                empty-zones-enable no;
                                                tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
                                            
                                                // Uncomment if you wish to use upstream forwarders
                                                // Google (8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, and 2001:4860:4860::8844)
                                                // OpenDNS (208.67.222.222, 208.67.220.220, 2620:0:ccc::2 and 2620:0:ccd::2)
                                                // Appropriate values for subnets are specific to your network.
                                                // forwarders { 8.8.8.8; 8.8.4.4; };
                                            
                                            };
                                            
                                            zone "localhost" IN {
                                                type master;
                                                file "localhost.zone";
                                            };
                                            
                                            zone "0.0.127.in-addr.arpa" IN {
                                                type master;
                                                file "127.0.0.zone";
                                            };
                                            
                                            zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
                                                type master;
                                                file "localhost.ip6.zone";
                                            };
                                            
                                            // Load AD integrated zones through the Samba DLZ module.
                                            // The dlz_bind9_*.so version must match the installed BIND major/minor;
                                            // list /usr/lib/samba/bind9/ to see which modules this Samba build ships.
                                            dlz "AD DNS Zones" {
                                                database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
                                            };
                                            
                                            //zone "example.org" IN {
                                            //    type slave;
                                            //    file "example.zone";
                                            //    masters {
                                            //        192.168.1.100;
                                            //    };
                                            //    allow-query { any; };
                                            //    allow-transfer { any; };
                                            //};
                                            
                                            logging {
                                                channel xfer-log {
                                                    file "/var/log/named.log";
                                                    print-category yes;
                                                    print-severity yes;
                                                    severity info;
                                                };
                                                category xfer-in { xfer-log; };
                                                category xfer-out { xfer-log; };
                                                category notify { xfer-log; };
                                            };
                                            

                                            chmod 644 /etc/named.conf
                                            
                                            chgrp named /var/lib/samba/private/dns.keytab
                                            
                                            chmod g+r /var/lib/samba/private/dns.keytab
                                            
                                            touch /var/log/named.log
                                            
                                            chown root:named /var/log/named.log
                                            
                                            chmod 664 /var/log/named.log
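An added example, not part of the original page: a POSIX shell audit of the ownership and mode that the commands above give named.conf, the DNS keytab and the log file. The point that matters is the keytab: it holds the key named uses for GSS-TSIG dynamic updates through the DLZ module, so it must be readable by the named group but never by others. Paths, the named group and the expected modes are the page's; the stat -c syntax is GNU/busybox, so the check assumes Linux.

```shell
#!/bin/sh
# Added example: audit the files configured above. Not part of the page.

# file_mode FILE -> octal permission bits, e.g. 640 (GNU/busybox stat syntax)
file_mode() {
    stat -c '%a' "$1"
}

# file_group FILE -> group name
file_group() {
    stat -c '%G' "$1"
}

# check_mode FILE EXPECTED -> 0 if FILE has exactly the expected octal mode
check_mode() {
    have=$(file_mode "$1") || return 1
    if [ "$have" = "$2" ]; then
        echo "OK:   $1 mode $have"
    else
        echo "FAIL: $1 mode $have, want $2"
        return 1
    fi
}

# check_dns_keytab FILE GROUP -> 0 if FILE belongs to GROUP, is group-readable
# and is not world-readable; prints one FAIL line per violated rule
check_dns_keytab() {
    keytab=$1; want_group=$2; kt_rc=0
    mode=$(file_mode "$keytab") || return 1
    group=$(file_group "$keytab")
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $keytab group is $group, want $want_group"; kt_rc=1
    fi
    # middle digit is the group triplet; 4..7 all carry the read bit
    case "$mode" in
        ?[4567]?) ;;
        *) echo "FAIL: $keytab mode $mode is not group-readable"; kt_rc=1 ;;
    esac
    # last digit is the "other" triplet; 4..7 would expose the key to every local user
    case "$mode" in
        *[4567]) echo "FAIL: $keytab mode $mode is world-readable"; kt_rc=1 ;;
    esac
    [ "$kt_rc" -eq 0 ] && echo "OK:   $keytab mode $mode group $group"
    return "$kt_rc"
}

# audit_bind_files -> runs all checks with the page's paths; 0 only if all pass
audit_bind_files() {
    audit_rc=0
    check_mode /etc/named.conf 644 || audit_rc=1
    check_mode /var/log/named.log 664 || audit_rc=1
    check_dns_keytab /var/lib/samba/private/dns.keytab named || audit_rc=1
    return "$audit_rc"
}
```

Run audit_bind_files after the chmod/chgrp steps; a non-zero exit means at least one file would either block named (keytab unreadable by its group) or leak the update key (keytab readable by others).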
                                            

                                            Kerberos

                                            Provisioning created a krb5.conf file for use with a Samba domain controller.

                                            mv /etc/krb5.conf{,.default}
                                            
                                            cp /var/lib/samba/private/krb5.conf /etc
                                            

                                            /etc/krb5.conf
                                            
                                            [libdefaults]
                                                    default_realm = WILDW1NG.LOCAL
                                                    dns_lookup_realm = false
                                                    dns_lookup_kdc = true
                                            
                                            [realms]
                                            WILDW1NG.LOCAL = {
                                                    default_domain = wildw1ng.local
                                            }
                                            
                                            [domain_realm]
                                                    arch-vm-addc = WILDW1NG.LOCAL
                                            
                                            chmod 644 /etc/krb5.conf
                                            

                                            Samba

                                            Enable printing and automatic sharing of all CUPS print queues

                                            /etc/samba/smb.conf
                                            
                                            [global]
                                                    rpc_server:spoolss = external
                                                    rpc_daemon:spoolssd = fork
                                                    printing = CUPS
                                            
                                            [printers]
                                                    path = /var/spool/samba/
                                                    printable = yes
                                            

                                            Share only specific print queues

                                            /etc/samba/smb.conf
                                            
                                            [global]
                                                    load printers = no
                                            
                                            # Add an example print share
                                            [HPDJ3050]
                                                    path = /var/spool/samba/
                                                    printable = yes
                                                    printer name = hpdj3050
                                            

                                            Roaming profiles

                                            Set the permissions on the /profiles directory (create it first). World-writable is the simplest setting, but it also lets every local account on the DC read and modify any user's profile:

                                            chmod 0777 /profiles

                                            A tighter alternative is to make the directory owned by root and the "Domain Users" group with mode 1770: every domain user can then create their own profile folder, others get no access at all, and the sticky bit stops users from deleting or renaming each other's folders. The Windows-side ACLs set through acl_xattr (below) apply on top of these POSIX permissions.
                                            

                                            Create samba share

                                            /etc/samba/smb.conf
                                            
                                            [profiles]
                                                comment = User Profiles
                                                path = /profiles
                                                browseable = no
                                                read only = no
                                                csc policy = disable
                                                vfs objects = acl_xattr
                                            

                                            /etc/samba/smb.conf
                                            
                                            # Global parameters
                                            [global]
                                                    netbios name = ARCH-VM-ADDC
                                                    realm = WILDW1NG.LOCAL
                                                    server role = active directory domain controller
                                                    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
                                                    workgroup = WILDW1NG
                                                    idmap_ldb:use rfc2307 = yes
                                                    tls enabled = yes
                                                    tls keyfile = tls/key.pem
                                                    tls certfile = tls/cert.pem
                                                    tls cafile = tls/ca.pem
                                                    # rpc_server:spoolss = external
                                                    # rpc_daemon:spoolssd = fork
                                                    # printing = CUPS

                                            [sysvol]
                                                    path = /var/lib/samba/sysvol
                                                    read only = No

                                            [netlogon]
                                                    path = /var/lib/samba/sysvol/wildw1ng.local/scripts
                                                    read only = No

                                            # [printers]
                                            #         path = /var/spool/samba
                                            #         printable = yes
                                            
                                            [profiles]
                                                    comment = User Profiles
                                                    path = /profiles
                                                    browseable = no
                                                    read only = no
                                                    csc policy = disable
                                                    vfs objects = acl_xattr
                                            
                                            chmod 644 /etc/samba/smb.conf
                                            

                                            LDB utilities

                                            /etc/profile.d/sambaldb.sh
                                            
                                            export LDB_MODULES_PATH="${LDB_MODULES_PATH}:/usr/lib/samba/ldb"
                                            
                                            chmod 0755 /etc/profile.d/sambaldb.sh
                                            
                                            . /etc/profile.d/sambaldb.sh
                                            

                                            Testing the installation

                                            Verify the TCP-based _ldap SRV record in the domain

                                            host -t SRV _ldap._tcp.wildw1ng.local
                                            

                                            Verify the UDP-based _kerberos SRV record in the domain

                                            host -t SRV _kerberos._udp.wildw1ng.local
                                            

                                            Verify the A record of the domain controller

                                            host -t A arch-vm-addc.wildw1ng.local
                                            

                                            Verify NT password authentication

                                            smbclient //localhost/netlogon -U Administrator -c 'ls'
                                            

                                            Verify Kerberos is working as expected

                                            kinit Administrator@WILDW1NG.LOCAL
                                            
                                            Note

                                            If the "KDC reply did not match expectations while getting initial credentials" error occurs, check the realm in the principal you typed and in /etc/krb5.conf.
                                            Kerberos realm names are case-sensitive; ensure they are all in upper case letters.
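The realm-case check the note describes, as an added example that is not part of the original page: a POSIX shell function that parses a krb5.conf and reports every realm name that is not upper case. It looks at default_realm, the realm names that open each [realms] block, and the right-hand side of [domain_realm] mappings; it does not follow includedir directives. The same rule applies to the principal given to kinit above.

```shell
#!/bin/sh
# Added example: report realm names in a krb5.conf that are not upper case.
# Not part of the page.

# check_krb5_realm_case FILE -> prints one line per offending realm,
# returns 0 when every realm is upper case, 1 otherwise
check_krb5_realm_case() {
    awk '
        # section headers: [libdefaults], [realms], [domain_realm], ...
        /^[ \t]*\[/ {
            section = $0
            gsub(/\[|\]/, "", section)
            gsub(/[ \t]/, "", section)
            next
        }
        # blank lines and comments
        /^[ \t]*(#|;|$)/ { next }
        {
            n = split($0, kv, "=")
            key = kv[1]
            val = (n > 1) ? kv[2] : ""
            gsub(/[ \t]/, "", key)
            gsub(/[ \t{]/, "", val)
            realm = ""
            if (section == "libdefaults" && key == "default_realm")
                realm = val
            else if (section == "realms" && val == "" && key != "" && key != "}")
                realm = key            # "WILDW1NG.LOCAL = {" opens a realm block
            else if (section == "domain_realm" && val != "")
                realm = val            # "arch-vm-addc = WILDW1NG.LOCAL"
            if (realm != "" && realm != toupper(realm)) {
                printf "line %d: realm \"%s\" is not upper case (expected %s)\n", NR, realm, toupper(realm)
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run check_krb5_realm_case /etc/krb5.conf before kinit; a non-zero exit with the offending line numbers is faster than decoding the KDC error message. Lines inside a realm block (kdc, admin_server, default_domain) carry hostnames or DNS names and are deliberately not checked.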

                                            List cached Kerberos tickets

                                            klist
                                            

                                            Use smbclient with the acquired ticket (the -k switch is deprecated since Samba 4.15, where --use-kerberos=required replaces it)

                                            smbclient //arch-vm-addc/netlogon -k -c 'ls'
                                            

                                            DNS reverse lookup

                                            Create a reverse lookup zone for each subnet in your environment in DNS.
                                            It is important that this is kept in Samba’s DNS as opposed to BIND to allow for dynamic updates by clients.
                                            Use the first three octets of the subnet in reverse order (for example: 192.168.0.0/24 becomes 0.168.192)

                                            Create a reverse lookup zone for each subnet

                                            samba-tool dns zonecreate arch-vm-addc.wildw1ng.local 122.168.192.in-addr.arpa -U Administrator
                                            

                                            Add a PTR record for your server (if your server is multi-homed, add one for each subnet). The record name is the fourth octet of the server's IP.

                                            samba-tool dns add arch-vm-addc.wildw1ng.local 122.168.192.in-addr.arpa 30 PTR arch-vm-addc.wildw1ng.local -U Administrator
                                            

                                            Verify the lookup

                                            host -t PTR 192.168.122.30
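The octet reversal described above, as an added example that is not the page's own commands: POSIX shell functions that derive the in-addr.arpa zone from a CIDR network and the PTR record name from a host address, and print (without running) the two samba-tool invocations this section uses. It generalizes the page's /24 case to /8 and /16; other prefix lengths need classless delegation and are rejected. The DC name, network and address are the page's values.

```shell
#!/bin/sh
# Added example: reverse-zone arithmetic for the samba-tool dns commands above.
# Not part of the page.

# split_octets A.B.C.D -> sets o1..o4 (parameter expansion only, no forks)
split_octets() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# reverse_zone CIDR -> in-addr.arpa zone for a /8, /16 or /24 network
# 192.168.122.0/24 -> 122.168.192.in-addr.arpa
reverse_zone() {
    split_octets "${1%/*}"
    case "${1#*/}" in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "reverse_zone: only /8, /16 and /24 are supported, got /${1#*/}" >&2; return 1 ;;
    esac
}

# ptr_label IP PREFIXLEN -> the record name inside that zone: the host
# octets, reversed. 192.168.122.30 24 -> 30 ; 10.7.3.9 8 -> 9.3.7
ptr_label() {
    split_octets "$1"
    case "$2" in
        8)  echo "$o4.$o3.$o2" ;;
        16) echo "$o4.$o3" ;;
        24) echo "$o4" ;;
        *)  echo "ptr_label: unsupported prefix length /$2" >&2; return 1 ;;
    esac
}

# ptr_commands DC_FQDN CIDR HOST_FQDN HOST_IP -> prints the samba-tool
# commands that create the reverse zone and the host's PTR record
ptr_commands() {
    zone=$(reverse_zone "$2") || return 1
    label=$(ptr_label "$4" "${2#*/}") || return 1
    printf 'samba-tool dns zonecreate %s %s -U Administrator\n' "$1" "$zone"
    printf 'samba-tool dns add %s %s %s PTR %s -U Administrator\n' "$1" "$zone" "$label" "$3"
}

# Usage with the page's values (prints the two commands from this section):
ptr_commands arch-vm-addc.wildw1ng.local 192.168.122.0/24 \
    arch-vm-addc.wildw1ng.local 192.168.122.30
```

Pipe the output into sh once you have checked it; keeping the zone in Samba's DNS rather than a static BIND zone is what lets domain members update their own PTR records, as the text notes.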
                                            

                                            Verify the file server

                                            smbclient -L localhost -N
                                            

                                            Enable services

                                            systemctl enable named
                                            
                                            systemctl enable samba
                                            



                                            Manage roaming user profiles

                                            Windows RSAT tools on a Windows client

                                            Use the 'Active Directory Users and Computers' application on a Windows client to set the path to the user's roaming profile and shared home directory.

                                            User profile \\arch-vm-addc\profiles\%username%

                                            Home folder \\arch-vm-addc\shared\%username%

                                            Windows client OS version        Windows Server OS version                     Profile suffix   Profile directory name
                                            Windows NT 4.0 - Windows Vista   Windows NT Server 4.0 - Windows Server 2008   none             user
                                            Windows 7                        Windows Server 2008 R2                        V2               user.V2
                                            Windows 8.0 - 8.1*               Windows Server 2012 - 2012 R2*                V3               user.V3
                                            Windows 8.1*                     Windows Server 2012 R2*                       V4               user.V4
                                            Windows 10 (1507 to 1511)        Windows Server 2016                           V5               user.V5
                                            Windows 10 (1607 and later)      -                                             V6               user.V6

                                            Manage user profiles with Samba

                                            samba-tool user list
                                            
                                            Create a user with the profile and home paths pointing at the DC's shares. Passing the password on the command line, as below, records it in the shell history and shows it in the process list while the command runs; omit it to be prompted, or use --random-password instead.

                                            samba-tool user create User11 Password11 \
                                             --use-username-as-cn --surname="User" \
                                             --given-name="11" --initials=U11 \
                                             --mail-address=User11@wildw1ng.local \
                                             --company="Company inc." --script-path=shire.bat \
                                             --profile-path=\\\\arch-vm-addc\\profiles\\User11 \
                                             --home-drive=Z \
                                             --home-directory=\\\\arch-vm-addc\\shared\\User11 \
                                             --job-title="Fancy title"
                                            



                                            Manage group policies

                                            Samba policies can be found in the 'Group Policy Management Editor' under User or Computer Configuration > Policies > Administrative Templates > Samba.

                                            For Samba domain controllers, the password and Kerberos settings are also applied; these are found under Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.


                                            Andreas Bauer. All rights reserved.

                                            Additional domain controllers

                                            How to add additional domain controllers to an existing domain in Linux




                                            Install packages

                                            pacman -Syu krb5 python-dnspython openresolv samba bind
                                            

                                            Rename machine

                                            Note

                                            Windows NetBIOS names are limited to 15 characters: the name is a 16-byte field whose last byte is reserved for the name suffix (resource type).

                                            /etc/hostname
                                            
                                            arch-vm-dc
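The 15-character limit in the note above, as an added example that is not part of the page: POSIX shell functions that derive the NetBIOS name Samba will use from the value in /etc/hostname (the first DNS label, upper-cased, which is also what the netbios name parameter in smb.conf holds) and check it against the length and character rules. The hostnames used are the page's.

```shell
#!/bin/sh
# Added example: derive and validate the NetBIOS name for a new DC. Not part of the page.

# netbios_name HOSTNAME -> first DNS label, upper-cased
# arch-vm-dc.wildw1ng.local -> ARCH-VM-DC
netbios_name() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# check_netbios_name HOSTNAME -> 0 if the derived name fits the rules:
# 1 to 15 characters, only A-Z, 0-9 and '-', and (as for any hostname
# label) not starting or ending with '-'
check_netbios_name() {
    name=$(netbios_name "$1")
    case "$name" in
        '')
            echo "FAIL: empty name"; return 1 ;;
        ????????????????*)
            echo "FAIL: '$name' is ${#name} characters, NetBIOS allows 15"; return 1 ;;
    esac
    case "$name" in
        *[!A-Z0-9-]*)
            echo "FAIL: '$name' contains characters outside A-Z, 0-9 and '-'"; return 1 ;;
        -*|*-)
            echo "FAIL: '$name' must not start or end with '-'"; return 1 ;;
    esac
    echo "OK: netbios name = $name"
}

# Usage with the page's hostname:
check_netbios_name "$(cat /etc/hostname 2>/dev/null || echo arch-vm-dc)"
```

Run it on the value you are about to write to /etc/hostname; a name that is too long is silently truncated by Windows clients and then fails to match the computer object in the domain.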
                                            

                                            Setup network

                                            Wired adapter using a static IP (NAT)

                                            /etc/systemd/network/20-wired.network
                                            
                                            [Match]
                                            Name=enp1*
                                            
                                            [Network]
                                            Address=192.168.122.31/24
                                            Gateway=192.168.122.1
                                            DNS=192.168.122.30
                                            

                                            chmod 644 /etc/systemd/network/20-wired.network
                                            
                                            Tip

                                            Second bridged wired adapter using DHCP for ssh access

                                            /etc/systemd/network/21-wired.network
                                            
                                            [Match]
                                            Name=enp8*
                                            
                                            [Network]
                                            DHCP=yes
                                            
                                            chmod 644 /etc/systemd/network/21-wired.network
                                            

                                            Use the existing DNS server

                                            Point resolvconf at the existing domain controller (192.168.122.30) for DNS lookups; the new machine must be able to resolve the domain's SRV records before it can join.

                                            /etc/resolv.conf.tail
                                            
                                            # Samba configuration
                                            search wildw1ng.local
                                            nameserver 192.168.122.30
                                            

                                            Set permissions

                                            chmod 644 /etc/resolv.conf.tail
                                            

                                            Regenerate the new file

                                            resolvconf -u
                                            

                                            System clock synchronization

                                            Kerberos rejects requests when the clocks differ by more than the libkrb5 default of five minutes, so keep the new controller in sync with the existing one (for example with systemd-timesyncd) before joining.


                                            Join an existing domain as a new Domain Controller


                                            samba-tool domain join wildw1ng.local DC -U "WILDW1NG\Administrator"
                                            

                                            Copy the krb5.conf:

                                            cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
                                            
                                            /etc/krb5.conf
                                            
                                            [libdefaults]
                                                    default_realm = WILDW1NG.LOCAL
                                                    dns_lookup_realm = false
                                                    dns_lookup_kdc = true
                                            
                                            [realms]
                                            WILDW1NG.LOCAL = {
                                                    default_domain = wildw1ng.local
                                            }
                                            
                                            [domain_realm]
                                                    ARCH-VM-DC2 = WILDW1NG.LOCAL
                                            
                                            chmod 644 /etc/krb5.conf
                                            

                                            Copy the idmap

                                            On the existing domain controller:

                                            tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
                                            
                                            mv /var/lib/samba/private/idmap.ldb.bak /home/wildw1ng/
                                            
                                            chown wildw1ng:users /home/wildw1ng/idmap.ldb.bak
                                            
                                            rsync -avhP /home/wildw1ng/idmap.ldb.bak 192.168.122.33:/home/wildw1ng/
                                            

                                            On the new domain controller, before samba is started for the first time:

                                            mv /home/wildw1ng/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
                                            
                                            chown root:root /var/lib/samba/private/idmap.ldb
                                            
                                            chmod 600 /var/lib/samba/private/idmap.ldb
                                            
                                            Note

                                            idmap.ldb holds the mapping from SIDs to local UIDs/GIDs for the BUILTIN groups and other well-known SIDs. Each DC allocates these IDs independently, so without a shared copy the ownership of the replicated sysvol files differs between controllers. After replacing the file, flush the Samba cache (net cache flush) and reset the sysvol ACLs (samba-tool ntacl sysvolreset).
                                            If you intend to keep multiple DCs, you will need to automate this process going forward using one of the methods listed on the Samba website.
                                            This also applies to transferring the idmap from Windows DCs.


                                            Enable services

                                            systemctl enable named
                                            
                                            systemctl enable samba
                                            

                                            BIND9_DLZ DNS backend

                                            samba_upgradedns --dns-backend=BIND9_DLZ
                                            

                                            Restart named.service

                                            systemctl restart named
                                            

                                            Update DNS records

                                            samba_dnsupdate --all-names --use-samba-tool --verbose
                                            


                                            Arch Linux

                                            Lightweight rolling-release distribution



                                            Arch Linux is an independently developed, x86-64 general-purpose Linux distribution that strives to provide the latest stable versions of most software by following a rolling-release model.
                                            The default installation is a minimal base system, configured by the user to only add what is purposely required. Pacman, a package manager written specifically for Arch Linux, is used to install, remove and update software packages.
                                            Arch Linux uses a rolling release model, meaning there are no “major releases” of completely new versions of the system; a regular system update is all that is needed to obtain the latest Arch software; the installation images released every month by the Arch team are simply up-to-date snapshots of the main system components.
                                            Arch Linux has comprehensive documentation, consisting of a community-run wiki known as the ArchWiki.


                                            • Installation
                                            • How to install an Arch Linux base system

                                              • Desktop environment
                                              • A desktop environment (DE) is made of a bundle of programs, which share a common graphical user interface (GUI).

                                                • KDE
                                                • How to install and configure KDE Plasma as your desktop environment

                                                  • GNOME
                                                  • How to install and configure GNOME as your desktop environment

                                                  • Pacman
                                                  • How to use the Pacman package manager and fix common errors

                                                    • Hardware video acceleration
                                                    • How to enable hardware video acceleration

                                                      • issue
                                                      • How to customize the tty login screen and SSH banner

                                                        • Zsh
                                                        • How to switch to Zsh and configure it as your default shell

                                                          • Alacritty
                                                          • How to install and configure Alacritty, a fast, cross-platform, OpenGL terminal emulator

                                                            • SSH
                                                            • How to setup Secure Shell Protocol public key authentication


                                                                                  Andreas Bauer. All rights reserved.

                                                                                  Base system Installation

                                                                                  How to install an Arch Linux base system




                                                                                  Download the ISO and create a bootable USB Device

                                                                                  Option Download
                                                                                  Arch Linux https://archlinux.org/download/
                                                                                  balenaEtcher https://www.balena.io/etcher/
                                                                                  Rufus https://rufus.ie/
                                                                                  Note

If the screen glitches when booting the installation medium with an nVidia graphics card and you never see the command line,
edit USBDEVICE/loader/entries/01-archiso-x86_64-linux.conf on the installation medium
and add nomodeset as a boot parameter

                                                                                  Tip

                                                                                  Press E during systemd-boot selection and pass nomodeset
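Before writing the image to USB, check that it is the one Arch published. The script below is an added example and not part of the original page: it compares the ISO against the sha256sums.txt entry and shows how the detached PGP signature is checked. The file names archlinux-x86_64.iso, sha256sums.txt and archlinux-x86_64.iso.sig follow the archlinux.org download page and are assumptions; the function names and the self-check fixture are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): verify a downloaded Arch ISO.
# Assumed file names, as published on the archlinux.org download page:
#   archlinux-x86_64.iso  sha256sums.txt  archlinux-x86_64.iso.sig

# verify_sha256 ISO SUMSFILE
# Compares the ISO's SHA-256 with the entry for its basename in SUMSFILE.
# Returns 0 on match, 1 on mismatch or when SUMSFILE has no entry for it.
verify_sha256() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    # sha256sums.txt lines look like "<hash>  <file>" or "<hash> *<file>".
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_sha256: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_sha256: OK $name"
}

# verify_signature ISO SIGFILE
# The checksum only proves the download was not corrupted; a mirror that
# serves a tampered ISO can serve a matching sums file too. The detached
# signature ties the image to the Arch release key. gpg fetches that key
# over the network, so this function is not exercised by the offline
# self-check below.
verify_signature() {
    gpg --keyserver-options auto-key-retrieve --verify "$2" "$1"
}

# self_check: constructed fixture (a fake ISO plus a matching sums file)
# exercising both the match and the mismatch path. Returns 0 when both
# behave as expected.
self_check() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed fake ISO payload\n' > "$tmp/archlinux-x86_64.iso"
    ( cd "$tmp" && sha256sum archlinux-x86_64.iso > sha256sums.txt )
    verify_sha256 "$tmp/archlinux-x86_64.iso" "$tmp/sha256sums.txt" || { rm -rf "$tmp"; return 1; }
    printf 'tampered\n' >> "$tmp/archlinux-x86_64.iso"
    if verify_sha256 "$tmp/archlinux-x86_64.iso" "$tmp/sha256sums.txt" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Usage on the real download, from the directory holding the three files:
#   verify_sha256 archlinux-x86_64.iso sha256sums.txt && \
#   verify_signature archlinux-x86_64.iso archlinux-x86_64.iso.sig
```

After verify_signature reports a good signature, still compare the key fingerprint gpg prints with the one published on archlinux.org; a valid signature from an unknown key proves nothing.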


Boot the installation medium and ensure that you booted in UEFI mode (the directory below only exists when the system was started via EFI)

                                                                                  ls /sys/firmware/efi
                                                                                  

                                                                                  Ensure you have internet connectivity

Plug in an ethernet cable, or if you use Wi-Fi (older installation media ship netctl's wifi-menu; current media ship iwd instead, whose iwctl tool does the same job)

                                                                                  wifi-menu
                                                                                  

Log in to your network and note your IP address (IPADDRESS below)

                                                                                  ip a s
                                                                                  

                                                                                  Check the Network Connection

                                                                                  ping -c 3 1.1.1.1
                                                                                  

Set a root password on the USB installation medium (sshd on the medium accepts root password logins, so choose a strong one and only do this on a network you trust)

                                                                                  passwd
                                                                                  

                                                                                  Enable SSH on the installation medium

                                                                                  systemctl start sshd
                                                                                  
                                                                                  systemctl status sshd
                                                                                  
                                                                                  Tip

You may continue the installation over SSH from another computer. The live medium generates new SSH host keys on every boot, so your client will warn about an unknown or changed key; compare the fingerprint with the one shown on the installer's console before accepting it.

ssh root@IPADDRESS
                                                                                  

Check the available devices

                                                                                  lsblk -f
                                                                                  

Choose the device you want to install Arch Linux on


                                                                                  Partition disk

                                                                                  cfdisk /dev/nvme1n1
                                                                                  

Select the gpt label type, select Free Space and choose New from the bottom menu.
Type the partition size (1G) and press Enter, then choose Type from the bottom menu and select EFI System.
For the /(root) partition use: New -> Size: 100G -> Type: Linux root (x86-64).
For the /home partition use: New -> Size: rest of the free space -> Type: Linux home.

Mount point   Size   Type
/boot         1G     EFI System
/(root)       100G   Linux root (x86-64)
/home         Rest   Linux home
Warning

All existing data on the device will be erased.

After you have reviewed the partition table select Write, answer yes to apply the changes to the disk, then select Quit to leave cfdisk.

                                                                                  Tip

                                                                                  You can also review the partition table summary by running fdisk command.

                                                                                  fdisk -l
                                                                                  

                                                                                  Format partitions

                                                                                  mkfs.fat -F32 /dev/nvme1n1p1
                                                                                  
                                                                                  mkfs.xfs /dev/nvme1n1p2
                                                                                  
                                                                                  mkfs.xfs /dev/nvme1n1p3
                                                                                  

                                                                                  Check partitions

                                                                                  lsblk -f
                                                                                  

                                                                                  Mount partitions

                                                                                  Mount root partition

                                                                                  mount /dev/nvme1n1p2 /mnt
                                                                                  

Mount the boot partition. The mount point is made 0700 and the filesystem is mounted with fmask=0137,dmask=0027 so that the kernel, initramfs and loader entries on the ESP are readable only by root; genfstab records these options in the generated fstab.

                                                                                  mkdir -pv /mnt/boot
                                                                                  
                                                                                  chmod 0700 /mnt/boot
                                                                                  
                                                                                  mount -o fmask=0137,dmask=0027 /dev/nvme1n1p1 /mnt/boot
                                                                                  

                                                                                  Mount home partition

                                                                                  mkdir -pv /mnt/home
                                                                                  
                                                                                  mount /dev/nvme1n1p3 /mnt/home
                                                                                  

Install the Arch base system into the mounted root

                                                                                  pacstrap -i /mnt linux linux-firmware base base-devel amd-ucode sudo zsh zsh-autosuggestions zsh-completions zsh-syntax-highlighting
                                                                                  
                                                                                  Tip

                                                                                  Install intel-ucode for Intel processors


                                                                                  Generate a Filesystem Table (fstab)

                                                                                  genfstab -U -p /mnt >> /mnt/etc/fstab
                                                                                  
Note: resulting /etc/fstab on the author's machine (the UUIDs, the extra ntfs3/nfs/hugepages entries and the comments are specific to that system); review the generated file before chrooting
                                                                                  # Static information about the filesystems.
                                                                                  # See fstab(5) for details.
                                                                                  
                                                                                  # <device> <dir> <type> <options> <dump> <fsck>
                                                                                  # If the root file system is btrfs or XFS, the fsck order should be set to 0 instead of 1.
                                                                                  
                                                                                  # /dev/nvme1n1p2
                                                                                  UUID=1314508c-df47-4972-822c-7e60c9cd12eb / xfs defaults 0 0
                                                                                  # /dev/nvme1n1p1
                                                                                  UUID=1DE1-20E9 /boot vfat rw,relatime,fmask=0137,dmask=0027,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro	0 2
                                                                                  # /dev/nvme1n1p3
                                                                                  UUID=3650e797-e902-4c6a-a704-6aa3b3b448a9 /home xfs defaults 0 0
                                                                                  
                                                                                  
                                                                                  # /dev/sda1
                                                                                  UUID=07f20613-d710-4141-831d-60ca79f7dbd2 /mnt/sda1 ext4 defaults,noatime,noauto,x-systemd.automount 0 0
                                                                                  # /dev/sdb1
                                                                                  UUID=ca5f78a9-71db-408f-9148-b3add8dd7c80 /mnt/sdb1 ext4 defaults,noatime,noauto,x-systemd.automount 0 0
                                                                                  
                                                                                  
                                                                                  # ntfs3
                                                                                  # /dev/nvme0n1p2
                                                                                  # UUID=CCB22606B225F59C /mnt/nvme0n1p2 ntfs3 defaults,discard,noatime,noauto,x-systemd.automount 0 0
                                                                                  # /dev/nvme0n1p3
                                                                                  # UUID=0125876E5D886075 /mnt/nvme0n1p3 ntfs3 defaults,discard,noatime,noauto,x-systemd.automount 0 0
                                                                                  # /dev/nvme2n1p1
                                                                                  # UUID=73C99ED2175A3468 /mnt/nvme2n1p1 ntfs3 defaults,discard,noatime,noauto,x-systemd.automount 0 0
                                                                                  # /dev/nvme3n1p1
                                                                                  # UUID=0436AA0013BB9B40 /mnt/nvme3n1p1 ntfs3 defaults,discard,noatime,noauto,x-systemd.automount 0 0
                                                                                  
                                                                                  # /dev/sdc1
                                                                                  # UUID=43B0754E6391E844 /mnt/sdc1 ntfs3 defaults,noatime,noauto,x-systemd.automount 0 0
                                                                                  # /dev/sdd1
                                                                                  # UUID=72B601494AED575D /mnt/sdd1 ntfs3 defaults,noatime,noauto,x-systemd.automount 0 0
                                                                                  
                                                                                  # nfs
                                                                                  10.0.1.11:/srv/nfs/music /mnt/nfs/music nfs noauto,x-systemd.automount,x-systemd.device-timeout=10,timeo=14,x-systemd.idle-timeout=1min 0 0
                                                                                  
                                                                                  # hugepages
                                                                                  # hugetlbfs /dev/hugepages hugetlbfs mode=01770,gid=kvm 0 0
                                                                                  

                                                                                  Chroot to install directory

                                                                                  arch-chroot /mnt
                                                                                  

                                                                                  Set the machine hostname

                                                                                  echo "archlinux" >> /etc/hostname
                                                                                  

                                                                                  Set timezone

                                                                                  Remove old localtime

                                                                                  rm /etc/localtime
                                                                                  
                                                                                  ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
                                                                                  

                                                                                  Set hardware clock to UTC

                                                                                  hwclock --systohc --utc
                                                                                  

Synchronize the system clock with systemd-timesyncd (it speaks plain, unauthenticated SNTP, so point it at servers you trust)

                                                                                  /etc/systemd/timesyncd.conf
                                                                                  
                                                                                  [Time]
                                                                                  NTP=ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
                                                                                  FallbackNTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
                                                                                  RootDistanceMaxSec=5
                                                                                  PollIntervalMinSec=32
                                                                                  PollIntervalMaxSec=2048
                                                                                  ConnectionRetrySec=30
                                                                                  SaveIntervalSec=60
                                                                                  
                                                                                  systemctl enable systemd-timesyncd
                                                                                  
                                                                                  timedatectl show-timesync --all
                                                                                  

                                                                                  Edit locale

                                                                                  /etc/locale.gen
                                                                                  

uncomment en_US.UTF-8 UTF-8

                                                                                  locale-gen
                                                                                  
                                                                                  echo LANG=en_US.UTF-8 >> /etc/locale.conf
                                                                                  

Customize pacman and enable the multilib repository

/etc/pacman.conf


uncomment [multilib] and the Include = /etc/pacman.d/mirrorlist line below it
uncomment Color
add ILoveCandy (cosmetic progress bar)

Leave SigLevel at its default of Required DatabaseOptional so that every package signature keeps being verified.


Install the systemd-boot boot manager (bootctl defaults to the ESP mounted at /boot; the second form sets the path explicitly)

bootctl install

bootctl --path=/boot install
                                                                                  
                                                                                  Note

                                                                                  Whenever there is a new version of systemd-boot, the boot manager must be updated by the user.

                                                                                  bootctl update
                                                                                  
                                                                                  Tip

                                                                                  Create an automatic bootctl update hook for pacman

                                                                                  /etc/pacman.d/hooks/100-systemd-boot.hook
                                                                                  
                                                                                  [Trigger]
                                                                                  Type = Package
                                                                                  Operation = Upgrade
                                                                                  Target = systemd
                                                                                  
                                                                                  [Action]
                                                                                  Description = Updating systemd-boot
                                                                                  When = PostTransaction
                                                                                  Exec = /usr/bin/bootctl update
                                                                                  

Set up the systemd-boot loader. editor no disables the built-in entry editor, so someone at the console cannot append init=/bin/sh to the kernel command line; timeout 0 hides the menu (hold Space during boot to show it). Because the ESP is unencrypted this only holds up together with a firmware (UEFI) password or Secure Boot.

                                                                                  /boot/loader/loader.conf
                                                                                  
                                                                                  default arch.conf
                                                                                  timeout 0
                                                                                  console-mode max
                                                                                  editor no
                                                                                  auto-entries 0
                                                                                  auto-firmware 1
                                                                                  

                                                                                  Add an entry for Arch Linux

                                                                                  /boot/loader/entries/arch.conf
                                                                                  
                                                                                  title Arch Linux
                                                                                  linux /vmlinuz-linux
                                                                                  initrd /amd-ucode.img
                                                                                  initrd /initramfs-linux.img
                                                                                  options root=UUID=1314508c-df47-4972-822c-7e60c9cd12eb rw quiet
                                                                                  
                                                                                  Info

If you are dual booting Windows you can add a manual entry for it

                                                                                  /boot/loader/entries/windows.conf
                                                                                  
                                                                                  title Microsoft Windows
                                                                                  efi /EFI/Microsoft/Boot/bootmgfw.efi
                                                                                  

                                                                                  Set root password

                                                                                  passwd
                                                                                  

                                                                                  Change root shell

                                                                                  usermod -s /usr/bin/zsh root
                                                                                  

Create a non-privileged user and add it to the wheel group

                                                                                  Warning

                                                                                  Create a normal user for daily use. Do not use the root user for daily use.

                                                                                  useradd -m -G wheel -s /usr/bin/zsh USER
                                                                                  

                                                                                  Set user password

                                                                                  passwd USER
                                                                                  

Edit sudoers with visudo, which syntax-checks the file before saving (a broken /etc/sudoers locks everyone out of sudo)

                                                                                  /etc/sudoers
                                                                                  
                                                                                  # Enable insults
                                                                                  Defaults insults
                                                                                  
                                                                                  # Ask for the root password instead of the user password
                                                                                  Defaults targetpw
                                                                                  
                                                                                  # Infinite password timeout
                                                                                  Defaults passwd_timeout=0
                                                                                  
                                                                                  # # Password timeout
                                                                                  # Defaults passwd_timeout=1800
                                                                                  

uncomment root ALL=(ALL) ALL
uncomment %wheel ALL=(ALL:ALL) ALL

Note: with targetpw every wheel member authenticates with the root password, so the root password has to be shared and sudo gives no per-user accountability; drop that line to keep the normal per-user prompt.

                                                                                  Warning

Sudoers file permissions: the owner and group of /etc/sudoers must both be root (uid/gid 0)
and the mode must be 0440. These are the defaults, but if you accidentally change them,
restore them immediately or sudo will refuse to run.

                                                                                  chown -c root:root /etc/sudoers
                                                                                  
                                                                                  chmod -c 0440 /etc/sudoers
                                                                                  

                                                                                  Networking

Install NetworkManager and make sure systemd-networkd and systemd-resolved are not enabled (remove any leftover networkd configuration first)

                                                                                  rm /etc/systemd/network/*
                                                                                  
                                                                                  pacman -Syu networkmanager
                                                                                  
                                                                                  systemctl disable systemd-resolved
                                                                                  
                                                                                  systemctl disable systemd-networkd
                                                                                  
                                                                                  systemctl enable NetworkManager
                                                                                  

                                                                                  Disable IPv6

                                                                                  /etc/sysctl.d/40-ipv6.conf
                                                                                  
                                                                                  net.ipv6.conf.all.disable_ipv6 = 1
                                                                                  net.ipv6.conf.default.disable_ipv6 = 1
                                                                                  net.ipv6.conf.lo.disable_ipv6 = 1
                                                                                  

                                                                                  Configure Connection

                                                                                  nmcli connection edit Wired\ connection\ 1
                                                                                  
                                                                                  set connection.id enp1s0
                                                                                  
                                                                                  set ipv6.method disabled
                                                                                  
                                                                                  save persistent
                                                                                  
                                                                                  quit
                                                                                  

                                                                                  Local hostname resolution

                                                                                  /etc/hosts
                                                                                  
                                                                                  # Static table lookup for hostnames.
                                                                                  # See hosts(5) for details.
                                                                                  127.0.0.1        localhost
                                                                                  ::1              localhost
                                                                                  

                                                                                  Networking through the wired adapter using DHCP (systemd-networkd alternative to NetworkManager; skip this and the next file if NetworkManager is in use)

                                                                                  /etc/systemd/network/20-wired.network
                                                                                  
                                                                                  [Match]
                                                                                  Name=en*
                                                                                  
                                                                                  [Network]
                                                                                  DHCP=yes

                                                                                  [DHCPv4]
                                                                                  # lower than the wireless profile's 20, so a wired link is preferred (networkd's default metric is 1024)
                                                                                  RouteMetric=10
                                                                                  

                                                                                  Wireless network using DHCP (systemd-networkd; RouteMetric=20 only makes Wi-Fi lose to a wired link if the wired profile carries a lower metric, because networkd's default DHCPv4 metric is 1024)

                                                                                  /etc/systemd/network/25-wireless.network
                                                                                  
                                                                                  [Match]
                                                                                  Name=wl*
                                                                                  
                                                                                  [Network]
                                                                                  DHCP=yes
                                                                                  
                                                                                  [DHCPv4]
                                                                                  RouteMetric=20
                                                                                  

                                                                                  Wireless network configuration

                                                                                  systemd-networkd only handles addressing; the wireless link itself needs a separate supplicant (iwd or wpa_supplicant) before the .network file above can obtain a DHCP lease.

                                                                                  Enable systemd-networkd and systemd-resolved (only if you chose them instead of NetworkManager), then point /etc/resolv.conf at the stub resolver /run/systemd/resolve/stub-resolv.conf

                                                                                  systemctl enable systemd-resolved -f

                                                                                  systemctl enable systemd-networkd -f
                                                                                  
                                                                                  Tip

                                                                                  NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network.

                                                                                  Warning

                                                                                  Make sure that only one service that wants to configure the network is running.
                                                                                  Multiple networking services will conflict.
                                                                                  List the running services with systemctl --type=service and stop (and disable) any second network manager.
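The conflict the warning describes can be checked mechanically instead of by eyeballing systemctl output. The script below is an added example and not part of this page: it reads systemctl list-units output on stdin and prints every recognised network manager that is running, failing when there are two or more. The function names, the set of unit names it recognises (NetworkManager, systemd-networkd, dhcpcd, connman, wicd and netctl instances) and the two list-units samples are my own assumptions and constructions, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the page's own code): flag more than one network
# manager running at the same time.

# Read `systemctl list-units --type=service --state=running --plain --no-legend`
# output on stdin, print each recognised network manager unit, and return 0
# when at most one is running, 1 when two or more conflict.
# The recognised unit names are an assumption; add your own if needed.
network_managers_running() {
    count=0
    while read -r unit rest; do
        case "$unit" in
            NetworkManager.service|systemd-networkd.service|connman.service|wicd.service|dhcpcd.service|dhcpcd@*.service|netctl@*.service|netctl-auto@*.service)
                printf '%s\n' "$unit"
                count=$((count + 1))
                ;;
        esac
    done
    [ "$count" -le 1 ]
}

# Live use on a booted system:
#   systemctl list-units --type=service --state=running --plain --no-legend | network_managers_running

# Constructed samples of list-units output (not captured from a real host).
sample_conflict() {
    cat <<'EOF'
NetworkManager.service   loaded active running Network Manager
systemd-networkd.service loaded active running Network Configuration
sshd.service             loaded active running OpenSSH Daemon
EOF
}

sample_single() {
    cat <<'EOF'
NetworkManager.service   loaded active running Network Manager
sshd.service             loaded active running OpenSSH Daemon
EOF
}
```

Running it inside the chroot is pointless (nothing is running there yet); run it after the first boot, and disable whichever of the printed units you did not intend to keep.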


                                                                                  Exit chroot, unmount and reboot

                                                                                  exit
                                                                                  
                                                                                  umount -R /mnt
                                                                                  
                                                                                  reboot
                                                                                  

                                                                                  Autoupdate mirrorlist

                                                                                  Install reflector

                                                                                  pacman -Syu reflector
                                                                                  

                                                                                  Edit reflector configuration

                                                                                  /etc/xdg/reflector/reflector.conf
                                                                                  
                                                                                  # Recommended Options
                                                                                  
                                                                                  # Set the output path where the mirrorlist will be saved (--save).
                                                                                  --save /etc/pacman.d/mirrorlist
                                                                                  
                                                                                  # Select the transfer protocol (--protocol). HTTPS stops on-path tampering with
                                                                                  # and observation of downloads; pacman's package signature checks still apply.
                                                                                  --protocol https

                                                                                  # Select the country (--country).
                                                                                  # Consult the list of available countries with "reflector --list-countries" and
                                                                                  # select the countries nearest to you or the ones that you trust. For example:
                                                                                  --country Switzerland,Germany

                                                                                  # Use only the 10 most recently synchronized mirrors (--latest).
                                                                                  --latest 10

                                                                                  # Sort the mirrors by download rate (--sort); "--sort age" sorts by
                                                                                  # synchronization time instead.
                                                                                  --sort rate
                                                                                  

                                                                                  Run reflector once now and enable the weekly timer

                                                                                  systemctl start reflector.service
                                                                                  
                                                                                  systemctl enable reflector.timer
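Reflector writes exactly what the options above ask for, but a hand edit or a merged mirrorlist.pacnew can quietly put plain-http mirrors back. The script below is an added example, not part of the page or of reflector: it reads a mirrorlist on stdin and lists every enabled Server line that is not HTTPS, so you can confirm --protocol https actually took effect. The function name and the sample mirrorlist (with example.* hosts, not real mirrors) are my own constructions.

```shell
#!/bin/sh
# Added example (not from the page or from reflector): verify that every
# enabled Server line in a pacman mirrorlist uses HTTPS.

# Read a mirrorlist on stdin; print each enabled non-HTTPS mirror URL.
# Returns 0 when all enabled mirrors are https://, 1 otherwise.
# Commented-out "#Server" lines are skipped, just as pacman skips them.
audit_mirrorlist_https() {
    bad=0
    while read -r line; do
        case "$line" in
            Server*=*)
                url=${line#*=}                                      # text after '='
                url=$(printf '%s\n' "$url" | awk '{ print $1 }')   # strip blanks
                case "$url" in
                    https://*) ;;
                    *) printf 'non-https mirror: %s\n' "$url"; bad=1 ;;
                esac
                ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Live use:  audit_mirrorlist_https < /etc/pacman.d/mirrorlist

# Constructed mirrorlist in reflector's output format (example hosts only).
sample_mirrorlist() {
    cat <<'EOF'
################################################################################
################# Arch Linux mirrorlist generated by Reflector #################
################################################################################

# With:       reflector --save /etc/pacman.d/mirrorlist --protocol https --latest 10 --sort rate

Server = https://mirror.example.ch/archlinux/$repo/os/$arch
Server = http://mirror.example.de/archlinux/$repo/os/$arch
#Server = http://disabled.example/archlinux/$repo/os/$arch
Server = rsync://mirror.example.org/archlinux/$repo/os/$arch
EOF
}
```

A non-zero exit from the audit is a good reason to rerun reflector rather than to edit the list by hand.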
                                                                                  

                                                                                  Discard unused packages from the cache weekly so that /var/cache/pacman/pkg does not grow indefinitely (paccache.timer belongs to pacman-contrib, which is installed under "Install base programs" below)

                                                                                  systemctl enable paccache.timer
                                                                                  

                                                                                  Update system

                                                                                  pacman -Syu
                                                                                  

                                                                                  Install base programs

                                                                                  pacman -Syu xfsprogs pacman-contrib openssh curl wget rsync git htop tldr fd ack ncdu duf man-db tree logrotate net-tools btop pwgen nfs-utils neofetch
                                                                                  

                                                                                  Install additional kernel

                                                                                  pacman -Syu linux-lts linux-zen
                                                                                  

                                                                                  Remove fallback from presets (optional: the fallback image is built without autodetect, so it carries every module and still boots when the default image lacks a driver for your hardware; without it you recover from the install medium instead). After editing, regenerate with mkinitcpio -P and delete the stale fallback image and its loader entry by hand.

                                                                                  /etc/mkinitcpio.d/linux-zen.preset
                                                                                  
                                                                                  # mkinitcpio preset file for the 'linux-zen' package
                                                                                  
                                                                                  #ALL_config="/etc/mkinitcpio.conf"
                                                                                  ALL_kver="/boot/vmlinuz-linux-zen"
                                                                                  ALL_microcode=(/boot/*-ucode.img)
                                                                                  
                                                                                  PRESETS=('default')
                                                                                  
                                                                                  #default_config="/etc/mkinitcpio.conf"
                                                                                  default_image="/boot/initramfs-linux-zen.img"
                                                                                  #default_uki="/efi/EFI/Linux/arch-linux-zen.efi"
                                                                                  #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
                                                                                  
                                                                                  #fallback_config="/etc/mkinitcpio.conf"
                                                                                  fallback_image="/boot/initramfs-linux-zen-fallback.img"
                                                                                  #fallback_uki="/efi/EFI/Linux/arch-linux-zen-fallback.efi"
                                                                                  fallback_options="-S autodetect"
                                                                                  

                                                                                  Install fonts

                                                                                  pacman -Syu ttf-ubuntu-font-family ttf-jetbrains-mono noto-fonts-emoji
                                                                                  

                                                                                  Install AMDGPU driver

                                                                                  pacman -Syu lib32-mesa mesa xf86-video-amdgpu lib32-vulkan-radeon vulkan-radeon lib32-libva-mesa-driver libva-mesa-driver lib32-mesa-vdpau mesa-vdpau
                                                                                  

                                                                                  Setup AUR

                                                                                  Let makepkg use all CPU threads for compiling and compressing

                                                                                  /etc/makepkg.conf
                                                                                  

                                                                                  uncomment and edit MAKEFLAGS="-j $(nproc)"
                                                                                  uncomment and edit COMPRESSXZ=(xz -c -T $(nproc) -z -)

                                                                                  Download and build the AUR helper as your regular user, not as root (makepkg refuses to run as root; base-devel and git must be installed). Read the PKGBUILD before running makepkg: AUR packages are unreviewed user submissions, and this applies to every package yay builds later as well.

                                                                                  git clone https://aur.archlinux.org/yay.git
                                                                                  
                                                                                  cd yay
                                                                                  
                                                                                  makepkg -si
                                                                                  

                                                                                  Modify the initramfs configuration and regenerate the images afterwards with mkinitcpio -P

                                                                                  /etc/mkinitcpio.conf
                                                                                  
                                                                                  MODULES=(amdgpu)
                                                                                  ...
                                                                                  HOOKS=(base udev autodetect modconf kms keyboard keymap block filesystems fsck)
                                                                                  

                                                                                  Tip

                                                                                  Install optional firmware for the default linux kernel to get rid of the annoying
                                                                                  ‘WARNING: Possibly missing firmware for module:’ message

                                                                                  yay -Syu mkinitcpio-firmware
                                                                                  

                                                                                  Note

                                                                                  XFS has supported asynchronous discard since kernel 4.7, but the XFS documentation still recommends “that you use the fstrim application to discard unused blocks rather than the discard mount option because the performance impact of this option is quite severe.”

                                                                                  Enable weekly TRIM service for SSD devices

                                                                                  systemctl enable fstrim.timer
                                                                                  

                                                                                  Enable Logrotate

                                                                                  systemctl enable logrotate.timer
                                                                                  
                                                                                  /etc/logrotate.conf
                                                                                  
                                                                                  # uncomment this if you want your log files compressed
                                                                                  compress
                                                                                  compresscmd /usr/bin/zstd
                                                                                  compressext .zst
                                                                                  compressoptions -T0 --long
                                                                                  uncompresscmd /usr/bin/unzstd
                                                                                  

                                                                                  Raise the locked-memory and open-file limits. The * wildcard applies memlock unlimited to every account, so any local user can pin all of RAM; on a machine with untrusted local users scope the lines to a group (for example @wheel) instead of *.

                                                                                  mkdir -pv /etc/security/limits.d
                                                                                  
                                                                                  /etc/security/limits.d/10-gcr.conf
                                                                                  
                                                                                  *               hard    memlock         unlimited
                                                                                  *               soft    memlock         unlimited
                                                                                  *               hard    nofile          1048576
                                                                                  

                                                                                  Run ulimit -l in a fresh login session to check the limit (pam_limits applies limits.d at login, so an existing shell keeps the old value)


                                                                                  Set max user watches

                                                                                  echo fs.inotify.max_user_watches=524288 | tee /etc/sysctl.d/50-max_user_watches.conf && sysctl --system
                                                                                  

                                                                                  Run cat /proc/sys/fs/inotify/max_user_watches to check it’s working


                                                                                  Enable Nano syntax highlighting

                                                                                  /etc/nanorc
                                                                                  

                                                                                  uncomment include "/usr/share/nano/*.nanorc"


                                                                                  Disabling automatic core dumps (the file below shadows systemd's /usr/lib/sysctl.d/50-coredump.conf of the same name, which would otherwise pipe dumps to systemd-coredump; dumps can contain passwords and keys from process memory, so discarding them removes that exposure at the cost of crash forensics. Verify with sysctl kernel.core_pattern after sysctl --system.)

                                                                                  /etc/sysctl.d/50-coredump.conf
                                                                                  
                                                                                  kernel.core_pattern=/dev/null
                                                                                  

                                                                                  Reducing shutdown timeout for “a stop job is running”

                                                                                  /etc/systemd/system.conf
                                                                                  

                                                                                  uncomment and set DefaultTimeoutStartSec=30s
                                                                                  uncomment and set DefaultTimeoutStopSec=30s
                                                                                  (the shipped default for both is 90s)


                                                                                  Add additional tty virtual consoles (CTRL+ALT+F1 - CTRL+ALT+F11)

                                                                                  /etc/systemd/logind.conf
                                                                                  
                                                                                  NAutoVTs=11
                                                                                  

                                                                                  Forward journald to /dev/tty12 (CTRL+ALT+F12). Note that anyone at the physical console can then read the log on tty12 without logging in, so skip this on machines in shared spaces.

                                                                                  Create a drop-in directory

                                                                                  mkdir -pv /etc/systemd/journald.conf.d
                                                                                  

                                                                                  create a config file in it

                                                                                  /etc/systemd/journald.conf.d/fw-tty12.conf
                                                                                  
                                                                                  [Journal]
                                                                                  ForwardToConsole=yes
                                                                                  TTYPath=/dev/tty12
                                                                                  MaxLevelConsole=info
                                                                                  

                                                                                  Change persistent journal size limit

                                                                                  Create a drop-in directory

                                                                                  mkdir -pv /etc/systemd/journald.conf.d
                                                                                  
                                                                                  /etc/systemd/journald.conf.d/00-journal-size.conf
                                                                                  
                                                                                  [Journal]
                                                                                  SystemMaxUse=50M
                                                                                  

                                                                                  Swap

                                                                                  Remove the swap file (when replacing it with zram; zram cannot be a hibernation target, since its contents live in RAM, so keep a real swap file if you want hibernation)

                                                                                  swapon --show
                                                                                  
                                                                                  swapoff /swapfile
                                                                                  
                                                                                  /etc/fstab
                                                                                  

                                                                                  remove /swapfile swap swap defaults 0 0

                                                                                  rm /swapfile
                                                                                  

                                                                                  Install Zram-generator package

                                                                                  pacman -Syu zram-generator
                                                                                  

                                                                                  Configure Zram

                                                                                  /etc/systemd/zram-generator.conf
                                                                                  
                                                                                  # This config file enables a /dev/zram0 device with the default settings:
                                                                                  # — size — same as available RAM or 8GB, whichever is less
                                                                                  # — compression — most likely lzo-rle
                                                                                  #
                                                                                  # To disable, uninstall zram-generator-defaults or create empty
                                                                                  # /etc/systemd/zram-generator.conf file.
                                                                                  [zram0]
                                                                                  zram-size = min(ram, 8192)
                                                                                  

                                                                                  Start the zram device (there is no enable step: zram-generator is a systemd generator, so systemd-zram-setup@zram0.service is created from the config above at boot and on daemon-reload, and cannot be enabled by hand)

                                                                                  systemctl daemon-reload

                                                                                  systemctl start systemd-zram-setup@zram0.service

                                                                                  Check with zramctl and swapon --show
                                                                                  

                                                                                  Create a swap file (the alternative to zram, and required for hibernation; the chmod 600 before mkswap matters because the file will hold memory pages, and with hibernation the entire memory image)

                                                                                  dd if=/dev/zero of=/swapfile bs=1M count=8192 status=progress
                                                                                  
                                                                                  chmod 600 /swapfile
                                                                                  
                                                                                  mkswap /swapfile
                                                                                  
                                                                                  swapon /swapfile
                                                                                  

                                                                                  Edit the fstab configuration to add an entry for the swap file

                                                                                  /etc/fstab
                                                                                  

                                                                                  /swapfile swap swap defaults 0 0

                                                                                  Check the current swappiness value

                                                                                  sysctl vm.swappiness
                                                                                  

                                                                                  To set the swappiness value permanently, edit a sysctl configuration file

                                                                                  /etc/sysctl.d/99-swappiness.conf
                                                                                  

                                                                                  vm.swappiness=10


                                                                                  Hibernation into swap file

                                                                                  Identify swap device

                                                                                  findmnt -no UUID -T /swapfile
                                                                                  

                                                                                  Identify swap file offset

                                                                                  filefrag -v /swapfile | awk '$1=="0:" {print substr($4, 1, length($4)-2)}'
                                                                                  

                                                                                  Add both values to the options line of your systemd-boot loader entry. The UUID is that of the filesystem holding the swap file (what findmnt -T printed), not of the file itself; the filefrag offset is in filesystem blocks and matches the kernel's page-size units only when the block size is 4 KiB. The values below are example values and must be replaced with your own; they also change whenever the swap file is recreated. With the udev-based HOOKS used above, the resume hook must be added to HOOKS after block and the initramfs regenerated with mkinitcpio -P, otherwise the image is never looked for at boot.

                                                                                  resume=UUID=eb22c14f-a1f2-4843-ae88-c8fee6113d9d resume_offset=3762176
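The awk one-liner above copies filefrag's first physical offset verbatim, which is only right when the filesystem block size equals the page size. The script below is an added example, not code from this page: it parses filefrag -v output, reads the block size from the "File size" line, converts the offset to page units and assembles the loader option string. The function names are mine; findmnt, filefrag and getconf are the real tools the page already uses; the two filefrag outputs are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the page's own code): derive resume_offset from
# `filefrag -v`, correcting for the filesystem block size, and build the
# resume= / resume_offset= fragment for the loader entry.

# Read `filefrag -v <swapfile>` output on stdin and print resume_offset in
# units of the page size (argument 1, default 4096). filefrag reports
# physical offsets in filesystem blocks; the kernel expects PAGE_SIZE units,
# so the numbers only agree when the block size equals the page size.
# Exit status: 1 if no first extent or block size was found, 2 if the
# offset is not page-aligned.
resume_offset_from_filefrag() {
    awk -v page="${1:-4096}" '
        # "File size of /swapfile is N (B blocks of S bytes)" -> S
        /^File size of/ {
            for (i = 1; i < NF; i++)
                if ($i == "of" && $(i+1) ~ /^[0-9]+$/ && $(i+2) ~ /^bytes/)
                    bs = $(i+1)
        }
        # first extent: "0:  <lstart>..  <lend>:  <pstart>..  <pend>: ..."
        $1 == "0:" { sub(/\.\.$/, "", $4); first = $4 }
        END {
            if (bs == "" || first == "") exit 1
            if ((bs * first) % page != 0) exit 2
            printf "%d\n", bs * first / page
        }'
}

# Assemble the kernel command-line fragment from the UUID of the filesystem
# holding the swap file (from findmnt) and the page offset.
hibernate_cmdline() {
    printf 'resume=UUID=%s resume_offset=%s\n' "$1" "$2"
}

# Live use on a real host (root needed for filefrag), e.g.
#   hibernate_options_for /swapfile
hibernate_options_for() {
    uuid=$(findmnt -no UUID -T "$1") || return 1
    off=$(filefrag -v "$1" | resume_offset_from_filefrag "$(getconf PAGESIZE)") || return 1
    hibernate_cmdline "$uuid" "$off"
}

# Constructed filefrag output (not from a real host): a 4 KiB-block XFS file
# whose first extent starts at block 3762176, and a 1 KiB-block filesystem
# whose first extent starts at block 16 (= page 4).
sample_filefrag_4k() {
    cat <<'EOF'
Filesystem type is: 58465342
File size of /swapfile is 8589934592 (2097152 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:  expected: flags:
   0:        0..   32767:    3762176..   3794943:  32768:
   1:    32768.. 2097151:    3794944..   5859327: 2064384:             last,eof
/swapfile: 2 extents found
EOF
}

sample_filefrag_1k() {
    cat <<'EOF'
Filesystem type is: ef53
File size of /swapfile is 1073741824 (1048576 blocks of 1024 bytes)
 ext:     logical_offset:        physical_offset: length:  expected: flags:
   0:        0..    1023:         16..      1039:   1024:
   1:     1024.. 1048575:       2048..   1049599: 1047552:       1040: last,eof
/swapfile: 2 extents found
EOF
}
```

Re-run hibernate_options_for whenever the swap file is recreated or moved, because the offset is a property of that particular file's placement on disk.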
                                                                                  

                                                                                  Andreas Bauer. All rights reserved.

                                                                                  Desktop environment

                                                                                  A desktop environment (DE) is made of a bundle of programs, which share a common graphical user interface (GUI).

                                                                                  A desktop environment bundles together a variety of components to provide common graphical user interface elements such as icons, toolbars, wallpapers, and desktop widgets. Additionally, most desktop environments include a set of integrated applications and utilities. Most importantly, desktop environments provide their own window manager, which can however usually be replaced with another compatible one.


                                                                                  • KDE
                                                                                  • How to install and configure KDE Plasma as your desktop environment

                                                                                    • GNOME
                                                                                    • How to install and configure GNOME as your desktop environment



                                                                                      KDE desktop environment

                                                                                      How to install and configure KDE Plasma as your desktop environment




                                                                                      Install audio

                                                                                      pacman -Syu pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber pipewire-docs helvum
                                                                                      

                                                                                      Install KDE Plasma

                                                                                      pacman -Syu xorg plasma plasma-wayland-session kdeconnect xdg-desktop-portal sshfs fwupd packagekit-qt5 sonnet
                                                                                      
                                                                                      systemctl enable sddm
                                                                                      
                                                                                      pacman -Rscn flatpak plymouth
                                                                                      

                                                                                      Tip

                                                                                      Disabling capslock key in KDE

                                                                                      System Settings > Input Devices > Keyboard > Advanced > Caps Lock key behavior > Caps Lock is disabled
                                                                                      

                                                                                      Tip

                                                                                      KDE Plasma tiling

Activate it in System Settings > Workspace Behavior > Desktop Effects.
You can then tile a window by dragging it while holding down the Shift key.
To create custom tile layouts, hold down the Meta key and press T.
                                                                                      

                                                                                      Tip

                                                                                      KDE fix Firefox fonts

                                                                                      fc-match sans
                                                                                      fc-match serif
                                                                                      fc-cache --really-force


                                                                                      List of applications

                                                                                      Visual Studio Code

                                                                                      yay -Syu visual-studio-code-bin
                                                                                      
                                                                                      Tip

Fix: VS Code remote connection uses 100% CPU on the remote machine

                                                                                      Set settingsSync.keybindingsPerPlatform to false
                                                                                      Set search.followSymlinks to false

                                                                                      Image Viewer

                                                                                      yay -Syu nomacs
                                                                                      

                                                                                      PDF Viewer

                                                                                      pacman -Syu okular kdegraphics-mobipocket khtml chmlib calligra
                                                                                      

                                                                                      VNC

                                                                                      pacman -Syu remmina freerdp libvncserver spice-gtk webkit2gtk-4.1
                                                                                      

                                                                                      Image Editing

                                                                                      pacman -Syu gimp krita inkscape
                                                                                      

                                                                                      Audio editing

                                                                                      pacman -Syu audacity
                                                                                      

                                                                                      Video editing

                                                                                      pacman -Syu kdenlive
                                                                                      

                                                                                      Office Suite

                                                                                      pacman -Syu libreoffice-fresh ttf-caladea ttf-carlito ttf-dejavu ttf-liberation hunspell hunspell-en_us hunspell-de
                                                                                      

                                                                                      sane: for scanner access

                                                                                      Static Webpages

                                                                                      pacman -Syu hugo
                                                                                      


                                                                                      GNOME desktop environment

                                                                                      How to install and configure GNOME as your desktop environment




                                                                                      Install audio

                                                                                      pacman -Syu pipewire pipewire-alsa pipewire-jack pipewire-pulse wireplumber pipewire-docs helvum
                                                                                      

                                                                                      Install GNOME

                                                                                      pacman -Syu gnome gnome-extra gnome-themes-extra gnome-power-manager qt5ct libsecret seahorse
                                                                                      

                                                                                      Install extensions and additional themes

                                                                                      yay -Syu gnome-shell-extension-dash-to-panel gnome-shell-extension-arc-menu gnome-shell-extension-no-overview gnome-shell-extension-tray-icons-reloaded xcursor-pro-cursor-theme adwaita-qt
                                                                                      

                                                                                      Optional MacOS theme

                                                                                      yay -Syu whitesur-icon-theme whitesur-gtk-theme
                                                                                      

                                                                                      Remove bloat

                                                                                      pacman -Rscn baobab gnome-recipes gnome-books gnome-boxes gnome-builder gnome-chess gnome-connections tali gnome-games geary ipython gnome-nibbles totem epiphany gnome-software polari iagno lightsoff four-in-a-row gnome-robots hitori gnome-klotski gnome-mines gnome-mahjongg gnome-sudoku quadrapassel swell-foop gnome-tetravex gnome-taquin gnome-remote-desktop
                                                                                      

Configuration of Qt5 apps under environments other than KDE Plasma

/etc/environment

QT_QPA_PLATFORMTHEME=qt5ct

/etc/environment is read by pam_env, not by a shell, so a plain KEY=VALUE assignment is all that is needed.

Run qt5ct to set a Qt5 icon theme


Use Xorg backend by default

/etc/gdm/custom.conf

Uncomment the line WaylandEnable=false


                                                                                      Enable display manager

                                                                                      systemctl enable gdm.service -f
                                                                                      

                                                                                      Hide user from GDM login list

To hide an ordinary user from the login list, create or edit a file named after the user

                                                                                      /var/lib/AccountsService/users/username
                                                                                      
                                                                                      [User]
                                                                                      SystemAccount=true
                                                                                      
                                                                                      Info

                                                                                      GNOME login using tty (GDM disabled)
                                                                                      Sessions are stored in /usr/share/xsessions

                                                                                      ~/.xinitrc
                                                                                      
#!/bin/sh

userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/etc/X11/xinit/.Xresources
sysmodmap=/etc/X11/xinit/.Xmodmap

# merge in defaults and keymaps

if [ -f "$sysresources" ]; then
    xrdb -merge "$sysresources"
fi

if [ -f "$sysmodmap" ]; then
    xmodmap "$sysmodmap"
fi

if [ -f "$userresources" ]; then
    xrdb -merge "$userresources"
fi

if [ -f "$usermodmap" ]; then
    xmodmap "$usermodmap"
fi

# start some nice programs

if [ -d /etc/X11/xinit/xinitrc.d ] ; then
    for f in /etc/X11/xinit/xinitrc.d/?*.sh ; do
        [ -x "$f" ] && . "$f"
    done
    unset f
fi

# start the GNOME session on Xorg and silence its output.
# exec replaces this shell, so the redirection must be on the same line;
# a line placed after exec is never executed.
export XDG_SESSION_TYPE=x11
export GDK_BACKEND=x11
exec gnome-session >/dev/null 2>&1
                                                                                      

                                                                                      Start an Xorg display server

                                                                                      ~/.zprofile
                                                                                      
                                                                                      #
                                                                                      # ~/.zprofile
                                                                                      #
                                                                                      [[ -f ~/.zshrc ]] && . ~/.zshrc
                                                                                      
                                                                                      if [[ -z $DISPLAY && $(tty) == /dev/tty1 ]]; then
                                                                                          XDG_SESSION_TYPE=x11 GDK_BACKEND=x11 exec startx
                                                                                      fi
                                                                                      
                                                                                      Tip

                                                                                      Disable caps lock

Tweaks > Keyboard & mouse > Additional layout options > Caps Lock behavior

Confusingly, it is shown as Disabled, but that only means that no customization of the key is active.
In the dropdown choose the Caps Lock is disabled option and you are done.


                                                                                      Unlock the keyring for a display manager

                                                                                      /etc/pam.d/login
                                                                                      
                                                                                      #%PAM-1.0
                                                                                      
                                                                                      auth       required     pam_securetty.so
                                                                                      auth       requisite    pam_nologin.so
                                                                                      auth       include      system-local-login
                                                                                      auth       optional     pam_gnome_keyring.so
                                                                                      account    include      system-local-login
                                                                                      session    include      system-local-login
                                                                                      session    optional     pam_gnome_keyring.so auto_start
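The PAM stack above only unlocks the keyring if both the auth line (which hands the login password to the keyring) and the session line with auto_start (which starts the daemon) are present, and a typo in either fails silently. As an added example (not part of the original page), the POSIX shell function below reads a PAM file on stdin, reports which of the two lines is missing, and warns when the auth entry uses required or requisite instead of optional, because with those controls a keyring failure would also fail the login itself. The two sample stacks are constructed: the first copies the page's /etc/pam.d/login, the second is the same stack without the keyring lines.

```shell
#!/bin/sh
# Added example: verify that a PAM stack carries the pam_gnome_keyring
# lines needed to unlock and start the keyring at login.
# Usage on a real system: check_keyring_pam < /etc/pam.d/login

# Constructed sample: the page's /etc/pam.d/login.
SAMPLE_LOGIN_PAM='#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start'

# Constructed sample: same stack without the keyring lines.
SAMPLE_PLAIN_PAM='#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login'

# Returns 0 when both keyring lines are present, 1 otherwise.
check_keyring_pam() {
    awk '
        BEGIN { auth = 0; session = 0; autostart = 0 }
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        {
            # locate the module field; it is not always $3, because a
            # bracketed control such as [success=1 default=ignore] contains spaces
            mod = 0
            for (i = 1; i <= NF; i++) if ($i ~ /pam_gnome_keyring\.so$/) mod = i
            if (!mod) next
            if ($1 == "auth") {
                auth = 1
                if ($2 == "required" || $2 == "requisite")
                    printf "warning: auth control is %s; a keyring failure would fail the login\n", $2
            }
            if ($1 == "session") {
                session = 1
                for (i = mod + 1; i <= NF; i++) if ($i == "auto_start") autostart = 1
            }
        }
        END {
            ok = 1
            if (!auth)    { print "missing: auth optional pam_gnome_keyring.so"; ok = 0 }
            if (!session) { print "missing: session optional pam_gnome_keyring.so auto_start"; ok = 0 }
            else if (!autostart) { print "session line lacks auto_start; the daemon is not started"; ok = 0 }
            exit !ok
        }'
}

# Example runs on the constructed samples.
printf '%s\n' "$SAMPLE_LOGIN_PAM" | check_keyring_pam && echo "keyring unlock configured"
printf '%s\n' "$SAMPLE_PLAIN_PAM" | check_keyring_pam || echo "keyring lines missing, as expected"
```

The check deliberately looks only at the two lines the page adds; it does not judge the rest of the stack. Run it against /etc/pam.d/login after editing, and again after any package upgrade that ships a new pacnew for the file.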
                                                                                      

                                                                                      Set login keyring as default

                                                                                      ~/.local/share/keyrings/default
                                                                                      
                                                                                      login
                                                                                      

                                                                                      Automatically change default keyring password with user password

                                                                                      #%PAM-1.0
                                                                                      #password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
                                                                                      #password       required        pam_unix.so sha512 shadow use_authtok
                                                                                      password        required        pam_unix.so sha512 shadow nullok
                                                                                      password        optional        pam_gnome_keyring.so
                                                                                      

Complete the keyring initialization automatically at login

                                                                                      ~/.zprofile
                                                                                      
                                                                                      [[ -f ~/.zshrc ]] && . ~/.zshrc
                                                                                      
                                                                                      if [ -n "$DESKTOP_SESSION" ];then
                                                                                          eval $(gnome-keyring-daemon --start)
                                                                                          export SSH_AUTH_SOCK
                                                                                      fi
                                                                                      


                                                                                      Pacman

                                                                                      How to use the Pacman package manager and fix common errors




                                                                                      Upgrading packages

                                                                                      pacman -Syu
                                                                                      

                                                                                      Uninstall packages

                                                                                      pacman -Rscn
                                                                                      

                                                                                      Remove orphaned packages

                                                                                      pacman -Qtdq | pacman -Rns -
                                                                                      

                                                                                      Remove all the cached packages that are not currently installed, and the unused sync database

                                                                                      pacman -Sc
                                                                                      

To remove all files from the cache, use the clean switch twice. This is the most aggressive approach and will leave nothing in the cache folder, so no package can be downgraded from it afterwards.

                                                                                      pacman -Scc
                                                                                      

                                                                                      Create a hook to remove cached packages automatically after every pacman transaction

                                                                                      pacman -Syu pacman-contrib
                                                                                      
                                                                                      /etc/pacman.d/hooks/90-remove-cache.hook
                                                                                      
                                                                                      [Trigger]
                                                                                      Operation = Upgrade
                                                                                      Operation = Install
                                                                                      Operation = Remove
                                                                                      Type = Package
                                                                                      Target = *
                                                                                      
                                                                                      [Action]
                                                                                      Description = Cleaning the package cache...
                                                                                      When = PostTransaction
                                                                                      Exec = /usr/bin/paccache -rvk2
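A hook with a misspelled key or an unknown value is skipped by pacman, and the cache then silently keeps growing. As an added example (not part of the original page), the POSIX shell function below validates a hook file read on stdin: it checks that the keys alpm-hooks(5) requires are present in the right section and that Operation, Type and When carry one of the allowed values. The first sample is the page's 90-remove-cache.hook; the second is a constructed broken variant.

```shell
#!/bin/sh
# Added example: validate an alpm hook file such as
# /etc/pacman.d/hooks/90-remove-cache.hook.
# Usage on a real system: validate_hook < /etc/pacman.d/hooks/90-remove-cache.hook

# The page's hook, used here as a sample.
SAMPLE_HOOK='[Trigger]
Operation = Upgrade
Operation = Install
Operation = Remove
Type = Package
Target = *

[Action]
Description = Cleaning the package cache...
When = PostTransaction
Exec = /usr/bin/paccache -rvk2'

# Constructed broken variant: invalid Type, no When.
BROKEN_HOOK='[Trigger]
Operation = Upgrade
Type = Pkg
Target = *

[Action]
Description = missing When
Exec = /usr/bin/paccache -rvk2'

# Prints each problem found; returns 0 only when the hook is well-formed.
validate_hook() {
    awk '
        BEGIN { bad = 0; sec = "" }
        /^\[Trigger\]/ { sec = "Trigger"; next }
        /^\[Action\]/  { sec = "Action";  next }
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        {
            # split "Key = Value" at the first "=" and trim both parts
            n = index($0, "=")
            if (n == 0) { printf "unparseable line: %s\n", $0; bad = 1; next }
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (sec == "") { printf "key outside a section: %s\n", key; bad = 1; next }
            seen[sec "." key] = 1
            # enumerated values from alpm-hooks(5)
            if (sec == "Trigger" && key == "Operation" && val !~ /^(Install|Upgrade|Remove)$/) { printf "bad Operation: %s\n", val; bad = 1 }
            if (sec == "Trigger" && key == "Type" && val !~ /^(Path|Package|File)$/) { printf "bad Type: %s\n", val; bad = 1 }
            if (sec == "Action" && key == "When" && val !~ /^(PreTransaction|PostTransaction)$/) { printf "bad When: %s\n", val; bad = 1 }
        }
        END {
            # keys a hook cannot work without
            split("Trigger.Operation Trigger.Type Trigger.Target Action.When Action.Exec", req, " ")
            for (i in req) if (!seen[req[i]]) { printf "missing required key: %s\n", req[i]; bad = 1 }
            exit bad
        }'
}

# Example runs on the two samples.
printf '%s\n' "$SAMPLE_HOOK" | validate_hook && echo "90-remove-cache.hook: ok"
printf '%s\n' "$BROKEN_HOOK" | validate_hook || echo "broken hook rejected, as expected"
```

The validator covers structure and value sets only; whether the Exec target exists and is executable is still worth checking by hand (here: that pacman-contrib is installed, since it provides paccache).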
                                                                                      

                                                                                      List files installed by a package

                                                                                      pacman -Ql
                                                                                      

Force remove a package, skipping dependency checks (packages that depend on it are left broken)

                                                                                      pacman -Rdd
                                                                                      

                                                                                      Downgrade package

                                                                                      pacman -U /var/cache/pacman/pkg/NAME
                                                                                      

                                                                                      Update your archlinux-keyring before upgrading your system

                                                                                      pacman -Sy archlinux-keyring && pacman -Su
                                                                                      

                                                                                      Skip a specific package when upgrading the system

                                                                                      pacman -Syu --ignore=PACKAGE
                                                                                      

                                                                                      Error: failed to commit transaction (conflicting files)

                                                                                      pacman -Syu PACKAGE --overwrite FILEPATH
                                                                                      

Error: unable to lock database

First make sure no other pacman instance (or AUR helper) is still running; only then remove the stale lock file

rm /var/lib/pacman/db.lck
                                                                                      

Create a list of installed packages and reinstall from it

pacman -Qqen > pkglist

pacman -S --overwrite '*' $(< pkglist)

pacman -Qqdn > pkglist_deps

pacman -S --asdeps --overwrite '*' $(< pkglist_deps)

--overwrite takes a glob; '*' lets the reinstall replace every conflicting file. Drop it if pacman should stop on file conflicts instead.
                                                                                      

                                                                                      Script to update the system

                                                                                      ~/bin/update
                                                                                      
                                                                                      #!/bin/bash
                                                                                      sudo /root/bin/update
                                                                                      
                                                                                      chmod 700 ~/bin/update
                                                                                      

                                                                                      /root/bin/update
                                                                                      
#!/bin/bash
GREEN='\033[0;32m'
NC='\033[0m'
say() { echo -e "${GREEN}$*${NC}"; }

# Stop at the first failed step instead of reporting "up to date" after an error
say "Updating keyring" &&
pacman -Sy archlinux-keyring --noconfirm &&
say "Running pacman updates" &&
pacman -Syu --noconfirm &&
say "Running AUR updates" &&
sudo -u wildw1ng yay -Syu --devel --needed --removemake --noconfirm --answerclean All --answerdiff None ||
    { echo "Update failed, aborting." >&2; exit 1; }

say "Checking for orphans and dropped packages"
orphans=$(pacman -Qtdq)
if [ -n "$orphans" ]; then
    # pacman -Rscn - fails on empty input, so only call it when there is something to remove
    pacman -Rscn - <<< "$orphans"
else
    echo "No orphans found"
fi

say "System is up to date"
PS3="Please select an option: "
options=(reboot shutdown continue)
select menu in "${options[@]}"; do
    echo -e "\nyou picked $menu ($REPLY)"
    case $menu in
        reboot)   reboot ;;
        shutdown) shutdown now "The system is going down for required maintenance. Please save any important work you are doing now!" ;;
    esac
    break
done
                                                                                      
                                                                                      chmod 700 /root/bin/update
                                                                                      

                                                                                      Andreas Bauer. All rights reserved.

                                                                                      Hardware video acceleration

                                                                                      How to enable hardware video acceleration




                                                                                      Enable encoding with NVENC

                                                                                      NVENC requires the nvidia_uvm module and the creation of related device nodes under /dev.
                                                                                      Manually loading the nvidia_uvm module will not create the device nodes, but invoking the nvidia-modprobe utility will. The udev rule below runs it automatically whenever the nvidia driver binds; after adding the rule, run udevadm control --reload (or reboot) and confirm that /dev/nvidia-uvm exists.

                                                                                      /etc/udev/rules.d/70-nvidia.rules
                                                                                      
                                                                                      ACTION=="add", DEVPATH=="/bus/pci/drivers/nvidia", RUN+="/usr/bin/nvidia-modprobe -c0 -u"
                                                                                      

                                                                                      Install Video Acceleration API (VA-API) and Video Decode and Presentation API for Unix (VDPAU)
                                                                                      
                                                                                      NVIDIA (proprietary driver; libva-nvidia-driver is built from the AUR with yay):
                                                                                      
                                                                                      pacman -Syu libva-utils vdpauinfo && yay -Syu libva-nvidia-driver
                                                                                      
                                                                                      Mesa drivers (AMD and other open-source drivers):
                                                                                      
                                                                                      pacman -Syu libva-mesa-driver mesa-vdpau libva-vdpau-driver libvdpau-va-gl libva-utils vdpauinfo
                                                                                      

                                                                                      Verify VA-API settings

                                                                                      vainfo
                                                                                      

                                                                                      Verify VDPAU settings

                                                                                      vdpauinfo
                                                                                      
                                                                                      grep -iE 'vdpau | dri driver' ~/.local/share/xorg/Xorg.0.log
                                                                                      
                                                                                      (This log path applies to a rootless Xorg started from a user session; an Xorg running as root logs to /var/log/Xorg.0.log instead.)
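Reading vainfo by eye works once; as an added example (not code from the original page), here is a small shell helper that parses vainfo output and answers whether a given codec has a hardware decode (VAEntrypointVLD) or encode (VAEntrypointEncSlice) entrypoint, which is what Firefox and GStreamer actually need. The sample output embedded below is constructed to match vainfo's layout and its driver/version strings are placeholders; when vainfo is installed the script queries the real thing instead.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that the VA-API driver
# really exposes hardware decode/encode for the codecs you care about.

# Constructed sample in vainfo's output format (not captured from a real GPU).
SAMPLE_VAINFO='libva info: VA-API version 1.20.0
libva info: Trying to open /usr/lib/dri/radeonsi_drv_video.so
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.20 (libva 2.20.1)
vainfo: Driver version: Mesa Gallium driver (constructed sample)
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            : VAEntrypointVLD
      VAProfileH264Main               : VAEntrypointVLD
      VAProfileH264Main               : VAEntrypointEncSlice
      VAProfileH264High               : VAEntrypointVLD
      VAProfileHEVCMain               : VAEntrypointVLD
      VAProfileVP9Profile0            : VAEntrypointVLD
      VAProfileNone                   : VAEntrypointVideoProc'

# Print "profile entrypoint" pairs, one per line, from vainfo text on stdin.
va_entrypoints() {
    sed -n 's/^[[:space:]]*\(VAProfile[A-Za-z0-9_]*\)[[:space:]]*:[[:space:]]*\(VAEntrypoint[A-Za-z0-9_]*\).*/\1 \2/p'
}

# va_supports TEXT CODEC ENTRYPOINT: succeeds if any profile of CODEC (a prefix
# such as H264, HEVC, VP9, AV1) lists ENTRYPOINT (VLD = decode, EncSlice = encode).
va_supports() {
    printf '%s\n' "$1" | va_entrypoints | grep -q "^VAProfile$2[A-Za-z0-9_]* VAEntrypoint$3\$"
}

# Number of decode-capable profiles in the output.
va_decode_count() {
    printf '%s\n' "$1" | va_entrypoints | grep -c ' VAEntrypointVLD$'
}

# Stand-alone run: use the live system when vainfo exists, else the sample.
if command -v vainfo >/dev/null 2>&1; then
    text=$(vainfo 2>/dev/null || true)
else
    text=$SAMPLE_VAINFO
fi
for codec in H264 HEVC VP9 AV1; do
    if va_supports "$text" "$codec" VLD; then
        echo "$codec: hardware decode available"
    else
        echo "$codec: software decode only"
    fi
done
```

A driver that loads but lists no VAEntrypointVLD lines is the usual reason "VA-API is installed" still ends in software decoding, so check the entrypoints rather than just that vainfo runs.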
                                                                                      

                                                                                      Enable VA-API in Firefox

                                                                                      about:support
                                                                                      

                                                                                      Verify that WebRender is enabled under Compositing and that you are not running Software WebRender.
                                                                                      It is enabled by default in GNOME and other desktop environments.

                                                                                      about:config
                                                                                      

                                                                                      Set the following flags:
                                                                                      gfx.webrender.all to true to force-enable hardware WebRender.
                                                                                      media.ffmpeg.vaapi.enabled to true to enable the use of VA-API with FFmpeg.
                                                                                      media.ffvpx.enabled to false to disable the internal decoders for VP8/VP9. This is still necessary even though the related upstream bug has been fixed.
                                                                                      media.navigator.mediadatadecoder_vpx_enabled to true to enable hardware VA-API decoding for WebRTC.
                                                                                      media.rdd-vpx.enabled to false to disable the remote data decoder process for VP8/VP9.
                                                                                      image.webp.enabled to false to stop images from saving in WebP (unrelated to VA-API, a personal preference).
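Clicking through about:config does not survive a profile rebuild. As an added example (not from the original page), the helper below writes the VA-API prefs from the list above into a profile's user.js, replacing a pref that is already there instead of appending a duplicate. The profile path is an assumption; find yours under ~/.mozilla/firefox/. The WebP pref is left out because it is unrelated to video acceleration.

```shell
#!/bin/sh
# Added example, not from the original page: maintain Firefox VA-API prefs in
# user.js. Firefox re-reads user.js on every start and it overrides prefs.js,
# so a value set here wins over later changes made in about:config.

# ff_set_pref USER_JS NAME VALUE   (VALUE is a JS literal: true, false, 42, "str")
# Replaces an existing user_pref line for NAME, otherwise appends one.
ff_set_pref() {
    js=$1; name=$2; value=$3
    touch "$js"
    if grep -qF "user_pref(\"$name\"," "$js"; then
        sed -i "s|^user_pref(\"$name\",.*|user_pref(\"$name\", $value);|" "$js"
    else
        printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$js"
    fi
}

# The VA-API flags from the list above, applied to one user.js.
ff_vaapi_prefs() {
    target=$1
    ff_set_pref "$target" gfx.webrender.all true
    ff_set_pref "$target" media.ffmpeg.vaapi.enabled true
    ff_set_pref "$target" media.ffvpx.enabled false
    ff_set_pref "$target" media.navigator.mediadatadecoder_vpx_enabled true
    ff_set_pref "$target" media.rdd-vpx.enabled false
}

# Number of user_pref lines in a user.js (handy to confirm nothing was duplicated).
ff_pref_count() {
    grep -c '^user_pref(' "$1"
}

# Usage (assumed profile directory; substitute your own):
#   ff_vaapi_prefs ~/.mozilla/firefox/xxxxxxxx.default-release/user.js
```

Run it with Firefox closed; running ff_vaapi_prefs a second time changes nothing, which is what you want from a script you may re-run after every update.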


                                                                                      Enable VA-API in GStreamer

                                                                                      pacman -Syu gstreamer-vaapi gst-plugins-bad
                                                                                      

                                                                                      Verify VA-API support

                                                                                      gst-inspect-1.0 vaapi
                                                                                      
                                                                                      gst-inspect-1.0 nvcodec
                                                                                      


                                                                                      issue

                                                                                      How to customize the tty login screen and SSH banner




                                                                                      Customization

                                                                                      /etc/issue
                                                                                      
                                                                                                       \e{red}-@\e{reset}
                                                                                                      \e{red}.##@\e{reset}
                                                                                                     \e{red}.####@\e{reset}
                                                                                                     \e{red}@#####@\e{reset}
                                                                                                   \e{red}. *######@\e{reset}
                                                                                                  \e{red}.##@o@#####@\e{reset}
                                                                                                 \e{red}/############@\e{reset}                  \e{red}\S{PRETTY_NAME} \e{reset}\m \r\e{reset}
                                                                                                \e{red}/##############@\e{reset}                 \e{red}Date \e{reset}\d\e{reset}
                                                                                               \e{red}@######@**%######@\e{reset}                \e{red}Logged in users \e{reset}\u\e{reset}
                                                                                              \e{red}@######`     %#####o\e{reset}               \e{red}Terminal \e{reset}\l\e{reset}
                                                                                             \e{red}@######@       ######%\e{reset}
                                                                                           \e{red}-@#######h       ######@.`\e{reset}
                                                                                          \e{red}/#####h**``       `**%@####@\e{reset}
                                                                                         \e{red}@H@*`                    `*%#@\e{reset}
                                                                                        \e{red}*`                            `*\e{reset}
                                                                                      

                                                                                      /etc/issue.net
                                                                                      
                                                                                      
                                                                                                      -@
                                                                                                     .##@
                                                                                                    .####@
                                                                                                    @#####@
                                                                                                  . *######@
                                                                                                 .##@o@#####@                       _                 ___       ____  ___   ___   ___
                                                                                                /############@        __ _ _ __ ___| |__        _ __ / _ \     | ___|/ _ \ / _ \ / _ \__  __
                                                                                               /##############@      / _` | '__/ __| '_ \ _____| '__| (_) |____|___ \ (_) | | | | | | \ \/ /
                                                                                              @######@**%######@    | (_| | | | (__| | | |_____| |   \__, |_____|__) \__, | |_| | |_| |>  <
                                                                                             @######`     %#####o    \__,_|_|  \___|_| |_|     |_|     /_/     |____/  /_/ \___/ \___//_/\_\
                                                                                            @######@       ######%
                                                                                          -@#######h       ######@.`
                                                                                         /#####h**``       `**%@####@
                                                                                        @H@*`                    `*%#@
                                                                                       *`                            `*
                                                                                      

                                                                                      
                                                                                                      -@
                                                                                                     .##@
                                                                                                    .####@
                                                                                                    @#####@
                                                                                                  . *######@
                                                                                                 .##@o@#####@             _      _               _                        _     _
                                                                                                /############@     __   _(_)_ __| |_ _   _  __ _| |  _ __ ___   __ _  ___| |__ (_)_ __   ___
                                                                                               /##############@    \ \ / / | '__| __| | | |/ _` | | | '_ ` _ \ / _` |/ __| '_ \| | '_ \ / _ \
                                                                                              @######@**%######@    \ V /| | |  | |_| |_| | (_| | | | | | | | | (_| | (__| | | | | | | |  __/
                                                                                             @######`     %#####o    \_/ |_|_|   \__|\__,_|\__,_|_| |_| |_| |_|\__,_|\___|_| |_|_|_| |_|\___|
                                                                                            @######@       ######%
                                                                                          -@#######h       ######@.`
                                                                                         /#####h**``       `**%@####@
                                                                                        @H@*`                    `*%#@
                                                                                       *`                            `*
                                                                                      

                                                                                      Enable SSH banner

                                                                                      /etc/ssh/sshd_config
                                                                                      

                                                                                      Uncomment (or add) Banner /etc/issue.net, then validate the configuration and restart the daemon:
                                                                                      
                                                                                      sshd -t && systemctl restart sshd
                                                                                      
                                                                                      Keep in mind that sshd shows the banner to every client before authentication, so whatever you put in /etc/issue.net (such as the hostname below) is visible to anyone who can reach port 22. sshd also sends the file verbatim: the \e{red} and \S{PRETTY_NAME} escapes from /etc/issue are expanded by agetty only and would appear literally over SSH, which is why /etc/issue.net above contains plain ASCII.


                                                                                      ASCII Font

                                                                                      pacman -Syu figlet
                                                                                      
                                                                                      figlet arch-r9-5900x >> /etc/issue.net
                                                                                      
                                                                                      Tip

                                                                                      Additional SSH banner customization using ASCII art generator
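Because sshd serves the banner unexpanded and pre-authentication, it is worth checking the file before enabling it. The shell helper below is an added example (not part of the original page): banner_check refuses a file that still contains agetty-style escapes or raw control bytes, and enable_ssh_banner sets the Banner directive in an sshd_config, replacing a commented-out or existing line rather than appending a second one. Both take paths as arguments so they can be tried on copies of the real files first; the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a banner file and
# point sshd_config at it.

# sshd sends the Banner file byte for byte to every client before
# authentication. agetty escapes such as \e{red} or \S{PRETTY_NAME} are not
# expanded there and would show up literally, and a raw ESC byte would be
# interpreted by the connecting terminal. Refuse both. The first check is a
# heuristic: a backslash directly followed by a letter; figlet art only uses
# backslash before '_', '/', '|' or a space, so it passes.
banner_check() {
    f=$1
    if grep -q '\\[A-Za-z]' "$f"; then
        printf '%s: contains agetty-style escape sequences\n' "$f" >&2
        return 1
    fi
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        printf '%s: contains control or non-ASCII bytes\n' "$f" >&2
        return 1
    fi
    return 0
}

# enable_ssh_banner [SSHD_CONFIG] [BANNER]: replace a commented-out or existing
# "Banner" line, or append one, after the banner file has passed banner_check.
enable_ssh_banner() {
    cfg=${1:-/etc/ssh/sshd_config}
    banner=${2:-/etc/issue.net}
    banner_check "$banner" || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg"
    else
        printf 'Banner %s\n' "$banner" >> "$cfg"
    fi
}

# Usage on the live system (as root):
#   enable_ssh_banner && sshd -t && systemctl restart sshd
```

Run sshd -t before restarting: a typo in sshd_config otherwise takes the service down, and on a remote box that is your only way in.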



                                                                                      Zsh

                                                                                      How to switch to Zsh and configure it as your default shell




                                                                                      ~/.zprofile
                                                                                      
                                                                                      #
                                                                                      # ~/.zprofile
                                                                                      #
                                                                                      [[ -f ~/.zshrc ]] && . ~/.zshrc
                                                                                      
                                                                                      if [ -n "$DESKTOP_SESSION" ];then
                                                                                          eval $(gnome-keyring-daemon --start)
                                                                                          export SSH_AUTH_SOCK
                                                                                      fi
                                                                                      

                                                                                      ~/.zshrc
                                                                                      
                                                                                      # ~/.zshrc file for zsh interactive shells.
                                                                                      # see /usr/share/doc/zsh/examples/zshrc for examples
                                                                                      
                                                                                      setopt autocd              # change directory just by typing its name
                                                                                      setopt correct             # auto correct mistakes
                                                                                      setopt interactivecomments # allow comments in interactive mode
                                                                                      setopt magicequalsubst     # enable filename expansion for arguments of the form ‘anything=expression’
                                                                                      setopt nonomatch           # hide error message if there is no match for the pattern
                                                                                      setopt notify              # report the status of background jobs immediately
                                                                                      setopt numericglobsort     # sort filenames numerically when it makes sense
                                                                                      setopt promptsubst         # enable command substitution in prompt
                                                                                      
                                                                                      WORDCHARS=${WORDCHARS//\/} # remove '/' from WORDCHARS so word motions stop at path separators
                                                                                      
                                                                                      # hide EOL sign ('%')
                                                                                      PROMPT_EOL_MARK=""
                                                                                      
                                                                                      # configure keybindings
                                                                                      bindkey -e                                        # emacs key bindings
                                                                                      bindkey ' ' magic-space                           # do history expansion on space
                                                                                      bindkey '^U' backward-kill-line                   # ctrl + U
                                                                                      bindkey '^[[3;5~' kill-word                       # ctrl + Delete
                                                                                      bindkey '^[[3~' delete-char                       # delete
                                                                                      bindkey '^[[1;5C' forward-word                    # ctrl + ->
                                                                                      bindkey '^[[1;5D' backward-word                   # ctrl + <-
                                                                                      bindkey '^[[5~' beginning-of-buffer-or-history    # page up
                                                                                      bindkey '^[[6~' end-of-buffer-or-history          # page down
                                                                                      bindkey '^[[H' beginning-of-line                  # home
                                                                                      bindkey '^[[F' end-of-line                        # end
                                                                                      bindkey '^[[Z' undo                               # shift + tab undo last action
                                                                                      bindkey "^R" history-incremental-search-backward  # ctrl + r
                                                                                      bindkey "\e[A" history-beginning-search-backward  # arrow up
                                                                                      bindkey "\e[B" history-beginning-search-forward   # arrow down
                                                                                      
                                                                                      # enable completion features
                                                                                      # compinit warns about and skips completion directories that are group- or
                                                                                      # world-writable; run `compaudit` to list them and fix their permissions
                                                                                      # rather than silencing the check with `compinit -u`.
                                                                                      autoload -Uz compinit
                                                                                      compinit -d ~/.cache/zcompdump
                                                                                      zstyle ':completion:*:*:*:*:*' menu select
                                                                                      zstyle ':completion:*' auto-description 'specify: %d'
                                                                                      zstyle ':completion:*' completer _expand _complete
                                                                                      zstyle ':completion:*' format 'Completing %d'
                                                                                      zstyle ':completion:*' group-name ''
                                                                                      zstyle ':completion:*' list-colors ''
                                                                                      zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s
                                                                                      zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}'
                                                                                      zstyle ':completion:*' rehash true
                                                                                      zstyle ':completion:*' select-prompt %SScrolling active: current selection at %p%s
                                                                                      zstyle ':completion:*' use-compctl false
                                                                                      zstyle ':completion:*' verbose true
                                                                                      zstyle ':completion:*:kill:*' command 'ps -u $USER -o pid,%cpu,tty,cputime,cmd'
                                                                                      
                                                                                      # Help command
                                                                                      autoload -Uz run-help
                                                                                      (( ${+aliases[run-help]} )) && unalias run-help
                                                                                      alias help=run-help
                                                                                      autoload -Uz run-help-git run-help-ip run-help-openssl run-help-p4 run-help-sudo run-help-svk run-help-svn
                                                                                      
                                                                                      # History configurations
                                                                                      HISTFILE=~/.zsh_history
                                                                                      HISTSIZE=1000
                                                                                      SAVEHIST=2000
                                                                                      setopt hist_expire_dups_first # delete duplicates first when HISTFILE size exceeds HISTSIZE
                                                                                      setopt hist_ignore_dups       # ignore duplicated commands history list
                                                                                      setopt hist_ignore_space      # ignore commands that start with space
                                                                                      setopt hist_verify            # show command with history expansion to user before running it
                                                                                      #setopt share_history         # share command history data
                                                                                      
                                                                                      # force zsh to show the complete history
                                                                                      alias history="history 0"
                                                                                      
                                                                                      # configure `time` format
                                                                                      TIMEFMT=$'\nreal\t%E\nuser\t%U\nsys\t%S\ncpu\t%P'
                                                                                      
                                                                                      # make less more friendly for non-text input files, see lesspipe(1)
                                                                                      #[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
                                                                                      
                                                                                      # set a fancy prompt (non-color, unless we know we "want" color)
                                                                                      case "$TERM" in
                                                                                          xterm-color|*-256color) color_prompt=yes;;
                                                                                      esac
                                                                                      
                                                                                      # uncomment for a colored prompt, if the terminal has the capability; turned
                                                                                      # off by default to not distract the user: the focus in a terminal window
                                                                                      # should be on the output of commands, not on the prompt
                                                                                      force_color_prompt=yes
                                                                                      
                                                                                      if [ -n "$force_color_prompt" ]; then
                                                                                          if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
                                                                                              # We have color support; assume it's compliant with Ecma-48
                                                                                              # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
                                                                                              # a case would tend to support setf rather than setaf.)
                                                                                              color_prompt=yes
                                                                                          else
                                                                                              color_prompt=
                                                                                          fi
                                                                                      fi
                                                                                      
                                                                                      configure_prompt() {
                                                                                          prompt_symbol=🤓
                                                                                          [ "$EUID" -eq 0 ] && prompt_symbol=💀
                                                                                          case "$PROMPT_ALTERNATIVE" in
                                                                                              twoline)
                                                                                                  PROMPT=$'%F{%(#.blue.green)}┌──${:+($)─}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))─}(%B%F{%(#.red.blue)}%n$prompt_symbol%m%b%F{%(#.blue.green)})-[%B%F{reset}%(6~.%-1~/…/%4~.%5~)%b%F{%(#.blue.green)}]\n└─%B%(#.%F{red}#.%F{blue}$)%b%F{reset} '
                                                                                                  RPROMPT=$'%(?.. %? %F{red}%B⨯%b%F{reset})%(1j. %j %F{yellow}%B⚙%b%F{reset}.)'
                                                                                                  ;;
                                                                                              oneline)
                                                                                                  PROMPT=$'${:+($)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{%(#.red.blue)}%n@%m%b%F{reset}:%B%F{%(#.blue.green)}%~%b%F{reset}%(#.#.$) '
                                                                                                  RPROMPT=
                                                                                                  ;;
                                                                                              backtrack)
                                                                                                  PROMPT=$'${:+($)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{red}%n@%m%b%F{reset}:%B%F{blue}%~%b%F{reset}%(#.#.$) '
                                                                                                  RPROMPT=
                                                                                                  ;;
                                                                                          esac
                                                                                      }
                                                                                      
                                                                                      # The following block is surrounded by two delimiters.
                                                                                      # These delimiters must not be modified. Thanks.
                                                                                      # START CONFIG VARIABLES
                                                                                      PROMPT_ALTERNATIVE=twoline
                                                                                      NEWLINE_BEFORE_PROMPT=yes
                                                                                      # STOP CONFIG VARIABLES
                                                                                      
                                                                                      if [ "$color_prompt" = yes ]; then
                                                                                          # override default virtualenv indicator in prompt
                                                                                          VIRTUAL_ENV_DISABLE_PROMPT=1
                                                                                      
                                                                                          configure_prompt
                                                                                      
                                                                                          # enable syntax-highlighting
                                                                                          if [ -f /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh ] && [ "$color_prompt" = yes ]; then
                                                                                              . /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
                                                                                              ZSH_HIGHLIGHT_HIGHLIGHTERS=(main brackets pattern)
                                                                                              ZSH_HIGHLIGHT_STYLES[default]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[unknown-token]=fg=red,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[reserved-word]=fg=cyan,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[suffix-alias]=fg=green,underline
                                                                                              ZSH_HIGHLIGHT_STYLES[global-alias]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[precommand]=fg=green,underline
                                                                                              ZSH_HIGHLIGHT_STYLES[commandseparator]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[autodirectory]=fg=green,underline
                                                                                              ZSH_HIGHLIGHT_STYLES[path]=underline
                                                                                              ZSH_HIGHLIGHT_STYLES[path_pathseparator]=
                                                                                              ZSH_HIGHLIGHT_STYLES[path_prefix_pathseparator]=
                                                                                              ZSH_HIGHLIGHT_STYLES[globbing]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[history-expansion]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[command-substitution]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[command-substitution-delimiter]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[process-substitution]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[process-substitution-delimiter]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[single-hyphen-option]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[double-hyphen-option]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[back-quoted-argument]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[back-quoted-argument-delimiter]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[single-quoted-argument]=fg=yellow
                                                                                              ZSH_HIGHLIGHT_STYLES[double-quoted-argument]=fg=yellow
                                                                                              ZSH_HIGHLIGHT_STYLES[dollar-quoted-argument]=fg=yellow
                                                                                              ZSH_HIGHLIGHT_STYLES[rc-quote]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[dollar-double-quoted-argument]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[back-double-quoted-argument]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[back-dollar-quoted-argument]=fg=magenta
                                                                                              ZSH_HIGHLIGHT_STYLES[assign]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[redirection]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[comment]=fg=black,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[named-fd]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[numeric-fd]=none
                                                                                              ZSH_HIGHLIGHT_STYLES[arg0]=fg=green
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-error]=fg=red,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-level-1]=fg=blue,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-level-2]=fg=green,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-level-3]=fg=magenta,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-level-4]=fg=yellow,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[bracket-level-5]=fg=cyan,bold
                                                                                              ZSH_HIGHLIGHT_STYLES[cursor-matchingbracket]=standout
                                                                                          fi
                                                                                      else
                                                                                          PROMPT='${:+($)}%n@%m:%~%# '
                                                                                      fi
                                                                                      unset color_prompt force_color_prompt
                                                                                      
                                                                                      toggle_oneline_prompt(){
                                                                                          if [ "$PROMPT_ALTERNATIVE" = oneline ]; then
                                                                                              PROMPT_ALTERNATIVE=twoline
                                                                                          else
                                                                                              PROMPT_ALTERNATIVE=oneline
                                                                                          fi
                                                                                          configure_prompt
                                                                                          zle reset-prompt
                                                                                      }
                                                                                      zle -N toggle_oneline_prompt
                                                                                      bindkey ^P toggle_oneline_prompt
                                                                                      
                                                                                      # If this is an xterm set the title to user@host:dir
                                                                                      case "$TERM" in
                                                                                      xterm*|rxvt*|Eterm|aterm|kterm|gnome*|alacritty)
                                                                                          TERM_TITLE=$'\e]0;${:+($)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%n@%m: %~\a'
                                                                                          ;;
                                                                                      *)
                                                                                          ;;
                                                                                      esac
                                                                                      
                                                                                      precmd() {
                                                                                          # Print the previously configured title
                                                                                          print -Pnr -- "$TERM_TITLE"
                                                                                      
                                                                                          # Print a new line before the prompt, but only if it is not the first line
                                                                                          if [ "$NEWLINE_BEFORE_PROMPT" = yes ]; then
                                                                                              if [ -z "$_NEW_LINE_BEFORE_PROMPT" ]; then
                                                                                                  _NEW_LINE_BEFORE_PROMPT=1
                                                                                              else
                                                                                                  print ""
                                                                                              fi
                                                                                          fi
                                                                                      }
                                                                                      
                                                                                      # This is where you put your hand rolled scripts (remember to chmod them)
                                                                                      PATH="$HOME/bin:$PATH"
                                                                                      
                                                                                      # enable color support of ls, less and man, and also add handy aliases
                                                                                      if [ -x /usr/bin/dircolors ]; then
                                                                                          test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
                                                                                          alias ls='ls --color=auto'
                                                                                          #alias dir='dir --color=auto'
                                                                                          #alias vdir='vdir --color=auto'
                                                                                      
                                                                                          alias grep='grep --color=auto'
                                                                                          alias fgrep='fgrep --color=auto'
                                                                                          alias egrep='egrep --color=auto'
                                                                                          alias diff='diff --color=auto'
                                                                                          alias ip='ip --color=auto'
                                                                                      
                                                                                          export LESS_TERMCAP_mb=$'\E[1;31m'     # begin blink
                                                                                          export LESS_TERMCAP_md=$'\E[1;36m'     # begin bold
                                                                                          export LESS_TERMCAP_me=$'\E[0m'        # reset bold/blink
                                                                                          export LESS_TERMCAP_so=$'\E[01;33m'    # begin reverse video
                                                                                          export LESS_TERMCAP_se=$'\E[0m'        # reset reverse video
                                                                                          export LESS_TERMCAP_us=$'\E[1;32m'     # begin underline
                                                                                          export LESS_TERMCAP_ue=$'\E[0m'        # reset underline
                                                                                      
                                                                                          # Take advantage of $LS_COLORS for completion as well
                                                                                          zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}"
                                                                                          zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#)*=0=01;31'
                                                                                      fi
                                                                                      
                                                                                      if [ "$TERM" = "linux" ]; then
                                                                                          echo -en "\e]P0000000"  # background
                                                                                          echo -en "\e]P87f7f7f"  # grey
                                                                                          echo -en "\e]P1cc0000"  # red
                                                                                          echo -en "\e]P9cc0000"  # lightred
                                                                                          echo -en "\e]P2a2e22e"  # green
                                                                                          echo -en "\e]PAa2e22e"  # lightgreen
                                                                                          echo -en "\e]P3ffb000"  # yellow
                                                                                          echo -en "\e]PBffb000"  # lightyellow
                                                                                          echo -en "\e]P4007acc"  # blue
                                                                                          echo -en "\e]PC007acc"  # lightblue
                                                                                          echo -en "\e]P5d4038a"  # magenta
                                                                                          echo -en "\e]PDd4038a"  # lightmagenta
                                                                                          echo -en "\e]P670b596"  # cyan
                                                                                          echo -en "\e]PE70b596"  # lightcyan
                                                                                          echo -en "\e]P7a5a5a5"  # text
                                                                                          echo -en "\e]PFcacecd"  # white
                                                                                          clear                   # for background artifacting
                                                                                      fi
                                                                                      
                                                                                      # Aliases
                                                                                      alias ls='ls -h --color=auto'
                                                                                      alias ll='ls -alh --color=auto'
                                                                                      alias la='ls -Ah --color=auto'
                                                                                      alias l='ls -CFlh --color=auto'
                                                                                      alias diff='diff --color=auto'
                                                                                      alias dir='dir --color=auto'
                                                                                      alias vdir='vdir --color=auto'
                                                                                      alias grep='grep --color=auto'
                                                                                      alias fgrep='fgrep --color=auto'
                                                                                      alias egrep='egrep --color=auto'
                                                                                      alias ..='cd ..'
                                                                                      alias ...='cd ../..'
                                                                                       alias s='ssh -l root'          # always logs in as root; the SSH page covers key-based authentication for that login
                                                                                       alias reboot="systemctl reboot"
                                                                                       alias shutdown='shutdown now'
                                                                                       alias cp='cp -iv'
                                                                                       alias mv='mv -iv'
                                                                                       alias rm='rm -rfv'             # -rf is recursive and never prompts, unlike the interactive cp/mv above: every rm through this alias is unconditional
                                                                                      alias df='df -h'
                                                                                      alias free='free -m'
                                                                                      alias sudo='sudo '
                                                                                      alias clear='clear && neofetch'
                                                                                      alias rsync='rsync -avhP'
                                                                                      
                                                                                      # This is GOLD for finding out what is taking so much space on your drives!
                                                                                      alias diskspace="du -S | sort -n -r |more"
                                                                                      # Command line mplayer movie watching for the win.
                                                                                      alias mp="mplayer -fs"
                                                                                      # Show me the size (sorted) of only the folders in this directory
                                                                                      alias folders="find . -maxdepth 1 -type d -print | xargs du -sk | sort -rn"
                                                                                      
                                                                                       # enable syntax-highlighting (skipped when the color_prompt block above already loaded it) and auto-suggestions based on the history
                                                                                       (( $+functions[_zsh_highlight] )) || source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
                                                                                       source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh
                                                                                       ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#ffb000'
                                                                                      
                                                                                      # pacman -F "command not found" handler
                                                                                      function command_not_found_handler {
                                                                                          local purple='\e[1;35m' bright='\e[0;1m' green='\e[1;32m' reset='\e[0m'
                                                                                          printf 'zsh: command not found: %s\n' "$1"
                                                                                          local entries=(
                                                                                              ${(f)"$(/usr/bin/pacman -F --machinereadable -- "/usr/bin/$1")"}
                                                                                          )
                                                                                          if (( ${#entries[@]} ))
                                                                                          then
                                                                                              printf "${bright}$1${reset} may be found in the following packages:\n"
                                                                                               local pkg entry
                                                                                              for entry in "${entries[@]}"
                                                                                              do
                                                                                                  # (repo package version file)
                                                                                                  local fields=(
                                                                                                      ${(0)entry}
                                                                                                  )
                                                                                                  if [[ "$pkg" != "${fields[2]}" ]]
                                                                                                  then
                                                                                                      printf "${purple}%s/${bright}%s ${green}%s${reset}\n" "${fields[1]}" "${fields[2]}" "${fields[3]}"
                                                                                                  fi
                                                                                                  printf '    /%s\n' "${fields[4]}"
                                                                                                  pkg="${fields[2]}"
                                                                                              done
                                                                                          fi
                                                                                      }
                                                                                      
                                                                                      # source /usr/share/doc/pkgfile/command-not-found.zsh
                                                                                      
                                                                                      # color man pages
                                                                                      man() {
                                                                                          env LESS_TERMCAP_mb=$'\E[01;31m' \
                                                                                          LESS_TERMCAP_md=$'\E[01;38;5;74m' \
                                                                                          LESS_TERMCAP_me=$'\E[0m' \
                                                                                          LESS_TERMCAP_se=$'\E[0m' \
                                                                                          LESS_TERMCAP_so=$'\E[38;5;246m' \
                                                                                          LESS_TERMCAP_ue=$'\E[0m' \
                                                                                          LESS_TERMCAP_us=$'\E[04;38;5;146m' \
                                                                                          man "$@"
                                                                                      }
                                                                                      
                                                                                       # Saving ssh passphrase for this session: reuse one ssh-agent across shells via a fixed socket path
                                                                                       # (the agent, and every key added to it, outlives this shell until the agent is killed or its socket disappears)
                                                                                       if [ ! -S ~/.ssh/ssh_auth_sock ]; then
                                                                                         eval "$(ssh-agent -s)"
                                                                                         ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
                                                                                       fi
                                                                                       export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
                                                                                       # ask for the passphrase only when the agent holds no identities yet
                                                                                       ssh-add -l > /dev/null 2>&1 || ssh-add
                                                                                      
                                                                                      cd $HOME
                                                                                      

                                                                                      Andreas Bauer. All rights reserved.

                                                                                      Alacritty

                                                                                      How to install and configure Alacritty, a fast, cross-platform, OpenGL terminal emulator



                                                                                      alacritty.gif


                                                                                      Installation

                                                                                      pacman -Syu alacritty
                                                                                      

Configuration

~/.config/alacritty.yml

# Configuration for Alacritty, the GPU enhanced terminal emulator.

env:
  TERM: xterm-256color

window:
  # Window dimensions (changes require restart)
  #
  # Specified in number of columns/lines, not pixels.
  # If both are `0`, this setting is ignored.
  dimensions:
    columns: 128
    lines: 24

  # Window position (changes require restart)
  #
  # Specified in number of pixels.
  # If the position is not set, the window manager will handle the placement.
  position:
    x: 3836
    y: 4

  # Background opacity
  #
  # Window opacity as a floating point number from `0.0` to `1.0`.
  # The value `0.0` is completely transparent and `1.0` is opaque.
  opacity: 0.8

# Font configuration
font:
  # Normal (roman) font face
  normal:
    # Font family
    #
    # Default:
    #   - (macOS) Menlo
    #   - (Linux/BSD) monospace
    #   - (Windows) Consolas
    family: JetBrains Mono

    # The `style` can be specified to pick a specific face.
    style: Regular

  # Bold font face
  bold:
    # Font family
    #
    # If the bold family is not specified, it will fall back to the
    # value specified for the normal font.
    family: JetBrains Mono

    # The `style` can be specified to pick a specific face.
    style: Bold

  # Italic font face
  italic:
    # Font family
    #
    # If the italic family is not specified, it will fall back to the
    # value specified for the normal font.
    family: JetBrains Mono

    # The `style` can be specified to pick a specific face.
    style: Italic

  # Bold italic font face
  bold_italic:
    # Font family
    #
    # If the bold italic family is not specified, it will fall back to the
    # value specified for the normal font.
    family: JetBrains Mono

    # The `style` can be specified to pick a specific face.
    style: Bold Italic

  # Point size
  size: 11.0

selection:
  #semantic_escape_chars: ",│`|:\"' ()[]{}<>\t"

  # When set to `true`, selected text will be copied to the primary clipboard.
  save_to_clipboard: false

# Allow terminal applications to change Alacritty's window title.
#dynamic_title: true

cursor:
  # Cursor style
  #
  # When `style` is given as a mapping, its `shape` key takes one of:
  #   - ▇ Block
  #   - _ Underline
  #   - | Beam
  style:
    blinking: Always
  blink_interval: 500

key_bindings:
  # A matching binding is executed instead of the key being sent to the
  # terminal, so Control+C here copies and no longer delivers ^C (SIGINT)
  # to the foreground program. Control+Shift+C is Alacritty's default
  # copy binding and leaves ^C intact.
  - { key: F,   mods: Control,           action: SearchForward    }
  - { key: C,   mods: Control,           action: Copy }
  - { key: V,   mods: Control,           action: Paste }

colors:
  # Default colors
  primary:
    # background: '#ffffff'
    # foreground: '#222222'
    background: '#000000'
    # background: '#111213'
    foreground: '#cacecd'

  # Normal colors
  normal:
    black:   '#222222'
    red:     '#cc0000'
    green:   '#a2e22e'
    yellow:  '#ffb000'
    blue:    '#007acc'
    magenta: '#d4038a'
    cyan:    '#70b596'
    white:   '#ffffff'

  # Bright colors
  bright:
    black:   '#7f7f7f'
    red:     '#cc0000'
    green:   '#a2e22e'
    yellow:  '#ffb000'
    blue:    '#007acc'
    magenta: '#d4038a'
    cyan:    '#70b596'
    white:   '#ffffff'
                                                                                      


SSH

How to set up Secure Shell Protocol public key authentication

Generate key pairs on client

Ed25519 elliptic curve

ssh-keygen -t ed25519 -C "$(whoami)@$(uname -n)-$(date -I)"

chmod 400 ~/.ssh/id_ed25519*
                                                                                      

Default configuration

mv /etc/ssh/sshd_config.pacnew /etc/ssh/sshd_config
                                                                                      

Allow root login to copy public key to the remote server

/etc/ssh/sshd_config

PermitRootLogin yes

systemctl restart sshd
                                                                                      

Unlock the authorized_keys file on the remote server before copying

chmod 666 ~/.ssh/authorized_keys

ll ~/.ssh/authorized_keys
                                                                                      

Copy the public key to the remote server as a non-privileged user

ssh-copy-id root@localhost
                                                                                      

Lock authorized_keys file on remote server

chmod 400 ~/.ssh/authorized_keys

ll ~/.ssh/authorized_keys
                                                                                      

Enable public key authentication on remote server

/etc/ssh/sshd_config.d/20-force_publickey_auth.conf

# localhost configuration
# Edit SSH Configuration
AddressFamily inet
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
X11Forwarding no
KbdInteractiveAuthentication no
UsePAM no
PrintMotd no
KerberosAuthentication no
GSSAPIAuthentication no
# Overriding settings on a per-user basis
Match User root Address 127.0.0.1
    PermitRootLogin prohibit-password
    PubkeyAuthentication yes
    AuthenticationMethods publickey
    AllowTcpForwarding yes
    Banner /etc/issue.net
                                                                                      

Create the local ssh config as a non-privileged user

~/.ssh/config

Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519

Host localhost
    HostName localhost
    Port 22
    User root
                                                                                      

Log in to the remote server

┌──(wildw1ng🤓arch-r9-5900x)-[~]
└─$ ssh localhost
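As an added example (not part of the original guide and not OpenSSH's own tooling), the shell functions below check the two things this procedure changes before sshd is restarted: that the .ssh directory and authorized_keys are no longer group- or world-writable after the chmod 400 step (StrictModes, which sshd enables by default, ignores the key file otherwise), and that the drop-in fragment turns password authentication off in its global section, because everything after a Match line applies only when that Match holds. The directory and file paths are parameters; the demo at the bottom runs on a scratch directory with constructed files and assumes GNU stat.

```sh
# Added example: sanity checks for the authorized_keys permissions and the
# sshd drop-in fragment from this guide. Constructed demo data only; no real
# sshd or home directory is touched.

# Return 0 when neither DIR nor DIR/authorized_keys is group- or world-
# writable; with StrictModes (the sshd default) such files are ignored.
check_ssh_perms() {
  dir="$1"
  for p in "$dir" "$dir/authorized_keys"; do
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    perm=$(stat -c '%A' "$p")      # e.g. -rw------- or drwx------
    case "$perm" in
      ?????w*|????????w*)          # 6th char = group write, 9th = other write
        echo "group/world writable ($perm): $p"; return 1 ;;
    esac
  done
  return 0
}

# Print the value sshd would use for keyword $2 from file $1, reading only
# the global section: the first Match line ends it, and sshd keeps the first
# value it reads for any keyword (space-separated "Keyword value" form).
sshd_global_value() {
  awk -v k="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == k && !seen { print tolower($2); seen = 1 }
  ' "$1"
}

# Return 0 when the fragment unconditionally disables password logins and
# does not open root password login in its global section.
audit_sshd_fragment() {
  f="$1"; rc=0
  [ "$(sshd_global_value "$f" passwordauthentication)" = "no" ] ||
    { echo "PasswordAuthentication is not 'no' in the global section"; rc=1; }
  [ "$(sshd_global_value "$f" permitemptypasswords)" = "no" ] ||
    { echo "PermitEmptyPasswords is not 'no' in the global section"; rc=1; }
  [ "$(sshd_global_value "$f" permitrootlogin)" != "yes" ] ||
    { echo "PermitRootLogin yes in the global section"; rc=1; }
  return $rc
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
mkdir -m 700 "$demo/ssh"
: > "$demo/ssh/authorized_keys"
chmod 666 "$demo/ssh/authorized_keys"      # the "unlocked" state from the guide
check_ssh_perms "$demo/ssh" || echo "(expected: rejected while unlocked)"
chmod 400 "$demo/ssh/authorized_keys"      # locked again
check_ssh_perms "$demo/ssh" && echo "permissions ok"
cat > "$demo/20-force_publickey_auth.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Match User root Address 127.0.0.1
    PermitRootLogin prohibit-password
    AuthenticationMethods publickey
EOF
audit_sshd_fragment "$demo/20-force_publickey_auth.conf" && echo "fragment ok"
rm -r "$demo"
```

The fragment's PermitRootLogin no wins over the PermitRootLogin yes set earlier in sshd_config only because sshd uses the first value it reads for a keyword and the packaged sshd_config includes sshd_config.d/*.conf before its own directives; `sshd -T` prints the values sshd actually ends up with.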
                                                                                      

Saving ssh passphrase for current session on client

~/.zshrc

# Saving ssh passphrase for current session: start one agent per login
# and reuse it from every shell through a fixed socket path
if [ ! -S ~/.ssh/ssh_auth_sock ]; then
  eval "$(ssh-agent)"
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
# ssh-add -l fails when the agent holds no keys; then load the default ones
ssh-add -l > /dev/null || ssh-add
                                                                                      


VNC

How to connect to a remote desktop environment with VNC graphical desktop-sharing system

Install VNC server

pacman -Syu tigervnc

Create a password

vncpasswd

Define user mappings

/etc/tigervnc/vncserver.users

# TigerVNC User assignment
#
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
#
# :2=andrew
# :3=lisa
:1=user
                                                                                      

Each user defined in this file gets a corresponding port on which its session runs. The display number in the file maps to a TCP port: by default, :1 is TCP port 5901 (5900+1). If another parallel server is needed, a second instance can run on the next higher free port, i.e. 5902 (5900+2).


Issuing x509 certificates using OpenSSL

openssl req -x509 -newkey rsa:4096 -nodes -keyout /home/wildw1ng/.vnc/x509key.pem -out /home/wildw1ng/.vnc/x509cert.pem -subj '/CN=192.168.0.100' -addext "subjectAltName=IP:192.168.0.100"

~/.vnc/config

session=gnome
geometry=1920x1080
alwaysshared
securitytypes=x509vnc
x509key=/home/wildw1ng/.vnc/x509key.pem
x509cert=/home/wildw1ng/.vnc/x509cert.pem
                                                                                      

Client machine

x509cert=/home/wildw1ng/.vnc/x509cert.pem

vncviewer 192.168.0.245 -X509CA /home/wildw1ng/.vnc/x509cert.pem
                                                                                      

Accessing vncserver via SSH tunnel

Issuing x509 certificates using OpenSSL

openssl req -x509 -newkey rsa:4096 -nodes -keyout /home/wildw1ng/.vnc/x509key.pem -out /home/wildw1ng/.vnc/x509cert.pem -subj '/CN=localhost' -addext "subjectAltName=IP:127.0.0.1"

Push the certificate to the client machine

rsync -ra --info=progress2 /home/wildw1ng/.vnc/x509cert.pem 192.168.0.101:/home/wildw1ng/.vnc/
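Both openssl commands on this page (the one for the LAN address and the one for 127.0.0.1 behind the SSH tunnel) bake the address the viewer will dial into the subjectAltName, and vncviewer's -X509CA check compares that SAN with the address it connects to. As an added example (not code from the original guide or from TigerVNC), the functions below issue the certificate the same way, keep the private key owner-only, and verify the SAN before the certificate is pushed to the client, so a mismatch such as a certificate for 192.168.0.100 used for a viewer dialling 192.168.0.245 is caught up front. It assumes openssl 1.1.1 or newer (for -addext and x509 -ext); the output directory and address are parameters so the demo can use a scratch directory.

```sh
# Added example: issue the x509vnc certificate and confirm its SAN covers the
# address the viewer will use. Scratch directory and addresses are demo values.

# Create DIR/x509key.pem and DIR/x509cert.pem for the IP literal ADDR.
issue_vnc_cert() {
  dir="$1"; addr="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/x509key.pem" -out "$dir/x509cert.pem" \
    -subj "/CN=$addr" -addext "subjectAltName=IP:$addr" 2>/dev/null || return 1
  chmod 600 "$dir/x509key.pem"     # only the certificate travels to the client
}

# Return 0 when CERT carries ADDR as an "IP Address" SAN entry.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "IP Address:$2"
}

# Demo: the guide's first certificate names 192.168.0.100, so a viewer
# dialling 192.168.0.245 with that certificate as -X509CA would be refused.
demo=$(mktemp -d)
issue_vnc_cert "$demo" 192.168.0.100
for a in 192.168.0.100 192.168.0.245; do
  if cert_covers_ip "$demo/x509cert.pem" "$a"; then
    echo "SAN covers $a: vncviewer $a -X509CA x509cert.pem will verify"
  else
    echo "SAN does not cover $a: vncviewer $a -X509CA x509cert.pem will fail"
  fi
done
rm -r "$demo"
```

Run the check on the server right after issuing, and again on the client on the copied file; only x509cert.pem is pushed with rsync, the key stays on the server.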
                                                                                      

Server configuration

~/.vnc/config

session=gnome
geometry=1920x1080
localhost
alwaysshared
securitytypes=x509vnc
x509key=/home/wildw1ng/.vnc/x509key.pem
x509cert=/home/wildw1ng/.vnc/x509cert.pem
                                                                                      

Remmina Client Settings

Basic >

Server: localhost:5901

SSH Tunnel > Enable SSH Tunnel

Custom: arch-r5-3600x
Authentication type: Public key (automatic)
Username: wildw1ng



VPN

How to automatically connect to a Virtual private network system to create secure point-to-point or site-to-site connections

Installation

Remove systemd-networkd configuration and install NetworkManager

rm /etc/systemd/network/*

pacman -Syu networkmanager networkmanager-openvpn

systemctl disable systemd-networkd

systemctl enable NetworkManager
                                                                                      

                                                                                      Download OpenVPN configuration files from VPN provider

                                                                                      wget https://privadovpn.com/apps/ovpn_configs.zip
                                                                                      
                                                                                      unzip ovpn_configs.zip 'zrh*'
                                                                                      
                                                                                      /home/wildw1ng/.vpn/zrh-001.ovpn
                                                                                      

                                                                                      Comment out the following line in the configuration file:

                                                                                      route 0.0.0.0 0.0.0.0 # vpn_gateway


                                                                                      Import OpenVPN configuration files to NetworkManager

                                                                                      nmcli connection import type openvpn file /home/wildw1ng/.vpn/zrh-001.ovpn
                                                                                      

                                                                                      Modify the new NetworkManager VPN configuration. Setting password-flags=0 stores the password in this file, so keep it root-owned with mode 0600 (the default for files NetworkManager creates).

                                                                                      /etc/NetworkManager/system-connections/zrh-001.nmconnection
                                                                                      
                                                                                      password-flags=0
                                                                                      username=USERNAME
                                                                                      [vpn-secrets]
                                                                                      password=PASSWORD
                                                                                      

                                                                                      Modify NetworkManager connection to reconnect indefinitely

                                                                                      nmcli connection edit zrh-001
                                                                                      

                                                                                      nmcli> set connection.autoconnect yes
                                                                                      nmcli> set connection.autoconnect-retries 0
                                                                                      nmcli> save persistent
                                                                                      nmcli> quit


                                                                                      Automatically start a VPN connection

                                                                                      nmcli connection
                                                                                      
                                                                                      NAME     UUID                                  TYPE      DEVICE
                                                                                      zrh-001  d46e4a92-778e-4792-b085-e1f638ecb8e3  vpn       enp1s0
                                                                                      enp1s0   1715b889-3c47-3e21-a86f-94ce207297a9  ethernet  enp1s0

                                                                                      Copy the UUID of the VPN connection you want to bring up automatically and add it as a secondary of the wired connection

                                                                                      nmcli connection edit enp1s0
                                                                                      

                                                                                      nmcli> set connection.secondaries d46e4a92-778e-4792-b085-e1f638ecb8e3
                                                                                      nmcli> save persistent
                                                                                      nmcli> quit

                                                                                      systemctl restart NetworkManager
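The auto-start procedure above copies the UUID by hand. As an added example (not part of the original page), the script below picks the UUID of the vpn-type connection from nmcli's terse output and builds the equivalent `nmcli connection modify` command; the sample listing is constructed to match the table above.

```shell
#!/bin/sh
# Added example, not part of the original page: pick the UUID of a VPN
# connection from nmcli's machine-readable output instead of copying it by
# hand, and build the command that attaches it to the uplink.

# Constructed sample of `nmcli -t -f NAME,UUID,TYPE,DEVICE connection show`
# (terse output is colon separated; UUIDs as in the listing above).
SAMPLE_NMCLI='zrh-001:d46e4a92-778e-4792-b085-e1f638ecb8e3:vpn:enp1s0
enp1s0:1715b889-3c47-3e21-a86f-94ce207297a9:802-3-ethernet:enp1s0'

# Print the UUID of the vpn-type connection named $1, reading terse nmcli
# output on stdin. Exits 1 if there is no such VPN connection, so a typo in
# the name cannot silently attach the wrong profile.
vpn_uuid() {
    awk -F: -v name="$1" '
        $1 == name && $3 == "vpn" { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# Print the nmcli command that makes uplink $1 bring up the VPN with UUID $2
# (same effect as "set connection.secondaries" in the interactive editor).
# Printing rather than executing keeps this testable offline; pipe the output
# to sh to apply it on a real system.
secondaries_cmd() {
    printf 'nmcli connection modify %s connection.secondaries %s\n' "$1" "$2"
}

# Live usage (not run here):
#   nmcli -t -f NAME,UUID,TYPE,DEVICE connection show | vpn_uuid zrh-001
uuid=$(printf '%s\n' "$SAMPLE_NMCLI" | vpn_uuid zrh-001) || exit 1
secondaries_cmd enp1s0 "$uuid"
```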
                                                                                      

                                                                                      Manual VPN connection

                                                                                      nmcli connection up zrh-001
                                                                                      
                                                                                      nmcli connection down zrh-001
                                                                                      
                                                                                      nmcli connection delete id zrh-001
                                                                                      

                                                                                      Check public IP address

                                                                                      ip route
                                                                                      
                                                                                      curl ifconfig.co
                                                                                      
                                                                                      curl ifconfig.me
                                                                                      
                                                                                      curl icanhazip.com
                                                                                      
                                                                                      whois $(curl ifconfig.co)
                                                                                      


                                                                                      Kill switch

                                                                                      How to create a VPN kill switch with UFW firewall rules that will stop all internet traffic if your VPN connection drops




                                                                                      Installation

                                                                                      pacman -Syu ufw
                                                                                      
                                                                                      systemctl enable ufw
                                                                                      
                                                                                      systemctl start ufw
                                                                                      

                                                                                      Disable IPv6

                                                                                      /etc/sysctl.d/40-ipv6.conf
                                                                                      
                                                                                      net.ipv6.conf.all.disable_ipv6 = 1
                                                                                      net.ipv6.conf.default.disable_ipv6 = 1
                                                                                      net.ipv6.conf.lo.disable_ipv6 = 1
                                                                                      

                                                                                      Modify UFW configuration

                                                                                      /etc/default/ufw
                                                                                      
                                                                                      IPV6=no
                                                                                      

                                                                                      Modify NetworkManager connection

                                                                                      nmcli connection modify enp1s0 ipv6.method "disabled"
                                                                                      

                                                                                      Firewall configuration

                                                                                      ufw --force reset
                                                                                      

                                                                                      Allow local traffic

                                                                                      ufw allow in to 10.0.0.0/22
                                                                                      
                                                                                      ufw allow out to 10.0.0.0/22
                                                                                      

                                                                                      Allow VPN tunnel traffic

                                                                                      ufw allow out on tun0 from any to any
                                                                                      
                                                                                      ufw allow in on tun0 from any to any
                                                                                      

                                                                                      Allow the connection to the VPN server that establishes the tunnel. If the OpenVPN profile names the server by hostname, DNS must also work before the tunnel is up, which with these rules means the resolver has to be inside 10.0.0.0/22 (for example the LAN router) or be allowed explicitly.

                                                                                      ufw allow out to 185.156.175.0/24 port 1194 proto udp
                                                                                      

                                                                                      Set the default policy to deny all traffic

                                                                                      ufw default deny outgoing
                                                                                      
                                                                                      ufw default deny incoming
                                                                                      

                                                                                      Enable firewall

                                                                                      ufw enable
                                                                                      
                                                                                      ufw status verbose
                                                                                      

                                                                                      Disable logging

                                                                                      ufw logging off
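To verify that the rule set still matches the kill-switch intent (active firewall, both defaults deny, outbound allowed only to the LAN, the tunnel interface and the VPN server), here is an added example that is not part of the original page. It audits `ufw status verbose` output; the sample outputs are constructed to look like what the rules above produce, and the LAN, interface and server values are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original page: audit `ufw status verbose`
# output against the kill-switch intent above, so a stray "allow out" rule
# or a reset default policy is caught before trusting the tunnel.

# Expected exceptions to "deny outgoing", taken from the rules above.
LAN_NET='10.0.0.0/22'
VPN_IF='tun0'
VPN_SERVER='185.156.175.0/24 1194/udp'

# Constructed sample of `ufw status verbose` after applying the rules above.
GOOD_STATUS='Status: active
Logging: off
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
10.0.0.0/22                ALLOW IN    Anywhere
10.0.0.0/22                ALLOW OUT   Anywhere
Anywhere on tun0           ALLOW OUT   Anywhere
Anywhere on tun0           ALLOW IN    Anywhere
185.156.175.0/24 1194/udp  ALLOW OUT   Anywhere'

# Constructed sample of a broken kill switch: an extra catch-all outbound rule
# lets traffic bypass the tunnel when it is down.
LEAKY_STATUS="$GOOD_STATUS
Anywhere                   ALLOW OUT   Anywhere"

# Read `ufw status verbose` on stdin, print one line per finding and exit 1 if
# there are any; exit 0 when the firewall is active, both defaults are deny,
# and every outbound allow is one of the three expected exceptions.
audit_killswitch() {
    awk -v lan="$LAN_NET" -v ifc="$VPN_IF" -v srv="$VPN_SERVER" '
        /^Status:/ && $2 != "active" { print "firewall is not active"; bad = 1 }
        /^Default:/ {
            if ($0 !~ /deny \(outgoing\)/) { print "default outgoing policy is not deny"; bad = 1 }
            if ($0 !~ /deny \(incoming\)/) { print "default incoming policy is not deny"; bad = 1 }
        }
        /ALLOW OUT/ {
            dest = $0
            sub(/[ \t]+ALLOW OUT.*/, "", dest)   # keep only the "To" column
            if (dest == lan || dest == "Anywhere on " ifc || dest == srv) next
            print "unexpected outbound allow: " dest; bad = 1
        }
        END { if (bad) exit 1 }'
}

# Live usage (not run here): ufw status verbose | audit_killswitch
printf '%s\n' "$GOOD_STATUS" | audit_killswitch && echo "kill switch rules look intact"
```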
                                                                                      


                                                                                      Bluetooth

                                                                                      How to install and configure Bluetooth




                                                                                      Enable bluetooth

                                                                                      pacman -Syu bluez bluez-utils bluez-plugins blueman perl-net-dbus
                                                                                      
                                                                                      systemctl enable bluetooth
                                                                                      

                                                                                      Connect to a bluetooth device

                                                                                      bluetoothctl
                                                                                      

                                                                                      [bluetooth]# power on
                                                                                      [bluetooth]# scan on
                                                                                      [bluetooth]# pair MACADDRESS
                                                                                      [bluetooth]# connect MACADDRESS
                                                                                      [bluetooth]# trust MACADDRESS

                                                                                      Auto power-on after boot/resume

                                                                                      By default, the Bluetooth adapter does not power on after a reboot or resuming from suspend.

                                                                                      /etc/bluetooth/main.conf
                                                                                      
                                                                                      [Policy]
                                                                                      AutoEnable = true
                                                                                      

                                                                                      Discoverable on startup. DiscoverableTimeout = 0 disables the timer, so once the adapter is made discoverable it stays that way; leave the default timeout in place unless the machine really needs to accept new pairings at any time.

                                                                                      /etc/bluetooth/main.conf
                                                                                      
                                                                                      [General]
                                                                                      DiscoverableTimeout = 0
                                                                                      

                                                                                      Make sure that the bluetooth device is not blocked by rfkill

                                                                                      rfkill list
                                                                                      
                                                                                      rfkill unblock bluetooth
                                                                                      


                                                                                      libvirt

                                                                                      How to setup and run KVM/QEMU virtual machines




                                                                                      Install packages

                                                                                      pacman -Syu libvirt qemu edk2-ovmf virt-manager
                                                                                      

                                                                                      If using the default NAT/DHCP networking instead of a bridge

                                                                                      pacman -Syu iptables-nft dnsmasq
                                                                                      

                                                                                      Access permissions for qemu:///system

                                                                                      usermod -aG libvirt-qemu USER
                                                                                      

                                                                                      Enable service

                                                                                      systemctl enable libvirtd.service -f
                                                                                      

                                                                                      Create a network bridge

                                                                                      Warning

                                                                                      Check /etc/systemd/network/ for conflicting files

                                                                                      nmcli connection add type bridge ifname br0 stp no
                                                                                      
                                                                                      nmcli connection add type bridge-slave ifname enp5s0 master br0
                                                                                      
                                                                                      nmcli connection down enp5s0
                                                                                      
                                                                                      nmcli connection up bridge-br0
                                                                                      
                                                                                      nmcli connection up bridge-slave-enp5s0
                                                                                      
                                                                                      nmcli connection edit br0
                                                                                      
                                                                                      set bridge.mac-address
                                                                                      
                                                                                      save persistent
                                                                                      
                                                                                      quit
                                                                                      
                                                                                      /etc/systemd/network/mybridge.netdev
                                                                                      
                                                                                      [NetDev]
                                                                                      Name=br0
                                                                                      Kind=bridge
                                                                                      MACAddress=a8:5e:45:a7:09:99
                                                                                      
                                                                                      /etc/systemd/network/bind.network
                                                                                      
                                                                                      [Match]
                                                                                      Name=en*
                                                                                      
                                                                                      [Network]
                                                                                      Bridge=br0
                                                                                      
                                                                                      /etc/systemd/network/mybridge.network
                                                                                      
                                                                                      [Match]
                                                                                      Name=br0
                                                                                      
                                                                                      [Network]
                                                                                      DHCP=ipv4
                                                                                      
                                                                                      systemctl enable systemd-networkd -f
                                                                                      
                                                                                      ps aux | grep -i dnsmasq
                                                                                      
                                                                                      virsh list --all
                                                                                      
                                                                                      ip a s
                                                                                      
                                                                                      virsh net-dhcp-leases default
                                                                                      
                                                                                      route
                                                                                      
                                                                                      virsh net-destroy default
                                                                                      
                                                                                      virsh net-list --all
                                                                                      
                                                                                      ip link set enp4s0 down
                                                                                      
                                                                                      ip addr del 192.168.0.100/24 dev enp4s0
                                                                                      
                                                                                      systemctl disable NetworkManager
                                                                                      
                                                                                      systemctl disable dhcpcd.service
                                                                                      
                                                                                      systemctl stop systemd-networkd
                                                                                      
                                                                                      ip link add name br0 type bridge
                                                                                      
                                                                                      ip link set enp4s0 master br0
                                                                                      
                                                                                      ip addr add 192.168.0.100/24 dev br0 brd 192.168.0.255
                                                                                      
                                                                                      ip link set up enp4s0
                                                                                      
                                                                                      ip link set up br0
                                                                                      

                                                                                      From another device

                                                                                      arping 192.168.0.100 -I enp4s0
                                                                                      
                                                                                      route add default gw 192.168.0.1
                                                                                      

                                                                                      Add network bridge to virt-manager

                                                                                      bridged-network.xml
                                                                                      
                                                                                      <network>
                                                                                          <name>bridged-network</name>
                                                                                          <forward mode="bridge" />
                                                                                          <bridge name="br0" />
                                                                                      </network>
                                                                                      
                                                                                      virsh net-define bridged-network.xml
                                                                                      
                                                                                      virsh net-start bridged-network
                                                                                      
                                                                                      virsh net-autostart bridged-network
                                                                                      
                                                                                      virsh net-list
                                                                                      

                                                                                      Create a dynamic virtual disk from scratch

                                                                                      qemu-img create -f qcow2 -o preallocation=off diskname.qcow2 1T
                                                                                      

                                                                                      Disable virtual disk preallocation

                                                                                      qemu-img convert -f qcow2 -O qcow2 -o preallocation=off /home/user/directory/diskname-old.qcow2 /home/user/directory/diskname.qcow2
                                                                                      

                                                                                      Resize virtual disk

                                                                                      qemu-img info diskname.qcow2
                                                                                      
                                                                                      qemu-img resize diskname.qcow2 +180G
                                                                                      

                                                                                      Shrink virtual disk

                                                                                      A no-op conversion (qcow2 to qcow2) drops unallocated (sparse) space.
                                                                                      Shrink your disk without compression (better performance, larger disk size).

                                                                                      qemu-img convert -O qcow2 diskname.qcow2_backup diskname.qcow2
                                                                                      

                                                                                      Shrink your disk with compression (smaller disk size, takes longer to shrink, performance impact on slower systems)

                                                                                      qemu-img convert -O qcow2 -c diskname.qcow2_backup diskname.qcow2
                                                                                      

                                                                                      Enable huge pages

                                                                                      /etc/fstab
                                                                                      
                                                                                      hugetlbfs /dev/hugepages hugetlbfs mode=01770,gid=kvm 0 0
                                                                                      

                                                                                      Dynamic huge pages

                                                                                      /etc/sysctl.d/40-hugepage.conf
                                                                                      
                                                                                      vm.nr_hugepages = 0
                                                                                      vm.nr_overcommit_hugepages = 6144
                                                                                      

                                                                                      Static huge pages

                                                                                      /etc/sysctl.d/40-hugepage.conf
                                                                                      
                                                                                      vm.nr_hugepages = 6144
                                                                                      

                                                                                      Determine the number of huge pages the VM needs: divide the VM's memory by Hugepagesize (with the usual 2048 kB pages, 6144 pages correspond to a 12 GiB guest). With the dynamic configuration the pages are allocated when the VM starts and freed when it stops; with the static configuration they are reserved at boot and stay unavailable to the host even while the VM is off.

                                                                                      Check the size of the hugepages

                                                                                      grep Hugepagesize /proc/meminfo
                                                                                      
                                                                                      Tip

                                                                                      It is highly recommended to drop caches, compact memory and wait a couple of seconds before starting the VM, because the host may not have enough free contiguous memory for the required huge page blocks, especially after it has been up for a while. Both writes must be done as root (the redirection happens before sudo applies, so sudo echo does not work; use a root shell or sudo tee).

                                                                                      echo 3 > /proc/sys/vm/drop_caches
                                                                                      
                                                                                      echo 1 > /proc/sys/vm/compact_memory
                                                                                      
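The sizing and the pre-start check above, combined into one script, as an added example (not a script from this page). It computes the page count from Hugepagesize, counts free pool pages plus the dynamic overcommit allowance as available, and starts the libvirt domain only when enough pages exist; the VM name and memory size are command-line arguments and the meminfo sample used in the comments is constructed.

```shell
#!/bin/sh
# Size and pre-start check for huge pages (added example, not the page's script).
# Usage as root:  ./hugepages-start.sh <vm-name> <vm-memory-MiB>
# The VM name and memory size are assumptions passed on the command line.

# hugepages_needed <vm_mem_MiB> <hugepagesize_kB>: pages needed, rounded up.
hugepages_needed() {
    echo $(( ($1 * 1024 + $2 - 1) / $2 ))
}

# meminfo_field <name> <meminfo_text>: numeric value of one /proc/meminfo line,
# e.g. "Hugepagesize:       2048 kB" -> 2048.
meminfo_field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# hugepages_check <vm_mem_MiB> <meminfo_text> <nr_overcommit_hugepages>
# Prints "ok <needed> <available>" or "short <needed> <available>".
# available = pages already free in the pool + pages that may still be
# allocated dynamically (vm.nr_overcommit_hugepages), so the same check
# covers both the static and the dynamic configuration.
hugepages_check() {
    size=$(meminfo_field Hugepagesize "$2")
    free=$(meminfo_field HugePages_Free "$2")
    needed=$(hugepages_needed "$1" "$size")
    available=$(( free + $3 ))
    if [ "$available" -ge "$needed" ]; then
        echo "ok $needed $available"
    else
        echo "short $needed $available"
    fi
}

# prepare_and_start <vm-name> <vm_mem_MiB>: drop caches, compact memory,
# wait, verify the huge pages and only then start the libvirt domain.
prepare_and_start() {
    sync
    echo 3 > /proc/sys/vm/drop_caches
    echo 1 > /proc/sys/vm/compact_memory
    sleep 2
    result=$(hugepages_check "$2" "$(cat /proc/meminfo)" \
                             "$(cat /proc/sys/vm/nr_overcommit_hugepages)")
    case $result in
        ok*) virsh start "$1" ;;
        *)   echo "not enough huge pages (needed available): ${result#short }" >&2
             return 1 ;;
    esac
}

if [ $# -eq 2 ]; then
    prepare_and_start "$1" "$2"
fi
```

Dynamically allocated (overcommit) pages still need contiguous free memory at start time, which is why the compaction step stays in front of the check.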

                                                                                      Virt-manager

                                                                                      Make sure that Chipset: Q35 is selected. Under Firmware, select the 64 bit UEFI firmware UEFI x86_64: OVMF_CODE.fd. The fragments below go into the domain XML (virsh edit <vm-name>, or the XML tab in virt-manager after enabling XML editing in its preferences).

                                                                                      Notes on the fragments: <hugepages/> requires the huge page setup above, and <memballoon model="none"/> disables ballooning, which does not work with huge-page backed memory. <hidden state="on"/> under <kvm> and the custom vendor_id hide the hypervisor from the guest; they are only needed for guest drivers that refuse to run inside a VM. topoext is an AMD CPU feature: remove that <feature> line on an Intel host or the domain will not start, and set the topology to the cores and threads you actually assign to the VM.

                                                                                      <memoryBacking>
                                                                                        <hugepages/>
                                                                                      </memoryBacking>

                                                                                      <features>
                                                                                        <acpi/>
                                                                                        <apic/>
                                                                                        <hyperv>
                                                                                          <relaxed state="on"/>
                                                                                          <vapic state="on"/>
                                                                                          <spinlocks state="on" retries="8191"/>
                                                                                          <vpindex state="on"/>
                                                                                          <runtime state="on"/>
                                                                                          <synic state="on"/>
                                                                                          <stimer state="on">
                                                                                            <direct state="on"/>
                                                                                          </stimer>
                                                                                          <reset state="on"/>
                                                                                          <vendor_id state="on" value="0123456789ab"/>
                                                                                          <frequencies state="on"/>
                                                                                          <reenlightenment state="on"/>
                                                                                          <tlbflush state="on"/>
                                                                                          <ipi state="on"/>
                                                                                          <evmcs state="off"/>
                                                                                        </hyperv>
                                                                                        <kvm>
                                                                                          <hidden state="on"/>
                                                                                        </kvm>
                                                                                        <vmport state="off"/>
                                                                                      </features>
                                                                                      <cpu mode="host-passthrough" check="none" migratable="on">
                                                                                        <topology sockets="1" dies="1" cores="4" threads="2"/>
                                                                                        <cache mode="passthrough"/>
                                                                                        <feature policy="require" name="topoext"/>
                                                                                      </cpu>
                                                                                      <clock offset="utc">
                                                                                        <timer name="rtc" tickpolicy="catchup"/>
                                                                                        <timer name="pit" tickpolicy="delay"/>
                                                                                        <timer name="hpet" present="no"/>
                                                                                        <timer name="hypervclock" present="yes"/>
                                                                                        <timer name="tsc" present="yes" mode="native"/>
                                                                                      </clock>

                                                                                      <memballoon model="none"/>
                                                                                      

                                                                                      Sharing data between host and guest

                                                                                      virtiofs needs the guest memory to be shared with the host. Add a <numa> element to the existing <cpu> element (keep its topology, cache and feature children); the cell memory must equal the VM's total memory (2097152 KiB = 2 GiB here, adjust it to your VM, otherwise libvirt refuses to start the domain).

                                                                                      <cpu mode="host-passthrough" check="none" migratable="on">
                                                                                        <numa>
                                                                                          <cell memory="2097152" unit="KiB" memAccess="shared"/>
                                                                                        </numa>
                                                                                      </cpu>

                                                                                      <filesystem type="mount" accessmode="passthrough">
                                                                                        <driver type="virtiofs"/>
                                                                                        <source dir="/mnt/sdc1"/>
                                                                                        <target dir="sdc1"/>
                                                                                      </filesystem>

                                                                                      virtiofsd runs on the host as root and passes the guest's user and group IDs through, so root inside the guest has root-equivalent access to everything below the exported directory. Export a dedicated directory only, never / or a home directory, and treat whatever the guest writes there as untrusted input.

                                                                                      It should now be possible to mount the share inside the guest; the guest kernel needs virtiofs support (Linux 5.4 or newer):

                                                                                      mount -t virtiofs sdc1 /mnt/sdc1
                                                                                      

                                                                                      Add the following fstab entry to mount the folder automatically at boot

                                                                                      /etc/fstab
                                                                                      
                                                                                      sdc1 /mnt/sdc1 virtiofs rw,noatime,_netdev 0 0
                                                                                      

                                                                                      Andreas Bauer. All rights reserved.

                                                                                      USB autosuspend

                                                                                      How to disable autosuspend of specific USB devices




                                                                                      Find the sysfs path of a device via its vendor ID (the first half of the ID vendor:product pair that lsusb prints)

                                                                                      lsusb
                                                                                      

                                                                                      Bus 001 Device 002: ID 1b1c:1b65 Corsair Harpoon Wireless Dongle
                                                                                      Bus 001 Device 005: ID 1038:0617 SteelSeries ApS SteelSeries Apex M750 TKL

                                                                                      grep 1b1c /sys/bus/usb/devices/*/idVendor
                                                                                      

                                                                                      /sys/bus/usb/devices/1-2/idVendor:1b1c

                                                                                      grep 1038 /sys/bus/usb/devices/*/idVendor
                                                                                      

                                                                                      /sys/bus/usb/devices/1-4.1/idVendor:1038


                                                                                      Manual toggle

                                                                                      power/control reads auto (the kernel may autosuspend the device) or on (the device is kept powered). These sysfs paths encode the bus position, so the same device in another port gets a different path. Read the current value and set it to on:

                                                                                      cat /sys/bus/usb/devices/usb1/1-2/power/control

                                                                                      echo 'on' | sudo tee /sys/bus/usb/devices/usb1/1-2/power/control

                                                                                      cat /sys/bus/usb/devices/usb1/1-4/1-4.1/power/control

                                                                                      echo 'on' | sudo tee /sys/bus/usb/devices/usb1/1-4/1-4.1/power/control
                                                                                      

                                                                                      Script to disable USB autosuspend for mouse and keyboard

                                                                                      ~/bin/usbautosuspend

                                                                                      #!/bin/sh
                                                                                      # Disable USB autosuspend for mouse and keyboard.
                                                                                      # Writing to power/control needs root: run with sudo or from the service below.
                                                                                      # Give the devices a moment to enumerate after boot.
                                                                                      sleep 5
                                                                                      # Corsair Harpoon Wireless Dongle
                                                                                      MOUSE="/sys/bus/usb/devices/usb1/1-2/power/control"
                                                                                      # SteelSeries ApS SteelSeries Apex M750 TKL
                                                                                      KEYBOARD="/sys/bus/usb/devices/usb1/1-4/1-4.1/power/control"
                                                                                      for ctl in "$MOUSE" "$KEYBOARD"; do
                                                                                          # Skip devices that are unplugged or sitting in another port
                                                                                          if [ -f "$ctl" ]; then
                                                                                              echo on > "$ctl"
                                                                                          fi
                                                                                      done

                                                                                      chmod 700 ~/bin/usbautosuspend
                                                                                      

                                                                                      Service to automate the process on startup

                                                                                      The unit runs the script as root at every boot, so the script must only be writable by root: anyone who can edit /home/USER/bin/usbautosuspend can run arbitrary commands as root. Either keep that file owned by root, or install a root-owned copy under /usr/local/bin and point ExecStart at it.

                                                                                      /etc/systemd/system/usbautosuspend.service

                                                                                      [Unit]
                                                                                      Description=Disable USB autosuspend for mouse and keyboard

                                                                                      [Service]
                                                                                      Type=oneshot
                                                                                      ExecStart=/home/USER/bin/usbautosuspend

                                                                                      [Install]
                                                                                      WantedBy=multi-user.target

                                                                                      systemctl enable usbautosuspend.service
                                                                                      
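A variant of the script above that looks devices up by vendor:product ID instead of by bus position, so it keeps working when the dongle or keyboard is plugged into another port. This is an added example, not the page's own script; the SYSFS_USB variable exists only so the functions can be exercised against a fake sysfs tree, and the IDs in the usage line are the ones lsusb printed above.

```shell
#!/bin/sh
# Keep specific USB devices powered, found by vendor:product ID rather than by
# sysfs path (added example, not the page's script).  Paths such as usb1/1-2
# change when a device moves to another port; the IDs do not.
# Usage as root:  ./usb-keep-on.sh 1b1c 1b65
# SYSFS_USB is overridable so the functions can be tested on a fake tree.

SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# usb_dev_paths <vendor> <product>: sysfs directory of every matching device
# (root hubs and hubs are skipped naturally because their IDs do not match).
usb_dev_paths() {
    for d in "$SYSFS_USB"/*; do
        [ -r "$d/idVendor" ] && [ -r "$d/idProduct" ] || continue
        if [ "$(cat "$d/idVendor")" = "$1" ] && [ "$(cat "$d/idProduct")" = "$2" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# usb_keep_on <vendor> <product>: write "on" to power/control of each match
# and print how many devices were changed.
usb_keep_on() {
    n=0
    for d in $(usb_dev_paths "$1" "$2"); do
        if [ -w "$d/power/control" ]; then
            echo on > "$d/power/control" && n=$((n + 1))
        fi
    done
    echo "$n"
}

if [ $# -eq 2 ]; then
    usb_keep_on "$1" "$2"
fi
```

The same effect without a boot-time script is a udev rule that matches the IDs when the device appears, for example (file name is an assumption) in /etc/udev/rules.d/50-usb-autosuspend.rules: ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1b1c", ATTR{idProduct}=="1b65", ATTR{power/control}="on". That also covers devices plugged in after boot, which the sleep 5 in the script does not.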


                                                                                      Flash android factory image

                                                                                      How to flash an android factory image and uninstall bloat packages without rooting the phone




                                                                                      Install package

                                                                                      pacman -Syu android-tools
                                                                                      

                                                                                      Enable Developer Mode

                                                                                      Connect your phone to your computer.
                                                                                      Launch the Settings app > About phone
                                                                                      Tap build number seven times.


                                                                                      Enable USB Debugging

                                                                                      Settings > System > Developer options > enable USB Debugging
                                                                                      The first time a computer connects, the phone asks you to authorize that computer's ADB key. Accept only for computers you trust, since an authorized computer gets a shell on the phone whenever it is plugged in, and tick "Always allow from this computer" only on your own machine.


                                                                                      Unlock bootloader

                                                                                      Unlocking performs a factory reset and erases all user data, so back the phone up first. While the bootloader is unlocked, verified boot no longer stops someone with physical access from flashing a modified system image, and the phone shows a warning at every boot.

                                                                                      Settings > Developer Options > enable OEM unlocking
                                                                                      Reboot the phone into Fastboot mode.

                                                                                      adb reboot bootloader

                                                                                      fastboot flashing unlock


                                                                                      Press Vol up to select the unlock option on the phone, then the power button to confirm. After the reboot press the power button to start.


                                                                                      Flash full Factory Image via Fastboot

                                                                                      Download the latest Factory Image for your exact device model and compare the archive's SHA-256 checksum (sha256sum) with the one listed on the download page before extracting it; a corrupted or tampered image can leave the phone unable to boot. Then check that adb sees the phone:

                                                                                      adb devices


                                                                                      Reboot the phone into Fastboot mode.

                                                                                      adb reboot bootloader

                                                                                      Info

                                                                                      flash-all.sh in the extracted image directory calls fastboot with the "-w" wipe flag. Delete "-w" from that command to retain personal data; to avoid compatibility issues, a data wipe is recommended though.

                                                                                      ./flash-all.sh


                                                                                      Once the script finishes, your device reboots into the new OS.


                                                                                      Uninstall bloat packages

                                                                                      adb shell

                                                                                      pm list packages

                                                                                      Tip

                                                                                      Search for the package name in the URL of the app's Google Play Store page (the id= parameter).

                                                                                      Without root, pm uninstall on a pre-installed system app only succeeds with --user 0: the app is removed for that user while the copy in the system partition stays, so it comes back after a factory reset and can be restored at any time with cmd package install-existing <package>. -k keeps the app's data and cache directories.

                                                                                      pm uninstall -k com.google.android.apps.youtube.music
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.apps.youtube.music
                                                                                      
                                                                                      pm uninstall -k com.google.android.youtube
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.youtube
                                                                                      
                                                                                      pm uninstall -k com.google.android.googlequicksearchbox
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.googlequicksearchbox
                                                                                      
                                                                                      pm uninstall -k com.google.android.gm
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.gm
                                                                                      
                                                                                      pm uninstall -k com.google.vr.apps.ornament
                                                                                      
                                                                                      pm uninstall -k com.google.android.apps.wearables.maestro.companion
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.apps.wearables.maestro.companion
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.calendar
                                                                                      
                                                                                      pm uninstall -k com.google.android.calendar
                                                                                      
                                                                                      pm uninstall -k --user 0 com.android.chrome
                                                                                      
                                                                                      pm uninstall -k com.android.chrome
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.ar.core
                                                                                      
                                                                                      pm uninstall -k com.google.ar.core
                                                                                      
                                                                                      pm uninstall -k --user 0 com.google.android.videos
                                                                                      
                                                                                      pm uninstall -k com.google.android.videos
                                                                                      
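The uninstall list above as a script that removes only the packages that are actually installed and records what it removed, as an added example (not the page's own commands). The package names are the ones listed above; DRY_RUN, the --run flag and the constructed pm list packages sample used for testing are assumptions of this example.

```shell
#!/bin/sh
# Remove the pre-installed packages listed on this page for user 0, but only
# those that are present, and report each removal.  Added example.
# Usage with the phone connected and authorized:  ./debloat.sh --run
# Set DRY_RUN=1 to print the plan without touching the phone.

BLOAT="com.google.android.apps.youtube.music
com.google.android.youtube
com.google.android.googlequicksearchbox
com.google.android.gm
com.google.vr.apps.ornament
com.google.android.apps.wearables.maestro.companion
com.google.android.calendar
com.android.chrome
com.google.ar.core
com.google.android.videos"

# installed_bloat <pm_list_output>: entries of $BLOAT that appear in the
# output of `pm list packages` (lines look like "package:com.android.chrome"),
# sorted.  adb shell output may carry CRLF line endings, so strip the CR.
installed_bloat() {
    tmp=$(mktemp)
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' > "$tmp"
    printf '%s\n' "$BLOAT" | grep -Fx -f "$tmp" | sort
    rm -f "$tmp"
}

# debloat: uninstall each installed entry for user 0, keeping app data (-k).
debloat() {
    list=$(adb shell pm list packages)
    for pkg in $(installed_bloat "$list"); do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would remove $pkg"
        else
            adb shell pm uninstall -k --user 0 "$pkg" && echo "removed $pkg"
        fi
    done
}

if [ "${1-}" = "--run" ]; then
    debloat
fi
```

Because the list is filtered against what the phone reports, the script is safe to rerun after a factory reset or after relocking the bootloader, when the system copies of these apps are back.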

                                                                                      Lock bootloader

                                                                                      Only relock after a complete stock factory image has been flashed: locking with a modified or partially flashed system can leave the phone unable to boot. Locking erases user data again, and that wipe also brings back the packages removed with --user 0 above, so run those uninstall commands again afterwards.

                                                                                      Reboot the phone into Fastboot mode.

                                                                                      adb reboot bootloader

                                                                                      fastboot flashing lock


                                                                                      Press Vol up to select the lock option on the phone, then the power button to confirm.
                                                                                      After the reboot press the power button to start.
                                                                                      Settings > Developer Options > disable OEM unlocking


                                                                                      Transfer media files

                                                                                      pacman -S mtpfs gvfs-mtp gvfs-gphoto2
                                                                                      
                                                                                      /etc/fuse.conf

                                                                                      user_allow_other

                                                                                      Uncomment user_allow_other so that a non-root user may mount with -o allow_other.

                                                                                      Mount your device

                                                                                      mtpfs -o allow_other ~/mnt
                                                                                      


                                                                                      Network administration

                                                                                      Commands for Network administration




                                                                                      Install tools

                                                                                      pacman -S curl wget tcpdump rsync nmap iperf bmon socat mtr ipcalc duf ncdu
                                                                                      

                                                                                      Inspect the current network

                                                                                      ip a
                                                                                      

                                                                                      Use ICMP echo requests to check whether two machines can reach each other (-c3 sends three probes and stops)

                                                                                      ping -c3 <network-ID>
                                                                                      

                                                                                      Show the path from your machine to a remote system and each hop along the way; -I uses ICMP echo probes (needs root) instead of the default UDP probes, which firewalls often drop

                                                                                      traceroute -I <network-ID>
                                                                                      

                                                                                      Combines the functionality of traceroute and ping into one tool

                                                                                      mtr <network-ID>
                                                                                      

                                                                                      Display or modify the routing table (route belongs to the deprecated net-tools package; ip route is the iproute2 equivalent)

                                                                                      route
                                                                                      

                                                                                      HTTP HEAD request that shows only the response headers and follows redirects

                                                                                      curl -IL <network-ID>
                                                                                      

                                                                                      Download a file

                                                                                      wget <network-ID>
                                                                                      

                                                                                      Look up the registration record of a domain or an IP address block

                                                                                      whois <network-ID>
                                                                                      

                                                                                      See which services are listening on your machine: -lt lists listening TCP sockets, -tupln adds UDP, numeric ports and the owning process (run as root to see processes of other users)

                                                                                      ss -lt
                                                                                      
                                                                                      ss -tupln
                                                                                      

                                                                                      Capture packets on a network interface and decode them (needs root)

                                                                                      tcpdump -i <network-DEVICE>
                                                                                      

                                                                                      View or add entries of the kernel's ARP (Address Resolution Protocol) table (net-tools; ip neigh is the iproute2 equivalent):

                                                                                      arp
                                                                                      

                                                                                      Assess the bandwidth available between two computers

                                                                                      Server side (listens on TCP port 5001 by default)

                                                                                      iperf -s


                                                                                      Client side, pointing at the server

                                                                                      iperf -c <server-network-ID>


                                                                                      Live per-interface bandwidth monitor

                                                                                      bmon
                                                                                      

                                                                                      Copy files from one machine to another over SSH; rsync -avhP resumes interrupted transfers and shows progress

                                                                                      scp </path/to/file/or/directory/> <username>@<network-ID>:/home/user/directory/
                                                                                      
                                                                                      rsync -avhP </path/to/file/or/directory/> <username>@<network-ID>:/home/user/directory/
                                                                                      

                                                                                      List physical ethernet ports

                                                                                      lspci | grep -i ethernet
                                                                                      

                                                                                      Find IP addresses on a network

                                                                                      nmap -sn <network-ID>/<network-prefix>
                                                                                      
                                                                                      nmap -sn <network-ID>/<network-prefix> | grep report | awk '{ print $5 }'
                                                                                      
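                                                                                      The `awk '{ print $5 }'` one-liner above prints the hostname instead of the address when a host resolves, because Nmap then reports "Nmap scan report for <hostname> (<ip>)". The function below, an added example that is not part of the original page, turns `nmap -sn` output into a plain list of live addresses for an inventory and handles both forms; the scan output it parses is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Added example (not from the original page): list the live hosts from
# `nmap -sn` output, one IPv4 address per line, whether or not the
# host resolved to a name.

# Reads Nmap's normal output on stdin and prints one address per line.
# Lines with "[host down]" only appear when -v is added; skip them.
live_hosts() {
    awk '/^Nmap scan report for/ && !/\[host down\]/ {
        # "hostname (ip)" form: field 6 is the address in parentheses
        if (index($6, "(") == 1) print substr($6, 2, length($6) - 2)
        else print $5
    }'
}

# Constructed sample of nmap -sn output (addresses and names made up).
SAMPLE_SCAN='Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
Nmap scan report for nas.lan (10.0.0.7)
Host is up (0.0023s latency).
Nmap scan report for 10.0.0.9 [host down]
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.51 seconds'

# Live addresses of the sample as one space-separated line.
sample_live_hosts() {
    printf '%s\n' "$SAMPLE_SCAN" | live_hosts | tr '\n' ' '
}

# Demo: prints "10.0.0.1 10.0.0.7"
sample_live_hosts
echo
```

For a real run, pipe the scan in directly: `nmap -sn <network-ID>/<network-prefix> | live_hosts`.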

                                                                                      Find the OS information associated with these IP addresses

                                                                                      nmap -sT -O <network-ID>/<network prefix>
                                                                                      

                                                                                      SYN stealth scan

                                                                                      nmap -sS <network-ID>/<network-prefix>
                                                                                      

                                                                                      Cloak a scan with decoys

                                                                                      nmap -sS -D <decoy1,decoy2[,ME],...> <network-ID>/<network-prefix>
                                                                                      

                                                                                      OS detection, version detection, script scanning, and traceroute

                                                                                      nmap -v -A <network-ID>/<network-prefix>
                                                                                      

                                                                                      Common vulnerabilities and exposures scan

                                                                                      nmap --script vuln <network-ID>/<network-prefix>
                                                                                      

                                                                                      Other useful options

                                                                                      -p- scan all ports
                                                                                      -Pn No ping: skip host discovery and treat every target as online
                                                                                      -sA ACK scan
                                                                                      -sF FIN scan
                                                                                      -sI IDLE scan
                                                                                      -sL List scan (DNS resolution only, no packets are sent to the targets)
                                                                                      -sN NULL scan
                                                                                      -sO IP protocol scan
                                                                                      -sP Ping scan (older spelling of -sn)
                                                                                      -sR RPC scan (older option, now part of -sV version detection)
                                                                                      -sS SYN scan (SYN > SYN ACK > RST, the handshake is never completed)
                                                                                      -sT TCP connect scan (three way handshake: SYN > SYN ACK > ACK)
                                                                                      -sW Window scan
                                                                                      -sX XMAS scan
                                                                                      -PI ICMP echo ping (older spelling of -PE)
                                                                                      -P0 No ping (older spelling of -Pn)
                                                                                      -PS SYN ping
                                                                                      -PT TCP ping (older option; -PS and -PA in current Nmap)
                                                                                      -oN Normal output
                                                                                      -oX XML output
                                                                                      -T0 through -T5 scan speed from very slow (-T0) to extremely aggressive (-T5)
                                                                                      -v Increase verbosity level (use -vv or more for greater effect)



                                                                                      Netcat is the network engineer’s Swiss Army knife

                                                                                      ncat
                                                                                      

                                                                                      If you use it in client mode, it’s similar to telnet, and you can create a TCP connection to a specific port and send anything that you type.
                                                                                      You can also use it to open a TCP/IP port and read from standard input. That makes it an easy way to transfer files between two computers. Another use case is testing whether your firewall is blocking certain traffic. For example,
                                                                                      execute netcat in server mode on a host behind your firewall and then execute netcat in client mode from outside the firewall. If you can read on the server whatever you type on the client, then the firewall is not filtering the connection.

                                                                                      ncat -l -p <port>
                                                                                      

                                                                                      This executes Netcat in server mode on port <port> and waits for incoming connections.

                                                                                      ncat -lnvp <port> -s <network-ID>
                                                                                      
                                                                                      ncat <network-ID> <port>
                                                                                      

                                                                                      This executes Netcat in client mode and connects to TCP port <port> on remote host <network-ID>.

                                                                                      You can also use Netcat with pipe commands. For example you can compress a file before sending it to the remote host with Netcat.

                                                                                      tar cpf - /some/dir | compress -c | ncat -w 3 <network-ID> <port>
                                                                                      

                                                                                      Andreas Bauer. All rights reserved.

                                                                                      Subnetting

                                                                                      List of IPv4 and IPv6 ranges, subnet size tables and special address types




                                                                                      Calculate subnet masks

                                                                                      ipcalc 10.0.0.1/22 -s 254 254 254 254
                                                                                      

                                                                                      IPv4 ranges

                                                                                      Scope     Class   First          Last              Netmask
                                                                                      Public    A       1.0.0.0        126.255.255.255   255.0.0.0
                                                                                      Public    B       128.0.0.0      191.255.255.255   255.255.0.0
                                                                                      Public    C       192.0.0.0      223.255.255.255   255.255.255.0
                                                                                      Public    D       224.0.0.0      239.255.255.255   -
                                                                                      Public    E       240.0.0.0      255.255.255.255   -
                                                                                      Private   A       10.0.0.0       10.255.255.255    255.0.0.0
                                                                                      Private   B       172.16.0.0     172.31.255.255    255.255.0.0
                                                                                      Private   C       192.168.0.0    192.168.255.255   255.255.255.0

                                                                                      Special address types

                                                                                      Type                   CIDR               IPv4                             IPv6
                                                                                      Default                0.0.0.0/0          0.0.0.0                          ::
                                                                                      Loopback (localhost)   127.0.0.0/8        127.0.0.1 - 127.255.255.254      ::1
                                                                                      Link-local             169.254.0.0/16     169.254.0.1 - 169.254.255.254    FE80::/64
                                                                                      Global broadcast       255.255.255.255    255.255.255.255                  none (uses multicast)
                                                                                      Multicast              224.0.0.0/4        224.0.0.0 - 224.0.0.255          FF00::/8
                                                                                      Unique local unicast   FC00::/7           -                                FD00::/8

                                                                                      IPv6 Anycast

                                                                                      Routers deliver a packet sent to an anycast address to the nearest of the hosts that share that address
                                                                                      Anycast addresses have no dedicated prefix and are syntactically indistinguishable from unicast addresses


                                                                                      IPv4 subnet sizes

                                                                                      IPv4 CIDR mask Dotted decimal mask Amount of usable host addresses
                                                                                      /1 128.0.0.0 2147483646
                                                                                      /2 192.0.0.0 1073741822
                                                                                      /3 224.0.0.0 536870910
                                                                                      /4 240.0.0.0 268435454
                                                                                      /5 248.0.0.0 134217726
                                                                                      /6 252.0.0.0 67108862
                                                                                      /7 254.0.0.0 33554430
                                                                                      /8 255.0.0.0 16777214
                                                                                      /9 255.128.0.0 8388606
                                                                                      /10 255.192.0.0 4194302
                                                                                      /11 255.224.0.0 2097150
                                                                                      /12 255.240.0.0 1048574
                                                                                      /13 255.248.0.0 524286
                                                                                      /14 255.252.0.0 262142
                                                                                      /15 255.254.0.0 131070
                                                                                      /16 255.255.0.0 65534
                                                                                      /17 255.255.128.0 32766
                                                                                      /18 255.255.192.0 16382
                                                                                      /19 255.255.224.0 8190
                                                                                      /20 255.255.240.0 4094
                                                                                      /21 255.255.248.0 2046
                                                                                      /22 255.255.252.0 1022
                                                                                      /23 255.255.254.0 510
                                                                                      /24 255.255.255.0 254
                                                                                      /25 255.255.255.128 126
                                                                                      /26 255.255.255.192 62
                                                                                      /27 255.255.255.224 30
                                                                                      /28 255.255.255.240 14
                                                                                      /29 255.255.255.248 6
                                                                                      /30 255.255.255.252 2
                                                                                      /31 255.255.255.254 no net, 2 hosts
                                                                                      /32 255.255.255.255 no net, one host

                                                                                      IPv6 subnet sizes

                                                                                      IPv6 CIDR mask Amount of networks or addresses
                                                                                      /1 9223372036854775808 networks of size /64
                                                                                      /2 4611686018427387904 networks of size /64
                                                                                      /3 2305843009213693952 networks of size /64
                                                                                      /4 1152921504606846976 networks of size /64
                                                                                      /5 576460752303423488 networks of size /64
                                                                                      /6 288230376151711744 networks of size /64
                                                                                      /7 144115188075855872 networks of size /64
                                                                                      /8 72057594037927936 networks of size /64
                                                                                      /9 36028797018963968 networks of size /64
                                                                                      /10 18014398509481984 networks of size /64
                                                                                      /11 9007199254740992 networks of size /64
                                                                                      /12 4503599627370496 networks of size /64
                                                                                      /13 2251799813685248 networks of size /64
                                                                                      /14 1125899906842624 networks of size /64
                                                                                      /15 562949953421312 networks of size /64
                                                                                      /16 281474976710656 networks of size /64
                                                                                      /17 140737488355328 networks of size /64
                                                                                      /18 70368744177664 networks of size /64
                                                                                      /19 35184372088832 networks of size /64
                                                                                      /20 17592186044416 networks of size /64
                                                                                      /21 8796093022208 networks of size /64
                                                                                      /22 4398046511104 networks of size /64
                                                                                      /23 2199023255552 networks of size /64
                                                                                      /24 1099511627776 networks of size /64
                                                                                      /25 549755813888 networks of size /64
                                                                                      /26 274877906944 networks of size /64
                                                                                      /27 137438953472 networks of size /64
                                                                                      /28 68719476736 networks of size /64
                                                                                      /29 34359738368 networks of size /64
                                                                                      /30 17179869184 networks of size /64
                                                                                      /31 8589934592 networks of size /64
                                                                                      /32 4294967296 networks of size /64
                                                                                      /33 2147483648 networks of size /64
                                                                                      /34 1073741824 networks of size /64
                                                                                      /35 536870912 networks of size /64
                                                                                      /36 268435456 networks of size /64
                                                                                      /37 134217728 networks of size /64
                                                                                      /38 67108864 networks of size /64
                                                                                      /39 33554432 networks of size /64
                                                                                      /40 16777216 networks of size /64
                                                                                      /41 8388608 networks of size /64
                                                                                      /42 4194304 networks of size /64
                                                                                      /43 2097152 networks of size /64
                                                                                      /44 1048576 networks of size /64
                                                                                      /45 524288 networks of size /64
                                                                                      /46 262144 networks of size /64
                                                                                      /47 131072 networks of size /64
                                                                                      /48 65536 networks of size /64
                                                                                      /49 32768 networks of size /64
                                                                                      /50 16384 networks of size /64
                                                                                      /51 8192 networks of size /64
                                                                                      /52 4096 networks of size /64
                                                                                      /53 2048 networks of size /64
                                                                                      /54 1024 networks of size /64
                                                                                      /55 512 networks of size /64
                                                                                      /56 256 networks of size /64
                                                                                      /57 128 networks of size /64
                                                                                      /58 64 networks of size /64
                                                                                      /59 32 networks of size /64
                                                                                      /60 16 networks of size /64
                                                                                      /61 8 networks of size /64
                                                                                      /62 4 networks of size /64
                                                                                      /63 2 networks of size /64
                                                                                      /64 18446744073709551616 addresses
                                                                                      /65 9223372036854775808 addresses
                                                                                      /66 4611686018427387904 addresses
                                                                                      /67 2305843009213693952 addresses
                                                                                      /68 1152921504606846976 addresses
                                                                                      /69 576460752303423488 addresses
                                                                                      /70 288230376151711744 addresses
                                                                                      /71 144115188075855872 addresses
                                                                                      /72 72057594037927936 addresses
                                                                                      /73 36028797018963968 addresses
                                                                                      /74 18014398509481984 addresses
                                                                                      /75 9007199254740992 addresses
                                                                                      /76 4503599627370496 addresses
                                                                                      /77 2251799813685248 addresses
                                                                                      /78 1125899906842624 addresses
                                                                                      /79 562949953421312 addresses
                                                                                      /80 281474976710656 addresses
                                                                                      /81 140737488355328 addresses
                                                                                      /82 70368744177664 addresses
                                                                                      /83 35184372088832 addresses
                                                                                      /84 17592186044416 addresses
                                                                                      /85 8796093022208 addresses
                                                                                      /86 4398046511104 addresses
                                                                                      /87 2199023255552 addresses
                                                                                      /88 1099511627776 addresses
                                                                                      /89 549755813888 addresses
                                                                                      /90 274877906944 addresses
                                                                                      /91 137438953472 addresses
                                                                                      /92 68719476736 addresses
                                                                                      /93 34359738368 addresses
                                                                                      /94 17179869184 addresses
                                                                                      /95 8589934592 addresses
                                                                                      /96 4294967296 addresses
                                                                                      /97 2147483648 addresses
                                                                                      /98 1073741824 addresses
                                                                                      /99 536870912 addresses
                                                                                      /100 268435456 addresses
                                                                                      /101 134217728 addresses
                                                                                      /102 67108864 addresses
                                                                                      /103 33554432 addresses
                                                                                      /104 16777216 addresses
                                                                                      /105 8388608 addresses
                                                                                      /106 4194304 addresses
                                                                                      /107 2097152 addresses
                                                                                      /108 1048576 addresses
                                                                                      /109 524288 addresses
                                                                                      /110 262144 addresses
                                                                                      /111 131072 addresses
                                                                                      /112 65536 addresses
                                                                                      /113 32768 addresses
                                                                                      /114 16384 addresses
                                                                                      /115 8192 addresses
                                                                                      /116 4096 addresses
                                                                                      /117 2048 addresses
                                                                                      /118 1024 addresses
                                                                                      /119 512 addresses
                                                                                      /120 256 addresses
                                                                                      /121 128 addresses
                                                                                      /122 64 addresses
                                                                                      /123 32 addresses
                                                                                      /124 16 addresses
                                                                                      /125 8 addresses
                                                                                      /126 4 addresses
                                                                                      /127 2 addresses
                                                                                      /128 1 address

                                                                                      Determine the necessary network mask, in CIDR notation, for a given number of hosts

                                                                                      Example: 750 hosts. Every subnet also needs a network and a broadcast address, so the block has to hold 752 addresses. The smallest power of two that fits is 2^10 = 1024, so 10 host bits (zeros) are needed and the prefix is 32 - 10 = /22 (22 ones):

                                                                                      11111111 11111111 11111100 00000000

                                                                                      Binary to decimal: each octet holds 2^8 = 256 values and its bits are worth 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1, so the mask reads

                                                                                      255 . 255 . 252 . 0

                                                                                      More examples:

                                                                                      100 hosts fit in 2^7 = 128, so 32 - 7 = /25
                                                                                      14000 hosts fit in 2^14 = 16384, so 32 - 14 = /18
                                                                                      3789 hosts fit in 2^12 = 4096, so 32 - 12 = /20
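                                                                                      The same arithmetic as POSIX shell functions, an added example that is not part of the original page: prefix length from a host count, dotted mask from a prefix, usable hosts per prefix (including the /31 and /32 rows of the table above) and the network and broadcast address of the 10.0.0.1/22 block used in the ipcalc line. The host counts are the page's own figures.

```shell
#!/bin/sh
# Added example (not from the original page): CIDR arithmetic in plain
# POSIX shell (dash or bash), using the page's own host counts.

# Convert dotted-decimal IPv4 to a 32-bit integer and back.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Integer netmask for a prefix length 0-32 (masked to 32 bits so /0 is 0).
mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Smallest prefix length whose subnet holds N usable hosts. Below /31 every
# subnet loses two addresses (network and broadcast), so the block has to
# hold N + 2 addresses: 750 hosts -> 752 -> 2^10 = 1024 -> /22.
prefix_for_hosts() {
    need=$(( $1 + 2 ))
    bits=0
    while [ $(( 1 << bits )) -lt "$need" ]; do
        bits=$(( bits + 1 ))
    done
    echo $(( 32 - bits ))
}

# Dotted-decimal netmask for a prefix length: 22 -> 255.255.252.0
mask_for_prefix() {
    int_to_ip "$(mask_int "$1")"
    echo
}

# Usable host addresses for a prefix length, matching the IPv4 subnet size
# table: /31 (point-to-point) and /32 (single host) have no network or
# broadcast address to subtract.
usable_hosts() {
    case $1 in
        32) echo 1 ;;
        31) echo 2 ;;
        *)  echo $(( (1 << (32 - $1)) - 2 )) ;;
    esac
}

# Network and broadcast address of the block an address belongs to:
# network_range 10.0.0.1 22 -> "10.0.0.0/22 - 10.0.3.255"
network_range() {
    ip=$(ip_to_int "$1")
    m=$(mask_int "$2")
    net=$(( ip & m ))
    bcast=$(( net | (m ^ 4294967295) ))
    printf '%s/%s - %s\n' "$(int_to_ip "$net")" "$2" "$(int_to_ip "$bcast")"
}

# Demo with the page's figures: 750 -> /22, 100 -> /25, 14000 -> /18, 3789 -> /20
for hosts in 750 100 14000 3789; do
    p=$(prefix_for_hosts "$hosts")
    printf '%5d hosts -> /%d  mask %s  usable %s\n' \
        "$hosts" "$p" "$(mask_for_prefix "$p")" "$(usable_hosts "$p")"
done
network_range 10.0.0.1 22
```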



                                                                                      Gaming

                                                                                      How to install Steam, DXVK




Steam Launch Options

Launch the game executable instead of its launcher (here Fallout: New Vegas) by rewriting the command array Steam passes in

DO=(%command%); "${DO[@]/%FalloutNVLauncher.exe/FalloutNV.exe}"

Enable GameMode

LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libgamemodeauto.so

Disable ESYNC

PROTON_NO_ESYNC=1

Disable DX11 or DX10

PROTON_NO_D3D11=1

Get cool stats (DXVK HUD)

DXVK_HUD=fps,frametimes

Other DXVK_HUD options: devinfo, submissions, drawcalls, pipelines, memory, version, api

Always end with this command

%command%

nVidia caching options

__GL_THREADED_OPTIMIZATION=1
__GL_SHADER_DISK_CACHE_PATH=/path/to/location

Create a 64-bit Wine prefix, then install core fonts and DXVK into it

WINEARCH="win64" WINEPREFIX=~/DIRECTORY winecfg
WINEARCH="win64" WINEPREFIX=~/DIRECTORY winetricks corefonts
WINEARCH="win64" WINEPREFIX=~/DIRECTORY /usr/share/dxvk/setup_dxvk.sh install

Make Steam's Proton available to Lutris as a Wine runner

ln -s ~/.local/share/Steam/steamapps/common/Proton*/dist ~/.local/share/lutris/runners/wine/proton

battle.net

pacman -Syu lib32-gnutls lib32-libldap lib32-libgpg-error lib32-sqlite lib32-libpulse lib32-alsa-plugins
                                                                                      


                                                                                      nVidia

                                                                                      How to install and configure nVidia drivers and setup a default resolution and refresh rate




Install nVidia driver

pacman -S nvidia nvidia-libgl lib32-nvidia-libgl nvidia-settings

Enable persistence

systemctl enable nvidia-persistenced.service -f

systemctl start nvidia-persistenced.service

Enable runtime power management for nVidia VGA/3D controller devices on driver bind

/etc/udev/rules.d/80-nvidia-pm.rules

ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"

/etc/modprobe.d/nvidia-pm.conf

options nvidia "NVreg_DynamicPowerManagement=0x02"

List the connected outputs and the modes they support

xrandr -q

Set resolution and refresh rate for an output (here DP-0)

xrandr --output DP-0 --mode 3440x1440 --rate 200

Generate a modeline for a resolution and refresh rate (used in 10-monitor.conf below)

cvt 3440 1440 200
                                                                                      

Make nVidia Settings permanent

nvidia-settings uses two configuration files: the X server configuration /etc/X11/xorg.conf.d/20-nvidia.conf and the per-user settings file /home/wildw1ng/.nvidia-settings-rc

/etc/X11/xorg.conf.d/20-nvidia.conf (minimal Screen section; the same Coolbits and TripleBuffer options also appear in the full Screen section of 10-monitor.conf below)

Section "Screen"
    Identifier     "Screen0"
    Option         "Coolbits" "28"
    Option         "TripleBuffer" "off"
EndSection

/etc/X11/xorg.conf.d/10-monitor.conf

Section "Monitor"
        Identifier "Monitor0"
        Modeline "3440x1440_200.00"  1569.78  3440 3760 4144 4848  1440 1441 1444 1619  -HSync +Vsync
        Option "Primary" "true"
        Option "PreferredMode" "3440x1440_200"
EndSection

Section "Screen"
    Identifier "Screen0"
    Monitor "Monitor0"
    DefaultDepth 24
    Option         "Coolbits" "28"
    Option         "TripleBuffer" "off"
    Option         "metamodes" "3440x1440_200 +0+0 {AllowGSYNCCompatible=On}"
    SubSection "Display"
        Modes "3440x1440_200"
    EndSubSection
EndSection

Section "Device"
    Identifier "Device0"
    Driver "nvidia"
EndSection
                                                                                      

Custom TDP limit on boot (without driver persistence)

/etc/systemd/system/nvidia-tdp.timer

[Unit]
Description=Set NVIDIA power limit on boot

[Timer]
OnBootSec=5

[Install]
WantedBy=timers.target

/etc/systemd/system/nvidia-tdp.service

[Unit]
Description=Set NVIDIA power limit

[Service]
Type=oneshot
ExecStart=/usr/bin/nvidia-smi -pl 320

systemctl enable nvidia-tdp.timer -f

~/.config/autostart/nvidia-powermizer.desktop

[Desktop Entry]
Type=Application
Encoding=UTF-8
Name=nVidia Performance Profile
Comment=Configure nVidia PowerMizer Settings
Exec=/usr/bin/nvidia-settings -c :0 -a '[gpu:0]/GPUPowerMizerMode=1'
Icon=/usr/share/pixmaps/nvidia-settings.png
Categories=__NVIDIA_SETTINGS_DESKTOP_CATEGORIES__

List nVidia PCI devices

lspci | grep -i nvidia

Show the current power limits and power draw (verify that the new limit was applied)

nvidia-smi -q -d power

Point nvidia-settings at the X display, or start a bare X server on :0 if none is running

export DISPLAY=:0

X :0 &
                                                                                      

Configure nVidia performance profile settings

/usr/bin/nvidia-settings -c :0 -a '[gpu:0]/GPUPowerMizerMode=2'

GPUPowerMizerMode=0 Adaptive
GPUPowerMizerMode=1 Performance
GPUPowerMizerMode=2 Auto

Query the current mode (quote the attribute so the shell does not treat the brackets as a glob pattern)

nvidia-settings -q '[gpu:0]/GPUPowerMizerMode'

Apply the mode 20 seconds after login, in the background

(sleep 20 && DISPLAY=":0.0" nvidia-settings -a '[gpu:0]/GPUPowerMizerMode=2') &

GPU usage monitoring

watch -d -n 1 nvidia-smi

GWE, a GUI to control cooling and overclocking of nVidia cards (start it with the window hidden)

flatpak run com.leinardi.gwe --hide-window

/usr/lib/modprobe.d/zz-nvidia-modeset.conf

options nvidia_drm modeset=0

/etc/mkinitcpio.conf

MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)
                                                                                      


                                                                                      Feral gamemode

                                                                                      How to install and use Feral gamemode




pacman -S meson systemd git dbus

Build and install GameMode from source (bootstrap.sh runs from inside the cloned repository)

git clone https://github.com/FeralInteractive/gamemode.git
cd gamemode
./bootstrap.sh

systemctl --user status gamemoded.service

Optional GNOME Shell extension that shows when GameMode is active

git clone https://github.com/gicmo/gamemode-extension.git
cd gamemode-extension
./make-zip.sh install

Show the daemon version and its current status

gamemoded -v

gamemoded -s

Check the CPU frequency governor (GameMode switches it to performance while a game is running)

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

You must manually request GameMode when running the game.
This can be done by launching the game through gamemoderun

gamemoderun ./game

or by editing the Steam launch options

gamemoderun %command%

For Lutris, locate the library first

find /usr/ -name libgamemodeauto.so

then add it to the Lutris environment variables

Key = LD_PRELOAD
Value = /usr/lib/libgamemodeauto.so
                                                                                      


                                                                                      MangoHud

                                                                                      How to install and use the MangoHud overlay layer for monitoring system performance in Vulkan and OpenGL applications




yay -Syu mangohud lib32-mangohud

Start a game with overlay

mangohud /path/to/app

For Lutris games, go to the System options in Lutris (make sure that advanced options are enabled) and add this to the Command prefix setting

mangohud

For Steam games, you can add this as a launch option

mangohud %command%

Alternatively, add MANGOHUD=1 to your shell profile (Vulkan only).



                                                                                      Microsoft Windows

                                                                                      Microsoft Windows proprietary graphical operating system



Microsoft Windows, commonly referred to as Windows, is a group of several proprietary graphical operating system families, all of which are developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. Microsoft introduced an operating environment named Windows on November 20, 1985, as a graphical operating system shell for MS-DOS in response to the growing interest in graphical user interfaces (GUIs). Microsoft Windows came to dominate the world's personal computer (PC) market with over 90% market share, overtaking Mac OS, which had been introduced in 1984.


                                                                                      • Server 2022
                                                                                      • How to setup and manage a Windows Server 2022 with Active Directory domain services and roaming profiles

                                                                                        • 11
                                                                                        • Bypass Windows 11 installation restrictions and join an on-premises Active Directory domain


                                                                                          Windows Server 2022

                                                                                          Microsoft’s operating system for server computers including Active Directory, DNS Server, DHCP Server and Group Policy




Downloads

Option                                                    Download
VirtIO Driver                                             https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/
Microsoft Windows Server 2022                             https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022
Microsoft Server Language and Optional Features Preview   https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver

Change hostname

Rename-Computer -NewName Server1 -PassThru

Set time zone

Set-TimeZone "Central Europe Standard Time"

Set time and date

Set-Date -Date "05/17/2022 08:12"

Reduce boot menu timeout

bcdedit /timeout 3

Scan the system for any device hardware changes

pnputil /scan-devices

List devices

pnputil /enum-devices

Install device driver (here the VirtIO network driver from the mounted driver ISO)

pnputil -i -a D:\NetKVM\2k22\amd64\*
                                                                                          



Change server core shell

Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon' -Name Shell -Value 'PowerShell.exe'

Enable PowerShell script execution

Set-ExecutionPolicy RemoteSigned

Set PowerShell default working directory

Open the all-users profile script and add the Set-Location line to it

notepad $PSHOME\Profile.ps1

Set-Location $HOME
                                                                                          



                                                                                          Disable automatic updates

                                                                                          Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 1
                                                                                          

                                                                                          Enable install and manage updates via PowerShell

                                                                                          Install-PackageProvider -Name NuGet -Force
                                                                                          
                                                                                          Install-Module -Name PSWindowsUpdate -Force
                                                                                          

                                                                                          Create PowerShell updates inbound firewall rules

                                                                                          enable-WUremoting
                                                                                          

                                                                                          Download and install all available updates locally from Windows Update servers

                                                                                          Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
                                                                                          

                                                                                          Restart local computer

                                                                                          Restart-Computer
                                                                                          

                                                                                          Stop (shut down) local computer

                                                                                          Stop-Computer
                                                                                          

                                                                                          Update remote computers

Get-WindowsUpdate -Verbose -ComputerName core,client1,server1 -AcceptAll -Install -AutoReboot

[screenshot: remote-updates]


                                                                                          Restart remote computers

                                                                                          Restart-Computer -ComputerName core,client1,server1 -Force
                                                                                          

                                                                                          Stop (shut down) remote computers

                                                                                          Stop-Computer -ComputerName core,client1,server1 -Force
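
The remote update, restart and shutdown commands above as one run over several hosts, added here as an example (it is not the page's own code): each host is checked for WinRM reachability first, updates are installed without an automatic reboot, and only hosts that still report a pending reboot are restarted. The hostnames are the page's own placeholders; it assumes PSWindowsUpdate is installed on the management host, Enable-WURemoting has been run on every target, and that PSWindowsUpdate's Get-WURebootStatus -Silent returns a boolean (an assumption about that module's cmdlet).

```powershell
# Added example, not from the original page: patch a list of remote hosts from a
# management host with PSWindowsUpdate, then reboot only those that need it.
# Assumptions: PSWindowsUpdate is installed locally, Enable-WURemoting was run on
# each target, and Get-WURebootStatus -Silent returns $true/$false (PSWindowsUpdate).
$targets = 'core', 'client1', 'server1'   # placeholder hostnames from the page

$report = foreach ($computer in $targets) {
    # Skip unreachable hosts instead of aborting the whole run
    if (-not (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'; Updates = 0; RebootPending = $null }
        continue
    }
    # Install everything offered by Microsoft Update, but do not reboot yet
    $installed = Get-WindowsUpdate -ComputerName $computer -MicrosoftUpdate -AcceptAll -Install -IgnoreReboot -Verbose
    # Assumption: -Silent makes Get-WURebootStatus return a boolean
    $pending = Get-WURebootStatus -ComputerName $computer -Silent
    [pscustomobject]@{ Computer = $computer; Status = 'Updated'; Updates = @($installed).Count; RebootPending = $pending }
}

$report | Format-Table -AutoSize

# Reboot only where required and wait until PowerShell remoting answers again,
# so the next step in a maintenance script can rely on the host being back
$report | Where-Object RebootPending | ForEach-Object {
    Restart-Computer -ComputerName $_.Computer -Force -Wait -For PowerShell -Timeout 600
}
```

Separating the install step from the reboot keeps the reboot window under the operator's control; the report table is what you would keep as the change record for the maintenance.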
                                                                                          

Enable downloading optional features directly from Windows Update

gpedit.msc

[screenshot: download-features-from-windows-update]

Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing -Name RepairContentServerSource -Value 2

regedit

[screenshot: use-windows-update-server]

                                                                                          Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU -Name UseWUServer -Value 1
                                                                                          

                                                                                          Feature on Demand (FOD)

Microsoft offers a special package (the Server Core App Compatibility Feature on Demand) which allows you to install some graphical tools and snap-ins on Windows Server Core.

                                                                                          Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools
                                                                                          
                                                                                          Add-WindowsCapability -Online -Name ServerCore.AppCompatibility
                                                                                          

                                                                                          Install Feature on Demand from mounted ISO image

                                                                                          Add-WindowsCapability -Online -Name ServerCore.AppCompatibility -Source D:\LanguagesAndOptionalFeatures\ -LimitAccess
                                                                                          

                                                                                          Feature on Demand tools

Server Configuration          sconfig
Microsoft Management Console  mmc
Event Viewer                  eventvwr
Performance Monitor           perfmon
Resource Monitor              resmon
Device Manager                devmgmt
File Explorer                 explorer
Windows PowerShell ISE        powershell_ise
Disk Management               diskmgmt
Failover Cluster Manager      cluadmin
Hyper-V Manager               virtmgmt
Task Scheduler                taskschd



                                                                                          Check network profile

                                                                                          Get-NetConnectionProfile
                                                                                          

                                                                                          Set network profile from Public to Private

                                                                                          Set-NetConnectionProfile -InterfaceIndex 3 -NetworkCategory Private
                                                                                          

                                                                                          Check network settings

                                                                                          Get-NetIPConfiguration
                                                                                          

Set a static IP address

New-NetIPAddress -InterfaceIndex 3 -IPAddress 192.168.122.20 -PrefixLength 24 -DefaultGateway 192.168.122.1
                                                                                          

Set the Active Directory domain controller as DNS server

Set-DnsClientServerAddress -InterfaceIndex 3 -ServerAddresses 192.168.122.10,192.168.122.1

Note

Reset DNS server addresses (removes the static entries so the interface uses the DHCP-supplied ones again)

Set-DnsClientServerAddress -InterfaceIndex 3 -ResetServerAddresses
                                                                                          

                                                                                          Return to getting an IP address from DHCP Server

                                                                                          Set-NetIPInterface -InterfaceIndex 3 -Dhcp Enabled
                                                                                          

Set TrustedHosts (the wildcard trusts every host: the WinRM client will then send credentials to any machine it is pointed at, so prefer an explicit list such as -Value 'core,server1' where possible)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
                                                                                          

                                                                                          Enable Active Directory domain services

[screenshot: active-directory-domain-services-deployment-windows-server-2022e]

[screenshot: active-directory-domain-services-options-windows-server-2022]


Create and share Roaming user profiles directory

[screenshot: roaming-user-profiles-directory-windows-server-2022]


Create Roaming user profiles template

[screenshot: roaming-user-profiles-template-profile-windows-server-2022]

Profile path: \\Server1\User Profiles$\%username%

                                                                                          gpupdate
                                                                                          



                                                                                          Join on-premises Active Directory domain

                                                                                          ping wildw1ng.local
                                                                                          
                                                                                          ping 8.8.8.8
                                                                                          

                                                                                          Tip

                                                                                          Enable ping response on Server Core

sconfig.exe > option 4) Remote management > option 3) Enable server response to ping

[screenshot: join-domain-windows-server-2022-core]

                                                                                          Add-Computer -DomainName "wildw1ng.local" -Restart
                                                                                          

                                                                                          Add second Domain Controller to an existing domain

[screenshot: add-domain-controller-to-existing-domain]


                                                                                          Disable network adapter

Disable-NetAdapter -Name "Ethernet0"
                                                                                          

                                                                                          Enable network adapter

Enable-NetAdapter -Name "Ethernet0"
                                                                                          

                                                                                          Disable IPv6 support for your network adapter

                                                                                          Disable-NetAdapterBinding -Name "Ethernet0" -ComponentID ms_tcpip6
                                                                                          

                                                                                          Enable IPv6 support for your network adapter

                                                                                          Enable-NetAdapterBinding -Name "Ethernet0" -ComponentID ms_tcpip6
                                                                                          

                                                                                          Check the status of IPv6 support for your network adapter

                                                                                          Get-NetAdapterBinding -ComponentID ms_tcpip6
                                                                                          

                                                                                          Configure winhttp proxy server

                                                                                          netsh Winhttp set proxy SERVERNAME:PORT
                                                                                          

                                                                                          Enable Windows Defender Firewall for all profiles

                                                                                          Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
                                                                                          
                                                                                          Note

                                                                                          Completely disable Windows Firewall

                                                                                          Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False
                                                                                          

                                                                                          Check available OpenSSH packages

                                                                                          Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
                                                                                          

                                                                                          Install OpenSSH client

                                                                                          Add-WindowsCapability -Online -Name OpenSSH.Client
                                                                                          

                                                                                          Install OpenSSH server

                                                                                          Add-WindowsCapability -Online -Name OpenSSH.Server
                                                                                          

                                                                                          Start the sshd service

                                                                                          Start-Service sshd
                                                                                          
                                                                                          Set-Service -Name sshd -StartupType Automatic
                                                                                          

Allow incoming connections to TCP port 22 in the Windows Defender Firewall (the rule Name is the one the verification script below looks up)

New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
                                                                                          

                                                                                          Verify the Firewall rule is configured

                                                                                          notepad verify-ssh-firewall.ps1
                                                                                          
                                                                                          if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
                                                                                              Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
                                                                                              New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
                                                                                          } else {
                                                                                              Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
                                                                                          }
                                                                                          
                                                                                          .\verify-ssh-firewall.ps1
                                                                                          
                                                                                          Tip

                                                                                          Run PowerShell cli instead of cmd.exe shell when logging in via SSH

                                                                                          New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
                                                                                          

                                                                                          Connect to OpenSSH Server

                                                                                          ssh administrator@core
                                                                                          

[screenshot: connect-via-ssh]

                                                                                          System-wide configuration file at %programdata%\ssh\ssh_config


                                                                                          Public key authentication

Copy ~/.ssh/id_rsa.pub from the Linux client to the Windows server and rename it to %programdata%\ssh\administrators_authorized_keys

[screenshot: sshd-windows-id_rsa]

                                                                                          Update access control list (ACL)

                                                                                          icacls.exe "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
                                                                                          

OpenSSH Server (sshd) reads its configuration from %programdata%\ssh\sshd_config by default

                                                                                          notepad %programdata%\ssh\sshd_config
                                                                                          
                                                                                          PubkeyAuthentication yes
                                                                                          PasswordAuthentication no
                                                                                          

[screenshot: sshd-windows]

                                                                                          Restart-Service sshd
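
The public key authentication steps above (copy the key, fix the ACL, set the two sshd_config options, restart sshd) as a single idempotent script, added here as an example and not part of the page or of the OpenSSH project. It assumes OpenSSH.Server is already installed, that the public key from the Linux client was copied to C:\Users\Administrator\id_rsa.pub (a placeholder path), and that it runs in an elevated PowerShell.

```powershell
# Added example, not from the original page: register an administrator's SSH public key
# and switch sshd to key-only authentication. Safe to re-run: the key is appended only
# once and the config options are rewritten in place.
# Assumptions: OpenSSH.Server installed; $PubKeyFile is a placeholder path; elevated shell.
$PubKeyFile = 'C:\Users\Administrator\id_rsa.pub'
$AuthKeys   = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
$SshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'

$pubKey = (Get-Content -Path $PubKeyFile -Raw).Trim()
if ($pubKey -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+') {
    throw "'$PubKeyFile' does not look like an OpenSSH public key"
}

# Append only if the key (type + key material, comment ignored) is not already present
$keyId    = ($pubKey -split ' ')[0..1] -join ' '
$existing = if (Test-Path $AuthKeys) { @(Get-Content -Path $AuthKeys) } else { @() }
$present  = $existing | Where-Object { (($_ -split ' ')[0..1] -join ' ') -eq $keyId }
if (-not $present) {
    Add-Content -Path $AuthKeys -Value $pubKey -Encoding ascii
}

# sshd ignores administrators_authorized_keys unless only Administrators and SYSTEM can access it
icacls.exe $AuthKeys /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null

# Force key-only logins: each option is rewritten whether it is commented out, set differently or absent
$desired = [ordered]@{ PubkeyAuthentication = 'yes'; PasswordAuthentication = 'no' }
$lines = @(Get-Content -Path $SshdConfig)
foreach ($name in $desired.Keys) {
    $pattern = "^\s*#?\s*$name\s+\S+\s*$"
    if ($lines -match $pattern) {
        $lines = $lines -replace $pattern, "$name $($desired[$name])"
    } else {
        $lines += "$name $($desired[$name])"
    }
}
Set-Content -Path $SshdConfig -Value $lines -Encoding ascii

Restart-Service sshd
# Keep this session open and confirm from the client that the key is accepted and
# passwords are refused before logging out:  ssh -o PasswordAuthentication=no administrator@core
```

The ACL step is not cosmetic: sshd applies the same "not group/world accessible" check to administrators_authorized_keys that OpenSSH applies to authorized_keys on Linux, and silently falls back to refusing the key if inherited permissions remain.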
                                                                                          



                                                                                          Enable remote access via RDP

                                                                                          cscript C:\Windows\System32\Scregedit.wsf /ar 0
                                                                                          

                                                                                          Enable remote management

                                                                                          Configure-SMRemoting.exe -Enable
                                                                                          
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"

Enable-NetFirewallRule -DisplayName "Windows Management Instrumentation (DCOM-In)"

Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

Enable-NetFirewallRule -DisplayGroup "Remote Service Management"

Enable-NetFirewallRule -DisplayGroup "Remote Volume Management"

Enable-NetFirewallRule -DisplayGroup "Remote Scheduled Tasks Management"

Enable-NetFirewallRule -DisplayGroup "Windows Firewall Remote Management"

Enable-NetFirewallRule -DisplayGroup "Remote Administration"
                                                                                          

                                                                                          Display current Remote Management settings

                                                                                          Configure-SMRemoting.exe -Get
                                                                                          

                                                                                          Allow PowerShell Remoting

                                                                                          Enable-PSRemoting -Force
                                                                                          

                                                                                          List available roles on Windows Server

                                                                                          Get-WindowsFeature
                                                                                          

                                                                                          List installed roles and features in Windows Server

Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"} | Format-Table Name,InstallState
                                                                                          

                                                                                          Install role

                                                                                          Install-WindowsFeature DNS -IncludeManagementTools
                                                                                          

                                                                                          List services

                                                                                          Get-Service
                                                                                          

                                                                                          List stopped services

Get-Service | Where-Object {$_.Status -eq "Stopped"}
                                                                                          

                                                                                          Restart service

                                                                                          Restart-Service -Name spooler
                                                                                          

                                                                                          Manage processes

                                                                                          Task Manager taskmgr.exe

Get-Process cmd, wuaucl* | Select-Object ProcessName, StartTime, MainWindowTitle, Path, Company | Format-Table
                                                                                          

                                                                                          List physical disks status and health

                                                                                          Get-PhysicalDisk | Sort Size | FT FriendlyName, Size, MediaType, SpindleSpeed, HealthStatus, OperationalStatus -AutoSize
                                                                                          

                                                                                          List free disk space

                                                                                          Get-WmiObject -Class Win32_LogicalDisk |
                                                                                          Select-Object -Property DeviceID, VolumeName, @{Label='FreeSpace (Gb)'; expression={($_.FreeSpace/1GB).ToString('F2')}},
                                                                                          @{Label='Total (Gb)'; expression={($_.Size/1GB).ToString('F2')}},
@{Label='FreePercent'; Expression={[Math]::Round(($_.FreeSpace / $_.Size) * 100, 2)}} | Format-Table
                                                                                          

                                                                                          List logs of last 10 boots

                                                                                          Get-EventLog system | where-object {$_.eventid -eq 6006} | select -last 10
                                                                                          

                                                                                          List installed programs

                                                                                          Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
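
The command above reads only the Wow6432Node key, which holds 32-bit programs on a 64-bit Windows; native 64-bit programs and per-user installs live under two other uninstall keys. The following is an added example (not from the page) that merges all three and tags each entry with its origin, which is the form of inventory you want when comparing a server against a software baseline.

```powershell
# Added example, not from the original page: installed programs from the 64-bit,
# 32-bit (Wow6432Node) and current-user uninstall keys, tagged by origin.
function Get-InstalledProgram {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'              # native 64-bit programs
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit programs on 64-bit Windows
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs of the current user
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |                      # skip update/patch entries without a name
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'Origin'; Expression = {
                if     ($_.PSPath -match 'Wow6432Node')       { '32-bit' }
                elseif ($_.PSPath -match 'HKEY_CURRENT_USER') { 'User' }
                else                                          { '64-bit' }
            } } |
        Sort-Object DisplayName
}

Get-InstalledProgram | Format-Table -AutoSize
# For a baseline to diff against later: Get-InstalledProgram | Export-Csv -NoTypeInformation programs.csv
```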
                                                                                          

                                                                                          Download and extract archive file from an external website

                                                                                          Invoke-WebRequest https://servername/file.zip -outfile file.zip
                                                                                          
                                                                                          Expand-Archive -path '.\file.zip' -DestinationPath C:\Users\Administrator\Documents\
                                                                                          

                                                                                          Copy all files from a directory to a remote computer over the network

                                                                                          $session = New-PSSession -ComputerName REMOTEHOSTNAME
                                                                                          
                                                                                          Copy-Item -Path "C:\Logs\*" -ToSession $session -Destination "C:\Logs\" -Recurse -Force
                                                                                          

                                                                                          Force delete directory

                                                                                          directory-access-denied

                                                                                          Take ownership

takeown /f 'D:\User Profiles' /a /r /d y /skipsl
                                                                                          

                                                                                          Change permissions

                                                                                          cacls 'D:\User Profiles' /e /t /g administrators:f
                                                                                          

                                                                                          Delete directory

                                                                                          Remove-Item -Force -Recurse -Path 'D:\User Profiles'
                                                                                          

                                                                                          List listening and established ports

                                                                                          Get-NetTCPConnection -State Listen,Established
                                                                                          

                                                                                          List process names for the OwningProcess fields

                                                                                          Get-NetTCPConnection | Select-Object -Property *,@{'Name' = 'ProcessName';'Expression'={(Get-Process -Id $_.OwningProcess).Name}}
                                                                                          
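The two commands above give the owning PID and its name; when triaging a host you usually also want the executable path and a quick flag for listeners that run from somewhere other than the system directories. The following is an added example written for this page, not code from the original, and run it in an elevated PowerShell: without elevation Get-Process returns no Path for processes owned by SYSTEM or other users. The "trusted roots" list is an assumption for illustration and should be tuned to the host.

```powershell
# Added example (not from the original page): map every listening and established TCP socket
# to its owning process and executable path, and flag binaries outside the usual system
# directories so an unexpected listener stands out. Run in an elevated PowerShell.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }   # drop the x86 entry on hosts where that variable is unset

function Get-SocketOwner {
    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            PID           = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited or inaccessible>' }
            Path          = $path
            # $true when the path is known and not under a trusted root: verify such entries by hand
            Unusual       = [bool]($path -and -not $inTrusted)
        }
    }
}

# Unusual entries first, then by state and port
Get-SocketOwner |
    Sort-Object @{ Expression = 'Unusual'; Descending = $true }, State, LocalPort |
    Format-Table -AutoSize
```

An empty Path with a real ProcessName usually means the shell is not elevated rather than that the process is hidden; re-run from an elevated prompt before drawing conclusions.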

                                                                                          Check evaluation period (-dlv shows the detailed licence status including the remaining rearm count, -dli the short form)

                                                                                          slmgr -dlv
                                                                                          
                                                                                          slmgr -dli
                                                                                          

                                                                                          Extend evaluation period (rearm can only be used a limited number of times; check the remaining count with slmgr -dlv first)

                                                                                          slmgr -rearm
                                                                                          

                                                                                          Activate Windows Server

                                                                                          slmgr.vbs -ipk PRODUCTKEY
                                                                                          
                                                                                          slmgr.vbs -ato
                                                                                          

                                                                                          Activate your host on a KMS server (PRODUCTKEY must be the KMS client setup key for the installed edition; /skms points the client at the KMS host, 1688 is the default port)

                                                                                          slmgr /ipk PRODUCTKEY
                                                                                          
                                                                                          slmgr /skms kms.wildw1ng.local:1688
                                                                                          
                                                                                          slmgr /ato
                                                                                          

                                                                                          Andreas Bauer. All rights reserved.

                                                                                          Windows 11

                                                                                          Proprietary graphical operating system developed and marketed by Microsoft




                                                                                          Bypass install restrictions

                                                                                          On the "This PC can't run Windows 11" screen:

                                                                                          Shift + F10

                                                                                          regedit
                                                                                          


                                                                                          Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\LabConfig
                                                                                          

                                                                                          Create the key LabConfig under HKEY_LOCAL_MACHINE\SYSTEM\Setup and, inside it, the following DWORD (32-bit) values, each set to 1:
                                                                                          BypassTPMCheck 1
                                                                                          BypassCPUCheck 1
                                                                                          BypassRAMCheck 1
                                                                                          BypassSecureBootCheck 1
                                                                                          BypassStorageCheck 1


                                                                                          Bypass install restrictions with registry file


                                                                                          Option Download
                                                                                          bypass.iso http://s204520416.online.de/bypass.iso
                                                                                          BypassWindows11Check.reg http://s204520416.online.de/BypassWindows11Check.reg

                                                                                          Download and mount bypass.iso before starting the installation (or copy BypassWindows11Check.reg to a USB stick). Before merging, open the .reg file in Notepad and check that it contains nothing but the LabConfig key and the five Bypass* values listed above; a .reg file merged from the setup console runs with full privileges.
                                                                                          SHIFT + F10 on "This PC can't run Windows 11".
                                                                                          Type notepad.
                                                                                          Click ‘File’ > ‘Open’.
                                                                                          Set ‘Files of type’ to All files.
                                                                                          Click on ‘This PC’ and navigate to the mounted drive.
                                                                                          Right click the *.reg file, click on ‘Merge’ and confirm.


                                                                                          Bypass network requirements during installation

                                                                                          On the "Oops, you've lost internet connection" or "Let's connect you to a network" page, press Shift + F10.
                                                                                          In the Command Prompt, type oobe\bypassnro and press Enter to bypass the network requirement.
                                                                                          The computer restarts automatically.
                                                                                          Select the region and keyboard settings again to get back to the network connection page.

                                                                                          Click the "I don't have internet" option.
                                                                                          Click the "Continue with limited setup" option.
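Both bypasses above are registry changes, so they can be scripted instead of typed into regedit. The block below is an added example for this page, not code from the original; it uses reg.exe so the same lines also work in the plain cmd.exe console that Shift+F10 opens during setup, where powershell.exe may not be available (in that case type the reg.exe lines directly, with the paths and value names spelled out). The two stages run at different times and against different registries: LabConfig is read from the boot environment before installation, BypassNRO from the installed system during OOBE, which is what the oobe\bypassnro script sets before it reboots.

```powershell
# Added example (not from the original page): the two registry changes behind the setup
# bypasses, as reg.exe calls. Function names are this example's own.

# Stage 1: at the "This PC can't run Windows 11" screen. Setup reads LabConfig from the
# boot environment's registry, so this has to happen before the installation starts.
function Enable-SetupCheckBypass {
    $key = 'HKLM\SYSTEM\Setup\LabConfig'
    foreach ($name in 'BypassTPMCheck', 'BypassCPUCheck', 'BypassRAMCheck',
                      'BypassSecureBootCheck', 'BypassStorageCheck') {
        # REG_DWORD 1 disables that check; /f overwrites without prompting
        reg.exe add $key /v $name /t REG_DWORD /d 1 /f | Out-Null
    }
    reg.exe query $key   # confirm all five values before closing the console
}

# Stage 2: at the OOBE network page of the installed system. Equivalent to oobe\bypassnro:
# set the flag and reboot so OOBE starts again with the "I don't have internet" option.
function Enable-NetworkRequirementBypass {
    $key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'
    reg.exe add $key /v BypassNRO /t REG_DWORD /d 1 /f | Out-Null
    reg.exe query $key /v BypassNRO
    shutdown.exe /r /t 0
}

# Call the function that matches the screen you are on:
#   Enable-SetupCheckBypass
#   Enable-NetworkRequirementBypass
```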


                                                                                          Post installation downloads

                                                                                          Option Download
                                                                                          Waterfox https://www.waterfox.net/download
                                                                                          ThisIsWin11 https://github.com/builtbybel/ThisIsWin11
                                                                                          O&O ShutUp10++ https://www.oo-software.com/en/shutup10
                                                                                          AutoRuns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

                                                                                          Set Active Directory domain server as DNS server



                                                                                          Join on-premises Active Directory domain



                                                                                          Remote Server Administration Tools (RSAT)

                                                                                          Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
                                                                                          

                                                                                          Open a new elevated PowerShell (this triggers the UAC prompt)

                                                                                          Start-Process powershell -Verb runAs
                                                                                          

                                                                                          Share a Linux host directory with a Windows guest

                                                                                          Enable shared memory in the domain XML (virsh edit): virtiofs needs the guest memory backed by shared memory. The hugepages variant below requires hugepages reserved on the host, and the NUMA cell memory should equal the guest's configured memory; without NUMA, <source type="memfd"/> together with <access mode="shared"/> in memoryBacking is the usual alternative.

                                                                                          <memoryBacking>
                                                                                           <hugepages/>
                                                                                           <access mode="shared"/>
                                                                                          </memoryBacking>
                                                                                          
                                                                                          <cpu>
                                                                                           <numa>
                                                                                            <cell id="0" cpus="0-5" memory="2097152" unit="KiB" memAccess="shared"/>
                                                                                           </numa>
                                                                                          </cpu>
                                                                                          

                                                                                          Add a virtiofs filesystem passthrough

                                                                                          Add Hardware > Filesystem, driver virtiofs
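The same passthrough as it appears in the domain XML, for hosts without virt-manager, as an added example that is not part of the original page. The source directory /srv/winshare and the tag "share" are placeholders; share a dedicated directory rather than a home directory, because the guest gets read and write access to everything under the source path.

```xml
<!-- Added example (not from the original page): virtiofs passthrough for "virsh edit <domain>".
     /srv/winshare and the tag "share" are placeholders; the tag is what the guest mounts. -->
<filesystem type="mount" accessmode="passthrough">
  <driver type="virtiofs"/>
  <source dir="/srv/winshare"/>
  <target dir="share"/>
</filesystem>
```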


                                                                                          Install VirtIO Guest Tools on Windows guest

                                                                                          Option Download
                                                                                          VirtIO Guest Tools https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
                                                                                          D:\virtio-win-guest-tools.exe
                                                                                          

                                                                                          Install Windows File System Proxy on Windows guest (WinFsp)

                                                                                          Option Download
                                                                                          WinFsp https://github.com/winfsp/winfsp/releases

                                                                                          Enable and start VirtioFsSvc service


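Enabling the service can be done from an elevated PowerShell instead of the Services console. The block below is an added example for this page, not code from the original; it assumes the VirtIO guest tools and WinFsp are already installed, and checks that the share actually shows up as a drive.

```powershell
# Added example (not from the original page): enable and start the virtiofs service that the
# VirtIO guest tools install, then verify the share is mounted. Run in an elevated PowerShell
# after the VirtIO guest tools and WinFsp are installed.
$svc = Get-Service -Name VirtioFsSvc -ErrorAction SilentlyContinue
if (-not $svc) {
    throw 'VirtioFsSvc not found: install virtio-win-guest-tools.exe and WinFsp first, then reboot.'
}

Set-Service -Name VirtioFsSvc -StartupType Automatic     # start on every boot
if ($svc.Status -ne 'Running') { Start-Service -Name VirtioFsSvc }
Get-Service -Name VirtioFsSvc | Select-Object Name, Status, StartType

# The service mounts the virtiofs tag as a new drive letter (Z: by default);
# it should be listed here once the service is running.
Get-PSDrive -PSProvider FileSystem | Select-Object Name, Root, Free
```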

                                                                                          Restart-Computer
                                                                                          

                                                                                          A new drive appears in the guest, and files in that directory can now be read and written from either the host or the guest.