Install ssh-audit:

```
pacman -S ssh-audit
```

Server

Audit the current server configuration:

```
ssh-audit localhost
```

If any fail- or warn-level lines appear, try implementing the following sections.

Explicitly allow only selected algorithms

Restrict key exchange algorithms, ciphers, message authentication codes, and asymmetric (host) key algorithms:

```
# File: /etc/ssh/sshd_config.d/01-ssh-audit_hardening.conf
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
```

Force usage of public key authentication and prevent root login

```
# File: /etc/ssh/sshd_config.
```
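As an added example (not part of the original notes), a small Python check that parses the effective configuration printed by `sshd -T` and reports any algorithm the running server still offers outside the allow-lists above, which is a quick way to confirm the drop-in fragment actually took effect; the `sshd -T` sample embedded below is constructed, not real OpenSSH defaults.

```python
import subprocess

# Allow-lists copied from the hardening fragment above (sshaudit.com guide).
ALLOWED = {
    "kexalgorithms": {
        "sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
        "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"},
    "ciphers": {
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-128-etm@openssh.com"},
    "hostkeyalgorithms": {
        "ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com",
        "sk-ssh-ed25519@openssh.com", "sk-ssh-ed25519-cert-v01@openssh.com",
        "rsa-sha2-512", "rsa-sha2-512-cert-v01@openssh.com",
        "rsa-sha2-256", "rsa-sha2-256-cert-v01@openssh.com"},
}

def parse_sshd_t(text):
    """Parse `sshd -T` output (one lowercase "keyword value" per line) into
    {keyword: set of algorithms} for the four keywords we care about."""
    effective = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ALLOWED:
            effective[parts[0].lower()] = set(parts[1].split(","))
    return effective

def find_disallowed(effective):
    """Return {keyword: sorted algorithms the server still offers but the
    allow-list does not permit}; an empty dict means the fragment took effect."""
    return {k: sorted(v - ALLOWED[k]) for k, v in effective.items() if v - ALLOWED[k]}

def audit_running_sshd():
    """Run `sshd -T` (needs root) and report anything outside the allow-lists."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return find_disallowed(parse_sshd_t(out))

# Constructed sample of `sshd -T` output (not real OpenSSH defaults), with one
# algorithm outside each allow-list so the check has something to flag.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
"""

if __name__ == "__main__":
    print(find_disallowed(parse_sshd_t(SAMPLE_SSHD_T)))  # one offender per keyword
```

Run `audit_running_sshd()` as root on the server after reloading sshd; an empty result means every offered algorithm is on the allow-list.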
Install snapper:

```
pacman -S snapper
```

Make sure to have followed snapper's recommendations regarding the Btrfs subvolume layout. Note that snapper creates a subvolume for snapshots at /.snapshots, but with an unnecessary parent dependency on @. To allow snapper to go through the configuration step, make sure you have unmounted any subvolume (or anything else) mounted at /.snapshots and deleted any corresponding directory:

```
umount /.snapshots
rm -r /.snapshots
```

Create configuration for the root subvolume
Goodbye keyboards and monitors!
So easy!
We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:
* or has processes surviving logout (for instance lingering services).
This may increase privacy, depending on how the system is used.
If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.
All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.
Install software:

```
pacman -S bluez bluez-utils
```

If you want bluetooth to power on the chip as soon as bluetooth.service is running, set in /etc/bluetooth/main.conf:

```
[Policy]
AutoEnable=true
```

Enable and start the bluetooth service:

```
systemctl enable --now bluetooth
```

Connect a bluetooth headset/speaker:

```
pacman -S pulseaudio-bluetooth
systemctl --user restart pulseaudio
bluetoothctl agent on
bluetoothctl power on
bluetoothctl scan on
bluetoothctl pair ...
bluetoothctl connect ...
```

Tip: Instead of typing bluetoothctl for each command you can start a REPL by calling bluetoothctl without arguments.
Put that second drive to use!
NGiИX crashes on boot when proxying via hostname resolution.