My first steps on an Arch Linux box
First actions on a clean Arch box
Update system
Update system as root:
pacman -Syu
If the update fails because of key issues, reinstall the keyring:
pacman -S archlinux-keyring
and retry the update.
Set hostname:
vim /etc/hostname
Add user
Add user (and add to wheel group):
useradd -m -G wheel -s /bin/bash <username>
Set password for user:
passwd <username>
Add user to sudoers file:
export SUDO_EDITOR=/usr/bin/vim
visudo
uncomment the line that starts with %wheel
reboot
Set up SSH safely
Create a key for your user:
ssh-keygen -t ed25519
If a key was added to root (as is done with Linode), move it to the right user:
mkdir /home/freek/.ssh
mv .ssh/authorized_keys /home/freek/.ssh/
chown freek:freek /home/freek/.ssh/authorized_keys
sudo chown freek:freek /home/freek/.ssh
chmod 0700 /home/freek/.ssh
vim /etc/ssh/sshd_config
set: PermitRootLogin no
and PasswordAuthentication no
SSH should now work for the user.
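A check for the two settings above, as an added example that is not part of the original post: sshd uses the first value it reads for each keyword, so a PasswordAuthentication no appended below an earlier yes has no effect. The function names and sample files are made up for illustration, and the script assumes a single config file without Include lines.

```shell
#!/bin/sh
# Added example (not from the original post): which value would sshd use?
# sshd keeps the FIRST value it reads for a keyword; keywords are case-insensitive.
# Assumptions: one config file, no Include handling; only the global section
# (everything before the first Match block) is evaluated.

# usage: sshd_effective <keyword> <file> <default-if-unset>
sshd_effective() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { sub(/=/, " ") }                        # accept the "Keyword=value" form
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }            # unset: fall back to the default
    ' "$2"
}

# usage: check_hardening <file>; returns 0 only if both settings resolve to "no".
# The defaults passed here are upstream OpenSSH's (prohibit-password, yes).
check_hardening() {
    root=$(sshd_effective PermitRootLogin "$1" prohibit-password)
    pass=$(sshd_effective PasswordAuthentication "$1" yes)
    echo "PermitRootLogin=$root PasswordAuthentication=$pass"
    [ "$root" = no ] && [ "$pass" = no ]
}

# Constructed sample: the two settings were appended below an earlier "yes".
SAMPLE_SHADOWED=$(mktemp)
cat > "$SAMPLE_SHADOWED" <<'EOF'
PasswordAuthentication yes
permitrootlogin no
PasswordAuthentication no
EOF

# Constructed sample: settings placed first; the Match block is not evaluated.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
Match User backup
    AllowTcpForwarding no
EOF

for f in "$SAMPLE_SHADOWED" "$SAMPLE_GOOD"; do
    if check_hardening "$f"; then echo "  -> hardened"; else echo "  -> NOT hardened"; fi
done
```

On the server itself, sshd -T (run as root) prints the configuration sshd actually resolved. The running daemon only picks up edits to sshd_config after it is restarted or reloaded.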
Set up the bash history search using arrows
vim ~/.inputrc
Add this content:
"\e[A": history-search-backward
"\e[B": history-search-forward
"\e[C": forward-char
"\e[D": backward-char
Set up Tailscale and restrict SSH to the tailnet using UFW
Add the Arch Linux server to the tailnet:
curl -fsSL https://tailscale.com/install.sh | sh
and authenticate (I use GitHub).
Install UFW:
sudo pacman -S ufw
sudo ufw allow in on tailscale0
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
Now sudo ufw status
should give:
Status: active

To                           Action      From
--                           ------      ----
Anywhere on tailscale0       ALLOW       Anywhere
Anywhere (v6) on tailscale0  ALLOW       Anywhere (v6)
No ports are open, except on the tailnet.
Make sure UFW is also enabled after every reboot and started now:
sudo systemctl enable ufw
sudo systemctl start ufw