This note includes all commands I typed when I set up Arch Linux on my new bare metal server.

Why I choose Arch Linux

  • Simple as it should be
  • Outstanding community efforts to maintaining package registry
  • Well organized wiki resources

Useful links


wipe whole disk

wipefs -a /dev/sda

create partition


select /dev/sda
mktable gpt
mkpart EFI fat32 0 512MB # EFI
mkpart Arch ext4 512MB 100% # Arch
set 1 esp on # flag part1 as ESP

install file-system

mkfs.vfat -F 32 /dev/sda1 # EFI
mkfs.ext4 /dev/sda2 # Arch

mount disk

mkdir -p /mnt/boot
mount /dev/sda2 /mnt
mount /dev/sda1 /mnt/boot

install base & Linux kernel

reflector -f 10 --latest 30 --protocol https --sort rate --save /etc/pacman.d/mirrorlist # optimize mirror list

pacstrap /mnt base linux linux-firmware vim man-db man-pages git informant
# base-devel need to be included as well?
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
pacman -Syu # upgrade
pacman -Qe # list explicitly installed pkgs
pacman -Rs # remove pkg and its deps
pacman -Qtd # list orphans


pacman -S \
  grub \
  efibootmgr \
  amd-ucode # AMD microcode
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg


sed -i -e 's/#NTP=/' -e 's/#Fall/Fall/' /etc/systemd/timesyncd.conf
systemctl enable --now systemd-timesyncd


ln -sf /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
hwclock --systohc
vim /etc/locale.gen & locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf


hostnamectl set-hostname polka
hostnamectl set-chassis server
/etc/hosts localhost ::1 localhost polka


[Match] Name=enp5s0 [Network] #DHCP=yes Address= Gateway= DNS= # self-hosted DNS resolver DNS= # Cloudflare for the fallback DNS server MACVLAN=dns-shim # to handle local dns lookup to which is managed by Docker macvlan driver
# to handle local dns lookup to [NetDev] Name=dns-shim Kind=macvlan [MACVLAN] Mode=bridge
# to handle local dns lookup to [Match] Name=dns-shim [Network] IPForward=yes [Address] Address= Scope=link [Route] Destination=

ip equivalent to the above settings:

ip link add dns-shim link enp5s0 type macvlan mode bridge # add macvlan shim
ip a add dev dns-shim # assign host ip to shim defined in docker-compose.yml
ip link set dns-shim up # enable interface
ip route add dev dns-shim # route macvlan subnet to shim interface
systemctl enable --now systemd-networkd
networkctl status

# for self-hosted dns resolver
sed -r -i -e 's/#?DNSStubListener=yes/DNSStubListener=no/g' -e 's/#DNS=/DNS=' /etc/systemd/resolved.conf
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

systemctl enable --now systemd-resolved
resolvectl status
resolvectl query
drill @

pacman -S wpa_supplicant
vim /etc/wpa_supplicant/wpa_supplicant.conf
# ctrl_interface=/run/wpa_supplicant
# update_config=1
wpa_supplicant -B -i wlp8s0 -c /etc/wpa_supplicant/wpa_supplicant.conf
wpa_cli # default control socket -> /var/run/wpa_supplicant
modinfo iwlwifi

If networkctl keep showing enp5s0 as degraded, then run ip addr add dev enp5s0 to manually assign static IP address for the workaround.


pacman -S firewalld

See also Introduction to Netfilter – To Linux and beyond !


pacman -S zsh
chsh -s /bin/zsh


passwd # change root passwd

useradd -m -s /bin/zsh uetchy # add local user
passwd uetchy # change local user password

userdbctl # verify users

pacman -S sudo
echo "%sudo ALL=(ALL) NOPASSWD:/usr/bin/pacman" > /etc/sudoers.d/pacman # allow pacman without password
usermod -aG sudo uetchy # add local user to sudo group


pacman -S openssh
vim /etc/ssh/sshd_config
systemctl enable --now sshd

on the host machine:

ssh-copy-id [email protected]


git clone
cd yay
makepkg -si


exit # leave chroot
umount -R /mnt

Additional setup


pacman -S nvidia
cat /var/lib/modprobe.d/nvidia.conf # ensure having 'blacklist nouveau'

yay -S cuda-10.2 cudnn7-cuda10.2 # match the version number

nvidia-smi # test runtime


pacman -S docker docker-compose
yay -S nvidia-container-runtime
{ "log-driver": "journald", "log-opts": { "tag": "{{.ImageName}}/{{.Name}}/{{.ID}}" }, "exec-opts": ["native.cgroupdriver=systemd"], // for kubernetes "runtimes": { // for docker-compose "nvidia": { "path": "/usr/bin/nvidia-container-runtime", "runtimeArgs": [] } } }
systemctl enable --now docker

groupadd docker
usermod -aG docker user

docker run --rm -it --gpus all nvidia/cuda:10.2-cudnn7-runtime


yay -S telegraf
vim /etc/telegraf/telegraf.conf
Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status * telegraf ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN Defaults!FAIL2BAN !logfile, !syslog, !pam_session


pacman -S fail2ban
systemctl enable --now fail2ban
[DEFAULT] bantime = 60m ignoreip = [sshd] enabled = true port = 22,10122 [mailu] enabled = true backend = systemd journalmatch = CONTAINER_NAME=mailu_front_1 port = smtp,submission chain = DOCKER-USER filter = mailu findtime = 600 maxretry = 1 bantime = 1d
[INCLUDES] before = common.conf [Definition] failregex = ^%(__prefix_line)s\d+\/\d+\/\d+ \d+:\d+:\d+ \[info\] \d+#\d+: \*\d+ client login failed: "Authentication credentials invalid" while in http auth state, client: <HOST>, server: \S+, login: "<F-USER>\S+</F-USER>"$ ignoreregex =
fail2ban-client reload
fail2ban-client status mailu


yay -S sendmail


Dynamic DNS for Cloudflare.

yay -S cfddns
token: <token>
systemctl enable --now cfddns


pacman -S smartmontools
systemctl enable --now smartd

smartctl -t short /dev/sdc
smartctl -l selftest /dev/sdc


[Unit] Description=Borg Daily Backup Service [Service] Type=simple Nice=19 IOSchedulingClass=2 IOSchedulingPriority=7 ExecStart=/etc/backups/
[Unit] Description=Borg Daily Backup Timer [Timer] WakeSystem=false OnCalendar=*-*-* 03:00 RandomizedDelaySec=10min [Install]
#!/bin/bash -ue # The udev rule is not terribly accurate and may trigger our service before # the kernel has finished probing partitions. Sleep for a bit to ensure # the kernel is done. # # This can be avoided by using a more precise udev rule, e.g. matching # a specific hardware path and partition. sleep 5 # # Script configuration # export BORG_PASSPHRASE="<secret>" MOUNTPOINT=/mnt/backup TARGET=$MOUNTPOINT/borg # Archive name schema DATE=$(date --iso-8601) # # Create backups # # Options for borg create BORG_OPTS="--stats --compression lz4 --checkpoint-interval 86400" # No one can answer if Borg asks these questions, it is better to just fail quickly # instead of hanging. export BORG_RELOCATED_REPO_ACCESS_IS_OK=no export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no # Log Borg version borg --version echo "Starting backup for $DATE" echo "# system" borg create $BORG_OPTS \ --exclude /root/.cache \ --exclude /var/cache \ --exclude /var/lib/docker/devicemapper \ --exclude 'sh:/home/*/.cache' \ --exclude 'sh:/home/*/.cargo' \ --exclude 'sh:/home/*/.pyenv' \ --exclude 'sh:/home/*/.vscode-server' \ --exclude 'sh:/home/*/.local/share/TabNine' \ --one-file-system \ $TARGET::'{hostname}-system-{now}' \ / /boot echo "# data" borg create $BORG_OPTS \ --exclude 'sh:/mnt/data/nextcloud/appdata_*/preview' \ --exclude 'sh:/mnt/data/nextcloud/appdata_*/dav-photocache' \ $TARGET::'{hostname}-data-{now}' \ /mnt/data /mnt/ftl echo "Start pruning" BORG_PRUNE_OPTS="--list --stats --keep-daily 7 --keep-weekly 3 --keep-monthly 3" borg prune $BORG_PRUNE_OPTS --prefix '{hostname}-system-' $TARGET borg prune $BORG_PRUNE_OPTS --prefix '{hostname}-data-' $TARGET echo "Completed backup for $DATE" # Just to be completely paranoid sync
ln -sf /etc/backups/borg.* /etc/systemd/system/
systemctl enable --now borg


pacman -S kubeadm kubelet kubectl
systemctl enable --now kubelet
kubeadm init --pod-network-cidr=''
cp /etc/kubernetes/admin.conf ~/.kube/config

kubectl taint nodes --all # to allow allocating pods to the master node

# setup flannel network manager
kubectl apply -f

# setup nginx ingress controller

kubectl cluster-info
kubectl get nodes
kubectl get pods -A
kubectl get cm -n kube-system kubeadm-config -o yaml

Kubernetes - ArchWiki

Kubernetes Ingress Controller with NGINX Reverse Proxy and Wildcard SSL from Let's Encrypt -


pacman -S certbot certbot-dns-cloudflare
echo "dns_cloudflare_api_token = <token>" > ~/.secrets/certbot/cloudflare.ini
chmod 600 ~/.secrets/certbot/cloudflare.ini
certbot certonly \
  --email [email protected] \
  --agree-tos \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d "*"
openssl x509 -in /etc/letsencrypt/live/ -text
certbot certificates
[Unit] Description=Let's Encrypt renewal [Service] Type=oneshot ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "docker exec nginx-proxy-le /app/signal_le_service"
[Unit] Description=Twice daily renewal of Let's Encrypt's certificates [Timer] OnCalendar=0/12:00:00 RandomizedDelaySec=1h Persistent=true [Install]


pacman -S alsa-utils # maybe requires reboot
arecord -L # list devices
pcm.m96k { type hw card M96k rate 44100 format S32_LE } pcm.!default { type plug slave.pcm "m96k" }
arecord -vv /dev/null # test mic
alsamixer # gui mixer


systemctl --failed
free -h
lsblk -f
journalctl -p err
networkctl status