Arch Server

The majority of the process to set up this server was followed from here. Here I will outline where I deviated and use workarounds to make all this work on Arch Linux.

Register a Domain -> Create SSH Key

• No changes

Create Your Server

• Step 6: Select Arch as operating system istead of OpenBSD

Attach Storage -> Point Your Domain Here

• No changes

SSH Into Root

• Step 9: command to update packages on Arch is pacman -Syu instead of syspatch

Create Your Username

• Step 2-16: useradd -m <UserName> will automatically fill out all the defaults
• Step 17-20: passwd <UserName> to set the users password.
• Step 21: usermod -aG wheel,wheelnpw <UserName> to allow executing as root without password

Another User?

• No extra users added

Secure Your login

• Step 2: replace doas in command with sudo
• Step 5: replace rcctl in command with systemctl

Format Storage

Here I deviated much more from the steps so I will write out the steps used without referring to Derek's original document.

• ssh <UserName>@yourdomain.name
• sudo su
• fdisk -l will list the disks available, look for the one with the size of the blockstorage you added to your server.
  • Likely /dev/vdb
• cryptsetup -y -v --type luks2 luksFormat /dev/vdb
  • Will ask for storage name, I used blockstorage
  • Enter your passphrase when asked and confirm it. Make sure you note this down somewhere, you will not be able to access your storage without it.
• dd if=/dev/zero of=/dev/mapper/blockstorage status=progress
  • This will write all 0s to the memory of the blockstorage and ensure that the data seen from the outside is random.
  • It will take a long time to complete. status=progress will show you the progress and you will be able to tell when it has completed.
• mkfs.ext4 /dev/mapper/blockstorage will create the filesystem on the disk
• mkdir /mnt/blockstorage to create the mountpoint
• chown /mnt/blockstorage <UserName>:<UserName> to set ownership to your user
• Basic commands to manually manage the filesystem
  • To mount the filesystem sudo mount /dev/mapper/blockstorage /mnt/blockstorage
  • To unlock the filesystem sudo cryptsetup luksOpen /dev/vdb blockstorage
  • To lock the filesystem sudo cryptsetup luksClose blockstorage
  • To unmount filesystem sudo umount /mnt/blockstorage

We don't need to deal with these complex commands each time. We can use aliasing to substitute much simpler commands to remember instead.

• echo "alias mntblk='sudo mount /dev/mapper/blockstorage /mnt/blockstorage' >> .bashrc" will set the mounting command to mntblk
• echo "alias unlkblk='sudo cryptsetup luksOpen /dev/vdb blockstorage' >> .bashrc" will set the unlocking command to unlkblk
• echo "alias lkblk='sudo cryptsetup luksClose blockstorage' >> .bashrc" will set the locking command to lkblk
• echo "alias umntblk='sudo umount /mnt/blockstorage' >> .bashrc" will set the unmounting command to umntblk

This will still need 2 commands to mount, and 2 more to unmount. I like having these aliased separately just in case I want to run one without the other for some reason. To bring this to 1 command for each I will make 2 more aliases using the ones I just created. You could make each of these 2 using the expanded commands above, but I find this way simpler to read.

• echo "alias m='mntblk && unlkblk' >> .bashrc" will make m mount the system and unlock it
• echo "alias m-x='lkblk && umntblk' >> .bashrc" will make m-x lock the filesystem and unmount it
• log out and log back in to be able to use these new aliases or run source .bashrc

Use Your Storage

• No changes

FreeFileSync

• I did not use this

Verify and Unmount

• No changes

Web Server

Ports are not open externally by defaul on Arch. sudo ufw 80 will open the port for the web server. Do not open unnecessary ports. Arch is fully capable of hosting an apache server like is used in the guide. I prefer Nginx and so used that. The configuration is a little more complex than apache but I am more familiar with it and it works well for single site hosting.

• install with sudo pacman -S nginx
• enable with sudo systemctl enable nginx.service
• start with sudo systemctl start nginx.service

When I was testing I was serving static content from /srv/http/domain.com/public_html. In the /etc/nginx/nginx.conf file in the http block I added:

    server {:
        server_name yourdomain www.yourdomain
        location / {:
            root /srv/http/yourdomain/public_html
        }
    }
    

Run nginx -s reload to reload the configuration file.

Then the html files to be served can be put in whatever folder specified in root and will be served from there. In the end I have my website built and served using SvelteKit and Nginx is working as a proxy for that program. I will go into Svelte in the future.

To have a secure webserver (https) I need a certificate.

• sudo pacman -S certbot certbot-nginx to install the certbot package and nginx plugin
• sudo certbot --nginx will scan for nginx sites and create certificates
• sudo certbot renew will renew all certificates on the machine managed by certbot.

To run this renewal periodically I made certref file in bin containing:

    #!/bin/bash
    sudo certbot renew
    

Set permissions to 700 with sudo chmod 700 bin/certref, then added a cronjob to run the refresh once a month.

Simple Website

Can use exactly what is in the guide here. Just make sure the files are located in the root you specified in the Nginx configuration above.

File Sharing With Pub

Did not set this up with Nginx yet. If I do will update this.

Calendar and Contacts

This is very similar for both Arch and OpenBSD so will list changes Arch does not have htpasswd by default. Install with sudo pacman -S apache then continue.

• Step 2: sudo su
• Step 3: pacman -S radicale
• Step 9: systemctl enable radicale.service
• Step 10: systemctl start radicale.service

Android and Iphone + Test

• No changes

Backups

• Step 3: replace '/sh' with '/bash' and 'doas' with 'sudo' in the echo command.

Email

I decided to use an external email provider (FastMail) instead of setting up the email verification myself. This was before the explanation for this was published in this article. May try again in the future but for now I am happy with my own email for a few dollars a month that I can move to a different provider if needed

Git

I use git extensively in my coding projects, configurations, and notes so I wanted to be able to host my own git server.

• assume root with sudo su
• install with pacman -S git
• in /etc/passwd file set the home directory for the git user to /srv/git
• created .ssh folder in /srv/git and added an ssh key like above to log into the server
• enabled with systemctl enable git-daemon.socket
• started with systemctl start git-daemon.socket

To make a new project I navigate to /srv/git and make a new project with git -bare init <projectName>.git. Set ownership to git user with chown <projectName>.git git:git. To set the remote origin for a project that is already initialized git remote add origin git@url:/srv/git/<projectName> To clone a project from remote to local git clone git://url/<projectName> localName

Evolving

This project is slowly but constantly evolving. The above state is how it is running currently and that may change. I will endeavor to update it when things do. Slowly grow from something mostly taken from Derek's guide (thank you so much for that) to something uniquely my own and serving the my exact needs.